
Simplifying PHP Form Processors

Making a simple, easy-to-use web form processor for PHP keeps coming up on projects. The usual ways I've seen people implement form processing are:

  • relying solely on JavaScript validation in the browser, which anyone can bypass by disabling JavaScript (or by submitting the request directly), leaving you back at square one with no validation at all
  • minimal error checking that only tests whether a value is set
  • a long-winded approach that checks each required field individually, verifies that the submitted variables have been scrubbed and are clean, then tests booleans against true/false, checks that a dropdown value actually appears in the dropdown, and so on

Simon Willison has published his implementation of a form processor, which looks quite promising. His example shows how to call the processor; the error messages and validation rules are embedded in the XHTML document itself, and the processor strips them out before the page is sent to the browser.

I was initially thinking that it would be useful to have an XML document that goes hand in hand with each form (rather than embedding the processor's ruleset within the form itself). That way you can have multiple forms on a page and use the various XML files to load the ruleset for each one.
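The following is an added example, not code from the original post or from Simon Willison's processor. It sketches the idea above: a form processor driven by an XML ruleset that lives beside the form rather than inside it, which also does the scrubbing for you by whitelisting fields and only copying values that pass every rule into a clean array. The ruleset format, the rule names (required, maxlength, pattern, type, option) and the sample submission are all assumptions made for this illustration.

```php
<?php
// Added example, not code from the original post or from Simon Willison's
// processor: a form processor driven by an XML ruleset that lives beside the
// form instead of inside it. The ruleset format and rule names are assumptions.

// Constructed ruleset for a "contact" form. Fields are whitelisted: anything
// posted that is not listed here is dropped, never copied into $clean.
$ruleset_xml = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<form name="contact">
  <field name="username" required="true" maxlength="32" pattern="^[A-Za-z0-9_]+$"/>
  <field name="email"    required="true" type="email"/>
  <field name="country"  required="true">
    <option>ZA</option><option>GB</option><option>US</option>
  </field>
  <field name="comment"  required="false" maxlength="500"/>
</form>
XML;

// Constructed submission standing in for $_POST. It carries a dropdown value
// that is not in the dropdown and an extra field the form never offered.
$post = [
    'username' => 'alice_99',
    'email'    => 'alice@example.com',
    'country'  => 'XX',
    'comment'  => '<script>alert(1)</script>',
    'is_admin' => '1',
];

// Validates $input against the ruleset and returns [$clean, $errors].
// $clean holds only values that passed every rule; $errors maps field => message.
function process_form($ruleset_xml, array $input)
{
    $rules  = new SimpleXMLElement($ruleset_xml);
    $clean  = [];
    $errors = [];

    foreach ($rules->field as $field) {
        $name     = (string) $field['name'];
        $required = (string) $field['required'] === 'true';
        $raw      = isset($input[$name]) ? $input[$name] : null;

        // A scalar field sent as an array (name[]=x) is treated as missing,
        // so the string functions below never see an array.
        $raw = is_string($raw) ? trim($raw) : null;

        if ($raw === null || $raw === '') {
            if ($required) {
                $errors[$name] = 'This field is required.';
            }
            continue;
        }

        // Dropdown: accept only a value that appears in the option list, exactly.
        if (count($field->option) > 0) {
            $allowed = array_map('strval', iterator_to_array($field->option, false));
            if (!in_array($raw, $allowed, true)) {
                $errors[$name] = 'Value is not one of the allowed options.';
                continue;
            }
        }

        if (isset($field['maxlength']) && strlen($raw) > (int) $field['maxlength']) {
            $errors[$name] = 'Value is too long.';
            continue;
        }

        // Patterns are anchored by the ruleset author; the D modifier stops a
        // trailing newline from slipping past the $ anchor.
        if (isset($field['pattern']) && !preg_match('/' . $field['pattern'] . '/D', $raw)) {
            $errors[$name] = 'Value contains characters that are not allowed.';
            continue;
        }

        if (isset($field['type']) && (string) $field['type'] === 'email'
            && filter_var($raw, FILTER_VALIDATE_EMAIL) === false) {
            $errors[$name] = 'Not a valid e-mail address.';
            continue;
        }

        $clean[$name] = $raw;
    }

    return [$clean, $errors];
}

list($clean, $errors) = process_form($ruleset_xml, $post);
print_r($clean);
print_r($errors);
```

Running this, the country value is rejected because it is not one of the listed options, and the unexpected is_admin field never reaches $clean because the ruleset, not the request, decides which fields exist. Note that the comment field passes validation while still containing markup: validation decides what the application accepts, and escaping on output (covered further down) is a separate step that still has to happen.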

The form processor would also need to do all the variable scrubbing for you. Chris Shiflett's Essential PHP Security, in the chapter Forms and URLs, explains this in more detail:

This chapter discusses form processing and the most common types of attacks that you need to be aware of when dealing with data from forms and URLs. You will learn about attacks such as cross-site scripting (XSS) and cross-site request forgeries (CSRF), as well as how to spoof forms and raw HTTP requests manually. By the end of the chapter, you will not only see examples of these attacks, but also what practices you can employ to help prevent them.

<?php

$html = array();

$html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');

echo "<p>Welcome back, {$html['username']}.</p>";

?>

In the example above Chris demonstrates escaping output on its way back to the browser. I tend to use the Smarty Template Engine to separate the HTML from the PHP code I'm developing. In Smarty 2.6.11 you can specify which character set the escape modifier should use, e.g. {$foobar|escape:"htmlall":"UTF-8"}, which calls htmlentities() with ENT_QUOTES and the given charset, the same as the example above.
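As an added example (not code from the original post or from Chris Shiflett's book), the block below shows what the ENT_QUOTES flag and the explicit charset in that htmlentities() call actually buy you, by rendering a constructed attacker-controlled value into a single-quoted attribute with and without them. The helper names h() and input_tag() and the sample value are this example's own assumptions.

```php
<?php
// Added example, not code from the original post or from Chris Shiflett's book:
// what the ENT_QUOTES flag and the explicit charset in the htmlentities() call
// above buy you. The helper names h() and input_tag() are this example's own.

// Constructed attacker-controlled value as it might arrive from a form.
$clean = ['username' => "x' onmouseover='alert(1)"];

// The escaping the post recommends: both quote styles encoded, charset explicit.
function h($value)
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Renders the value into a single-quoted attribute using the escaper passed in.
function input_tag($value, $escaper)
{
    return "<input name='username' value='" . $escaper($value) . "'>";
}

// 1. ENT_COMPAT (the default before PHP 8.1) encodes " but leaves ' alone, so
//    inside a single-quoted attribute the value closes the attribute and
//    injects an event handler.
$weak = function ($v) { return htmlentities($v, ENT_COMPAT, 'UTF-8'); };
echo input_tag($clean['username'], $weak), "\n";

// 2. ENT_QUOTES encodes ' as &#039; and the attribute stays an attribute.
echo input_tag($clean['username'], 'h'), "\n";

// 3. The charset argument is not cosmetic: a value that is not valid UTF-8
//    makes htmlentities() return an empty string instead of passing the raw
//    bytes through (add ENT_SUBSTITUTE, PHP 5.4+, to get U+FFFD instead).
//    Failing closed is the right default; log it, since it usually means
//    someone is probing the encoder.
$not_utf8 = "alice\xC0";
var_dump(h($not_utf8) === '');
```

The practical rule this illustrates: escape at the point of output with both quote styles encoded and the page's charset named explicitly, whether that is htmlentities() in PHP or escape:"htmlall":"UTF-8" in a Smarty template, and never assume the default flags of the PHP version you happen to be running.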


