PROGRAMMING

 
REMEMBERS




Last update:   29-10-2021

Superglobal arrays

All of PHP's superglobal arrays should be considered tainted. Even the $_SERVER array is not fully safe, because part of its content is supplied by the client. Only $_SESSION is safe.

Filter Input

Server-side filtering is important for security. Client-side validation is important for usability. Ctype functions are always preferred over regular expressions, because the ctype functions are backed by a native C library and run faster.
 
<form method="POST">
    Username: <input type="text" name="username">
    Color: 
         <select name="color">
             <option></option>
             <option>Red</option>
             <option>Blue</option>
         </select>
    <input type="submit" name="btn_submit">
</form>
 
You should force the user to provide correctly formed information (validate it with the ctype_* functions).
 
<?php
if (isset($_POST['btn_submit'])) {

    $clean = array();

    // Accept the username only if it is present and consists of letters only (ctype_alpha).
    if (isset($_POST['username']) && ctype_alpha($_POST['username'])) { // Look Here
        $clean['username'] = $_POST['username'];
    }
    // Accept the color only if it is one of the known options (strict comparison).
    if (isset($_POST['color']) && in_array($_POST['color'], array("Red", "Blue"), true)) {
        $clean['color'] = $_POST['color'];
    }

    var_dump($clean);
}
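The whitelist approach above generalises to a small reusable filter. The following is an added example, not code from the original page: it validates several fields against explicit rules (ctype checks, a strict allowed-list, a length cap), fails closed when a field is missing or is not a string (a client can send username[]=x, which arrives as an array), and copies only passing values into $clean. The rule format, the helper name and the extra "age" field are assumptions made for this illustration.

```php
<?php
// Added example (not part of the original page). Field names "username" and "color"
// come from the form above; the rule format and the "age" field are assumptions.

function filter_input_fields(array $input, array $rules): array
{
    $clean  = [];
    $errors = [];

    foreach ($rules as $field => $rule) {
        // Fail closed: missing values and non-string values (e.g. an array sent as
        // username[]=x) are rejected. The ctype_* functions expect a string.
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = $input[$field];

        // Cap the length before any further check.
        if (strlen($value) > $rule['max']) {
            $errors[$field] = 'too long';
            continue;
        }

        $ok = false;
        switch ($rule['type']) {
            case 'alpha': $ok = ctype_alpha($value); break;                      // letters only
            case 'digit': $ok = ctype_digit($value); break;                      // 0-9 only
            case 'alnum': $ok = ctype_alnum($value); break;                      // letters and digits
            case 'enum':  $ok = in_array($value, $rule['allowed'], true); break; // strict whitelist
        }

        if ($ok) {
            $clean[$field] = $value;
        } else {
            $errors[$field] = 'invalid';
        }
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Rules for the form above (the length limits are assumptions).
$rules = [
    'username' => ['type' => 'alpha', 'max' => 32],
    'color'    => ['type' => 'enum',  'max' => 8, 'allowed' => ['Red', 'Blue']],
    'age'      => ['type' => 'digit', 'max' => 3],
];

// Constructed sample submissions standing in for $_POST.
$good = ['username' => 'alice', 'color' => 'Red',   'age' => '42'];
$bad  = ['username' => 'al1ce', 'color' => 'Green', 'age' => ['1']];

var_dump(filter_input_fields($good, $rules));
var_dump(filter_input_fields($bad, $rules));
```

The first submission passes every rule and all three values reach $clean. The second yields an empty $clean: the digit in the username fails ctype_alpha, "Green" is not in the allowed list, and the array sent as "age" is rejected before any ctype call is made, so the filter never has to reason about what an unexpected type would do.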
 

Escape Output

Escaping output protects the client and user from potentially damaging commands. For HTML escaping use htmlentities(). For SQL escaping use mysql_escape_string($sql).
 
<form method="POST">
    Message: <input type="text" name="message"> 
                <input type="submit" name="btn_submit">
    <br><br>
    Example: <br>
    John's message is "Hello World!"
</form>
 
 
<?php
if (isset($_POST['btn_submit'])) {

    $message = isset($_POST['message']) ? $_POST['message'] : '';

    echo "\n" . htmlentities($message);
        // John's message is &quot;Hello World!&quot;
        // Converts double quotes only (default flags before PHP 8.1;
        // since PHP 8.1 the default also includes ENT_QUOTES)

    echo "\n" . htmlentities($message, ENT_QUOTES);
        // John&#039;s message is &quot;Hello World!&quot;
        // Converts both double and single quotes
}
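Escaping depends on the output context, and the SQL side deserves a caveat: mysql_escape_string() belongs to the old mysql extension, which was removed in PHP 7, so the database part below uses a prepared statement instead. This is an added example, not code from the original page; the esc_html() helper, the messages table and the use of an in-memory SQLite database through PDO (requires the pdo_sqlite extension) are assumptions made so the example runs without a database server.

```php
<?php
// Added example (not part of the original page). esc_html(), the messages table and
// the in-memory SQLite database are assumptions for this illustration.

function esc_html(string $value): string
{
    // ENT_QUOTES: escape both ' and " so the value is safe in element content and
    // in quoted attributes. ENT_SUBSTITUTE: replace invalid UTF-8 instead of
    // returning an empty string, which would silently drop the whole output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function store_message(PDO $db, string $author, string $message): int
{
    // Placeholders keep data and SQL separate; no escaping of $message is needed,
    // and the stored value stays exactly what the user typed.
    $stmt = $db->prepare('INSERT INTO messages (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $message]);
    return (int) $db->lastInsertId();
}

function load_message(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM messages WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Constructed input standing in for $_POST['message'].
$message = 'John\'s message is "Hello World!" <b>';

// 1. HTML context: escape at the point of output, once per context.
echo '<p>' . esc_html($message) . "</p>\n";
echo '<input type="text" value="' . esc_html($message) . "\">\n";

// 2. SQL context: parameter binding instead of string escaping.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

$id = store_message($db, 'John', $message);

// The body comes back byte-for-byte unchanged: escape on output, not on input.
var_dump(load_message($db, $id) === $message);
```

Two points are worth keeping in mind when reading this: the raw message is stored as-is and escaped only when it is rendered, so the same record can later be emitted into HTML, JSON or a log with the escaping that context needs; and the escaping flags and charset are passed explicitly, so the behaviour does not change with the PHP version's defaults.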
 
