PROGRAMMING

  MINTE9
REMEMBERS




Last update:   13-05-2022

Filter Input

Server-side filtering is important for security.
 
# Client-side validation is important for usability. 

<form method="POST">
    Username: <input type="text" name="username">
    Color: 
         <select name="color">
             <option></option>
             <option>Red</option>
             <option>Blue</option>
         </select>
    <input type="submit" name="btn_submit">
</form>
 
# All of PHP's superglobals arrays should be considered tainted
# Even $_SERVER array is not fully safe, ...
# it contains some data provided by the client
#
# Only $_SESSION is safe!
# Ctype functions are always preferred over regular expressions

if (isset($_POST['btn_submit'])) {

    $clean = array();

    if (ctype_alpha($_POST['username'])) { // Look Here
        $clean['username'] = $_POST['username'];
    }
    if (in_array($_POST['color'], array("Red", "Blue"))) {
        $clean['color'] = $_POST['color'];
    }
    
    var_dump($clean);        
}

Escape Output

Escaping output protects the client and user from potentially damaging commands.
 
<form method="POST">
    Message: <input type="text" name="message"> 
                <input type="submit" name="btn_submit">
    <br><br>
    Example: <br>
    John's message is "Hellow World!"
</form>
 
if (isset($_POST['btn_submit'])) {

    echo "nr" . htmlentities($_POST['message']); 
        # John's message is &quot;Hellow World!
        # Will convert double-quotes

    echo "nr" . htmlentities($_POST['message'], ENT_QUOTES); 
        # John&#039;s message is &quot;Hellow World!
        # Will convert both double and single quotes
}

Questions    
Remote code injection
        A B C D E F
🔔
1/4