That really depends on what you want to do. In your current example I doubt it makes sense to do anything other than to check if it can be parsed as a float or integer after trimming.
I know for my previous exercise it doesn't make a lot of sense; I was really thinking in terms of things like contact forms, login forms, etc.
For example, here is another little practice exercise I've been working on. As you will see, I've taken what I learned from my previous exercise and incorporated it into this one.
<?php
//Start Session
session_start();
//define and set variables
$sent = false;
$conformation_message = "";
$error = false;
$name_error_message = "";
$email_error_message = "";
$subject_error_message = "";
$comments_error_message = "";
$captcha_error_message = "";
//add the variables needed to make the mail() function work.
function input_sanitizer($user_input)
{
//strip whitespace (or other characters) from the beginning and end of a string.
$user_input = trim($user_input);
//returns a string with backslashes stripped off
$user_input = stripslashes($user_input);
//strip HTML and PHP tags from a string
$user_input = strip_tags($user_input);
//htmlspecialchars() converts the characters &, ", ', < and > to HTML entities
//"UTF-8" explicitly specifies the character encoding (needed on older versions of PHP where the default differed)
//ENT_QUOTES tells htmlspecialchars() to encode both double and single quotes
$user_input = htmlspecialchars($user_input, ENT_QUOTES, "UTF-8");
return $user_input;
}
//check if the submit button has been pressed.
if(isset($_POST['submit']))
{
//pass each input through the sanitizer function
//(?? '' avoids an undefined index notice if a field is missing from the POST data, e.g. a hand-crafted request)
$_POST['name'] = input_sanitizer($_POST['name'] ?? '');
$_POST['email'] = input_sanitizer($_POST['email'] ?? '');
$_POST['subject'] = input_sanitizer($_POST['subject'] ?? '');
$_POST['comments'] = input_sanitizer($_POST['comments'] ?? '');
$_POST['captcha'] = input_sanitizer($_POST['captcha'] ?? '');
//check if the name field is empty.
if(empty($_POST['name']))
{
$error = true;
$name_error_message = '<span class="error">Name is required.</span>';
}
//check if the name field only contains letters and spaces.
else if (!preg_match("/^[a-z\040]*$/i",$_POST['name']))
{
$error = true;
$name_error_message = '<span class="error">Only letters and spaces are allowed.</span>';
}
//check if the email field is empty.
if(empty($_POST['email']))
{
$error = true;
$email_error_message = '<span class="error">Email is required.</span>';
}
//check if the e-mail address is well-formed.
else if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
{
$error = true;
$email_error_message = '<span class="error">Please enter a valid email address.</span>';
}
//check if the subject field is empty.
if(empty($_POST['subject']))
{
$error = true;
$subject_error_message = '<span class="error">Subject is required.</span>';
}
// check if the subject field only contains letters and spaces.
else if (!preg_match("/^[a-z\040]*$/i",$_POST['subject']))
{
$error = true;
$subject_error_message = '<span class="error">Only letters and spaces are allowed</span>';
}
//check if the comments field is empty.
if(empty($_POST['comments']))
{
$error = true;
$comments_error_message = '<span class="error">Comments is required.</span>';
}
//insert another check to limit what characters users can input into the comments field.
//check if the captcha field is empty (=== '' rather than empty(), so that a correct answer of "0" is not rejected).
if ($_POST['captcha'] === '')
{
$error = true;
$captcha_error_message = '<span class="error">Captcha is required.</span>';
}
//check if the whole captcha field is a positive, negative or decimal number.
//the pattern is anchored so that stray characters before or after the number are rejected.
else if(!preg_match("/^-?\d+(\.\d+)?$/",$_POST['captcha']))
{
$error = true;
$captcha_error_message = '<span class="error">The captcha field can only contain positive, negative or decimal numbers.</span>';
}
//check if the stored answer is identical to the users response.
//(float)$_POST['captcha'] and (integer)$_POST['captcha'] forces $_POST['captcha']
//to be evaluated as a whole number or as a decimal number instead of as a string.
else if ($_SESSION['total'] !== (integer)$_POST['captcha']
and $_SESSION['total'] !== (float)$_POST['captcha'])
{
$error = true;
$captcha_error_message = '<span class="error">You answered the question incorrectly.</span>';
}
else if($error === false and $sent === false)
{
//add the mail() function to actually send the mail.
$sent = true;
$conformation_message = '<p class="sent">Message Sent.</p>';
}
}
if(!isset($_POST['submit']) or $error === true or $sent === true)
{
//Generate Random Numbers
$value_1 = rand(1,100);
$value_2 = rand(1,100);
$value_3 = rand(1,4);
switch ($value_3)
{
case 1:
$question = "What is" ." ". $value_1 . " / " . $value_2 . " Rounded to 2 decimal places ? ";
$answer = round($value_1 / $value_2, 2);
break;
case 2:
$question = "What is" ." ". $value_1 . " * " . $value_2 . " ? ";
$answer = $value_1 * $value_2;
break;
case 3:
$question = "What is" ." ". $value_1 . " + " . $value_2 . " ? ";
$answer = $value_1 + $value_2;
break;
case 4:
$question = "What is" ." ". $value_1 . " - " . $value_2 . " ? ";
$answer = $value_1 - $value_2;
break;
}
//Store/Update The Answer To The Question.
$_SESSION['total'] = $answer;
}
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Contact form test</title>
<style>
.error{color:red;}
.sent{color:green;}
</style>
</head>
<body>
<main>
<h1>Contact</h1>
<form action="test2.php" method="post" name="contact">
<p>Name: <?php echo $name_error_message; ?>
<!-- Prevent the browser from deleting the contents of the field if the form didn’t send due to an error. -->
<br><input type="text" name="name" <?php if(isset($_POST['name']) and $error === true){echo'value="'.$_POST['name'].'"';}?>></p>
<p>Email Address: <?php echo $email_error_message; ?>
<!-- Prevent the browser from deleting the contents of the field if the form didn’t send due to an error. -->
<br><input type="text" name="email" <?php if(isset($_POST['email']) and $error === true){echo'value="'.$_POST['email'].'"';}?>></p>
<p>Subject: <?php echo $subject_error_message; ?>
<!-- Prevent the browser from deleting the contents of the field if the form didn’t send due to an error. -->
<br><input type="text" name="subject" <?php if(isset($_POST['subject']) and $error === true){echo'value="'.$_POST['subject'].'"';}?>></p>
<p>Comments: <?php echo $comments_error_message; ?>
<!-- Prevent the browser from deleting the contents of the field if the form didn’t send due to an error. -->
<br><textarea name="comments"><?php if(isset($_POST['comments']) and $error === true){echo $_POST['comments'];}?></textarea></p>
<p><?php echo $question; echo $captcha_error_message; ?>
<br><input type="text" name="captcha"></p>
<p><input type="submit" name="submit" value="Submit"></p>
<?php if(isset($_POST['submit']) and $sent === true){echo $conformation_message;} ?>
</form>
</main>
</body>
</html>
While this is a reasonable start, I am aware that there are still a few issues with it, and there are some additional things that can be done to make it harder to attack.
One suggestion I read about was generating and setting a session token and then checking for the presence of that token upon submission, and if it's wrong or not present then you can assume it's a hacking attempt and then kill the script and log the attempt.
Another suggestion I read about was to use a randomly placed hidden bait field to trip up bots, and just like the previous idea you can check to see if that field has been messed with, and if so then you can assume it's a hacking attempt and kill the script and log the attempt.
Now I know this contact form isn't complete and won't actually send email just yet because there are still a couple of bits missing. This is deliberate because I'm not at that point yet; I wanted to try and figure out the form security first because it's important, and if you don't do it correctly then that can lead to all sorts of nastiness like, for example, header injection, which would potentially allow spammers to hijack the form.
Or if I was doing, say, a login form, then something like cross-site request forgery attacks could potentially allow an attacker to gain unauthorized access to stuff that is supposed to be protected, like people's credit card numbers for example.
And of course let's not forget about SQL injection type attacks if the form is attached to a back-end database; again, if you don't set up your form security correctly then potentially that could lead to all sorts of issues like people having their details stolen, the database being deleted, maybe even the whole site being deleted, to name but a few.
Moreover, allowing these sorts of things to occur is an offence that can potentially get you sacked, so I figure it's well worth my time to learn how to do this stuff correctly, since this is not something that I covered extensively during my HND, and therefore it's not something that I currently understand well.
Now obviously if you are only talking about a contact form then there is no database involvement, which eliminates one set of issues, but there are still various other issues that can occur even with something as common and relatively simple as a contact form. One of these, as I mentioned above, is header injection, which my current code doesn't protect against; another is XSS or cross-site scripting attacks, which the input_sanitizer function should take care of so long as all inputs are run through it to remove any unexpected input, and of course doing input validation and making sure that the mail won't send if the form has any errors helps with this as well.
So like I said, I'm simply looking to learn how to lock down any forms that I create to make it as hard as possible for other people to attack them.
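The three ideas raised in the post (a session token that must come back on submission, a hidden bait field for bots, and a check for the header injection the post says the current code lacks) can be combined in front of the existing validation. The following is an added example and not the poster's code; the function names (csrf_token, csrf_token_valid, honeypot_name, honeypot_tripped, contains_header_injection, reject) and the session keys 'csrf_token' and 'honeypot_name' are my own choices, and the bait field is given a random name per session rather than a random position in the form.

```php
<?php
// Added example, not the original poster's code. Function names and the session
// keys 'csrf_token' and 'honeypot_name' are my own choices.
session_start();

// --- Session (CSRF) token ---------------------------------------------------
// Generated once per session with a CSPRNG, embedded in the form as a hidden
// field, and required to come back unchanged on submission.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex characters
    }
    return $_SESSION['csrf_token'];
}

// hash_equals() compares in constant time so the check does not leak timing.
function csrf_token_valid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- Hidden bait (honeypot) field -------------------------------------------
// The field name is random per session so a bot cannot hard-code it. The field
// is hidden from people with CSS, so a non-empty value means a script filled it.
function honeypot_name(): string
{
    if (empty($_SESSION['honeypot_name'])) {
        $_SESSION['honeypot_name'] = 'hp_' . bin2hex(random_bytes(8));
    }
    return $_SESSION['honeypot_name'];
}

function honeypot_tripped(array $post): bool
{
    $name = $_SESSION['honeypot_name'] ?? null;
    return $name !== null && isset($post[$name]) && $post[$name] !== '';
}

// --- Header injection -------------------------------------------------------
// Any value that will be placed in a mail header (From, Reply-To, Subject) must
// not contain CR or LF; a line break lets the submitter append headers like Bcc.
function contains_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Log the rejected request and stop. The log line records only the reason and
// the client address, never the submitted text, so the log cannot be polluted.
function reject(string $reason): void
{
    $client = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log("contact form rejected: $reason (client $client)");
    http_response_code(400);
    exit;
}

if (isset($_POST['submit'])) {
    if (!csrf_token_valid($_POST['csrf_token'] ?? null)) {
        reject('missing or invalid session token');
    }
    if (honeypot_tripped($_POST)) {
        reject('hidden bait field was filled in');
    }
    foreach (['name', 'email', 'subject'] as $field) {
        if (contains_header_injection((string)($_POST[$field] ?? ''))) {
            reject("line break in the $field field");
        }
    }
    // Token accepted: drop it so a replayed submission needs a freshly loaded form.
    unset($_SESSION['csrf_token']);
    // The existing field validation and the mail() call would follow here.
}
?>
<form action="" method="post">
    <input type="hidden" name="csrf_token"
           value="<?php echo htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8'); ?>">
    <!-- bait field: hidden from people, must stay empty -->
    <div style="display:none" aria-hidden="true">
        <input type="text" name="<?php echo honeypot_name(); ?>" value=""
               tabindex="-1" autocomplete="off">
    </div>
    <p>Name: <br><input type="text" name="name"></p>
    <!-- email, subject, comments and captcha fields as in the form above -->
    <p><input type="submit" name="submit" value="Submit"></p>
</form>
```

The order matters: the token and bait checks run before any field is inspected or any mail is sent, so a request that fails them never reaches the rest of the script. The header check is separate from input_sanitizer() because strip_tags() and htmlspecialchars() leave carriage returns and line feeds in place, and those are exactly the characters that make header injection possible.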