PHP Security (Form, Password Encryption, Fake Options)

Introduction: This tutorial covers adding security to your forms with PHP/HTML.

Pre-creation: I am going to be using my login form as the example for this page; you can find my tutorial on a login form here: Login Form Tutorial.

What security flaws are there? Whenever a user enters data into your web forms, the data gets processed as it is, so the creator needs to add security checks. A good example of this is XSS (Cross-Site Scripting): a simple XSS payload entered into a form will be executed when the PHP outputs it (unless we do something about it).

Are they real options? Another potential problem is that someone can use something along the lines of Chrome Inspect or Firebug to edit the source code of our site and add an option to one of our drop-down lists. If we simply pass on the given value from the drop-down list, we could be passing a value that doesn't exist. For example, if you have a voting form for only a particular group of people, they could start a new vote.

Prevention:

Strip the tags: To stop commands being passed through the form (XSS etc.) we can use the mysql_real_escape_string and strip_tags functions to ensure we are only passing harmless strings. For example, we have a value from our posted form element named 'nam' (I avoided using 'name' for the login username since it is already an HTML attribute name); we get the value, then run each security function on it:
  // mysql_real_escape_string needs an open mysql_connect() link; the mysql extension was removed in PHP 7 (use mysqli_real_escape_string there)
  $name = $_POST['nam'];
  $name = mysql_real_escape_string($name);
  $name = strip_tags($name);
As you can see, both functions accept a single argument: the string to operate on. We can also echo $name after each step to check that we are not losing any data, only converting it into a harmless string:
  $name = $_POST['nam'];
  echo $name;   // raw posted value
  $name = mysql_real_escape_string($name);
  echo $name;   // quotes and other SQL-significant characters are now escaped
  $name = strip_tags($name);
  echo $name;   // HTML/PHP tags removed
Check for real options: To avoid passing fake options, we simply need to check that the submitted value is equal to one of our own options. Here is a mock:
  $sel = $_POST['sel'];
  if ($sel == 'a' || $sel == 'b') {
          //Real option, safe to use
  }
  // the form element the value comes from:
  <select name='sel'><option value='a'>a</option><option value='b'>b</option></select>
Password Encryption: Finally, we have password encryption. This is very simple to do since md5 hashing is a built-in PHP function and as such only requires one parameter, the string to hash (our password):
  $pass = 'abcd';
  echo $pass;   // plain password
  $pass = md5($pass);
  echo $pass;   // 32-character hex digest
Why MD5? MD5 is great for password encryption because it cannot be reversed; it can only be cracked by guessing the correct string and comparing the two hashes. So, if a hacker or someone else gets hold of your password encrypted with an md5 hash, it's unlikely they will get your actual, original, unencrypted password.
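A fuller version of the checks from the option and password sections, added here as an example and not part of the tutorial: it validates the drop-down value against a list of real options, escapes the name for HTML output, and stores the password with password_hash (PHP 5.5+) in place of md5, since md5 is unsalted and fast to brute-force. The field names and the REAL_OPTIONS list are assumptions, and $_POST is stood in for by a constructed array so the script runs from the command line.

```php
<?php
// Added example (not the tutorial's code). Assumes a form with fields 'nam',
// 'pass' and a select 'sel' whose only real options are 'a' and 'b'.
declare(strict_types=1);

const REAL_OPTIONS = ['a', 'b'];   // assumed: the values of our own <option> tags

// Reject anything that is not one of our own options, including values added
// by editing the page in the browser's inspector.
function realOption(array $post): ?string
{
    $sel = $post['sel'] ?? null;
    return (is_string($sel) && in_array($sel, REAL_OPTIONS, true)) ? $sel : null;
}

// Output escaping: when the value is echoed back into HTML, htmlspecialchars
// turns tags into plain text, which is what stops the XSS case above.
function safeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// password_hash salts each hash and uses a slow algorithm (bcrypt by default),
// so equal passwords give different hashes and guessing is expensive.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// Constructed input: a name carrying a script tag, a fake drop-down value.
$post = [
    'nam'  => "<script>alert(1)</script>Bob",
    'pass' => 'abcd',
    'sel'  => 'c',
];

$sel = realOption($post);
echo "sel: " . ($sel ?? 'rejected (not a real option)') . "\n";

$name = trim(strip_tags($post['nam']));   // tutorial's strip_tags step
echo "name for HTML: " . safeForHtml($name) . "\n";

$hash = storePassword($post['pass']);
var_dump(checkPassword('abcd', $hash));   // correct password
var_dump(checkPassword('abce', $hash));   // wrong password
```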
