Xemnas
New Member
- Messages
- 812
- Reaction score
- 0
- Points
- 0
Before I start, if you're only interested in the scripts and nothing else, feel free to copy and paste those (but make sure you know what they do, and don't steal this tutorial either - VIOLATORS WILL BE SMACKED =P). This tutorial assumes basic knowledge of XHTML and PHP.
In any production web site which handles user input, security is just as important as its look, layout, speed and function. Because of that, most web scripting languages offer several bulit-in functions for keeping those nasty hackers, crackers etc. at bay. But rather than calling them all and hoping you've blocked all known bad input (doing so is a bad security practice, and at any rate you'll only succeed in bloating your code out of proportion), you can instead write your own function, which only allows what we want it to, and keeps everything optimised at the same time.
So, say we have a PHP script named "login.php", which contains an XHTML login portal mock-up, resembling this:
As you can see, the form submits post data to itself. Each of the three input tags has an id element, which we can use in PHP to identify the relevant object. The script isn't ready for adding log in functionality, of course: if we were to add a PHP script for it, any user could inject the portal, and all of a sudden things would be really messed up. So before we do that, we're going to make sure that when we do, nothing can be screwed up. We could, of course, use stuff like gpc_magic_quotes(), mysql_real_escape_string(), filter_var etc, but there's a problem with using those - they can only block known bad input. Instead, we want to only allow known clean input; since PHP itself has no functions for this, we'll create a custom function, form_validation. Functions contain PHP code, which is then called elsewhere in a script; for example, echo() is actually a predefined function.
Our function looks like this:
This function has two parameters, $username (which represents the username field's input) and $password (representing the password field's input). When we call the function, we substitute these for actual values. Since the form submits post data, we can use the $_POST variable to get the username and password input, using the relevant id tags. In this case, the syntax to call our function would be:
Now we come to the line "if (strlen($username) > 0 && strlen($password) > 0)". strlen()is a function which calculates the length of a variable; in this case we are using it in an if () statement to check if either of our function parameters are null (a length of zero). If not, the first code block is executed; if so, the second block is executed. Let's look at the second block first. It's defined by an elseif () statement; in this case, it calls the isset() function, which checks if a variable (here $_POST['btn1'], has been assigned a value. Basically this line is checking for whether the form has been submitted yet; if it has then it tells the user they haven't filled out all the fields yet.
The line "if (preg_match("/[^a-z\.^A-Z\.^0-9\._\.]/",$username.$password))" is the heart of our function; it checks for any characters in $username and $password besides those defined as the first parameter in preg_match() (i.e. alphanumeric characters and the underscore); it then outputs some info which changes based on the result. Normally, preg_match() checks a string for the first occurence of a set of characters (defined as, for example, "\abc\"). In our case, we've grouped together four sets (a-z, A-Z, 0-9 and the underscore), and set the function to check for characters other than those. The other parameter is the string to check. Notice that $username and $password are concatenated, or joined together; this means here they're treated as one string, which is faster than checking them separately.
So now that we know how our function works, it's time to implement it. Although "PHP mode" can be entered into anywhere in the script, I prefer placing it before the form closing tag since the form is what the function is dealing with. So for me, and if you've been following me all the way, the script would look like this:
There you have it. A small block of PHP code which makes your site nigh-impregnable. It's by no means complete though; you may find yourself changing things in this, and there are a lot of ways to use it too (it doesn't have to be for user validation either; there are many other scenarios this script is useful for!)
Finally, thank you for taking the time to read this tutorial (IF you read it)!
In any production web site which handles user input, security is just as important as its look, layout, speed and function. Because of that, most web scripting languages offer several bulit-in functions for keeping those nasty hackers, crackers etc. at bay. But rather than calling them all and hoping you've blocked all known bad input (doing so is a bad security practice, and at any rate you'll only succeed in bloating your code out of proportion), you can instead write your own function, which only allows what we want it to, and keeps everything optimised at the same time.
So, say we have a PHP script named "login.php", which contains an XHTML login portal mock-up, resembling this:
HTML:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/2002/REC-xhtml1-20020801/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Filter Chars Test</title>
</head>
<body>
<form action="login.php" method="post">
<p>Username: <input type="text" name="txt1" /></p>
<p>Password: <input type="password" name="pwd1" /></p>
<p><input type="submit" name="btn1" value="Validate" /></p>
</form>
<br /><div style="z-index:3" class="smallfont" align="center">Search Engine Friendly URLs by <a rel="nofollow" href="http://www.crawlability.com/vbseo/">vBSEO</a> 3.0.0</div><br /><div style="z-index:3" class="smallfont" align="center">Search Engine Friendly URLs by <a rel="nofollow" href="http://www.crawlability.com/vbseo/">vBSEO</a> 3.0.0</div><br /><div style="z-index:3" class="smallfont" align="center">Search Engine Friendly URLs by <a rel="nofollow" href="http://www.crawlability.com/vbseo/">vBSEO</a> 3.0.0</div><br /><div style="z-index:3" class="smallfont" align="center">Search Engine Friendly URLs by <a rel="nofollow" href="http://www.crawlability.com/vbseo/">vBSEO</a> 3.0.0</div></body>
</html>
Our function looks like this:
PHP:
// Declare function with two parameters, one for username and one for password
function form_validation($username,$password)
{
// Has the user filled out both fields?
if (strlen($username) > 0 && strlen($password) > 0)
{
// Does the input have non-alphanumeric characters (excluding "_")?
if (preg_match("/[^a-z\.^A-Z\.^0-9\._]/",$username.$password))
// Yes
echo "<br />Input contains illegal characters.";
else
// No
echo "<br />Input is valid.";
}
// If either parameter is blank when form is submitted, reject input
elseif (isset($_POST['btn1']))
echo "<br />You submitted a blank username and/or password.";
}
PHP:
form_validation($_POST['txt1'],$_POST['pwd1']);
The line "if (preg_match("/[^a-z\.^A-Z\.^0-9\._\.]/",$username.$password))" is the heart of our function; it checks for any characters in $username and $password besides those defined as the first parameter in preg_match() (i.e. alphanumeric characters and the underscore); it then outputs some info which changes based on the result. Normally, preg_match() checks a string for the first occurence of a set of characters (defined as, for example, "\abc\"). In our case, we've grouped together four sets (a-z, A-Z, 0-9 and the underscore), and set the function to check for characters other than those. The other parameter is the string to check. Notice that $username and $password are concatenated, or joined together; this means here they're treated as one string, which is faster than checking them separately.
So now that we know how our function works, it's time to implement it. Although "PHP mode" can be entered into anywhere in the script, I prefer placing it before the form closing tag since the form is what the function is dealing with. So for me, and if you've been following me all the way, the script would look like this:
HTML:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/2002/REC-xhtml1-20020801/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Filter Chars Test</title>
</head>
<body>
<form action="filterchars.php" method="post">
<p>Username: <input type="text" name="txt1" /></p>
<p>Password: <input type="password" name="pwd1" /></p>
<p><input type="submit" name="btn1" value="Validate" /></p>
<?php
function login_validation($username,$password)
{
if (strlen($username) > 0 && strlen($password) > 0)
{
if (preg_match("/[^a-z\.^0-9\._]/i",$username.$password))
echo "<br />Input contains illegal characters.";
else
echo "<br />Input is valid.";
}
elseif (isset($_POST['btn1']))
echo "<br />You submitted a blank username and/or password.";
}
login_validation($_POST['txt1'],$_POST['pwd1']);
?>
</form>
</body>
</html>
Finally, thank you for taking the time to read this tutorial (IF you read it)!
Last edited: