To protect our web application, the first thing is never trust any input. We must escape every inputs properly. Php comes with many escape functions .For input escaping , htmlentities() function converts all applicable characters to HTML entities. It has 4 parameters. The first arguments takes the string to escape. The second argument is the quote style. There are 3 types of styles:
1. ENT_COMPAT: this will convert double quotes and leaves the single quotes.
2. ENT_QUOTES: this will convert both single and double quotes.
3. ENT_NOQUOUTES: this will leave both single and double quotes.
The third parameter is the charset. The default is ISO-8859-1 and the fourth parameter is double_encodes. If it is set to off , then php will not encode existing html entities, the default is On.
There is a similar function called htmlspecialchars() with the exception is that htmlentities convert all characters and htmlspecialchars encodes only special characters.
The translations performed are:
• '&' (ampersand) becomes '&'
• '"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
• ''' (single quote) becomes ''' only when ENT_QUOTES is set.
• '<' (less than) becomes '<'
• '>' (greater than) becomes '>'
This function has the same 4 parameters of htmlentities. These 2 function uses the html translation table. We can find with the function get_html_translation_table.
$trans = get_html_translation_table(HTML_ENTITIES);
$str = "Hallo &
$encoded = strtr($str, $trans);
echo $encoded;
?>
We can decode the encoded string with respective decode functions : html_entity_decode and htmlspecialchars_decode .
The functions urlencode and rawurlencode is used for encoding data on the url. This helps to hide any important data from possible attackers. The difference between these 2 is that the first function converts spaces into ‘+’ sign. Urldecode and rawurldecode decodes the encoded data. The encoded data in $_GET and $_REQUEST method automatically decodes data.
Filtering data:
So, We must filter any input data before use. There are 2 approaches .
1. Blacklist approach: In this approach, we assume every thing is secure except the some given listed data. If any input matches the given data, we will treat is as tainted.
2. Whitelist approach: This approach assumes that all are tainted except some given data. If a data matches this given data, then we can say this data is safe to proceed.
We can use ctype_* and is_* functions for filtering inputs. These functions check whether the given data is our required data type.
if (ctype_alpha($_POST[’username’]))
{
$clean[’username’] = $_POST[’username’];
}
if (ctype_alnum($_POST[’password’]))
{
$clean[’password’] = $_POST[’password’];
}
$colours = array(’Red’, ’Blue’, ’Yellow’, ’Green’);
if (in_array($_POST[’colour’], $colours))
{
$clean[’colour’] = $_POST[’colour’];
}
Here we are checking the input data whether they are of specified type. Sometimes client-side javascript validation is not necessary for filtering, as there is one security issue called ‘spoofed form’. We will talk about this later. So, we must not rely on client-side javascript. We need to use server side filtering also.
This is not all about web security in php world. We will focus on the rest later on.
List of my works:
Technical Support:
If you still face the technical problem, please get support of our highly skilled technical team: garazlab.com.
Wordpress Plugins:
If you still face the technical problem, please get support of our highly skilled technical team: garazlab.com.
Wordpress Plugins:
- Real-Time Health Data from Every Where:WP plugin to display real-time health data & increase sale by promoting user specific products according to health information: garazlab.com.
- Woocommerce Stock Notification Builder:Sends desktop, mobile & email notifications with full customization.Build your own product notification system with it: garazlab.com.
Opencart Extensions:
- Product Based Quantity Wise Shipping: Find it here.
- OpenSSLCOMMERZ: integrate SSLCOMMERZ with opencart: Find it here.
- Fine Search v.1.0 - Improves Opencart search feature to find relevant: Find it here.
- Opensweetcaptcha - An easy way to generate attractive captcha for your system!: Find it here.
- Custom Field Product - add unlimited custom fields to the product form: Find it here.
- Formcaptcha - add captcha on the register page: Find it here.