0

I was just wondering if this is the safest and best way to handle a form submission, i am trying to find the most "safest" and presented for my coding views,

PHP

<?php
if(isset($_POST['submit'])) {
 //Handle the form here with many $_POST['namehere']
}
?>

HTML

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
<label>Email</label>
     <input name="email" type="text">
<label>Password</label>     
     <input type="password" name="password">
<label>Submit</label>     
     <input type="submit" name="submit">
</form>

Would this be deemed as the only way possible to do this and the most secure ?

Curtis Crewe
  • 37
  • 5
  • 1
    Why do you think that this is more secure? Where do you think there are security flaws? I don't quite get it. – chrki Feb 24 '13 at 12:53
  • I'm not stating that i have security flaws, i'm just wondering if someone could inspect element and change a value name etc.. to process a form that shouldn't be posted on that page or something like that – Curtis Crewe Feb 24 '13 at 12:54
  • `` -- this is [not safe](http://jetlogs.org/2007/08/06/php-_serverphp_self-is-unsafe/). – Ja͢ck Feb 24 '13 at 12:55
  • ` – hjpotter92 Feb 24 '13 at 12:56
  • Of course anyone could change the form field's names and values however they like, you need to make sure in the part where you evaluate the data that 1. everything is filled and 2. everything is valid, e.g. no email addresses without @ – chrki Feb 24 '13 at 12:56
  • @Jack that article you linked, it's incorrect. You can't do that with a properly configured php installation with POST. – markus Feb 24 '13 at 13:01
  • Maybe you should reflect about what your code actually does: `isset($_POST['submit'])` tests whether there is a POST parameter named *submit*; nothing more, nothing less. – Gumbo Feb 24 '13 at 13:01
  • @markus Care to elaborate on "properly configured"? – DaveRandom Feb 24 '13 at 13:14
  • Yep, I see that I'm partly wrong. I have to elaborate on that in my answer. – markus Feb 24 '13 at 13:26
  • @CurtisCrewe rule of thumb for forms: *anyone* can submit *any* data to *any* form. – DisgruntledGoat Feb 24 '13 at 13:42

4 Answers4

1

This is hard to answer, because there's not much code to go by, however:

Don't use PHP_SELF

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">

Don't do this, or at least sanitize the value, because using the raw value leaves the site open to XSS attacks! Posting to yourself can be done simply like this:

<form action="" method="POST">

Alternatively, use an absolute (and static) URI as the form destination.

Addendum

Don't let others talk you into thinking that you're somehow magically protected against it because you're hosting a small site, using some framework xyz or that some browsers will stop it. Find out for yourself and take appropriate action.

On SSL

If you submit sensitive data, you should use SSL! Anything else is a joke in comparison.

On CSRF

Forms that cause a state change in your site and use cookies to perpetuate sessions should be protected by CSRF tokens; the token must be part of the form submissions and are regenerated once used.

On SQL injection

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Tidbits (not actually related to security)

if(isset($_POST['submit'])) {
 //Handle the form here with many $_POST['namehere']
}

This code assumes you will always have a submit button on your form that's called submit. A more generic approach is to use this condition:

if ($_SERVER['HTTP_METHOD'] === 'POST') {
    // something was submitted
    if (isset($_POST['email'], $_POST['password']) {
        // email and password submitted
        // you may still wish to verify whether a "valid" email was given
    }
}
Zoe
  • 27,060
  • 21
  • 118
  • 148
Ja͢ck
  • 170,779
  • 38
  • 263
  • 309
1

What you have there is just a form. It's neither secure nor insecure. What defines whether or not a form is secure is how you transmit the data to the server and how you handle the input on the server side.

A secure login form...

  • posts its content to the server via HTTPS (SSL)
  • does proper validation of all inputs server side
  • doesn't allow for SQL injection
  • uses a hidden field with a properly validated anti CSRF token
  • uses a server with a hardened Apache/PHP installation

About the PHP_SELF XSS exploit:

  • The article Jack links in his comment suggest a string that actually doesn't work
  • Under certain circumstances* there is a possibility for this XSS attack, the question is, how easily can it be exploited? The vulnerability is client side so it can't be exploited directly, you need to engineer something around it (reflected attack), say a fake email action where I pretend to be your site and provide a link for you to login while letting you post your credentials to my site. Or a stored attack but if I'm able to do that, your site has a bigger problem than PHP_SELF XSS.
  • Sure, the best thing is just in case avoiding the use of PHP_SELF and replace it with htmlspecialchars($_SERVER['SCRIPT_NAME']) for example.

* Circumstances

  • The exploit doesn't work with most modern PHP frameworks, even if they're not protecting and really using PHP_SELF, because the url including the attack string would not match any allowed url route.
  • Browsers have started implementing XSS protection. E.g. the exploit doesn't work in Chrome/WebKit and IE8+ but it works in Firefox, at the time of writing.
  • Small, private sites are very very unlikely to be a target of such an attack, since it takes some effort to engineer one. Targets are usually social networks and similar sites.
markus
  • 40,136
  • 23
  • 97
  • 142
  • Care to explain what would happen if a POST action shows the same form again (in case of validation errors for example)? – Ja͢ck Feb 24 '13 at 13:18
  • @Jack One should be using a PRG pattern in that situation so I don't think that's really relevant if we are talking about best practices, but it is a fair point – DaveRandom Feb 24 '13 at 13:20
  • @DaveRandom Sure, but it's convenient to show the submitted values in the form again; otherwise you'd be looking at sessions. – Ja͢ck Feb 24 '13 at 13:20
  • I'm partly wrong and will change my post accordingly and add some additional info. – markus Feb 24 '13 at 13:26
1

To beef up the security of your form, you should look into using XSRF keys/tokens. These will make it much harder for requests from sites outside your domain to succeed in calling your script.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

http://query7.com/preventing-csrf-in-php

Nick Pickering
  • 3,095
  • 3
  • 29
  • 50
1

You can improve a few points!

1. Don´t use PHP_SELF

Leave the action-formtag empty 

<form action='' method='post'>

2. Escape the SQL-chars

If you want to work with databases you should escape the SQL-chars from the String. Use:

[mysql_real_escape_string($string)][1]

Check the values for data types

If you have a from field that only expects full numbers you should delete all letters. You can change the type of a PHP-variable by writing the wanted type in brackets in front of the variable like this:

$number=(int) $value;
Maximii77
  • 93
  • 1
  • 8