
My form has several types of inputs including text, checkbox and radio. I'd like to make sure the form is secure. I used the Prestashop functions isGenericName and isCleanHtml to check the text and comment fields, ensuring the fields are valid.

Prestashop Validate.php

```php
public static function isGenericName($name)
{
    return empty($name) || preg_match('/^[^<>={}]*$/u', $name);
}

public static function isCleanHtml($html, $allow_iframe = false)
{
    // Note: 'onmmouseup' as written here does not match 'onmouseup', so an
    // onmouseup= handler attribute is not caught by this event check.
    $events = 'onmousedown|onmousemove|onmmouseup|onmouseover|onmouseout|onload|onunload|onfocus|onblur|onchange';

    if (preg_match('/<[\s]*script/ims', $html) || preg_match('/('.$events.')[\s]*=/ims', $html) || preg_match('/.*script\:/ims', $html))
        return false;

    if (!$allow_iframe && preg_match('/<[\s]*(i?frame|form|input|embed|object)/ims', $html))
        return false;

    return true;
}
```

This is how the function is called in the form PHP file.

```php
if (!Validate::isCleanHtml($message))
    $this->errors[] = Tools::displayError('Invalid message');
elseif (!Validate::isGenericName($fname))
    $this->errors[] = Tools::displayError('Invalid First Name.');
```

So my questions are: is it OK to not produce an error message for inputs such as check boxes and radio boxes that are not valid? The only reason they'd be invalid is if someone hacked the code before sending. Or is there a better way to strip and secure the inputs?

```php
$checkbox = Tools::getValue('checkbox'); // the key had a trailing space, which would never match the posted field name
if (Validate::isGenericName($checkbox))   // accept the value only when it passes the check
    $validCheckbox = $checkbox;
```

I have 68 inputs I want to make sure are secure. Is there a good PHP function that can strip out and stop any sort of SQL injection? Prestashop documents state "getValue() does not protect your code from hacking attempts (SQL injections, XSS flaws and CRSF breaches). You still have to secure your data yourself." I'm thinking I'll need to scrub it all through trim(), stripslashes(), htmlspecialchars() but I didn't know of the most efficient way.

N13Design
  • #1 rule of web software: never **EVER EVER EVER** trust anything submitted by the client. Assume **EVERYTHING** is malicious/hostile/bad/invalid and deal with it appropriately. http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Marc B Apr 16 '15 at 15:12
  • You'll have to sanitise your input based on what you're doing with it - `htmlspecialchars()` might not be a huge amount of help if you're plopping it straight into a database but it will help if you're spaffing the data out to the screen (in HTML anyway)... even a library like HTMLPurifier won't necessarily help against SQL injection attacks. There's no magic bullet here I'm afraid, trust nothing and clean everything in the most appropriate manner. – CD001 Apr 16 '15 at 15:14
  • You also have to make sure that you handle things like [Preventing SQL Injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Apr 16 '15 at 15:15
  • 68 fields... I would suggest something like this: http://php.net/manual/es/function.array-map.php#102130 BUT - it is not 100% secure and: http://php.net/manual/en/function.mysql-real-escape-string.php... You should know what values you are expecting - so, you can check if the received value == the expected value. E.g. for checkboxes or radio button groups, you can make an array of the values you are expecting ('option1', 'option2',...'optionX') - if the $_POST value is not in the 'expected values' array -> stop script/submission... That's maybe not efficient, but it is secure. – sinisake Apr 16 '15 at 15:27
  • Ok so Prestashop uses PDO to protect against SQL injections. Could I add all three functions I talked about? `$fname = htmlspecialchars(strip_tags(trim(Tools::getValue('fname'))));` – N13Design Apr 16 '15 at 16:01

1 Answer


To prevent first-order SQL injection you can use PDO with MySQL prepared statements. And when you want to display it on the HTML page, use

```php
htmlspecialchars(trim($value), ENT_QUOTES, "UTF-8")
```

Make sure you set the appropriate character encoding in your response header correctly and use the meta tag to indicate the character encoding of your HTML.

```html
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
```

If you ever need to update the HTML output back into the database, use

```php
htmlspecialchars_decode(trim($value))
```

This should give you some protection.

frz3993
  • Thanks. I checked and Prestashop used PDO. I ended up using `$fname= htmlspecialchars(strip_tags(trim(Tools::getValue('fname'))));` and a few other variations. – N13Design Apr 23 '15 at 17:38
  • for more secure: `htmlspecialchars(addslashes(trim($value)), ENT_QUOTES, "UTF-8")` – ramin Jan 20 '23 at 09:14
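One way to put the answer's advice (prepared statements for storage, `htmlspecialchars` at output time) together with sinisake's allowlist suggestion for the checkbox and radio fields, as an added example that is not code from the question, the answer or PrestaShop itself. The `$pdo` connection, the `contact_messages` table and the allowed radio values are assumptions made for the illustration.

```php
<?php
// Added example, not code from the question, the answer or PrestaShop.
// Assumes an existing PDO connection $pdo and a hypothetical table
// contact_messages(first_name, message, contact_pref); CONTACT_PREFS is made up.

// Radio/checkbox fields: the form only offers a fixed set of values,
// so compare the submitted value against that set and reject anything else.
const CONTACT_PREFS = ['email', 'phone', 'none'];

function validChoice(string $value, array $allowed): ?string
{
    return in_array($value, $allowed, true) ? $value : null;
}

// Free-text fields: check shape (same regex as PrestaShop's isGenericName)
// and keep the raw trimmed value; HTML encoding happens at output time only.
function validateInput(array $post): array
{
    $errors  = [];
    $fname   = trim((string) ($post['fname'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));
    $pref    = validChoice((string) ($post['contact_pref'] ?? ''), CONTACT_PREFS);

    if ($fname === '' || preg_match('/^[^<>={}]*$/u', $fname) !== 1) {
        $errors[] = 'Invalid First Name.';
    }
    if ($message === '') {
        $errors[] = 'Invalid message';
    }
    if ($pref === null) {
        $errors[] = 'Invalid contact preference.'; // missing or tampered radio value
    }
    return [$errors, ['fname' => $fname, 'message' => $message, 'pref' => $pref]];
}

// Storage: bound parameters keep the values out of the SQL text, so no
// escaping (addslashes, mysql_real_escape_string) is applied to the data.
function storeMessage(PDO $pdo, array $row): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO contact_messages (first_name, message, contact_pref)
         VALUES (:fname, :message, :pref)'
    );
    $stmt->execute([':fname' => $row['fname'], ':message' => $row['message'], ':pref' => $row['pref']]);
}

// Output: encode once, at render time, for the HTML context the value lands in.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```

With this split, the same stored value can later be rendered in HTML through `h()` or passed to another context with its own encoder, which is why the example does not HTML-encode before storage.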