
I am creating a website where I try to respect the Model, View, Controller architecture. Sometimes I am calling PHP functions in the HTML View part, such as in the form below:

  <html>
  <form role="form" action="#" method="POST">
    <div class="col-sm-6">
      <?php $workinghours->isCheckedWH($db, 'workinghours', $id, 'day', 'open', 'closed', 'check_list[]'); ?>
    </div>

    <div class="row">
      <div class="col-sm-offset-1 col-sm-8">
        <br>
        <button type="submit" class="btn btn-default" name="modify_wh" value="modify">Modify</button>
      </div>
    </div>
  </form>
  </html>

Are there any risks in terms of security for doing this? Could someone modify the parameters in the function to make everything crash? If yes, what would be the best solution to prevent it?

Thanks a lot.

michltm
  • It's perfectly fine. There won't be any security issues unless you're doing something like doing queries without escaping input or something of the sort. – Andrei Aug 31 '15 at 09:36
  • PHP executes on the server end, so there would be no issue. No one can even view the PHP. @andrew is correct: unless you are fetching queries without having security measures, it's 100% safe. – Farhan Aug 31 '15 at 09:39

2 Answers


Users cannot "see" or crash your functions, since the server response is completed HTML (or another format: XML, text, ...).

Users can crash your code, for example, if you use request data without filtering:

$workinghours->isCheckedWH($db, 'workinghours', $_GET['id'], 'day', 'open', 'closed', 'check_list[]'); 
Taron Saribekyan
  • So for example, nobody could modify the HTML to: $workinghours->isCheckedWH($db, 'workinghours','xxx', 'open', 'closed', 'check_list[]'); where xxx wouldn't exist in the database and therefore make a crash? Or could someone add a parameter that the PHP function wouldn't understand? I'm sorry if the answers already answer these questions, but I'm very new to all this! – michltm Aug 31 '15 at 12:04
  • @michltm E.g. parameter **xxx** can be some query or bracket, and if in your function `isCheckedWH` you use it without filtering or checking, it may "break" your logic (SQL injection or XSS, or something else maybe) – Taron Saribekyan Aug 31 '15 at 13:51

Your PHP code will never reach the client, because it's interpreted on the server. Displaying data in such a way is not problematic security-wise, but you should be careful when taking input from users, because of possible code injections, such as SQL injections.

You should always sanitize and validate user input. There's already a post that describes this in a bit more detail.

Blaž Zupančič
  • One does not sanitize input with `htmlspecialchars()`. You render HTML and JS code in outputs harmless, but you don't do anything with it on inputs. – Charlotte Dunois Aug 31 '15 at 10:19
  • @CharlotteDunois: Correct, but be careful outputting to js. `htmlspecialchars` is not suitable for this. Here you want `\x62` format (hex entity encoding). – SilverlightFox Aug 31 '15 at 14:40
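An added example (not code from the question or from either answer) that puts both answers' advice into one place: the first answer's warning about passing `$_GET['id']` straight into `isCheckedWH`, and the second answer's point that input is validated while output is escaped. The body of `isCheckedWH`, the `workinghours` table layout and the in-memory SQLite database are assumptions made for the demo; the page does not show the real function.

```php
<?php
// Hypothetical isCheckedWH() rebuilt for the demo; the poster's real function is not on the page.
// Requires the pdo_sqlite extension; the table and rows below are constructed sample data.

// 1. Validate the request parameter: it must be a positive integer, otherwise stop.
//    ('7' is a constructed default so the script also runs from the CLI, where $_GET is empty.)
$id = filter_var($_GET['id'] ?? '7', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE workinghours (id INTEGER, day TEXT, open TEXT, closed TEXT)');
// The second row carries a stored XSS payload to show why output escaping still matters.
$db->exec("INSERT INTO workinghours VALUES (7, 'Mon', '09:00', '17:00'), (7, 'Tue<script>', '10:00', '16:00')");

function isCheckedWH(PDO $db, int $id, string $checkboxName): string
{
    // VULNERABLE shape from the first answer (kept as a comment, never run):
    //   $db->query("SELECT ... WHERE id = " . $_GET['id']);
    // 2. Bind the value instead: the SQL text is fixed, so an input such as
    //    "7 OR 1=1" cannot change the query's structure (and fails step 1 anyway).
    $stmt = $db->prepare('SELECT day, open, closed FROM workinghours WHERE id = :id');
    $stmt->execute([':id' => $id]);

    $html = '';
    $name = htmlspecialchars($checkboxName, ENT_QUOTES, 'UTF-8');
    foreach ($stmt as $row) {
        // 3. Escape at output time: data read back from the database is untrusted too.
        $day    = htmlspecialchars($row['day'],    ENT_QUOTES, 'UTF-8');
        $open   = htmlspecialchars($row['open'],   ENT_QUOTES, 'UTF-8');
        $closed = htmlspecialchars($row['closed'], ENT_QUOTES, 'UTF-8');
        $html  .= "<label><input type=\"checkbox\" name=\"$name\" value=\"$day\"> $day: $open-$closed</label>\n";
    }
    return $html;
}

// Same call shape as the view in the question, with the validated id.
echo isCheckedWH($db, $id, 'check_list[]');
```

Run as `php -S localhost:8080 file.php` and request `?id=7` and `?id=abc` to see the rendered checkboxes (with `Tue&lt;script&gt;` escaped) and the 400 response respectively.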