How to protect $_POST and params from hackers

Question

I'm using this with html2canvas.js to generate and save images from HTML.

I use url params to make this work - eg: website.com/?price=10&name=xxx

All ok untill here - the script works fine - images are saved in /cart/ dir

<?php
$image = $_POST['image'];
$username = $_POST['username'];
$front_class = $_POST['front_plass'];
$decoded = base64_decode(str_replace('data:image/png;base64,', '', $image));
$date = date('d-M-Y-h-i-a', time());
$curdir = getcwd();
$cartDir = $curdir ."/cart";
$userDir = $cartDir.'/'.$username;
if (!file_exists($userDir)) {
    mkdir($cartDir.'/'.$username, 0777);
}
$name = $front_class."-front-".$date.".png";
$full_path = $userDir.'/'.$name;
$name1 = 'cart/'.$username.'/'.$name;
function ImageFillAlpha($image, $color) {
    imagefilledrectangle($image, 0, 0, imagesx($image), imagesy($image), $color);
}
function imageCreateCorners($sourceImageFile, $name, $radius) {
...
}
file_put_contents($full_path, $decoded);
imageCreateCorners($full_path, $name, 25);
echo '<img src="'.$name1.'" alt="front" id="front_img" />'; 
?>

And the js

 html2canvas($('#front'), {
        "logging": true,
        //"proxy":"html2canvasproxy.php",
        "onrendered": function(canvas){
               var dataURL = canvas.toDataURL("image/png");
               $.post('image_front.php',{
                    image: dataURL,
                    username: username,
                    front_class: frontClass
               },function(data){
                    $('.imageHolder_front').html(data);
               });
        }
});

The problem is that someone hacked me twice yesterday thought this and I need to protect the $_POST or the params can be the problem?

Any help here please? I'm not really good with backend development - more with frontend.

Thanks.

Answer 1

Sanitize your user input. In general: Don't ever ever ever trust user input!

I would recommend the very good writeup from @Charles in the first answer of this question: What are the best PHP input sanitizing functions?

Answer 2

You made a couple of big mistakes.

First, validate your POST data as @JohnConde said, don't use them directly in your code, ever.

Second, don't create directory with 777 permission on your server, since everybody will be able to write into it and hack you that way.

Answer 3

You cannot "protect" parameters. Your server is a box which receives arbitrary HTTP requests and returns HTTP response. Realise this: anybody can send any arbitrary HTTP request to your server at any time containing any data they wish. You do not control what somebody sends you. The only thing you control is what you do with this data. Expect this data to not conform to your expectations. In fact, expect it to be malicious. Validate it instead of assuming it conforms to any particular format. Never blindly use user provided data in something like SQL queries or in constructing file paths without escaping/binding/validating/confirming the data, or you might be building strings you didn't expect to.

This is the one fundamental truth of all programming. You need to write your applications from the ground up with this in mind. There is no easy fix, there's only diligence.

Answer 4

Hackers can hack even if you are not using url parameters.

It has to be done in the backend. Before interacting with database you have check whether the parameters are what you are expecting. For example you should not allow single quotes in your params, this will actually allow hackers to add some more queries to your query.

Use mysqli prepared statements