I wanted to ask how I can secure my form from hackers who try to edit the input name. I mean... what I am trying to ask is the following:

```html
<!-- method="post" added so the fields arrive in $_POST, as the handler below expects -->
<form action="?page=forumpost&action=posttopic" method="post">
    <input type="hidden" name="parrentID" value="1">
    <input type="text" name="post_name">
    <input type="submit">
</form>
```

You see that form? Let's say I open the inspect element option, and I decide to change the

```html
<input name="">
```

When I click the submit button after I edit the input name, I get redirected to the other page ?page=forumpost&action=posttopic where my form is processed. Of course, I get a PHP error "Undefined index: post_name". The server is searching for post_name; instead of that, a blank name was sent to the server, which resulted in that error. This is the code that throws the error.

```php
<?php
// The POST keys are read without checking that they exist, so a renamed or
// removed form field triggers the "Undefined index" notice.
if ($_GET['action'] === "posttopic") {
    posttopic($_POST['parrentID'], $_POST['postname']);
}

function posttopic($parrentID, $postname)
{
    // Form code here
}
```

How can I prevent this from happening? Of course, I am using prepared statements, htmlspecialchars(), stripslashes(), strip_tags(), and additionally checking the min/max length of the input. But that doesn't prevent the user from making my server throw an error. I can disable the errors, but I don't find that a good solution. A few security tips about forms would be welcome. Also, is there a way for the user to somehow hack my website through playing with fake forms or something...?

  • You need to add checks server-side if the values are set, use `isset()`. – Qirel Mar 21 '19 at 08:33
  • Are you blindly using `htmlspecialchars(), stripslashes(), strip_tags()` on all input? Do you know what they do, or where they should be used? – Qirel Mar 21 '19 at 08:34
  • Of course I do. strip_tags removes the tags; in this case adding htmlspecialchars seems kind of pointless, but I also add that for additional security. And about the stripslashes, I think that's also unnecessary, but I add it just in case there is a hole that is reachable by them. – Black Sun Phoenix Entertainmen Mar 21 '19 at 08:38

1 Answer

Just check that all values are set before processing the data.

```php
<?php
// isset() with several arguments returns true only if every key exists and is not null
if (isset($_GET['action'], $_POST['parrentID'], $_POST['postname']) && $_GET['action'] === "posttopic") {
    posttopic($_POST['parrentID'], $_POST['postname']);
}
```

Also, you mention using htmlspecialchars(), stripslashes(), strip_tags() - are you aware of what these functions do? You risk mangling the data in ways you didn't intend to.

  • htmlspecialchars() should only be called on output and not input. Storing values in the database with that function will make it a nightmare to search. Store clean text in the database, and instead do echo htmlspecialchars($myValue); when printing text around the website.
  • stripslashes() is not needed if you are using a prepared statement (this is a function that "could help" if you are not using a prepared statement; alternatively, escape the input). Just keep your prepared statement and ditch this function.
  • strip_tags() strips HTML tags, which could be useful - depends on your approach, but if you're using htmlspecialchars() on your output (again, not input!), it's redundant.
  • Perfect, just the answer I needed. – Black Sun Phoenix Entertainmen Mar 21 '19 at 08:40
  • Yeah, I am aware of everything that you said; I am coding a simple forum that doesn't have any search bars or anything else. Just posting text. Thanks for telling me about the stripslashes, I will remove this code. I thought that I could be vulnerable to XSS somehow through them. – Black Sun Phoenix Entertainmen Mar 21 '19 at 08:44
  • If you're using a prepared statement to handle your queries, and use `htmlspecialchars()` on any output that *could* be user-input, you're in the clear. This will also make HTML-input render as text, by replacing `<` with `>`, so you don't have to use `strip_tags()` (unless you have a different reason for removing it, of course). If you're worried about XSS, also make sure your charsets are the same throughout the application (recommend you use UTF8, see [this previous answer of mine](https://stackoverflow.com/a/31899827/4535200)). – Qirel Mar 21 '19 at 08:55
  • I just checked mine. I added to my PDO connection charset=big5;. My database uses that. So, am I fine now? – Black Sun Phoenix Entertainmen Mar 21 '19 at 09:14
  • The charset throughout your application should be the same, I recommend UTF8. `big5` is not the same as UTF8. It needs to be the same in all your headers, all your MySQL connections, your MySQL tables... Everywhere. :-) – Qirel Mar 21 '19 at 09:25