I think you should make some hard and fast rules about your input. Say, length or only numbers and test your input against them. Then start with your regular expressions.
If you receive any errors, push an error string onto an array. When you go and display your page after the user hits submit and the form starts to process the input, if the array is not empty, display the errors; don't die().
If you are a good webmaster (and we know that you are!), you will fill the partial form out with the user's input from the submission, as we know that no one likes to input anything twice. :-)
Log the bad submissions because then you can decide whether or not to add more checks into your code.
Also, it is good to use the (add|strip)slashes when handling data from your database.
#1 rule? Don't trust the user to do anything you ask. That includes adding things like if ($admin == 1) with things like register_globals. I can easily add ?admin=1 to the form and have superuser access to your website. Remember to turn register_globals off and use _GET, _POST, etc. with the _SERVER["REQUEST_METHOD"] variable.
Check things like referrers (not always accurate or should be taken into consideration).
Put a hidden variable on your form and put that variable into a database. When the user submits the form, make sure that variable is in the database (for a short time). That will cut down on spoofing.
__________________
"You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip
Last edited by trache; 05-01-2006 at 08:48 PM.
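An added PHP example, not code from the original post, that puts the steps above together: hard rules before regular expressions, errors collected in an array rather than die(), a hidden one-time token checked against a server-side store, and processing only on a real POST. The field names, the rules and the token store are assumptions.

```php
<?php
// Added example, not from the original post. Field names, rules and the token store
// are assumptions; the store is a plain array keyed token => expiry, standing in
// for the post's "put that variable into a database".
$tokenStore = [];

function issue_token(array &$store, int $ttl = 600): string {
    $token = bin2hex(random_bytes(16));   // unguessable hidden form value
    $store[$token] = time() + $ttl;        // valid for a short time only
    return $token;
}

function consume_token(array &$store, string $token): bool {
    if (!isset($store[$token]) || $store[$token] < time()) {
        return false;          // unknown, already used, or expired
    }
    unset($store[$token]);     // one-time use
    return true;
}

function validate_submission(array $post, array &$store): array {
    $errors = [];
    $name = is_string($post['name'] ?? null) ? trim($post['name']) : '';
    $age  = $post['age'] ?? '';
    // Hard and fast rules first (length, only numbers), then the regular expressions.
    if ($name === '' || strlen($name) > 40) {
        $errors[] = 'Name must be 1 to 40 characters.';
    } elseif (!preg_match('/^[A-Za-z][A-Za-z \'-]*$/', $name)) {
        $errors[] = 'Name may only contain letters, spaces, apostrophes and hyphens.';
    }
    if (!is_string($age) || !ctype_digit($age) || (int)$age < 1 || (int)$age > 120) {
        $errors[] = 'Age must be a whole number between 1 and 120.';
    }
    if (!consume_token($store, (string)($post['form_token'] ?? ''))) {
        $errors[] = 'Form token missing or expired; please reload the form.';
    }
    if ($errors) {
        error_log('Bad submission: ' . json_encode($errors));  // log it, as the post advises
    }
    return $errors;   // caller shows these and re-fills the form; never die()
}

// Only process a real POST, as the post suggests with REQUEST_METHOD.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $errors = validate_submission($_POST, $tokenStore);
    // Re-fill the form with htmlspecialchars($_POST['name'] ?? '') and show $errors.
}
```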