On 07/28/2013 12:38 PM, Ashley Sheridan wrote:
On Sun, 2013-07-28 at 13:37 -0400, Jim Giner wrote:

Never write your own form?  I'm guilty - oh, so guilty.  What exactly is
a 'security hardened' form?

- All forms need a valid CSRF token to avoid CSRF attacks. This needs to be matched between the submitted form and server-maintained state. Do all of your forms have that? Every single one? (A GET lookup form like a search box doesn't need it, but anything with POST does, I'd argue.)

- Do you have a select element? Do you have error handling for when someone submits a value for it that wasn't one of the option elements?

- Your text input field has a max length of 20. Does your code return an error when the user enters a string of 100 characters?

- Are you checking for weird edge-case-y character encoding issues? (Some versions of some browsers can be hacked by sending UTF-7 instead of UTF-8 for certain parts of the request. I don't fully understand that stuff myself, either.)

- You have a "number" field (HTML5). Does your PHP code handle someone submitting a string anyway?

- Are you checking all of those correctly every single time you write a form?

Remember, a form POST is not a form submission. It's a wide open RPC call for the entire Internet, for which you provide casual suggestions via HTML. Always assume an attacker bypasses the HTML and just POSTs variables right at your server. I'm probably forgetting a few things in the list above, too.

Hence, for 98% of cases, if you're writing your own <form> and <input> tags, you're doing it wrong. :-) Maybe you end up with your own PHP library to do that for you that handles all of the above, but... why, when there are so many already that do a better job than you can on your own (because they've had dozens of smart people including security experts working on them)?

I would say code forms on your own first, as a learning experience, then
use frameworks once you know what you're doing.

That I'll agree with. "Do it manually for the learning, then use a battle-hardened tool for real work" is a generally good approach to many things in programming.

--Larry Garfield
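The checklist above, carried through in code. This is an added example, not code from Larry, Ashley or the list; the field names (name, role, age), the role options and the age range are hypothetical, chosen only to give each check in the list something to act on. The validator takes the raw POST array and the session array as plain parameters so it runs from the command line without a web server or a real session.

```php
<?php
declare(strict_types=1);

// Hypothetical field set: name (text, maxlength 20), role (select), age (number).
const ROLE_OPTIONS = ['viewer', 'editor', 'admin'];
const NAME_MAX_LEN = 20;

// Issue a per-session CSRF token; call this when rendering the form and
// embed the value in a hidden input.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Validate a raw POST body against server-side rules. Returns a list of
// error strings; an empty list means the submission is acceptable.
function validate_profile_form(array $post, array $session): array
{
    $errors = [];

    // 1. CSRF: the submitted token must match server-held state, compared in
    //    constant time. A missing session token fails closed.
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || empty($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $sent)) {
        $errors[] = 'csrf: token missing or invalid';
    }

    // 2. Every field must arrive as a string. PHP will happily deliver an
    //    array for "name[]=x", which would break the string checks below.
    foreach (['name', 'role', 'age'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "$field: missing or not a scalar";
        }
    }
    if ($errors) {
        return $errors; // values of malformed fields are not worth inspecting
    }

    // 3. Encoding: reject anything that is not well-formed UTF-8 before any
    //    length or character checks (mb_strlen on invalid bytes is meaningless).
    foreach (['name', 'role', 'age'] as $field) {
        if (!mb_check_encoding($post[$field], 'UTF-8')) {
            $errors[] = "$field: not valid UTF-8";
        }
    }
    if ($errors) {
        return $errors;
    }

    // 4. maxlength="20" is only a hint to the browser; enforce it here, in
    //    characters rather than bytes.
    $name = trim($post['name']);
    if ($name === '' || mb_strlen($name, 'UTF-8') > NAME_MAX_LEN) {
        $errors[] = 'name: must be 1-' . NAME_MAX_LEN . ' characters';
    }

    // 5. <select>: the value must be one of the options we rendered, with a
    //    strict comparison so "0" or "" cannot match loosely.
    if (!in_array($post['role'], ROLE_OPTIONS, true)) {
        $errors[] = 'role: not an allowed option';
    }

    // 6. <input type="number">: the value still arrives as a string. Validate
    //    it as an integer in range instead of casting, which would silently
    //    turn "36abc" into 36.
    $age = filter_var($post['age'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors[] = 'age: must be an integer between 13 and 120';
    }

    return $errors;
}

// Constructed demonstration: a session holding a token, one honest submission
// and one that skips the HTML and POSTs whatever it likes.
$session = [];
$token = csrf_token($session);

$honest = ['csrf_token' => $token, 'name' => 'Ada', 'role' => 'editor', 'age' => '36'];
$forged = [
    'csrf_token' => 'guess',
    'name'       => str_repeat('A', 100), // ignores maxlength
    'role'       => 'superuser',          // never rendered as an <option>
    'age'        => '36abc',              // type="number" bypassed
];

print_r(validate_profile_form($honest, $session));
print_r(validate_profile_form($forged, $session));
```

The UTF-7 point in the list is a browser-side charset-sniffing problem rather than something the validator can fully solve; the usual server-side countermeasures are to send an explicit `Content-Type: text/html; charset=UTF-8` header on every response and to reject request bytes that are not valid UTF-8, which is what step 3 does. Note also that the checks are ordered so that type and encoding failures short-circuit before any function that assumes a well-formed string runs.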

PHP General Mailing List (http://www.php.net/)