On 07/28/2013 12:38 PM, Ashley Sheridan wrote:
On Sun, 2013-07-28 at 13:37 -0400, Jim Giner wrote:
Never write your own form? I'm guilty - oh, so guilty. What exactly is
a 'security hardened' form?
- All forms need a valid CSRF token to avoid CSRF attacks. This needs
to be matched between the submitted form and server-maintained state.
Do all of your forms have that? Every single one? (A GET lookup form
like a search box doesn't need it, but anything with POST does, I'd argue.)
- Do you have a select element? Do you have error handling for when
someone submits a value for that wasn't one of the option elements?
- Your text input field has a max length of 20. Does your code return an
error when the user enters a string of 100 characters?
- Are you checking for weird edge-case-y character encoding issues?
(Some versions of some browsers can be hacked by sending UTF-7 instead
of UTF-8 for certain parts of the request. I don't fully understand that
stuff myself, either.)
- You have a "number" field (HTML5). Does your PHP code handle someone
submitting a string anyway?
- Are you checking all of those correctly every single time you write a
Remember, a form POST is not a form submission. It's a wide open RPC
call for the entire Internet, for which you provide casual suggestions
via HTML. Always assume an attacker bypasses the HTML and just POSTs
variables right at your server. I'm probably forgetting a few things in
the list above, too.
Hence, for 98% of cases, if you're writing your own <form> and <input>
tags, you're doing it wrong. :-) Maybe you end up with your own PHP
library to do that for you that handles all of the above, but... why,
when there are so many already that do a better job than you can on your
own (because they've had dozens of smart people including security
experts working on them)?
I would say code forms on your own first, as a learning experience, then
use frameworks once you know what you're doing.
That I'll agree with. "Do it manually for the learning, then use a
battle-hardened tool for real work" is a generally good approach to many
things in programming.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php