On Sun, Jul 28, 2013 at 08:46:06PM -0500, Larry Garfield wrote:

> On 07/28/2013 12:38 PM, Ashley Sheridan wrote:
> >On Sun, 2013-07-28 at 13:37 -0400, Jim Giner wrote:
> >
> >>
> >>Never write your own form?  I'm guilty - oh, so guilty.  What exactly is
> >>a 'security hardened' form?
> - All forms need a valid CSRF token to avoid CSRF attacks.  This
> needs to be matched between the submitted form and server-maintained
> state.  Do all of your forms have that?  Every single one?  (A GET
> lookup form like a search box doesn't need it, but anything with
> POST does, I'd argue.)

Yes. I wrote a "bless" class just for this purpose, which I use on all
form pages.

> - Do you have a select element? Do you have error handling for when
> someone submits a value that wasn't one of the option elements?

Yes, since I realize that what comes back to me may bear no resemblance
to what I coded in HTML. Thus, I always check for allowed "SELECT"

> - Your text input field has a max length of 20. Does your code
> return an error when the user enters a string of 100 characters?

Yes. Same answer. Putting a max length of 20 in the HTML works okay, but
the user could still submit something much longer if they are attempting
to hack the page. Thus I always check for max characters on the return.

> - Are you checking for weird edge-case-y character encoding issues?
> (Some versions of some browsers can be hacked by sending UTF-7
> instead of UTF-8 for certain parts of the request. I don't fully
> understand that stuff myself, either.)

No I don't check for this.

> - You have a "number" field (HTML5).  Does your PHP code handle
> someone submitting a string anyway?

I don't use HTML5 tags like this, since they are not universally
supported. However, I check that numbers look like numbers on return and
strings look like strings on return. PHP has built-in functions for

All this is part of my validation class.

> - Are you checking all of those correctly every single time you
> write a form?

Except as noted above. This is all home-grown, using native PHP
functions designed to do these things, and classes I've written. I
carefully examine each field when writing the POST-handling code with
the idea in mind that no matter what the HTML says, the return value
must conform to what *I* think it should be. No MVC framework written by
others (though I do conform to MVC paradigm).


Paul M. Foster

PHP General Mailing List (http://www.php.net/)
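
The server-side checks discussed in this exchange (CSRF token matched against server state, select values restricted to the options the server defined, the HTML maxlength re-enforced on the return trip, and a "number" that arrives as a string), collected into one plain-PHP POST handler. This is an added example, not Paul's "bless" or validation classes; the field names, allowed values and limits are assumed for illustration. It also goes one step past the thread by rejecting malformed UTF-8 before any length check, since mb_strlen on invalid bytes is not meaningful.

```php
<?php
declare(strict_types=1);

// Assumed form definition: a text field, a select, and a quantity.
// The HTML is not trusted; these server-side constants are the real rules.
const ALLOWED_COLORS = ['red', 'green', 'blue'];
const NAME_MAX       = 20;
const QTY_MIN        = 1;
const QTY_MAX        = 999;

/**
 * Validate one POST submission against server-held state.
 * Returns [$clean, $errors]; use $clean only when $errors is empty.
 *
 * $post is normally $_POST; $sessionToken is the CSRF token stored in
 * $_SESSION when the form was rendered. Both are passed in so the
 * function can be exercised without a live session.
 */
function validate_form(array $post, string $sessionToken): array
{
    $errors = [];
    $clean  = [];

    // CSRF: token must be present, be a string (not a name[] array), and
    // match the server-side copy. hash_equals avoids a timing side channel.
    $token = $post['csrf_token'] ?? '';
    if ($sessionToken === '' || !is_string($token) || !hash_equals($sessionToken, $token)) {
        $errors['csrf_token'] = 'missing or invalid CSRF token';
    }

    // Text input: maxlength="20" in the HTML is advisory only.
    $name = $post['name'] ?? '';
    if (!is_string($name)) {
        $errors['name'] = 'must be a string';
    } elseif (!mb_check_encoding($name, 'UTF-8')) {
        // Reject malformed byte sequences before measuring or storing anything.
        $errors['name'] = 'invalid UTF-8';
    } elseif (mb_strlen($name, 'UTF-8') < 1 || mb_strlen($name, 'UTF-8') > NAME_MAX) {
        $errors['name'] = 'must be 1 to ' . NAME_MAX . ' characters';
    } else {
        $clean['name'] = $name;
    }

    // Select: the submitted value must be one of OUR options, compared strictly
    // so that e.g. "0" or an array cannot slip through a loose comparison.
    $color = $post['color'] ?? null;
    if (!is_string($color) || !in_array($color, ALLOWED_COLORS, true)) {
        $errors['color'] = 'not an allowed option';
    } else {
        $clean['color'] = $color;
    }

    // Number: an <input type="number"> still arrives as a string; validate
    // the string as an integer within range instead of casting it.
    $qty    = $post['quantity'] ?? null;
    $qtyInt = is_string($qty)
        ? filter_var($qty, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => QTY_MIN, 'max_range' => QTY_MAX]])
        : false;
    if ($qtyInt === false) {
        $errors['quantity'] = 'must be an integer between ' . QTY_MIN . ' and ' . QTY_MAX;
    } else {
        $clean['quantity'] = $qtyInt;
    }

    return [$clean, $errors];
}

/** Per-session CSRF token, created on first use; embed it in the form as a hidden field. */
function csrf_token_from_session(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constructed sample submissions (not captured traffic), run without a session.
$sessionToken = bin2hex(random_bytes(32));
$good = ['csrf_token' => $sessionToken, 'name' => 'Paul',
         'color' => 'blue', 'quantity' => '3'];
$bad  = ['csrf_token' => 'forged', 'name' => str_repeat('A', 100),
         'color' => 'purple', 'quantity' => '3abc'];

foreach ([$good, $bad] as $submission) {
    [$clean, $errors] = validate_form($submission, $sessionToken);
    echo ($errors ? 'REJECTED: ' . json_encode($errors) : 'OK: ' . json_encode($clean)) . PHP_EOL;
}
```

In a real page the handler would first confirm `$_SERVER['REQUEST_METHOD'] === 'POST'`, then call `validate_form($_POST, csrf_token_from_session())`; a GET search form would skip the token check, as the thread notes. The `is_string` guards matter because PHP turns `name[]=x` into an array, which would otherwise reach `hash_equals` or `mb_strlen` and produce a TypeError rather than a clean validation failure.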