On 7/28/13 9:23 PM, Paul M Foster wrote:
On Sun, Jul 28, 2013 at 08:46:06PM -0500, Larry Garfield wrote:

On 07/28/2013 12:38 PM, Ashley Sheridan wrote:
On Sun, 2013-07-28 at 13:37 -0400, Jim Giner wrote:

Never write your own form?  I'm guilty - oh, so guilty.  What exactly is
a 'security hardened' form?

- All forms need a valid CSRF token to avoid CSRF attacks.  This
needs to be matched between the submitted form and server-maintained
state.  Do all of your forms have that?  Every single one?  (A GET
lookup form like a search box doesn't need it, but anything with
POST does, I'd argue.)

Yes. I wrote a "bless" class just for this purpose, which I use on all
form pages.

- Do you have a select element? Do you have error handling for when
someone submits a value for that wasn't one of the option elements?

Yes, since I realize that what comes back to me may bear no resemblance
to what I coded in HTML. Thus, I always check for allowed "SELECT"

- Your text input field has a max length of 20. Does your code
return an error when the user enters a string of 100 characters?

Yes. Same answer. Putting a max length of 20 in the HTML works okay, but
the user could still submit something much longer if they are attempting
to hack the page. Thus I always check for max characters on the return.

- Are you checking for weird edge-case-y character encoding issues?
(Some versions of some browsers can be hacked by sending UTF-7
instead of UTF-8 for certain parts of the request. I don't fully
understand that stuff myself, either.)

No I don't check for this.

- You have a "number" field (HTML5).  Does your PHP code handle
someone submitting a string anyway?

I don't use HTML5 tags like this, since they are not universally
supported. However, I check that numbers look like numbers on return and
strings look like strings on return. PHP has built-in functions for

All this is part of my validation class.

- Are you checking all of those correctly every single time you
write a form?

Except as noted above. This is all home-grown, using native PHP
functions designed to do these things, and classes I've written. I
carefully examine each field when writing the POST-handling code with
the idea in mind that no matter what the HTML says, the return value
must conform to what *I* think it should be. No MVC framework written by
others (though I do conform to MVC paradigm).


Then you're not writing your own form tags from the sound of it; you're writing your own Form API. Still an improvement. :-)

Now, let's talk about form accessibility...

--Larry Garfield

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
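An added example, written for this page and not code from any of the posters above, showing the server-side checks the thread goes through (CSRF token matched against session state, a select value checked against the server's own option list, a max-length check that ignores the HTML maxlength, and a number field that actually arrives as a string) in plain PHP with built-in functions. The field names, the session slot name and the allowed option list are assumptions for illustration; the sample requests at the bottom are constructed, not captured traffic.

```php
<?php
// Added example (not from the thread): validate a POSTed form on the server,
// independent of whatever the HTML said. Field names, the session key and the
// option list are assumed for illustration.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';              // assumed session slot
const ALLOWED_COLORS   = ['red', 'green', 'blue'];  // the <option> values we rendered
const NAME_MAX_LEN     = 20;                        // matches maxlength="20" in the HTML

// Called when rendering the form: mint one token per session and embed it in a
// hidden input. random_bytes() (PHP 7+) is a CSPRNG; mt_rand()/uniqid() are not.
function csrf_token(array &$session): string {
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Called on POST: compare the submitted token with the session copy. The
// is_string() guard matters because csrf_token[]=x arrives as an array, and
// hash_equals() gives a constant-time comparison.
function csrf_valid(array $session, array $post): bool {
    $expected  = $session[CSRF_SESSION_KEY] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Validate the whole POST body. Returns a list of error strings; empty means OK.
function validate_form(array $session, array $post): array {
    $errors = [];

    if (!csrf_valid($session, $post)) {
        $errors[] = 'missing or invalid CSRF token';
    }

    // <select name="color">: the browser's option list is advisory only, so the
    // value is checked against the server-side allowlist. Strict in_array()
    // avoids loose comparisons such as "0" == "red" on older PHP.
    $color = $post['color'] ?? null;
    if (!is_string($color) || !in_array($color, ALLOWED_COLORS, true)) {
        $errors[] = 'color is not one of the allowed options';
    }

    // <input name="name" maxlength="20">: maxlength is a client-side hint only.
    // PHP strings are byte strings, so reject invalid UTF-8 first, then count
    // characters rather than bytes.
    $name = $post['name'] ?? '';
    if (!is_string($name) || !mb_check_encoding($name, 'UTF-8')) {
        $errors[] = 'name is not valid UTF-8';
    } elseif (mb_strlen($name, 'UTF-8') > NAME_MAX_LEN) {
        $errors[] = 'name exceeds ' . NAME_MAX_LEN . ' characters';
    }

    // <input type="number" name="qty">: the value arrives as a string no matter
    // what the HTML type says. FILTER_VALIDATE_INT rejects "12abc", "1e3", "",
    // arrays and null, and the range options bound the accepted value.
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 999],
    ]);
    if ($qty === false) {
        $errors[] = 'qty must be an integer between 1 and 999';
    }

    return $errors;
}

// Constructed sample requests (not real traffic) exercising each check.
// In a real handler $session would be $_SESSION and $post would be $_POST.
$session = [];
$token   = csrf_token($session);

$good = ['csrf_token' => $token, 'color' => 'red', 'name' => 'Ann', 'qty' => '3'];
$bad  = [
    'csrf_token' => 'forged',
    'color'      => 'purple',                 // not in the rendered <option> list
    'name'       => str_repeat('x', 100),     // ignores maxlength="20"
    'qty'        => '12abc',                  // a string in a "number" field
];

echo validate_form($session, $good) === [] ? "good request accepted\n" : "unexpected rejection\n";
foreach (validate_form($session, $bad) as $error) {
    echo "rejected: {$error}\n";
}
```

Two practitioner notes on what this does and does not cover. The UTF-8 check above catches malformed byte sequences in the request; it does nothing about the UTF-7 issue mentioned in the thread, which is a response-side problem (a browser left to guess the charset of a page can be induced to interpret ASCII-only input as UTF-7 markup). The usual fix for that is to declare the charset explicitly on every response, for example with `header('Content-Type: text/html; charset=UTF-8');`, so the browser never sniffs. And because `hash_equals()` throws a TypeError on non-string arguments in PHP 8, the `is_string()` guard is not optional if the handler is to fail closed rather than with a 500.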
