Never trust external data or input
The first thing you must realize about web application security is that external data should not be trusted. External data includes any data that is not entered directly by the programmer in the PHP code. Any data from any other source (such as GET variables, form POST, databases, configuration files, session variables, or cookies) cannot be trusted until steps are taken to ensure security.
For example, the following data elements can be considered safe because they are set in PHP.
Listing 1. Safe and flawless code
The following is the quoted content:
$myUsername = tmyer;
$arrayUsers = array(tmyer, tom, tommy );
define("GREETING", hello there . $myUsername);
?>
However, the following data elements are flawed.
Listing 2. Unsafe and defective code
The following is the quoted content:
$myUsername = $_POST[username]; //tainted!
$arrayUsers = array($myUsername, tom, tommy); //tainted!
define("GREETING", hello there . $myUsername); //tainted!
?>
Why first The variable $myUsername is flawed because it comes directly from the form POST. Users can enter any string into this input field, including malicious commands to clean files or run previously uploaded files. You might ask, "Can't you avoid this danger by using a client-side (Javascript) form validation script that only accepts the letters A-Z?" Yes, this is always a beneficial step, but as we'll see later , anyone can download any form to their machine, modify it, and resubmit whatever they need.
The solution is simple: the cleanup code must be run on $_POST[username]. If you don't do this, you could pollute these objects any other time you use $myUsername (such as in an array or constant).
An easy way to sanitize user input is to use regular expressions to process it. In this example, only letters are expected to be accepted. It might also be a good idea to limit the string to a specific number of characters, or require all letters to be lowercase.
Listing 3. Making user input safe
The following is the quoted content:
$myUsername = cleanInput($_POST[username]); //clean!
$arrayUsers = array($myUsername, tom, tommy); //clean!
define("GREETING", hello there . $myUsername); //clean!
function cleanInput($input){ $clean = strtolower($input);
$clean = preg_replace("/[^a-z]/", "", $clean);
$clean = substr($clean,0,12);return $clean;
}