PHP Security - Forms and Data

##Form and data

In typical PHP application development, most logic involves data processing tasks, such as confirming whether the user has successfully logged in, adding items to the shopping cart, and processing credit card transactions.

Data may come from countless sources. As a security-conscious developer, you need to easily and reliably distinguish between two types of data:

l Filtered data

l Contaminated data

All trusted data that you set yourself can be considered as filtered data. A data that you set yourself is any hard-coded data, such as the following email address data:

  $email = 'chris@example.org';

The above email address chris@example.org does not come from any remote data source. It's obviously credible. Any data coming from a remote data source is input, and all input data is tainted and must be filtered before use.

Contaminated data refers to all data that cannot be guaranteed to be legal, such as forms submitted by users, emails received from mail servers, and xml documents sent from other web applications. In the previous example, $email is a variable containing filtered data. The data is the key, not the variables. Variables are just containers for data, which are often overwritten by contaminated data as the program executes:

  $email = $_POST['email'];

## Of course , this is why $email is called a variable. If you don’t want the data to change, you can use a constant instead:

CODE:

define('EMAIL', 'chris@example.org');

If defined with the above statement, EMAIL is an unchanging constant with the value chris@example.org throughout the script, and will not change even if you try to reassign it (usually accidentally). For example, the following code outputs chris@example.org (Attempting to redefine a constant will cause an error message with level Notice).

CODE:

Tips

For more information about constants, please visit http://www.php.cn /

As discussed in Chapter 1, register_globals can make it difficult to determine the origin of a variable such as $email. All data from external sources should be considered contaminated until proven legitimate.

Although a user can send data in a variety of ways, most applications perform the most important operations based on form submission results. Another attacker can compromise simply by manipulating the submitted data (which your app operates on), and the form conveniently opens up your app's design and the data you need to use to them. This is why form handling is the first concern among all web application security issues.

A user can transfer data to your application in three ways:

l Through the URL (such as GET data method)

l Through the content of a request (such as POST data method)

l Through HTTP header information (Such as Cookie)

Since HTTP header information is not directly related to form processing, it will not be discussed in this chapter. In general, suspicion of GET and POST data can be extended to all input, including HTTP header information.

表单通过GET或POST请求方式传送数据。当你建立了一个HTML表单，你需要在form标签的method属性中指定请求方式：

  <form action="http://example.org/register.php"
method="GET">

在前例中，请求方式被指定为GET，浏览器将通过URL的请求串部分传输数据，例如，考虑下面的表单：

CODE:

<form action="http://example.org/login.php"
method="GET">
  <p>Username: <input type="text"
name="username" /></p>
  <p>Password: <input type="password"
name="password" /></p>
  <p><input type="submit" /></p>
  </form>

如果我输入了用户名chris和密码mypass，在表单提交后，我会到达URL为http://www.php.cn/的页面。该URL最简单的合法HTTP/1.1请求信息如下：

CODE:

 GET /login.php?username=chris&password=mypass
HTTP/1.1
  Host: example.org

并不是必须要使用HTML表单来请求这个URL，实际上通过HTML表单的GET请求方式发送数据与用户直接点击链接并没有什么不同。

记住如果你在GET方式提交的表单中的action中试图使用请求串，它会被表单中的数据所取代。

而且，如果你指定了一个非法的请求方式，或者请求方式属性未写，浏览器则会默认以GET方式提交数据。

为说明POST请求方式，只对上例进行简单的更改，考虑把GET请求方式更改为POST的情况：

CODE:

<form action="http://example.org/login.php"
method="POST">
  <p>Username: <input type="text"
name="username" /></p>
  <p>Password: <input type="password"
name="password" /></p>
  <p><input type="submit" /></p>
  </form>

如果我再次指定用户名chris和密码mypass，在提交表单后，我会来到http://www.php.cn/页面。表单数据在请求的内部而不是一个URL的请求串。该方式最简单的合法HTTP/1.1请求信息如下

CODE:

POST /login.php HTTP/1.1
  Host: example.org
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 30
 
  username=chris&password=mypass

 

      现在你已看到用户向你的应用提供数据的主要方式。在下面的小节中，我们将会讨论攻击者是如何利用你的表单和URL作为进入你的应用的缺口的。

以上就是PHP安全-表单与数据的内容，更多相关内容请关注PHP中文网（www.php.cn）！