Hi,

Recently I have been wondering 'how can I make this more secure' in regards to building websites.

As I have only recently started building webpages professionally, I have naturally been challenged with making sites more secure and I have practiced this so far through PDO prepared statements and parameterised queries, but what else would you consider an essential security measure?

I am currently looking into validation and the general idea is to use both server side and client side validation, for usability if anything.

So as my question states, I'm just wondering what I should be doing for the server side validation? I have looked at sanitizing filters and character lengths, but I really want to become well acquainted with these issues.

Thanks.
Solution 1

Read this PHP 5 Form Validation and the few chapters that follow.
Comments
Peter Leow 19-Mar-15 8:11am    
Let's say the page that you are submitting to is called "welcome.php"; place it in the action attribute of the form tag, e.g.
<form action="welcome.php" method="post">
read more about the different methods: http://www.w3schools.com/php/php_forms.asp
jba1991 19-Mar-15 8:22am    
No, I understand how to do this part, but I mean using the htmlspecialchars part too, or can I just pass each field into a function (seen on the first page of the link you provided) after submitting?
Sergey Alexandrovich Kryukov 19-Mar-15 11:05am    
Validating all forms is, by far, not enough. How about many other cases? Please see Solution 2 where I explain what I mean.
—SA
Peter Leow 19-Mar-15 11:26am    
Noted. Thank you, Sergey.
Sergey Alexandrovich Kryukov 19-Mar-15 11:41am    
You are welcome.
—SA
Solution 2

Pretty much everything which comes from the client side. Even what is entered automatically, not via UI, which is partially covered by Solution 1.

So, I want to emphasize only one point. Everything else you can logically draw from each kind of setting. Let's say your server side gets an HTTP request. It contains a URI, the body of the request with data, normally in key-value pairs, metadata, in particular client information (client IP, browser information), referrer, and so on. Of course it should be apparent to you that the user can enter any URI manually and inject anything there. But how about the rest of the HTTP request? If you have some UI, and some of the control values go directly to the request, it's apparent that it is easy to inject anything into the request. Moreover, anything can be sent even if JavaScript validates input on the client side.

But what if there is no UI? Remember once and forever: the whole HTTP request can still be forged. No, it's better to say: the whole HTTP request can easily be forged. No, not just easily, very easily.

Assuming that, sanitize every request reliably.

—SA
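The following is an added example, not code from either solution or from the original poster. It is the "welcome.php" handler named in the comments on Solution 1, written to the point of Solution 2: every check runs on the server, whether or not the form's JavaScript ran, and htmlspecialchars is applied only when a value is written back into HTML (it is output encoding, not input validation, which answers jba1991's question about where it belongs). Field names, the CSRF token stored in the session when the form was rendered, the table name, the DSN and the credentials are all assumptions for illustration.

```php
<?php
// welcome.php: server-side handling of the form post (added example).
// Assumes the form sends "name", "email" and a hidden "csrf_token", and that
// the page rendering the form stored the token with
//   $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// Table "subscribers", DSN and credentials below are placeholders.
declare(strict_types=1);
session_start();

const MAX_NAME_LEN  = 60;
const MAX_EMAIL_LEN = 254;

// Reject anything that is not the POST the form is expected to send.
// The request may have been built by hand, so nothing the client "should"
// have enforced is taken for granted here.
function request_is_acceptable(array $server, array $post): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // Allowlist of field names: extra or missing keys mean the request was
    // not produced by the form.
    $expected = ['csrf_token', 'email', 'name'];
    $keys = array_keys($post);
    sort($keys);
    if ($keys !== $expected) {
        return false;
    }
    // Every value must be a plain string (PHP turns "name[]=x" into an array).
    foreach ($post as $value) {
        if (!is_string($value)) {
            return false;
        }
    }
    return true;
}

// Per-field validation: returns a list of error messages, empty if valid.
// Length limits are enforced here even if the form carries "maxlength".
function validate_fields(array $post): array
{
    $errors = [];

    $name = trim($post['name']);
    if ($name === '' || mb_strlen($name) > MAX_NAME_LEN) {
        $errors[] = 'Name must be 1 to ' . MAX_NAME_LEN . ' characters.';
    } elseif (preg_match('/[\x00-\x1F\x7F]/', $name) === 1) {
        $errors[] = 'Name contains control characters.';
    }

    $email = trim($post['email']);
    if (mb_strlen($email) > MAX_EMAIL_LEN
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }

    return $errors;
}

// CSRF token check: hash_equals compares in constant time so the comparison
// does not leak the stored token through timing.
function csrf_token_is_valid(string $submitted, ?string $stored): bool
{
    return $stored !== null && hash_equals($stored, $submitted);
}

// HTML output encoding: used only where a value is written into a page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// ---- main flow --------------------------------------------------------

if (!request_is_acceptable($_SERVER, $_POST)) {
    http_response_code(400);
    exit('Bad request.');
}
if (!csrf_token_is_valid($_POST['csrf_token'], $_SESSION['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid form token.');
}
$errors = validate_fields($_POST);
if ($errors !== []) {
    http_response_code(422);
    foreach ($errors as $e) {
        echo '<p>' . h($e) . '</p>';
    }
    exit;
}

// Persist with a prepared statement: the values are bound, never spliced
// into the SQL text. Native prepares keep the separation at the driver level.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
    'app_user',                                          // placeholder
    'app_password',                                      // placeholder
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
$stmt = $pdo->prepare('INSERT INTO subscribers (name, email) VALUES (:name, :email)');
$stmt->execute([':name' => trim($_POST['name']), ':email' => trim($_POST['email'])]);

// Echo the name back only after escaping it for the HTML context.
echo 'Welcome, ' . h(trim($_POST['name'])) . '!';
```

The order matters: the request shape and token are checked before any field is looked at, the field rules are enforced independently of what the browser did, and escaping happens at the single point where data meets HTML. Client-side validation can stay for usability, as the question suggests, but nothing above depends on it.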