PHP Security - Form Elements


If you have things like textboxes and text areas on your forms, then you need to do some security checking on the data that comes in. That's because of attacks like Cross-Site Scripting (XSS), where somebody enters script into your textboxes and your page echoes it straight back into the browser, so the script runs on your site. Take this simple form as an example:

<html>
<head>
<title>Test Attack</title>

<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    // Deliberately unescaped: this is the vulnerable version the tutorial demonstrates.
    // Whatever was typed into the textbox is echoed straight back into the page.
    $first_name = $_POST['first_name'];

    echo $first_name;

}

?>

</head>
<body>

<form method="post" action="testSecurity.php">
<input type="text" name="first_name" value="test name">
<input type="submit" name="Submit" value="Submit">
</form>

</body>
</html>

This form is one of the files you download. It can be found in the scripts folder and is called testSecurity.php.

Load it up and you'll see that it's just a textbox and a Submit button. Click the button, and you should see "test name" printed on the page.

Now, click inside the textbox and enter the following JavaScript:

<SCRIPT>alert("Scary Script!")</SCRIPT>

Click the Submit button, and then watch what happens. You should see this (you need JavaScript enabled in your browser):

A security alert

It's just an alert box. But it could have been something worse!

Another thing someone could do, especially if you have a forum, is to enter HTML directly into your textboxes. They could flood your forum with links to harmful or undesirable websites. Try this as an example. Delete everything from your textbox, and enter this:

<A HREF ="nastysite">A Nasty Site</A>

When you click Submit this time, you should see the following:

HTML injected into an HTML form element

This time, an HTML hyperlink displays above a comments text area. If that were your forum, guess where the link would be?

To stop this kind of thing happening, there are a number of techniques you can use. We'll explore them in the next few parts.
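The simplest of those techniques is to escape the submitted value before echoing it, so the browser displays the characters as text instead of interpreting them as markup. The following is an added example, not a file from the tutorial's download: it is the same form as testSecurity.php, with the output passed through PHP's built-in htmlspecialchars(). The helper names escape_html and render_first_name, and the file name testSecuritySafe.php, are assumptions made for this example.

```php
<?php
// Added example (not part of the original tutorial): the testSecurity.php form
// with the submitted value escaped before it is written into the page.
// The function names and the file name testSecuritySafe.php are assumptions.

// Escape a string for safe insertion into HTML body text or a quoted attribute.
// ENT_QUOTES converts both " and ' so the value is also safe inside value="...".
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build the HTML that greets the submitted first name, with the name escaped.
function render_first_name(string $raw): string
{
    return '<p>Hello, ' . escape_html($raw) . '</p>';
}

$first_name = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Do not assume the field is present; cast to string and trim whitespace.
    $first_name = trim((string) ($_POST['first_name'] ?? ''));
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Test Attack (escaped)</title>
</head>
<body>
<?php if ($first_name !== '') { echo render_first_name($first_name); } ?>

<form method="post" action="testSecuritySafe.php">
<!-- The value is escaped here too, because it sits inside a double-quoted attribute. -->
<input type="text" name="first_name" value="<?php echo escape_html($first_name); ?>">
<input type="submit" name="Submit" value="Submit">
</form>
</body>
</html>
```

With this version, typing the script or the hyperlink from the examples above produces the literal text on the page: htmlspecialchars() turns each < into &lt;, each > into &gt; and each " into &quot;, so the browser has no tag to execute and no link to render. Note that the escaping is applied at the point of output, in both the body text and the input's value attribute, because the correct escaping depends on where the value lands in the HTML, not on where it came from.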