0
PHP security - POST and GET Superglobals
Hello. Is there a need of adding some special functions to prevent my site from getting hacked? I use the following variables: $username = $_POST['username']; $password = $_POST['password']; And I'm validating the inputs that have been made to my HTML form: if(empty($username) OR empty($password)) { echo 'Please fill in the form correctly!'; } else { //prepared sql statements etc. } My question now is whether I need to use the htmlspecialchars() or any similiar function to avoid that someone can inject some code. Would it be possible for someone to edit my PHP code with the $_POST superglobal? Or do I only need to use those functions whenever I print something to the page?
14 Réponses
+ 1
MarkusS So, in fact I just need to use those functions on the variables that have been typed in to my form by the user that will be used later in any output such as a comment section where the username is displayed for example? Any other variables that the user submitted through my form that just need a validation and are only stored in my database but never displayed don‘t need those functions, right?
Can you confirm that my current code snippet from above has no vulnerablities until now?
So nobody could for example edit my PHP script with the username input field from my form?
+ 1
That is correct. I would also add that since you're going to store stuff in a database (which I should have recognized), you should also use the mysqli_real_escape_string function in order to prevent sql injections.
+ 1
Always be careful and never think of your site as foolproof. I haven't proved it safe, only that I can't figure out a way to exploit it.
+ 1
MarkusS I‘m using prepared statements for inserting and checking data inside my database so does that mean that there is no need to use mysqli_real_escape_string? Although, I want to be safe and use these functions on every input from the user.
+ 1
Since they're going to get hashed right away, I think you'll be fine. I manged to find a php login system on github you might want to take a look at for inspiration
https://gist.github.com/shep517/1756326
+ 1
MarkusS Thanks for the github link! Will definitely have a look at it. The password that the user writes into the login form will be verified using the password_verify function since the password_hash function adds a salt to the password and then hashes it.
But I think there‘s no need to use the functions since I only use the password_verify function on that user input from the login form.
0
Htmlspecialchars is not for security. To transmission important and sensitive data use post method. It can not be edited
0
Ali Shekari I mean that I don‘t want others to be able to edit my PHP script through the Post/Get superglobals. I know that Post is for sensitive data and I meant Htmlspecialchars in regard to prevent XSS.
0
I would recommend you dont send the sensitive data anywhere before running it through strip_tags and stripslashes.
0
MarkusS so should I run every Post/Get superglobal through these functions before processing them and validating them if they match for example the patterns of a correct mail address?
As long as I dont echo Post/Get superglobals there should be no security threads or are there?
0
Post superglobal can not be edited by others
0
All variables would be unnecessary. Only the ones after obtaining the user inputted fields like username and password (and comments if thats a thing on your site)
0
I think so, but I'm not quite sure as mysqli isnt my strong side yet
0
MarkusS What is with passwords?
They‘ll never get displayed on the web page and only the hash of it is going to be stored in the database. So is there any reason to run it through these functions?