0

PHP security - POST and GET Superglobals

Hello. Is there a need of adding some special functions to prevent my site from getting hacked? I use the following variables: $username = $_POST['username']; $password = $_POST['password']; And I'm validating the inputs that have been made to my HTML form: if(empty($username) OR empty($password)) { echo 'Please fill in the form correctly!'; } else { //prepared sql statements etc. } My question now is whether I need to use the htmlspecialchars() or any similiar function to avoid that someone can inject some code. Would it be possible for someone to edit my PHP code with the $_POST superglobal? Or do I only need to use those functions whenever I print something to the page?

14th Jul 2019, 9:07 PM
Niklas
14 odpowiedzi
+ 1
MarkusS So, in fact I just need to use those functions on the variables that have been typed in to my form by the user that will be used later in any output such as a comment section where the username is displayed for example? Any other variables that the user submitted through my form that just need a validation and are only stored in my database but never displayed don‘t need those functions, right? Can you confirm that my current code snippet from above has no vulnerablities until now? So nobody could for example edit my PHP script with the username input field from my form?
14th Jul 2019, 9:47 PM
Niklas
+ 1
That is correct. I would also add that since you're going to store stuff in a database (which I should have recognized), you should also use the mysqli_real_escape_string function in order to prevent sql injections.
14th Jul 2019, 10:00 PM
MarkusS
MarkusS - avatar
+ 1
Always be careful and never think of your site as foolproof. I haven't proved it safe, only that I can't figure out a way to exploit it.
14th Jul 2019, 10:02 PM
MarkusS
MarkusS - avatar
+ 1
MarkusS I‘m using prepared statements for inserting and checking data inside my database so does that mean that there is no need to use mysqli_real_escape_string? Although, I want to be safe and use these functions on every input from the user.
14th Jul 2019, 10:05 PM
Niklas
+ 1
Since they're going to get hashed right away, I think you'll be fine. I manged to find a php login system on github you might want to take a look at for inspiration https://gist.github.com/shep517/1756326
15th Jul 2019, 9:13 AM
MarkusS
MarkusS - avatar
+ 1
MarkusS Thanks for the github link! Will definitely have a look at it. The password that the user writes into the login form will be verified using the password_verify function since the password_hash function adds a salt to the password and then hashes it. But I think there‘s no need to use the functions since I only use the password_verify function on that user input from the login form.
15th Jul 2019, 2:23 PM
Niklas
0
Htmlspecialchars is not for security. To transmission important and sensitive data use post method. It can not be edited
14th Jul 2019, 9:10 PM
Ali Shekari
Ali Shekari - avatar
0
Ali Shekari I mean that I don‘t want others to be able to edit my PHP script through the Post/Get superglobals. I know that Post is for sensitive data and I meant Htmlspecialchars in regard to prevent XSS.
14th Jul 2019, 9:17 PM
Niklas
0
I would recommend you dont send the sensitive data anywhere before running it through strip_tags and stripslashes.
14th Jul 2019, 9:17 PM
MarkusS
MarkusS - avatar
0
MarkusS so should I run every Post/Get superglobal through these functions before processing them and validating them if they match for example the patterns of a correct mail address? As long as I dont echo Post/Get superglobals there should be no security threads or are there?
14th Jul 2019, 9:19 PM
Niklas
0
Post superglobal can not be edited by others
14th Jul 2019, 9:21 PM
Ali Shekari
Ali Shekari - avatar
0
All variables would be unnecessary. Only the ones after obtaining the user inputted fields like username and password (and comments if thats a thing on your site)
14th Jul 2019, 9:31 PM
MarkusS
MarkusS - avatar
0
I think so, but I'm not quite sure as mysqli isnt my strong side yet
14th Jul 2019, 10:12 PM
MarkusS
MarkusS - avatar
0
MarkusS What is with passwords? They‘ll never get displayed on the web page and only the hash of it is going to be stored in the database. So is there any reason to run it through these functions?
15th Jul 2019, 5:03 AM
Niklas