PHP Security - Form Processing Server Side Data Filtering
When PHP programmers create a form with JavaScript client-side filtering to collect information from web users, most of them forget, or choose not, to do server-side data filtering as well. The reasons given are that it is not important, or that it is too time-consuming to write the extra PHP code to get the job done.
They do not realise how critical it is until they see an example like the following, after which the necessity of server-side data filtering should be clear.
Consider an HTML form located at http://www.secure.com/form.html, with a select element that records whether or not the user accepts the terms and conditions:
    <form action="process.php" method="POST">
        <select name="accept_terms">
            <option value="accept">Accept</option>
            <option value="refuse">Refuse</option>
        </select>
        <input type="submit"/>
    </form>
Now imagine an attacker edits the above HTML and saves it on their own machine as follows:
    <form action="http://www.secure.com/process.php" method="POST">
        <input type="text" name="accept_terms">
        <input type="submit"/>
    </form>
The form can be manipulated as desired; all the attacker needs is a web browser to post it, using the absolute URL at which process.php resides.
This simple step removes every client-side restriction. In this example, the attacker does not have to accept the terms and conditions at all: the text field can carry any value, including one the original select never offered. With such a simple procedure, any user can build a form that submits arbitrary data to the URL that processes it, so process.php must validate accept_terms itself rather than trusting the client.
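The following process.php is an added example, not code from the original post: it re-checks accept_terms on the server against the only two values the original select can produce, so editing the HTML gains the attacker nothing. The field name accept_terms comes from the post; the allowlist constant, the validation function and the error handling are assumptions of this example.

```php
<?php
// Added example (not from the original post): a process.php that re-checks
// accept_terms on the server, so editing the form's HTML gains nothing.
// The field name accept_terms is from the post; everything else is assumed.

declare(strict_types=1);

// Allowlist: the only values the original <select> can legitimately produce.
const ACCEPT_TERMS_VALUES = ['accept', 'refuse'];

/**
 * Return the validated accept_terms value, or null if the request is not
 * a well-formed submission of the original form.
 */
function validate_accept_terms(array $post): ?string
{
    // Must be present and a plain string (a name like accept_terms[] would
    // arrive as an array, which is not a valid submission either).
    if (!isset($post['accept_terms']) || !is_string($post['accept_terms'])) {
        return null;
    }
    $value = $post['accept_terms'];
    // Exact, case-sensitive match against the allowlist, with strict comparison.
    return in_array($value, ACCEPT_TERMS_VALUES, true) ? $value : null;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}

$terms = validate_accept_terms($_POST);

if ($terms === null) {
    // Tampered or malformed input: reject it, record it, and do not proceed.
    http_response_code(400);
    error_log('accept_terms validation failed from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    exit('Invalid submission');
}

if ($terms !== 'accept') {
    // The user explicitly refused; nothing further should happen.
    exit('You must accept the terms and conditions to continue.');
}

// Only reached when the server itself has verified acceptance.
echo 'Terms accepted. Continuing...';
```

The same pattern applies to every field the form submits: decide on the server what values are acceptable and reject anything else, regardless of what the HTML or JavaScript allowed.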