User input cannot be trusted. A malicious
user can always supply the application with unexpected data. Because such
malformed input data can cause undesired application actions, it is
important to filter all user input and validate that it matches the
intended patterns.
In the context of PHP applications,
typical user input consists of URL parameters, HTTP POST data, and cookie
values. PHP makes these user input values available to the
application via the following global arrays:
• $_GET – data from GET requests
• $_POST – POST request data
• $_COOKIE – cookie information
• $_FILES – uploaded file data
• $_SERVER – server data
• $_ENV – environment variables
• $_REQUEST – combination of GET,
POST, and COOKIE
If the Register Globals feature is
turned on, PHP also creates global variables for the contents of the
above arrays. It is strongly recommended to turn this feature off;
however, if it is turned on, the values of these global input
variables must be treated as user input too. See section 2.3 for more
information about Register Globals.
Depending on the scenario, it might be
necessary to consider data from sources like files or databases as
user input too. This might, for example, be necessary if the
application fetches data from third-party databases.
In order to ensure that all user input
is filtered before it is used in the application, it is advisable to
adhere to the following guidelines:
• Use variable names that make clear
whether the contained user input is already validated or not. For
example, store the filtered data in variables with the prefix
“clean_”.
• Make sure that the application
exclusively uses these clean variables for accessing user input.
In particular, input arrays like $_GET should never be used as input for
any function other than validation functions.
• Always initialize all clean
variables. Otherwise attackers might be able to write their own
values into these variables if the Register Globals feature is turned
on. That way it would be possible to bypass any filtering mechanisms.
Moreover, the global array $_REQUEST
should not be used for accessing user input. It hides the source of
its contents. Scripts accessing data from $_REQUEST cannot determine
whether this data originates for example from server environment
variables, GET requests or POST requests. This knowledge is sometimes
necessary in order to determine what kind of filtering is necessary.
Useful tools for validating user input
are PHP’s cast operators. They convert the data type of variable
values. As all user input to PHP scripts is supplied as strings, these
operators can be used for converting input parameters to their
destination type. The following cast operators are the most useful
with respect to filtering user input:
• (int), (integer) – cast to
integer
• (bool), (boolean) – cast to
boolean
• (float), (double), (real) – cast
to float
• (string) – cast to string
Other useful functions are the
character type functions. They check, for example, whether a string
consists of only alphanumeric characters. PHP provides several of
these functions that check for different character classes. The
following list contains especially useful examples with respect to
input filtering:
• ctype_alnum()
• ctype_alpha()
• ctype_digit()
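
The guidelines above combined in one script, as an added example that is not part of the original paper: input arrays are touched only by validation functions, results go into always-initialized clean_ variables, and a ctype check runs before the cast. The helper names validate_uint() and validate_alnum(), their parameters and limits are assumptions, the $_GET contents are constructed sample input, and PHP 7.1 or later is assumed.

```php
<?php
declare(strict_types=1);

// Check the character class first, cast second: (int) on its own would
// silently turn '7abc' into 7 instead of rejecting it.
function validate_uint($raw, int $max = 1000000): ?int
{
    // is_string() rejects arrays (?id[]=1); the length limit keeps the
    // cast inside the integer range even on 32-bit builds.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $value = (int) $raw;
    return $value <= $max ? $value : null;
}

// Accept only a non-empty alphanumeric string of bounded length.
function validate_alnum($raw, int $maxLen = 32): ?string
{
    if (!is_string($raw) || !ctype_alnum($raw) || strlen($raw) > $maxLen) {
        return null;
    }
    return $raw;
}

// Constructed sample input so the script also runs from the command line;
// in a web request PHP fills $_GET itself.
$_GET = [
    'id'   => '42',
    'page' => '7abc',      // trailing garbage after a number
    'user' => ['alice'],   // ?user[]=alice arrives as an array
];

// Every clean_ variable is assigned unconditionally, so it is always
// initialized, and $_GET is passed to validation functions only.
$clean_id   = validate_uint($_GET['id'] ?? null);
$clean_page = validate_uint($_GET['page'] ?? null);
$clean_user = validate_alnum($_GET['user'] ?? null);

// The rest of the application reads only the clean_ variables;
// null means the parameter was missing or invalid.
var_dump($clean_id, $clean_page, $clean_user);
```
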
More specialized methods for validating
user input are presented in the following sections of this paper.
Recommendations:
• Do not trust user input. Validate
it carefully.
• Access user input only via the
global arrays $_GET, $_POST, etc.
• Use a dedicated naming convention
for variables that contain the filtered input.
• Make sure only these variables are
used for accessing user input throughout the application. Filtering
functions should be the only exception.
• Always initialize all variables
that store clean user input.
• Use cast operators for converting
user input to the desired type.