In case of user submitted text, when outputting to the page, what text filter do you use both in input and output?
As I understand it, using $this->input->post('something',true) will clean XSS content from the input data, so there is no other thing to do to be secure? Something like htmlspecialchars(), strip_tags(), etc.?
Also i would like to know if for example htmlspecialchars() is good to use, why CI security library doesn't applyes htmlspecialchars() by default to the passed string?
You should use the form_validation library. You can do rule based checking and filtering. This is a much more robust way of validating input data.
Here are the built in rules and any defined function that takes one parameter can be used as a filter/rule.
required
matches
min_length
max_length
exact_length
greater_than
less_than
alpha
alpha_numeric
alpha_dash
numeric
integer
decimal
is_natural
is_natural_no_zeroetc
valid_email
valid_emails
valid_ip
valid_base64
Kinda depends on what you're doing with this input, but most likely you're going to want to run the string through htmlspecialchars() also.
To my understanding, you would like to store user submitted text in a database, and then later display it on a page -- kind of like a basic commenting system or something. You just don't want any naughty/incomplete HTML characters breaking your page when outputting it.
Whenever you have user submitted data, you want to utilize the form_validation library to clean it up and sanitize it as much as possible as a good security measure. If it goes to your database, you should use Active Records or Query Binding to get additional security from Codeigniter, such as escaping the strings, etc.
Let me show my solution on submitting and outputting user's input on a website. There are probably better ways to do this, but this will get the job done.
<?php
/*Controller
**************************************************/
class Something extends CI_Controller {
function comments_or_whatever() {
//Required -> trim value -> max_length of 100 -> strip HTML tags -> remove additional HTML entities missed by strip tags
$this->form_validation->set_rules('input_1', 'The First User Input', 'required|trim|max_length[100]|xss_clean|strip_tags|callback__remove_html_entities');
$this->form_validation->set_rules('input_2', 'The Second User Input', 'trim|exact_length[11]|xss_clean|strip_tags|callback__remove_html_entities');
if ($this->form_validation->run() == FALSE) {
//form didn't validate.. try again display error messages
$this->load->view('your_view');
}
} else {
$input_1 = $this->input->post('input_1');
$input_2 = $this->input->post('input_2');
$submission_array = array(
'db_field_1' => $input_1,
'db_field_2' => $input_2
);
$this->load->model('comments');
$result = $this->comments->submit_comments_or_whatever($submission_array);
if ($result['is_true'] == TRUE) {
//creates a temporary flash message and redirects to current page
//if on a windows server use 'refresh' instead of 'location'
$this->session->set_flashdata('message', '<div class="message">'.$result['message'].'</div>');
redirect('something', 'location');
} else {
$data['message'] = $result['message'];
$this->load->view('your_view', $data);
}
}
}
// Very important to get rid calling HTML Entities via HTML number codes such as < etc. Strip_tags does not do this.
// This is privately called during validation from the callback__remove_html_entities custom callback
function _remove_html_entities($submission) {
$submission = preg_replace("/&#?[a-z0-9]{2,8};/i","",$submission);
return $submission;
}
}
/* Model
****************************************/
class Comments extends CI_Model {
function submit_comments_or_whatever($submission_array) {
// Active record escapes string and does additional security
$query = $this->db->insert('comments', $submission_array);
if ($query == TRUE) {
$data['is_true'] = TRUE;
$data['message'] = 'Your message has been successfully shared!';
return $data;
} else {
$data['is_true'] = FALSE;
$data['message'] = 'Sorry, but there was an error dude inserting your message into the database.';
return $data;
}
}
}
/* View -> your_view.php
****************************************/
<?php echo validation_errors('<div class="message">', '</div>'); ?>
<?php echo $this->session->flashdata('message'); ?>
<?php if (!empty($message)) echo '<div class="message">'.$message.'</div>'; ?>
<?php echo form_open('something/comments_or_whatever'); ?>
<?php echo form_label('The First User Input', 'input_1'); ?><br>
<?php $input_1_form = array('name' => 'input_1', 'id' => 'input_1', 'value' => set_value('input_1')); ?>
<?php echo form_input($input_1_form); ?><br>
<?php echo form_label('The Second User Input', 'input_2'); ?><br>
<?php $input_2_form = array('name' => 'input_2', 'id' => 'input_2', 'value' => set_value('input_2')); ?>
<?php echo form_input($input_2_form); ?><br>
<?php echo form_submit('submit', 'Dude, submit my user inputed text!'); ?>
<?php echo form_close(); ?>
This code assumes you autoload the Form Validation, Sessions, and Database Libraries and the Form Helper. Now, all your user inputed data is stripped to a bare minimum of plain text using a custom Regular Expression call back during form validation. All naughty HTML characters are gone/sanitized, completely. You can now be worry-free to output the submitted data anywhere you'd like on a webpage without it breaking or being a security concern.
The problem with just doing HTMLSpecialChars() and html decode is it doesn't account for incomplete HTML tags. Hopefully this helps, best of luck dude, and as always, nothing is ever completely secure.
Related
I have a form that is mostly generated by a class named "buildform".
Now every part of the form validates itself on the position it is.
This looks like this:
echo $frm->create_input("customer_nr", "Customer Nr.", "text:empty:int");
The third attribute here are the conditions (here: text field, not empty only integer).
The function "create_input" calls some more function that are validating the form field directly on place when the form is submitted.
I do it this way for multiple reasons:
I can directly color the forms to red when there's an error
I only have to tell the form attributes one time instead of when creating it and validating.
This is really comfortable and until now has made creating forms very easy.
The validation errors for then the users will be stored in a class variable like this:
function add_err($n_errmsg) {
$this->errmsgs[] = $n_errmsg;
return;
}
At the end of the form I show the errors like this:
if(isset($_POST["sbm"])) {
$ret_err = $frm->ret_err();
if(!empty($ret_err)) {
echo $ret_err;
}
else {
// send success mail
}
}
This all works without any problems.
Now I had the idea to hide the form when it's submitted. But then I would have to make sure there are no errors before the form even is loaded!
I wanted to something like
else {
$hideform = true;
// send success mail
}
This currently is not possible as the errors are generated while "generating" the form fields.
If I move the errors to the top the errors are always "empty" there because the validation is done later below...
Do you have an idea how I can solve this?
Do I have to validate the forms before loading them or is there another way?
Thanks!
Best Regards
Toby
Ok, well there are a few ways to solve this.
Basically you are echoing the form html as you go along:
echo $frm->create_input(...);
echo $frm->create_input(...);
what you could do instead is save the html into a string:
$formhtml = '';
$formhtml .= $frm->create_input(...);
$formhtml .= $frm->create_input(...);
if($frm->ret_error()){
echo $formhtml;
//other logic
}else{
//send mail
}
Along the same lines, you could change your form class, so that this is done internaly, and add a show method:
private $html = '';
function create_input(...){
//retrun $ret;
$this->html .= $ret;
function show(){
echo $this->html;
}
$frm->create_input(...);
$frm->create_input(...);
if($frm->ret_error()){
$frm->show();
//other logic
}else{
//send mail
}
I am making a website in CodeIgniter and for one of these pages I need to insert information into a database, however every time I enter information into my form and submit it, the page refreshes like it had been submitted but nothing enters the database.
Controller:
public function insertjob()
{
$this->load->helper('form');
$data['title']="Add a new job";
$this->load->view("insertjob", $data);
}
public function addingjob()
{
$jobtype=$this->input->post('jobtype');
$jobinfo=$this->input->post('jobinfo');
$this->load->model("cmodel");
if($this->cmodel->addjob($jobtype, $jobinfo)){
$data['msg']="New job addition successful";
}else{
$data['msg']="There was an error please try again";
}
$this->load->view("confirmation",$data);
Model:
function addjob($jobtype,$jobinfo)
{
$newjob=array("jobtype"=>$jobtype,"jobinfo"=>$jobinfo);
return $this->db->insert('clientjobs', $newjob); exit;
View:
</p>
<?php
echo form_open('client/insertjob');
echo form_label('Job:', 'Job');
echo form_input('jobtype');
echo form_label('Job information:', 'Job information');
echo form_input('jobinfo');
echo form_submit('Add job', 'Submit Post!');
echo form_close();
?>
Try removing the exit from your model:
function addjob($jobtype,$jobinfo)
{
$newjob=array("jobtype"=>$jobtype,"jobinfo"=>$jobinfo);
return $this->db->insert('clientjobs', $newjob);
}
It's not neccessary and could be breaking the database class, as well as halting any execution for the application.
Here's your problem:
echo form_open('client/insertjob');
If you look at your HTML code in your browser, you'll see something like this:
<form action="client/insertjob">
There will probably be a whole bunch of other attributes in your form tag - they're not important for this answer.
That action attribute is telling the browser where to go after you click submit. Where is it going? Back to the insertjob method. But it needs to go to your addingjob method - that's where the database update is actually being done. So change the form_open call to:
echo form_open('client/addingjob');
As I see your are using 2 controller functions for posting, page 1 to page 2. You have error on form open you should post your data to addingjob not insertjob.
echo form_open('client/addingjob');
will fix your issue but I highly recommend you to use, one controller for form submit. Below code will send post to same url. And you could add some attributes on it.
<?php
$attributes = array('class' => 'form-horizontal');
echo form_open($this->uri->uri_string(),$attributes); ?>
i'm building a form + form validation class , and i also wanted to add captcha to this.
The captcha image is showing, however it itsn't storing anything in the $_SESSION.
I am using this captcha script:
https://github.com/gesf/captcha.class.php
Now in my controller i use this :
$data['regform']->addfield('user_captcha', 'Human verification', 'captcha', 'captcha' );
And that generates the following :
<label>
<span>Human verification</span>
<img name="user_captcha" src="http://www.websiteurl.com/dev/misc/captcha.php?c=1"><input type="text" name="user_captcha" value="" />
</label>
The image is showing like it should. However i'm not able to validate the input because it's not writing to the session. Now in the image file captcha.php it loads the class Captcha , and in this class constructor it tries to write to the session :
function Captcha($letter = '', $case = 5) {
$this->_capCase = $case;
if (empty($letter)) {
$this->StringGen();
} else {
$this->_capLength = strlen($letter);
$this->_capString = substr($letter, 0, $this->_capLength);
}
#session_start();
$_SESSION['asd'] = 'asd';
$_SESSION["CAPTCHA_HASH"] = sha1($this->_capString);
$this->SendHeader();
$this->MakeCaptcha();
}
My session always stays empty. But when i try the following :
<?php $_SESSION['bleh'] = 'asd'?>
<?php echo $form; ?>
It adds 'bleh' to the session like it should.
I really can't see why it won't write to the session..
could someone help me out ??
Thanks!!
Make sure, that session_start() is called before any output for every single page. As I can see, you are using # operator, that shuts up some errors. Can you remove it and tell us what does it output?
Also, your sessiaon_start() call is somewhere in the middle of the script. Perhaps there are some other output before that.
I've been searching about deleting db entries in Codeigniter and I finally created a solution that I think is secure. I would really appreciate any feedback! I'm not sure if I'm doing this right..
Advantages:
Uses POST request
ID of entry to be deleted is
validated
Uses CSRF protection (automatically
generated by Codeigniter)
In my example I'm deleting user submitted links (a DB table row contains a link title, link URL, an link description).
HTML: Database entires are contained within a form. Each entry has a form button with the respective link id in the id attribute.
<?php echo form_open('profile/remove_link'); ?>
<?php echo form_hidden('link_id', ''); //value will be populated via jquery ?>
<ul id="user_links">
<?php foreach($query as $row): ?>
<li><?php echo $row->link_title; ?></li>
<li><?php echo auto_link($row->link_url, 'url', TRUE); ?></li>
<li><?php echo $row->link_description; ?></li>
<button type="submit" class="remove" id="<?php echo $row->link_id ?>" value="remove">Remove Link</button>
<?php endforeach; ?>
</ul>
</form>
JQUERY: When user clicks on the remove button, the respective link id is added to the the hidden text input named link_id.
$(document).ready(function(){
$('.remove').click(function() {
var link_to_remove = $(this).attr("id");
$("input[name=link_id]").val(link_to_remove);
});
});
Upon clicking a remove button, it sends the id of link to be removed to controller profile and function remove_link
function remove_link()
{
$this->load->model('Profile_model');
$links_data['query'] = $this->Profile_model->links_read(); //get links from db to add in view
//Validation
$this->form_validation->set_rules('link_id', 'Link ID', 'trim|required|xss_clean|max_length[11]|numeric'); //validate link id
if ($this->form_validation->run() == FALSE) //if validation rules fail
{
$this->load->view('profile/edit_links_view', $links_data);
}
else //success
{
$link_id = $this->input->post('link_id'); //get id of link to be deleted
$seg = 'user_links'; //used to redirect back to user links page
$this->Profile_model->links_delete($link_id, $seg); //send link id to model function
}
}
MODEL
function links_delete($link_id, $seg)
{
$this->db->where('user_id', $this->tank_auth->get_user_id());
$this->db->where('link_id', $link_id);
$this->db->delete('user_links');
redirect("/profile/$seg/");
}
If the ids are unique integers in your database, you could remove these rules:
trim|xss_clean|numeric
And add this one:
is_natural_no_zero
Returns FALSE if the form element contains anything other than a natural number, but not zero: 1, 2, 3, etc.
The numeric rule allows some characters you probably don't want, like decimals and negative. Here's the source (one line):
return (bool)preg_match( '/^[\-+]?[0-9]*\.?[0-9]+$/', $str);
If for some reason you are echo'ing the input back in your HTML output before validating, or are just paranoid, then by all means: xss_clean it up. Otherwise it's not really needed, as I don't think there's any possible method of XSS attacks that only use a number.
Reference:
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
http://ha.ckers.org/xss.html
Also, you might want to add a LIMIT 1 clause to your query, and definitely make sure to return a value (probably TRUE/FALSE) from your model so you know whether or not the query was successful, so you can give feedback to the user instead of assuming everything went well.
The only thing that I see wrong is that you don't validate who can and can't delete records. That's the only issue you should focus on. Permissions to check if the person sending the request of deletion is allowed to perform such operations. Other than that it's just a matter of preference.
I would suggest rewriting controller and model a bit to make the flow more logical and provide better performance:
controller:
function remove_link()
{
if ($this->input->post('link_id'))
{
//Validation
$this->form_validation->set_rules('link_id', 'Link ID', 'is_natural_no_zero');
if ($this->form_validation->run())
{
$seg = 'user_links'; //do you really need to assign it to variable ??
$this->load->model('Profile_model');
if ($this->Profile_model->links_delete($this->input->post('link_id')) //send link id to model function
{
redirect('/profile/user_links'); // redirect user in controller and only when model returns true
}else{
// inform user about error somehow, eg. by setting session flashdata and redirecting back to /profile/user_links
}
}
} // else statement here was a mistake as in case of form_validation failure nothing happened
$this->load->model('Profile_model');
$links_data['query'] = $this->Profile_model->links_read(); //get links from db to add in view
$this->load->view('profile/edit_links_view', $links_data);
}
model:
function links_delete($link_id)
{
$this->db->where('user_id', $this->tank_auth->get_user_id())
->where('link_id', $link_id)
->delete('user_links'); // you can chain methods without writing always $this->db->
return $this->db->affected_rows(); // returns 1 ( == true) if successfuly deleted
}
And as a side note in your jQuery code I suggest using $('#some_id') instead of $('input[name=XXXX]') - it saves some javascript code execution thus is faster
To practice PHP and MySQL development, I am attempting to create the user registration system for an online chess game.
What are the best practices for:
How I should handle the (likely) possibility that when a user tries to register, the username he has chosen is already in use, particularly when it comes to function return values? Should I make a separate SELECT query before the INSERT query?
How to handle varying page titles?($gPageTitle = '...'; require_once 'bgsheader.php'; is rather ugly)
(An excerpt of the code I have written so far is in the history.)
Do a separate SELECT to check whether the username is already in use before attempting to INSERT.
More importantly, I would suggest something like the following structure for the script you're writing. It has a strong separation of presentation logic (e.g. HTML) from your other processing (e.g. validation, database, business logic.) This is one important aspect of the model-view-controller paradigm and is generally considered a best-practice.
<?php
// The default state of the form is incomplete with no errors.
$title = "Registration";
$form_completed = false;
$errors = array();
// If the user is submitting the form ..
if ($_POST) {
// Validate the input.
// This includes checking if the username is taken.
$errors = validate_registration_form($_POST);
// If there are no errors.
if (!count($errors)) {
// Add the user.
add_user($_POST['username'], $_POST['password']);
// The user has completed.
$form_completed = true;
// Optionally you could redirect to another page here.
} else {
// Update the page title.
$title = "Registration, again!"
}
}
?>
<html>
<head>
<title>Great Site: <?= $title ?></title>
<body>
<?php if ($form_complete): ?>
<p>Thanks for registering!</p>
<?php else: ?>
<?php if (count($errors)): ?>
<ul>
<?php foreach ($errors as $error): ?>
<li><?= $error ?></li>
<?php endforeach; ?>
</ul>
<?php endif; ?>
<form method="post">
Username: <input type="text" name="username">
Password: <input type="password" name="password">
<input type="submit">
</form>
<?php endif; ?>
</body>
</html>
Well, one thing you can do instead of repeating code down near the bottom is this:
if( $result === true ) {
$gPageTitle = 'Registration successful';
$response = <p>You have successfully registered as ' . htmlspecialchars( $username ) . ' on this site.</p>';
} elseif( $result == 'exists' ) {
$gPageTitle = 'Username already taken';
$response = '<p>Someone is already using the username you have chosen. Please try using another one instead.</p>';
} else {
trigger_error('This should never happen');
}
require_once 'bgsheader.php';
echo $response;
require_once 'bgsfooter.php';
Also, you can return false rather than the string 'exists' in the function, not that it makes much difference.
Checking the error number isn't bad, I'm sure that's why it's an included feature. If you really wanted to do something different, you could check if there already is a user by that name by selecting the username. If no result exists, then insert the user, otherwise, give the error.
One thing I like to do with error handling on forms is save all the error strings into an array like $error['username'], $error['email'], etc., and then have it run through the error checking on each input individually to set all the error strings, and then have a function that does something like this:
function error($field)
{
global $error;
if(isset($error[$field]))
{
echo $error[$field];
}
}
and then call that after each field in the form to give error reporting on the form. Of course, the form page must submit to itself, but you could have all the error checking logic in a separate file and do an include if $_POST['whatever'] is set. If your form is formatted in a table or whatever, you could even do something like echo '<tr><td class="error">' . $error[$field] . '</td></tr>, and automatically insert another row directly below the field to hold the error if there is one.
Also, always remember to filter your inputs, even if it should be filtered automatically. Never pass post info directly into a DB without checking it out. I'd also suggest using the specific superglobal variable for the action, like $_POST rather than $_REQUEST, because $_REQUEST contains $_GET, $_POST, and $_COOKIE variables, and someone could feasibly do something strange like submit to the page with ?username=whatever after the page, and then you have both $_POST['username'] and $_GET['username'], and I'm not sure how $_REQUEST would handle that. Probably would make there be a $_REQUEST['username'][0] and $_REQUEST['username'][1].
Also, a bit about the page titles. Don't know if you have it set up like this but you can do something like this in your header:
$pageTitle = "My Website";
if(isset($gPageTitle))
{
$pageTitle .= "- $gPageTitle";
}
echo "<title>$pageTitle</title>";
Which would make the page load normally with "My Website" as the title, and append "- Username already exists" or whatever for "My Website - Username already exists" as the title when $gPageTitle is set.
I think the answer from Mr. Neigyl would require a separate trip to the database, which is not a good idea because it would only add performance overhead to yuor app.
I am not a PHP guru, but I know my way around it, although I don't recall the === operator. == I remember.
You could pass the function call directly into the IF statement.
if (addUser($username, $passwd));
I don't see anything wrong with using the $gPageTitle variable, but you will probably have to declare it "global" first and then use namespaces so you can actually access it within the "header.php" because "header.php" will not know how to address this page's variables.
Although I personally don't like messing with namespaces and I would rather call a function from the "header.php" and pass the page title into it
display_title($pgTitle);
or
display_title("Registration Successfull");
or
$header->display_title("Registration Successfull")
if you like OO style better
Let me know if that helps. :)
You should get into forms and allow your page to redirect to another page where you have there the 'insert username to database'.
Suppose the username entered is in a post variable such as $_POST['username'].
Have your database check where that username exist:
$res = mysql_query("SELECT * FROM table WHERE username='$_POST['username']'") or die(mysql_error());
if(mysql_num_rows($res) > 0) {
echo "Username exists.";
// more code to handle username exist
} else {
// ok here.
}
What is basically done is we check if your table already contains an existing username. mysql_num_rows($res) will return 0 if no username exist.