In this chapter we will introduce how to use PHP to verify form data submitted by the client.
We need to consider security when dealing with PHP forms. In this chapter we will demonstrate the secure processing of PHP form data. In order to prevent attackers and spam, we need to perform security validation on the submitted form data.
The HTML form described in this chapter contains the following input fields: required and optional text fields, radio buttons, and a submit button.
The validation rules for this form are as follows:
Field | Validation rules
---|---
Name | Required. May only contain letters and spaces
E-mail | Required. Must be a valid email address (contains '@' and '.')
Website | Optional. If present, it must contain a valid URL
Remarks | Optional. Multi-line input field (textarea)
Gender | Required. One option must be selected
First let's take a look at the pure HTML form code:
The "Name", "E-mail", and "Website" fields are text input elements, and the "Remarks" field is a textarea. The HTML code looks like this:
Name: <input type="text" name="name">
E-mail: <input type="text" name="email">
Website: <input type="text" name="website">
Remarks: <textarea name="comment" rows="5" cols="40"></textarea>
The "Gender" field is a radio button and the HTML code looks like this:
Gender:
<input type="radio" name="gender" value="female">Female
<input type="radio" name="gender" value="male">Male
The form element itself looks like this:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
The form uses method="post" to submit its data.
What is the $_SERVER["PHP_SELF"] variable? $_SERVER["PHP_SELF"] is a superglobal variable that returns the file name of the currently executing script, relative to the document root.
Therefore, $_SERVER["PHP_SELF"] sends the form data to the current page instead of redirecting to a different page.
What is the htmlspecialchars() function? htmlspecialchars() converts certain predefined characters into HTML entities. The predefined characters are: & (ampersand) becomes &amp;, " (double quote) becomes &quot;, ' (single quote) becomes &#039; (when the ENT_QUOTES flag is set, which is the default since PHP 8.1), < (less than) becomes &lt;, and > (greater than) becomes &gt;.
The $_SERVER["PHP_SELF"] variable can be abused by hackers!
When an attacker crafts a cross-site scripting link, the injected script ends up inside the $_SERVER["PHP_SELF"] variable. The reason is that the payload is appended to the path of the executing script, so $_SERVER["PHP_SELF"] then contains the JavaScript code that followed the script name in the HTTP link.
XSS (Cross-Site Scripting, occasionally abbreviated CSS) is a cross-site scripting attack: a malicious attacker inserts HTML code into a web page, and when a user browses that page the embedded code is executed in the user's browser, achieving whatever the attacker intended.
Suppose the following form is in a file named "test_form.php":
<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
Now, if a user requests the page through its normal URL, such as "http://www.codercto.com/test_form.php", the above code is rendered as:
<form method="post" action="test_form.php">
That is fine.
However, consider what happens if the user enters the following address into the browser address bar:
http://www.codercto.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
With that URL, the form tag is rendered as the following code, and the script runs:
<form method="post" action="test_form.php/"><script>alert('hacked')</script>
A script tag has been injected into the code, together with an alert command. This JavaScript code is executed when the page loads (the user sees a pop-up box). This is only a simple example of how the PHP_SELF variable can be exploited.
Please note that any JavaScript code can be placed inside the <script> tag! An attacker could use this to redirect the user to a page on another server, and that page can contain malicious code that modifies global variables or captures the user's form data.
This abuse of $_SERVER["PHP_SELF"] can be avoided by using the htmlspecialchars() function.
The form code then looks like this:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
htmlspecialchars() converts the predefined characters into HTML entities. Now, if the user tries to exploit the PHP_SELF variable in the same way, the output is:
<form method="post" action="test_form.php/&quot;&gt;&lt;script&gt;alert(&#039;hacked&#039;)&lt;/script&gt;">
The exploit attempt fails! The quote and angle brackets are now inert entities inside the action attribute, so no script tag is created.
First, we pass all user-submitted data through PHP's htmlspecialchars() function.
With htmlspecialchars() in place, suppose the user tries to submit the following in a text field:
<script>location.href('http://www.codercto.com')</script>
This code is not executed, because it is stored as HTML-escaped text like this:
&lt;script&gt;location.href(&#039;http://www.codercto.com&#039;)&lt;/script&gt;
The escaped text is safe and can be displayed normally on the page or inserted into emails.
When the user submits the form, we will do the following two things:
Use PHP's trim() function to remove unnecessary characters (such as spaces, tabs, and newlines) from the user input.
Use PHP's stripslashes() function to remove backslashes (\) from the user input.
Next, we put these filtering steps into a function of our own, which greatly improves the reusability of the code.
We will call the function test_input().
Now we can use test_input() to check every variable in $_POST. The script looks like this:
<?php
// Define variables and set them to empty values by default
$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // The ?? "" fallback avoids an "undefined index" notice when a field
    // (for example an unselected radio button) is missing from $_POST
    $name    = test_input($_POST["name"] ?? "");
    $email   = test_input($_POST["email"] ?? "");
    $website = test_input($_POST["website"] ?? "");
    $comment = test_input($_POST["comment"] ?? "");
    $gender  = test_input($_POST["gender"] ?? "");
}

function test_input($data) {
    $data = trim($data);             // remove leading and trailing whitespace
    $data = stripslashes($data);     // remove backslashes
    $data = htmlspecialchars($data); // convert special characters to HTML entities
    return $data;
}
?>
Note that the script uses $_SERVER["REQUEST_METHOD"] to detect whether the form has been submitted. If REQUEST_METHOD is POST, the form has been submitted and the data is filtered. If the form has not been submitted, the filtering is skipped and the fields are shown blank.
In the example above every input is optional, so the page renders normally even if the user enters no data at all.
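The following is an added example, not code from the original tutorial: a complete test_form.php that combines the escaped form action from the PHP_SELF discussion with the test_input() filter from the script above, and echoes the filtered values back into the page. It assumes the file is saved as test_form.php and served locally (for example with `php -S localhost:8000`); the helper name safe_action() is my own. Unlike the tutorial's version, it passes ENT_QUOTES | ENT_SUBSTITUTE to htmlspecialchars() explicitly, so single quotes are escaped on every PHP version rather than only on 8.1 and later.

```php
<?php
// Added example (not from the original tutorial). Assumed: saved as
// test_form.php and served with `php -S localhost:8000`.
declare(strict_types=1);

// Filter one submitted value: trim whitespace, strip backslashes, escape HTML.
// ENT_QUOTES is passed explicitly so single quotes become &#039; on every PHP
// version (before 8.1 the default flags left them unchanged).
function test_input(?string $data): string
{
    $data = trim($data ?? '');
    $data = stripslashes($data);
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the form action from PHP_SELF safely (hypothetical helper name).
// Once escaped, a path suffix such as /"><script>…</script> cannot close the
// action="..." attribute, so it stays inert text inside the attribute value.
function safe_action(string $phpSelf): string
{
    return htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Default values so the fields render empty on a plain GET request.
$name = $email = $gender = $comment = $website = '';

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // The null-coalescing fallback avoids an "undefined index" notice when a
    // field (e.g. an unselected radio button) is absent from $_POST.
    $name    = test_input($_POST['name'] ?? '');
    $email   = test_input($_POST['email'] ?? '');
    $website = test_input($_POST['website'] ?? '');
    $comment = test_input($_POST['comment'] ?? '');
    $gender  = test_input($_POST['gender'] ?? '');
}

$action = safe_action($_SERVER['PHP_SELF'] ?? 'test_form.php');
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>PHP form</title></head>
<body>
<form method="post" action="<?php echo $action; ?>">
  Name: <input type="text" name="name" value="<?php echo $name; ?>"><br>
  E-mail: <input type="text" name="email" value="<?php echo $email; ?>"><br>
  Website: <input type="text" name="website" value="<?php echo $website; ?>"><br>
  Remarks: <textarea name="comment" rows="5" cols="40"><?php echo $comment; ?></textarea><br>
  Gender:
  <input type="radio" name="gender" value="female" <?php echo $gender === 'female' ? 'checked' : ''; ?>>Female
  <input type="radio" name="gender" value="male" <?php echo $gender === 'male' ? 'checked' : ''; ?>>Male<br>
  <input type="submit" name="submit" value="Submit">
</form>

<?php if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'): ?>
<h2>Your input (already HTML-escaped by test_input):</h2>
<p>Name: <?php echo $name; ?></p>
<p>E-mail: <?php echo $email; ?></p>
<p>Website: <?php echo $website; ?></p>
<p>Remarks: <?php echo $comment; ?></p>
<p>Gender: <?php echo $gender; ?></p>
<?php endif; ?>
</body>
</html>
```

Because test_input() escapes every value once at input time, the values can be echoed into attribute values and element bodies without a second htmlspecialchars() call; escaping them again would display literal entities such as &amp;lt; to the user. The stripslashes() step is kept only to match the tutorial; it dates from the removed magic_quotes feature and does nothing useful on current PHP.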
In the next chapter we will introduce how to validate the data entered by the user.