Data Filtering for PHP Security

Source: Internet
Author: User
Data Filtering for PHP Security: read data filtering for PHP Security. at the beginning of the guide, we have said that data filtering is the cornerstone of WEB application security in any language and platform. This includes testing the data input to the application and the data output from the application. a good software design can help developers: ensure that data filtering cannot be bypassed, ensure invalid "> <LINKhref ="

At the beginning of the guide, we said that data filtering in any language and platform is the cornerstone of WEB application security. This includes testing the data input to the application and the data output from the application. a good software design can help developers:

Make sure that data filtering cannot be bypassed,

Make sure that invalid information does not affect legal information, and

Identify the data source.

There are a variety of ideas on how to ensure that data filtering cannot be bypassed, and two of them are more common and provide higher level of protection than others.

Scheduling method
This method uses a single PHP script for scheduling (via URL ). Any other operations include or require when necessary. In this method, each URL needs to pass a separate GET variable for scheduling. This GET variable can be considered as a simpler design to replace the script name. For example:

Http:// Task = print_formdispatch.php is the only root file (Document root ). It allows developers to do two very important tasks:

At the beginning of dispatch. php, we implemented some global security processing and ensured that these processing could not be bypassed.

It is easy to determine where data filtering is necessary, especially for some special control flow operations.

Take the following example to further discuss the dispatch. php script:

If this is the only publicly accessible PHP script, it is certain that the design of this program ensures that the global security processing cannot be bypassed at the beginning. At the same time, developers can easily see the control process of specific tasks. For example, you do not need to browse the entire code to easily know: when $ form_valid is true, end. inc is unique to the user; because it is in process. before inc is included, it is initialized to false. it can be determined that process. inc's internal logic sets it to true; otherwise, the form is displayed again (related error messages may be displayed ).

If you use Directory-oriented files such as index. php (instead of dispatch. php), you can use URL address: /? Task = print_form.

You can also use ApacheForceType redirection or mod_rewrite to adjust the URL address:

Inclusion method
Another way is to use a separate module, which is responsible for all security processing. This module is included in the front-end (or very front-end) of all open PHP scripts ). Refer to the following script security. inc.

In this example, each submitted form is considered to contain the unique verification value of form, and security. inc independently processes the data to be filtered by 0 in the form. The HTML form to implement this requirement is as follows:

The $ allowed array is used to check which form variable is allowed. this list should be consistent before the form is processed. Process control determines what to execute, and process. inc is the place where the filtered data arrives.

To ensure that security. inc is always included in the beginning of each script, use auto_prepend_file.

Example of filtering
Creating a whitelist is very important for data filtering. Since it is impossible to give an example of every possible form data, some examples can help you have a general understanding of this.

The following code verifies the email address:

] + @ ([-A-z0-9] + \.) + [a-z] {2, }$/I '; if (preg_match ($ email_pattern, $ _ POST ['email']) {$ clean ['email '] =_ _ POST ['email'] ;}?> The following code ensures that the content of $ _ POST ['color'] is red, green, or blue:

The following code ensures that $ _ POST ['num'] is an integer ):

The following code ensures that $ _ POST ['num'] is a floating point number (float ):

Name conversion
In the previous example, an array $ clean is used. It is a good habit for developers to determine whether data has potential threats. Never save the data in $ _ POST or $ _ GET after verification. as a developer, you should always be skeptical about the data stored in the Super Global array.

It should be added that using $ clean can help you think about what else is not filtered, which is more like a whitelist. This improves the security level.

If you only save the verified data to $ clean, the only risk in data verification is that the referenced array element does not exist, rather than the unfiltered hazardous data.

Once the PHP script starts to be executed, it means that all HTTP requests have ended. In this case, the user has no chance to send data to the script. Therefore, no data can be input to the script (even when register_globals is enabled ). This is why initialization of variables is a good habit.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.