Web Security: Sanitizing Web Forms

Form mailers, guestbooks, message boards, weblogs – any website that takes input from a user and uses a server to process the input is susceptible to a malicious attack.

‘Unvalidated Input’ is the number one security flaw in web applications, and it is what these attacks exploit.

How do these attacks happen?

Here’s a basic HTML form that takes user input:

Our basic HTML form mailer:

Here’s the bad processform.php:

Instead of writing a nice one-liner about how I love a new cookie recipe, I put this in the ‘comments’ form on a home-rolled form mailer that did not validate user input:

When PHP is processing the ‘comments’ textarea, it runs across this code and executes it.

That’s bad news, especially if Safe Mode isn’t enabled on the server. It’s even worse news if the app was running as root.

The same thing can happen with applications that pass variables through URLs.

Example:

http://foo.foo/database.cfm?id=4

A hacker could change the URL to:

http://foo.foo/database.cfm?id=4; [insert malicious SQL statements]

OWASP recommends checking each parameter against a strict format that specifies the following:

  • Data type (string, integer, real, etc.)
  • Allowed character set
  • Minimum and maximum length
  • Whether null is allowed
  • Whether the parameter is required or not
  • Whether duplicates are allowed
  • Numeric range
  • Specific legal values (enumeration)
  • Specific patterns (regular expressions)
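
One way to apply this checklist to the form mailer's fields and to the `id` URL parameter, as an added example that is not code from the original post. The `topic` field and all limits and patterns are assumptions chosen for illustration.

```php
<?php
// Added example. Field names, limits and patterns are assumptions, not the post's code.
// Check one parameter against its rule; returns null if acceptable, else a reason.
function check_param($value, array $rule): ?string
{
    if ($value === null || $value === '') {              // required / null allowed
        return empty($rule['required']) ? null : 'missing';
    }
    if (!is_string($value)) {                            // name[]=a&name[]=b arrives as an array
        return 'duplicate or array value';
    }
    $len = strlen($value);                               // minimum and maximum length
    if ($len < ($rule['min_len'] ?? 0) || $len > $rule['max_len']) {
        return 'bad length';
    }
    if (isset($rule['pattern']) && preg_match($rule['pattern'], $value) !== 1) {
        return 'bad characters or format';               // character set / pattern
    }
    if (($rule['type'] ?? 'string') === 'int') {         // data type and numeric range
        $opts = ['options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']]];
        if (filter_var($value, FILTER_VALIDATE_INT, $opts) === false) {
            return 'not an integer in range';
        }
    }
    if (isset($rule['enum']) && !in_array($value, $rule['enum'], true)) {
        return 'not a legal value';                      // enumeration
    }
    return null;
}

// Validate a request; only names listed in $rules are read, everything else is ignored.
function validate_request(array $input, array $rules): array
{
    $errors = [];
    foreach ($rules as $name => $rule) {
        $reason = check_param($input[$name] ?? null, $rule);
        if ($reason !== null) {
            $errors[$name] = $reason;                    // field => why it was rejected
        }
    }
    return $errors;
}

$rules = [                                               // constructed rule set
    'id'       => ['required' => true, 'type' => 'int', 'min' => 1, 'max' => 100000,
                   'max_len' => 6, 'pattern' => '/\A[0-9]+\z/'],
    'topic'    => ['required' => true, 'max_len' => 10, 'enum' => ['recipes', 'feedback']],
    'comments' => ['required' => true, 'max_len' => 2000, 'pattern' => '/\A[\x20-\x7E\r\n\t]*\z/'],
];
// Constructed request reusing the tampered id value from the URL example above.
print_r(validate_request(['id' => '4; [insert malicious SQL statements]', 'topic' => 'other'], $rules));
```

Pass `$_POST` or `$_GET` as the first argument and process the request only when the returned array is empty.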

Whew! All of that form validation is tedious. I don’t advocate doing massive amounts of work for small homebrew projects—using PHP’s strip_tags() function is adequate.

Our more secure form mailer handling using strip_tags:

Now the malicious code will not be executed – it will just be emailed to me@mysite.com like any other message.

This technique does not guarantee security. However, it is a very easy and very reasonable precaution to implement while developing web applications.

About andyhillky
I'm cool.