Stupid Browser Tricks with PHP and JavaScript By Chris Winikka Isn’t JavaScript Validation Enough? Some people turn off JavaScript Some people have bad intentions PHP is the only way to ensure that the information from a form is… not empty in the correct format not filled with nasty, evil code ▪ with sharp pointy teeth Why even use JavaScript? convenience ▪ the user finds out something is missing before sending it off (before leaving the form page) ▪ it might catch a mistake in an email address less processor time ▪ If the php file catches an error, it has two main options: ▪ It has to send the user back to the form page, or ▪ It gives a warning and forces the user to use the back button ▪ If you catch problems with JavaScript before running the processor, the php file may only have to be run once PHP, like all high-level computer languages has functions built-in functions ▪ these are handy functions that the makers of php thought you might find useful user-defined functions ▪ you get to create your own What is a function? function is reusable code if there’s anything you want to do more than one time, you should write a function for it You already used the date() function you provided some codes the function used those codes to format the date and time According to OWASP.org, there are 10 main security flaws The top 2 flaws to prepare for are: Cross-site Scripting Flaws (XSS): 1. ▪ ▪ Injection Flaws: 2. ▪ ▪ Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data. There are other flaws to be concerned with, but we won’t cover those because… occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc. We are not learning how to do passwords & password encryption We are not learning how to do file uploads For the most part our simple applications are not big targets For more information on security, visit the Open Web Application Security Project (OWASP) website Validate Validate Validate Make sure the data Is in the correct format ▪ A number is an integer ▪ A name is in the form of a string ▪ An email is in the format of an email Is not empty Does not have any code you don’t want it to have The first step in validation is making sure variables aren’t empty Unfortunately, a field filled with spaces is not technically empty That’s why you need the trim() function How it works: Pass it a variable and It removes white spaces before or after a field entry (in the variable) Do it like so… $name = trim($name); empty() – checks to see if a variable is empty or not Pass it a variable If the variable has no value (it’s empty), it returns True ▪ “Yes, it is empty” If the variable does have a value (not empty), it returns False ▪ “No, it’s not empty” The empty() function in its natural habitat Typically, you use the empty() function to check to see if it is not empty ▪ For this, you use the special NOT code, “!” ▪ Place the exclamation mark (NOT) in front of the function Example: ▪ if (!empty($variable)) { echo ‘<p>It’s not empty</p> } else { echo ‘<p>It is empty</p> } ▪ In plain English, if(!empty($variable)) means “If variable is NOT empty,…” ▪ The keyword, “else” is like saying, “otherwise…” Render command codes useless with the addslashes() function Add slashes will add a slash in front of the following characters: ▪ ▪ ▪ ▪ single quote (') double quote (") backslash (\) NULL Why is this important? ▪ Look at the following: ▪ SELECT * FROM users WHERE name='$username' AND pass='$password'; ▪ If a user enters the following for his/her password… ▪ ' OR '1'='1 ▪ To the database, the code now looks like this… ▪ SELECT * FROM users WHERE name='known_user' AND pass='' OR '1'='1'; ▪ My question to you is: Is 1 equal to 1? ▪ The answer is, “yes” ▪ The user now has password privileges (didn’t need to know the password to get it to work Adding slashes renders that useless Note: You can also remove the slashes with… The stripslashes() function Note also: this is not necessary as much with an email processor, but is critical for use with a database Use the preg_match() function No, it is not a paternity test It stands for perform a regular expressions match How it Works: int preg_match ( string $pattern , string $subject [, array &$matches [, int $flags [, int $offset ]]] ) You put in a pattern (called a regular expression) ▪ A regular expression, or regex for short, is a pattern describing a certain amount of text. Put in a subject (the variable you want to check) Optional: $matches – this is a variable that will capture the results of the search Optional: flags – PREG_OFFSET_CAPTURE this changes the output of the function ▪ You’re welcome to research what this does and try to figure it out. ▪ But you’re on your own for that ▪ Good luck with that! Optional: offset – this is in the form of a number and allows you to start the search from a different spot What it Does (in plain English): It returns the number of times $pattern matches If there are any errors, it returns false Check to see if php is in a phrase Note the slashes surrounding the word The i after php indicates it’s a case insensitive search Check for a whole word The \b stands for a word boundary It’s placed on both sides of the word, so it will only match the word “web” (spaces on both sides) <?php if (preg_match("/\bweb\b/i", "PHP is the web scripting if (preg_match("/php/i", "PHP is the web scripting language of choice.")) { language of choice.")) { echo "A match was found."; "A match was found."; } else echo { echo "A{ match was not found."; } else } echo "A match was not found."; ?> } Examine the Pattern and see if you can figure out the regular expression For reference, read Regular Expressions Quick Start Guide $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[az]{2,}$/i'; if (preg_match($email_pattern, $_POST[‘email'])) { $email = $_POST[‘email']; } else { echo '<p>There was a problem with your email address</p>'; } The specialcharacters() function: this converts certain characters from the character to their html entities Example: $name = specialcharacters($name) ▪ & becomes &amp; ▪ < becomes &lt; ▪ > becomes &gt; Quote Style: you can add the quote style to the function call ▪ For example specialcharacters($name, ENT_QUOTES)) ▪ ENT_QUOTES ▪ Single quotes ‘ become &#39; ▪ Double quotes “ become &quot; ▪ ENT_COMPAT only translates double quotes (not single quotes) ▪ Note, this is the default mode ▪ ENT_NOQUOTES neither single nor double quotes are translated The htmlentities() function works just like special characters, but all characters that have an html entity will be translated In addition to the special characters, all special entities in a particular character set get translated ▪ © becomes &copy; ▪ / becomes &#47; ▪ Etc. This renders all html tags useless, so links, nasty javascript, & other meanies can’t work The quote style option is exactly the same as the specialcharacters() function You also have a character set that you can pass to the function depending on what characters you want translated Default will work just fine Your form processor should make use of a variety of validation checks Make sure no fields are empty Trim each variable with the trim() function Check to make sure they are not empty using the empty() function Check the email format use preg_match() function (see previous slide) Check to make sure integers are indeed integers (if you are asking for a number) This isn’t necessary for the Feedback page Sanitize your variables Use the htmlentities() function With databases, use the addslashes() method Note: for hopefully obvious reasons, don’t sanitize your email variable or it won’t work as an email (the preg_match() function did that) If there’s any problem with the form (it’s invalid)… Notify the user which fields if any are empty ▪ Let the user know were empty Notify the user if the email is not in the correct format Send the user back to the form If there are no errors… Notify the user if the form was submitted properly Send the results using the mail() function Send a confirmation email In order to write our form processor, we are going to create our own function to keep track of errors Let’s call it “errorCheck()” Goal: We want this function to… check to see if a field is empty check to see if the email field is in the incorrect format If either is the case, we want to add the field name to the list of errors return the list of errors When writing our own functions, we need to… decide what it’s going to do come up with a name errorCheck() decide what information the function needs (this is called parameters) we need a list ($errors) we need a form field ($var) we need the name of the variable ($name) ▪ if a field is empty, how could we add it to the errors? decide what information the function will produce return the list of errors using the return statement write our code capture the results through a function call create a variable that will receive the results of the function Formula: $variable = function($parameter1, $parameter2, etc.) $errors = errorCheck($errors, $_POST[‘name’], ‘name’) First of all, write your function definition before you call it before you call it, you need to have values to send to the function (called “arguments”) Errors ▪ we need to create this variable first: ▪ $errors = array(); Each field ▪ these come from the form when you click the submit button ▪ $_POST[‘name’] Field name ▪ you will provide these in the form of a written out string ▪ ‘name’ Goal: use preg_match to check email format Plan the function: Receives: ▪ $email Performs: ▪ regular expression check Returns: ▪ false if it fails the test ▪ true if it passes the test Call the function: Where is the best, most logical place to call the function? Goal: render all special characters that could run a command harmless Plan the function: Receives: ▪ Variable ($var) Performs: ▪ Create a list ($pattern) of potentially harmful characters ▪ Create a list ($replacement) of html character entities ▪ Runs the preg_replace() function (http://us2.php.net/preg_replace) Returns: ▪ Cleaned up variable Call the function Only call it if ▪ there are no empty variables AND ▪ the email format is correct Call it ▪ after you printed the correct results ▪ Before you run the email function Make sure nothing is empty Make sure the email works If there are no empty fields Or the email is incorrect: Notify user there was a problem with the form If there are errors ▪ Display all empty fields If the email is incorrect ▪ Notify the user that it’s incorrect Include a link back to the form page Else (no problems) Notify the user it was a success Sanitize all variables Run the mail() function (http://us3.php.net/mail) GENERAL CONCEPTS Validation Concepts: Why validate? What validation includes PHP v. JavaScript Validation PHP Functions Built-in Functions User-defined Functions PHP BUILT-IN FUNCTIONS Trim() Empty() Preg_match() Preg_replace() html_entities() Htmlspecialcharacters() Add_slashes() Strip_slashes() Mail()