Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

Post on 25-Dec-2015

Page 1: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

Stupid Browser Tricks with PHP and JavaScript, by Chris Winikka

Page 2: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

Isn’t JavaScript Validation Enough?
Some people turn off JavaScript
Some people have bad intentions
PHP is the only way to ensure that the information from a form is…
▪ not empty
▪ in the correct format
▪ not filled with nasty, evil code with sharp pointy teeth

Why even use JavaScript?
convenience
▪ the user finds out something is missing before sending it off (before leaving the form page)
▪ it might catch a mistake in an email address
less processor time
▪ If the php file catches an error, it has two main options:
▪ It has to send the user back to the form page, or
▪ It gives a warning and forces the user to use the back button
▪ If you catch problems with JavaScript before running the processor, the php file may only have to be run once

Page 3: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

PHP, like all high-level computer languages, has functions
built-in functions
▪ these are handy functions that the makers of php thought you might find useful
user-defined functions
▪ you get to create your own

What is a function?
A function is reusable code
If there’s anything you want to do more than one time, you should write a function for it
You already used the date() function
▪ you provided some codes
▪ the function used those codes to format the date and time

Page 4: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

According to OWASP.org, there are 10 main security flaws
The top 2 flaws to prepare for are:
1. Cross-site Scripting Flaws (XSS):
▪ occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content.
▪ XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
2. Injection Flaws:
▪ Injection occurs when user-supplied data is sent to an interpreter as part of a command or query.
▪ The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

There are other flaws to be concerned with, but we won’t cover those because…
▪ We are not learning how to do passwords & password encryption
▪ We are not learning how to do file uploads
▪ For the most part our simple applications are not big targets

For more information on security, visit the Open Web Application Security Project (OWASP) website

Page 5: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

Validate Validate Validate
Make sure the data
Is in the correct format
▪ A number is an integer
▪ A name is in the form of a string
▪ An email is in the format of an email
Is not empty
Does not have any code you don’t want it to have

Page 6: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

The first step in validation is making sure variables aren’t empty
Unfortunately, a field filled with spaces is not technically empty
That’s why you need the trim() function
How it works: pass it a variable and it removes white space before or after the field entry (in the variable)
Do it like so… $name = trim($name);

Page 7: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

empty() – checks to see if a variable is empty or not
Pass it a variable
If the variable has no value (it’s empty), it returns True
▪ “Yes, it is empty”
If the variable does have a value (not empty), it returns False
▪ “No, it’s not empty”

The empty() function in its natural habitat
Typically, you use the empty() function to check to see if it is not empty
▪ For this, you use the special NOT code, “!”
▪ Place the exclamation mark (NOT) in front of the function
Example:

    if (!empty($variable)) {
        echo "<p>It's not empty</p>";
    } else {
        echo '<p>It is empty</p>';
    }

▪ In plain English, if(!empty($variable)) means “If variable is NOT empty,…”
▪ The keyword “else” is like saying, “otherwise…”

Page 8: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

Render command codes useless with the addslashes() function
addslashes() will add a slash in front of the following characters:
▪ single quote (')
▪ double quote (")
▪ backslash (\)
▪ NULL

Why is this important?
▪ Look at the following:
▪ SELECT * FROM users WHERE name='$username' AND pass='$password';
▪ If a user enters the following for his/her password…
▪ ' OR '1'='1
▪ To the database, the code now looks like this…
▪ SELECT * FROM users WHERE name='known_user' AND pass='' OR '1'='1';
▪ My question to you is: Is 1 equal to 1?
▪ The answer is, “yes”
▪ The user now has password privileges (didn’t need to know the password to get it to work)
Adding slashes renders that useless

Note: You can also remove the slashes with the stripslashes() function

Note also: this is not necessary as much with an email processor, but is critical for use with a database
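Added example, not from the slides: it prints the query string the slide describes, the same query after addslashes(), and then runs the input against a prepared statement (an approach the slides do not cover). It assumes the pdo_sqlite extension and a constructed one-row users table.

```php
<?php
// Added example (not the course's code). Constructed in-memory SQLite table.

function buildQuery(string $username, string $password): string {
    // The slide's query, built by string interpolation (the weak form).
    return "SELECT * FROM users WHERE name='$username' AND pass='$password'";
}

function buildEscapedQuery(string $username, string $password): string {
    // The slide's fix: a backslash goes in front of ' " \ and NUL first.
    return buildQuery(addslashes($username), addslashes($password));
}

function countLoginsPrepared(PDO $db, string $username, string $password): int {
    // Placeholders are bound as data, so quotes in the input are never parsed as SQL.
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE name = ? AND pass = ?');
    $stmt->execute([$username, $password]);
    return (int) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, pass TEXT)");
$db->exec("INSERT INTO users VALUES ('known_user', 'secret')");   // constructed row

$badPassword = "' OR '1'='1";   // the password from the slide

// 1. Raw interpolation: the OR '1'='1' becomes part of the WHERE clause,
//    so the row comes back even though the password is wrong.
$raw = buildQuery('known_user', $badPassword);
echo $raw, "\n";
echo "rows returned (raw): ", count($db->query($raw)->fetchAll()), "\n";

// 2. addslashes(): the quotes are escaped, so the clause stays one string.
//    Shown, not executed: backslash escaping is MySQL's convention, and
//    SQLite would treat the backslash as an ordinary character.
echo buildEscapedQuery('known_user', $badPassword), "\n";

// 3. Prepared statement: the same input matches nothing.
echo "rows matched (prepared): ", countLoginsPrepared($db, 'known_user', $badPassword), "\n";
```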

Page 9: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

Use the preg_match() function
No, it is not a paternity test
It stands for perform a regular expressions match

How it Works: int preg_match ( string $pattern , string $subject [, array &$matches [, int $flags [, int $offset ]]] )
You put in a pattern (called a regular expression)
▪ A regular expression, or regex for short, is a pattern describing a certain amount of text.
Put in a subject (the variable you want to check)
Optional: $matches – this is a variable that will capture the results of the search
Optional: flags – PREG_OFFSET_CAPTURE changes the output of the function
▪ You’re welcome to research what this does and try to figure it out.
▪ But you’re on your own for that
▪ Good luck with that!
Optional: offset – this is in the form of a number and allows you to start the search from a different spot

What it Does (in plain English): It returns the number of times $pattern matches
If there are any errors, it returns false

Page 10: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

Check to see if php is in a phrase
▪ Note the slashes surrounding the word
▪ The i after php indicates it’s a case insensitive search

    <?php
    if (preg_match("/php/i", "PHP is the web scripting language of choice.")) {
        echo "A match was found.";
    } else {
        echo "A match was not found.";
    }
    ?>

Check for a whole word
▪ The \b stands for a word boundary
▪ It’s placed on both sides of the word, so it will only match the word “web” (spaces on both sides)

    <?php
    if (preg_match("/\bweb\b/i", "PHP is the web scripting language of choice.")) {
        echo "A match was found.";
    } else {
        echo "A match was not found.";
    }
    ?>

Page 11: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

Examine the pattern and see if you can figure out the regular expression

For reference, read Regular Expressions Quick Start Guide

    $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';

    if (preg_match($email_pattern, $_POST['email'])) {
        $email = $_POST['email'];
    } else {
        echo '<p>There was a problem with your email address</p>';
    }

Page 12: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

The htmlspecialchars() function: this converts certain characters to their html entities
Example: $name = htmlspecialchars($name);
▪ & becomes &amp;
▪ < becomes &lt;
▪ > becomes &gt;

Quote Style: you can add the quote style to the function call
▪ For example htmlspecialchars($name, ENT_QUOTES)
▪ ENT_QUOTES
▪ Single quotes ‘ become &#39;
▪ Double quotes “ become &quot;
▪ ENT_COMPAT only translates double quotes (not single quotes)
▪ Note, this is the default mode
▪ ENT_NOQUOTES neither single nor double quotes are translated

Page 13: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

The htmlentities() function works just like htmlspecialchars(), but all characters that have an html entity will be translated
In addition to the special characters, all special entities in a particular character set get translated
▪ © becomes &copy;
▪ / becomes &#47;
▪ Etc.

This renders all html tags useless, so links, nasty javascript, & other meanies can’t work

The quote style option is exactly the same as the htmlspecialchars() function

You also have a character set that you can pass to the function depending on what characters you want translated
Default will work just fine
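Added example, not from the slides: one constructed form value run through htmlspecialchars() in each of the three quote styles and through htmlentities(), then echoed inside a single-quoted attribute to show why the quote style matters. The value and the attribute markup are assumptions made for the demonstration.

```php
<?php
// Added example (not the course's code): compares the quote styles on one value.

function encodeAllStyles(string $input): array {
    // < > & are converted in every mode; the modes differ only on quotes:
    // ENT_COMPAT converts ", ENT_QUOTES converts ' and ", ENT_NOQUOTES converts neither.
    return [
        'ENT_COMPAT'   => htmlspecialchars($input, ENT_COMPAT, 'UTF-8'),
        'ENT_QUOTES'   => htmlspecialchars($input, ENT_QUOTES, 'UTF-8'),
        'ENT_NOQUOTES' => htmlspecialchars($input, ENT_NOQUOTES, 'UTF-8'),
        'htmlentities' => htmlentities($input, ENT_QUOTES, 'UTF-8'),
    ];
}

// Constructed form value: a single quote, a tag, double quotes and a ©.
$name = "O'Neil <b>bold</b> \"quoted\" © 2015";

foreach (encodeAllStyles($name) as $style => $encoded) {
    printf("%-13s %s\n", $style, $encoded);
}

// Why the quote style matters: when the value is echoed inside a
// single-quoted attribute, only ENT_QUOTES keeps the ' from ending it.
foreach (['ENT_COMPAT' => ENT_COMPAT, 'ENT_QUOTES' => ENT_QUOTES] as $style => $flag) {
    echo $style, ": <input type='text' value='",
         htmlspecialchars($name, $flag, 'UTF-8'), "'>\n";
}
```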

Page 14: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

Your form processor should make use of a variety of validation checks
Make sure no fields are empty
▪ Trim each variable with the trim() function
▪ Check to make sure they are not empty using the empty() function
Check the email format
▪ use the preg_match() function (see previous slide)
Check to make sure integers are indeed integers (if you are asking for a number)
▪ This isn’t necessary for the Feedback page
Sanitize your variables
▪ Use the htmlentities() function
▪ With databases, use the addslashes() function
▪ Note: for hopefully obvious reasons, don’t sanitize your email variable or it won’t work as an email (the preg_match() function did that)

Page 15: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

If there’s any problem with the form (it’s invalid)…
Notify the user which fields, if any, are empty
▪ Let the user know which fields were empty
Notify the user if the email is not in the correct format
Send the user back to the form

If there are no errors…
Notify the user that the form was submitted properly
Send the results using the mail() function
Send a confirmation email

Page 16: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

In order to write our form processor, we are going to create our own function to keep track of errors
Let’s call it “errorCheck()”

Goal: We want this function to…
▪ check to see if a field is empty
▪ check to see if the email field is in the incorrect format
▪ If either is the case, we want to add the field name to the list of errors
▪ return the list of errors

Page 17: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

When writing our own functions, we need to…
decide what it’s going to do
come up with a name
▪ errorCheck()
decide what information the function needs (this is called parameters)
▪ we need a list ($errors)
▪ we need a form field ($var)
▪ we need the name of the variable ($name)
▪ if a field is empty, how could we add it to the errors?
decide what information the function will produce
▪ return the list of errors using the return statement
write our code
capture the results through a function call
▪ create a variable that will receive the results of the function
▪ Formula: $variable = function($parameter1, $parameter2, etc.)
▪ $errors = errorCheck($errors, $_POST['name'], 'name');

Page 18: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

First of all, write your function definition before you call it
Before you call it, you need to have values to send to the function (called “arguments”)
Errors
▪ we need to create this variable first:
▪ $errors = array();
Each field
▪ these come from the form when you click the submit button
▪ $_POST['name']
Field name
▪ you will provide these in the form of a written out string
▪ 'name'

Page 19: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

Goal: use preg_match to check email format

Plan the function:
Receives:
▪ $email
Performs:
▪ regular expression check
Returns:
▪ false if it fails the test
▪ true if it passes the test

Call the function: Where is the best, most logical place to call the function?

Page 20: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

Goal: render all special characters that could run a command harmless

Plan the function:
Receives:
▪ Variable ($var)
Performs:
▪ Create a list ($pattern) of potentially harmful characters
▪ Create a list ($replacement) of html character entities
▪ Runs the preg_replace() function (http://us2.php.net/preg_replace)
Returns:
▪ Cleaned up variable

Call the function
Only call it if
▪ there are no empty variables AND
▪ the email format is correct
Call it
▪ after you printed the correct results
▪ Before you run the email function

Page 21: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

Make sure nothing is empty
Make sure the email works
If there are empty fields or the email is incorrect:
Notify user there was a problem with the form
If there are errors
▪ Display all empty fields
If the email is incorrect
▪ Notify the user that it’s incorrect
Include a link back to the form page
Else (no problems)
Notify the user it was a success
Sanitize all variables
Run the mail() function (http://us3.php.net/mail)
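Added example, not the course's own solution: a processor that follows the plans on slides 14 through 21, with errorCheck(), checkEmail() and sanitize() written out as the slides outline them. $_POST is filled with constructed values so the script runs from the command line, mail() is left commented out, and the form page name feedback.html is an assumption.

```php
<?php
// Added example (not the course's solution); constructed $_POST, mail() commented out.
function errorCheck(array $errors, $var, string $name): array {
    // trim() first: a field full of spaces is not empty() until the spaces go.
    // Note: empty() also treats the string "0" as empty; use === '' if 0 is a valid answer.
    if (empty(trim((string) $var))) {
        $errors[] = $name;
    }
    return $errors;
}

function checkEmail(string $email): bool {
    // The pattern from slide 11; preg_match() returns 1 on a match, else 0 or false.
    return preg_match('/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i', $email) === 1;
}

function sanitize(string $var): string {
    // Slide 20: characters that could run a command, and the entities replacing them.
    $pattern     = ['/&/', '/</', '/>/', '/"/', "/'/"];
    $replacement = ['&amp;', '&lt;', '&gt;', '&quot;', '&#39;'];
    return preg_replace($pattern, $replacement, $var);
}

// Constructed submission: a name made of spaces, a bad address, and some markup.
$_POST = ['name' => '   ', 'email' => 'not-an-address', 'comments' => '<b>Hi</b> & "bye"'];
$errors = [];
foreach (['name', 'email', 'comments'] as $field) {
    $errors = errorCheck($errors, $_POST[$field] ?? '', $field);
}
$emailOk = !in_array('email', $errors, true) && checkEmail(trim($_POST['email']));

if (!empty($errors) || !$emailOk) {
    echo "<p>There was a problem with the form.</p>\n";
    foreach ($errors as $field) {
        echo "<p>The $field field was empty.</p>\n";
    }
    if (!$emailOk && !in_array('email', $errors, true)) {
        echo "<p>There was a problem with your email address.</p>\n";
    }
    echo "<p><a href=\"feedback.html\">Back to the form</a></p>\n"; // assumed page name
} else {
    echo "<p>Your form was submitted successfully.</p>\n";
    $name     = sanitize(trim($_POST['name']));  // sanitize only after validation passes
    $comments = sanitize(trim($_POST['comments']));
    $email    = trim($_POST['email']);           // not sanitized (slide 14)
    // mail('you@example.com', 'Feedback form', "$name <$email>\n\n$comments");
    echo "Would mail: $name <$email>: $comments\n";
}
```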

Page 22: Stupid Browser Tricks with PHP and JavaScript By Chris Winikka

GENERAL CONCEPTS

Validation Concepts: Why validate? What validation includes. PHP v. JavaScript

Validation PHP Functions

Built-in Functions, User-defined Functions

PHP BUILT-IN FUNCTIONS

trim(), empty(), preg_match(), preg_replace(), htmlentities(), htmlspecialchars(), addslashes(), stripslashes(), mail()