PHP Chapter 9 (Security Issues)

PHP Security - Form Elements

If your forms have textboxes and text areas, you need to check the data that comes in before you send it back out to a browser. The reason is Cross-Site Scripting (XSS): if somebody types a script into one of your textboxes and your page echoes it back unchanged, the browser runs that script as though it were part of your site, and every other visitor who sees that page runs it too. Take this simple form as an example:
<html>
<head>
<title>Test Attack</title>
<?php
// Whatever was typed into the textbox is echoed straight back, unchanged.
// This is the vulnerable version the lesson is about.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $first_name = $_POST['first_name'];
    echo $first_name;
}
?>
</head>
<body>
<form method="post" action="testSecurity.php">
<input type="text" name="first_name" value="test name">
<input type="submit" name="Submit" value="Submit">
</form>
</body>
</html>
This form is one of the files you download. It can be found in the scripts folder and is called testSecurity.php.
Load it up and you'll see that it's just a textbox and a Submit button. Click the button, and you should see "test name" printed on the page.
Now, click inside the textbox and enter the following Javascript:
<SCRIPT>alert("Scary Script!")</SCRIPT>
Click the Submit button, and then watch what happens. You should see this (you need Javascript enabled in your browser):
(Screenshot: Security Form, the alert box appearing over the page)
It's just an alert box. But it could have been something worse: the same script could read the page's cookies, rewrite the form so that it posts to another server, or make requests in the visitor's name.
Another thing someone could do, especially if you have a forum, is to enter HTML directly into your textboxes. They could flood your forum with links to harmful or undesirable web sites. Try this as an example. Delete everything from your textbox, and enter this:
<A HREF ="nastysite">A Nasty Site</A>
When you click Submit this time, you should see the following:
(Screenshot: Security Form 2, the submitted link rendered as a live hyperlink)
This time, an HTML hyperlink displays above a comments text area. If that was your forum, guess where the link would be?
To stop this kind of thing happening, there are a number of techniques you can use. We'll explore them in the next few parts.

htmlspecialchars( )

You can use the inbuilt PHP function htmlspecialchars( ) to convert the characters that have a special meaning in HTML (the ampersand, the angle brackets, the double quote and, with the right flag, the single quote) into their entity codes, so that the browser displays them instead of interpreting them. (See the previous lesson for why you want to do this.) For example, take the following HTML tag:
<B>Bold text</B>
On a web page, that just gives you the words Bold text in bold. If it's entered into a textbox and echoed back without converting, the browser renders it as HTML; in other words, you get bold text rather than the tag. The same is true of this:
<A HREF ="nastysite">A Nasty Site</A>
This unconverted HTML turns into a hyperlink, because the browser treats anything between a left and right angle bracket as a tag. It renders the link and does NOT display the angle brackets themselves. If you actually wanted a left angle bracket to appear on your page, you'd use the HTML entity for that symbol:
&lt;
And this, essentially, is what the htmlspecialchars( ) function does: it turns the characters that make up HTML into their entity codes, so the browser shows them as plain text.
As an example, change your PHP script from the previous lesson from this:
$first_name = $_POST['first_name'];
echo $first_name;
to this:
$first_name = $_POST['first_name'];
$first_name = htmlspecialchars( $first_name );
echo $first_name;
Run your code again, and see what happens. You should see this display in the browser:
(Screenshot: Consequence of using htmlspecialchars, the link shown as literal text)
Now it's not treating the hyperlink as HTML; it's turning it into plain text.
The new line in the script is this:
$first_name = htmlspecialchars($first_name);
So in between the round brackets of htmlspecialchars( ) you type the name of the variable you want to convert to special characters. PHP takes care of the rest. Two details matter in practice. First, pass the flags ENT_QUOTES | ENT_SUBSTITUTE and the charset 'UTF-8' as the second and third arguments: before PHP 8.1 the default flags leave the single quote alone, which matters if the value ever lands inside a single-quoted attribute, and with the default flags an invalid byte sequence makes the function return an empty string rather than the text. Second, this conversion is right for text placed in the HTML of a page or in a quoted attribute; a value that ends up inside a JavaScript block or a URL needs the escaping rules for that context instead.

htmlentities( )

A function similar to htmlspecialchars( ) is htmlentities( ). Instead of the above, you can do this:
$first_name = $_POST['first_name'];
$first_name = htmlentities( $first_name );
echo $first_name;
The difference between the two is that htmlentities( ) converts every character that has a named HTML entity, so non-English characters such as French accents or the German umlaut come out as codes like &eacute; and &uuml;, whereas htmlspecialchars( ) converts only the handful of characters that HTML itself is built from. For stopping scripts and tags, the two are equally effective: a script in any language still relies on those same few characters to form a tag. Use htmlentities( ) when you need accented text to survive in a page that isn't served as UTF-8; otherwise htmlspecialchars( ) is the usual choice. With either function, pass the charset as the third argument (for example 'UTF-8') so that multibyte characters are handled correctly.
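The following is an added example, not code from the tutorial's download. It wraps htmlspecialchars( ) in a helper for the two places the form's value ends up (the visible page text and the textbox's value attribute) and shows htmlentities( ) beside it on the lesson's inputs. It assumes the page is served as UTF-8; the helper names e( ) and render( ) and the sample values are this example's own, constructed for the demonstration rather than taken from a real $_POST.

```php
<?php
// Added example: this is not code from the tutorial. It wraps
// htmlspecialchars() in a helper and shows it beside htmlentities() on the
// kinds of input the lesson describes. It assumes the page is served as
// UTF-8, and the "submitted" values below are constructed samples rather
// than a real $_POST.
declare(strict_types=1);

/**
 * Escape untrusted text for an HTML body or a quoted attribute value.
 * ENT_QUOTES also converts the single quote (before PHP 8.1 the default
 * flags leave it alone); ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD
 * instead of returning an empty string.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * The lesson's form, rendered with the submitted name echoed back in the two
 * places it lands: the visible page text and the textbox's value attribute.
 */
function render(string $first_name): string
{
    $safe = e($first_name);
    return "<p>You entered: {$safe}</p>\n"
         . "<input type=\"text\" name=\"first_name\" value=\"{$safe}\">\n";
}

// Constructed inputs: the lesson's two attacks, one that attacks the
// attribute instead of the page body, and plain accented text.
$samples = [
    '<SCRIPT>alert("Scary Script!")</SCRIPT>',
    '<A HREF ="nastysite">A Nasty Site</A>',
    '" onfocus="alert(1)" autofocus="',   // closes value="" without using < or >
    "Zo\u{EB} M\u{FC}ller",                // ë and ü
];

foreach ($samples as $s) {
    echo "input:            {$s}\n";
    echo "htmlspecialchars: " . e($s) . "\n";
    echo "htmlentities:     " . htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n\n";
}

echo render($samples[2]);
```

Run it with php from the command line. The script and link samples come out identically from both functions, with every angle bracket turned into an entity. The third sample is the one the lesson's own form doesn't exercise: it never uses an angle bracket, but left unescaped it would close the value="" attribute and add an event handler to the textbox; after e( ) the double quote is &quot; and the attribute stays closed. The last sample is where the two functions differ: htmlentities( ) writes the accented letters as &euml; and &uuml;, htmlspecialchars( ) leaves them as they are.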
Now we'll see how to strip HTML tags altogether.

PHP strip_tags

A third security option for your HTML forms is to use the strip_tags( ) function. (See the previous lessons for why you want to do this.) It will, as its name suggests, strip all HTML and PHP tags for you. You can, however, give it a list of tags you consider harmless, which it will leave in. Here's the syntax:
strip_tags( $string, $allowed_tags )
So the first thing you need to provide the strip_tags( ) function with is the string of text you're trying to check. The second thing, $allowed_tags, is optional. If you leave this off then the function will strip all tags. Here are two examples to try:
$first_name = $_POST['first_name'];
$first_name = strip_tags( $first_name );
echo $first_name;
The new line is set up to strip all HTML from the variable called $first_name. When the script is run, it will look like this:
(Screenshot: Using strip_tags, only the link's text remains)
As you can see, only the text of the HTML is left: A Nasty Site.
If it would be OK for people to enter things like bold text or italics, then you'd set up the function like this:
$first_name = $_POST['first_name'];
$first_name = strip_tags( $first_name, "<B>" );
echo $first_name;
So the HTML you want to include goes after a comma, and between quote marks. In the code above, we're allowing the HTML bold tag through. Here's what the text area, and the result, look like:
Before clicking Submit:
(Screenshot: strip_tags example 2, the text area containing the bold tag)
After clicking Submit:
(Screenshot: strip_tags example 3, the same text displayed in bold)
So the HTML in the first picture has been allowed through. In the second picture, you can see that the text is now in bold.
One warning before you rely on this: strip_tags( ) leaves the attributes on any tag you allow exactly as they were, so with "<B>" allowed, a value such as <B onmouseover="alert(1)">text</B> passes straight through and the script runs when the mouse moves over the text. The function also doesn't parse HTML the way a browser does, so it should not be your only line of defence for output. Treat escaping with htmlspecialchars( ) as the rule, and use strip_tags( ) for tidying text that you are going to escape anyway.
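The following is an added example, not code from the tutorial. It shows the gap left by strip_tags( ) with an allowed tag, and one way to permit bold text that cannot carry an attribute along with it: escape everything first, then turn only the exact escaped forms of <b> and </b> back into tags. The function name allow_bold( ) and the attacker input are this example's own, constructed for the demonstration.

```php
<?php
// Added example: not code from the tutorial. It shows the gap in
// strip_tags() with an allow-list and one way to permit <b> safely.
// The attacker input is constructed for the demonstration.
declare(strict_types=1);

// An allowed tag carrying an event handler, plus a script tag.
$input = '<b onmouseover="alert(1)">A Nasty Site</b> <script>alert(2)</script>';

// strip_tags() removes the <script> tags (the text between them stays) but
// hands the allowed <b> back with its onmouseover attribute intact.
$stripped = strip_tags($input, '<b>');

/**
 * Permit bold and nothing else: escape everything, then turn only the exact
 * escaped forms of <b> and </b> back into tags. A literal "&lt;b&gt;" typed
 * by the user is escaped to "&amp;lt;b&amp;gt;" first, so it cannot collide
 * with the replacement, and no attribute can ride along on the tag.
 */
function allow_bold(string $untrusted): string
{
    $escaped = htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return str_ireplace(['&lt;b&gt;', '&lt;/b&gt;'], ['<b>', '</b>'], $escaped);
}

echo "strip_tags: {$stripped}\n";
echo "allow_bold: " . allow_bold($input) . "\n";
echo "allow_bold: " . allow_bold('<b>Just bold</b>, and 1 < 2') . "\n";
```

In the first line of output the onmouseover attribute is still there, ready to run. In the second line there is no live tag at all, because the attacker's <b> had an attribute and so was never the exact string the replacement looks for. The third line keeps the bold tag and shows the comparison as text. A user can still type an unclosed <b> and make the rest of the page bold, which is a layout nuisance rather than a script attack; if that matters, balance the tags or use a proper HTML sanitising library.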
Summary
When you have text coming from a form, you should always use a security technique before sending it back out to the browser, and the dependable one is converting it with htmlspecialchars( ) at the point where it is output. However, it's naïve to think we can thwart every attack, and a determined and skilful hacker could probably defeat you. But if you take sensible security measures, you should be able to defend yourself against most attacks. It's well worth doing more research on the subject: search Google for the phrase PHP Security.
In the next section, we'll take a look at opening and working with files in PHP.
