Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Web application security
1. Preventing Multiple
Submissions
Pengaturcaraan PHP
Pengaturcaraan PHP
More Secure Form Validation
The golden rule of validating any data received by a PHP page is to
assume that it's invalid until it passes the right tests indicating
otherwise. At a bare minimum, you should
Use the superglobals (e.g., $_POST['name']) rather than the
registered globals ($name).
Check text, password, and text area form inputs for values using
empty().
Check other form inputs for values using isset().
1
2. Pengaturcaraan PHP
A better way to validate
data is to see if it conforms
to a certain type (like an
integer). An even more
exacting method of form
validation requires the use
of regular expressions. You
can also use JavaScript to
perform basic validation on
the client (within the Web
browser) before the data is
sent to the server.
Pengaturcaraan PHP
A common question I see is how to prevent someone from submitting the
same form multiple times. Whether a user repeatedly submits a form on
accident or on purpose, such occurrences can be a minor nuisance or a
major problem for your Web site. There are many different ways to
prevent multiple submissions, and I'll discuss two options here.
2
3. Pengaturcaraan PHP
First, if you are already using sessions, an easy solution is to create a
session variable indicating whether a specific form has been submitted or
not.
Pengaturcaraan PHP
The premise is this: a generated identifier will be stored in the HTML form
(as a hidden input). This value will be inserted into the database along with
the other submitted information. To prevent repeated submissions, this
identifier can be stored in the database only once. A user wishing to submit
the form again will have to reload the HTML form so that another unique
identifier is created
3
7. Pengaturcaraan PHP
Step 2
After the initial PHP tag, define what form inputs are expected.
Pengaturcaraan PHP
Step 3
Assign the received variable names to a new array.
7
8. Pengaturcaraan PHP
Step 4
Create a conditional that checks if the two arrays are the same.
Pengaturcaraan PHP
Step 5
After the mysql_close() line, complete the $allowed == $received
conditional
8
10. Pengaturcaraan PHP
For the most part, form validation is rather minimal, often just
checking if a variable has any value at all. In many situations, this
really is the best you can do.
Pengaturcaraan PHP
PHP supports many types of data: strings, numbers (integers and floats),
arrays, and so on. For each of these, there's a specific function that checks if a
variable is of that type. You may already be familiar with the is_numeric()
function, and is_array() is a great for confirming a variable's type before
attempting to use it in a foreach loop.
Function Checks For
is_array() Arrays
is_bool() Booleans (TRUE, FALSE)
is_float() Floating-point numbers
is_int() Integers
is_null() NULLs
is_numeric() Numeric values, even as a string (e.g., "20")
is_resource() Resources, like a database connection
is_scalar() Scalar (single-valued) variables
is_string() Strings
10
11. Pengaturcaraan PHP
Step 3
Cast all the variables to a specific type.
JavaScript Form
Validation
Pengaturcaraan PHP
11
12. Pengaturcaraan PHP
JavaScript is not a true security
measure in itself, but rather an
added level of security and a
convenience to your users. Because
JavaScript is a client-side technology
(whereas PHP is server-side),
incorporating it into your pages can
save users the hassle of having to
send the form data back to the
server before seeing if there are
problems.
Instead, you can use JavaScript to
immediately run through some tests
and then, if the data passes, send
the form information along to PHP.
Pengaturcaraan PHP
12
13. Pengaturcaraan PHP
Step 2
Create a JavaScript section and begin a function
Pengaturcaraan PHP
Step 3
Validate that the user entered a name.
13
14. Pengaturcaraan PHP
Step 4
Repeat the process for
the email address and
the URL.
Pengaturcaraan PHP
Step 5
Validate that a URL category was selected.
14
15. Pengaturcaraan PHP
Step 7
Complete the HTML head, begin the body, and start the form.
Pengaturcaraan PHP
Alternatively, you can check for empty fields by seeing if their length —
the number of characters entered — is less than or equal to 0. The code
would be:
15
16. Database Security and
Encryption
Pengaturcaraan PHP
Pengaturcaraan PHP
Encryption
MySQL has several encryption and decryption functions built into the
software. You should be familiar with the SHA() function, which is often used
to encrypt passwords stored in a database. Another function, ENCRYPT(),
is like SHA() in that it encrypts a string but differs in that you can add a salt
parameter to help randomize the encryption process.
16
17. Pengaturcaraan PHP
Both the SHA() and ENCRYPT() functions create an encrypted string that
cannot be decrypted. This is a great safety feature because it means that
stored information cannot be retrieved in readable form.
Pengaturcaraan PHP
If you require data to be stored in an encrypted form that can be decrypted,
you'll need to use either ENCODE() and DECODE() or AES_ENCRYPT()
and AES_DECRYPT(). These functions also take a salt argument, which
helps to randomize the encryption.
17
18. Pengaturcaraan PHP
Pengaturcaraan PHP
While using ENCRYPT() and DECRYPT() can add a level of security to
your Web applications by encrypting and decrypting sensitive data, there's
still room for improvement. For starters, the AES_ENCRYPT() function is a
more secure option and is recommend if you are using MySQL 4.0.2 or
later. Its syntax is the same as that of the ENCODE() function:
18