2.2 Basic Security Considerations
Let's just come right out and say it: you should never trust the data that is sent from the user to your app. It is your job as a developer to make sure that your application continues to run successfully, and it's up to you to keep yourself, your company, and your users safe. In this lesson, I'll give you some of the basics of securing your PHP form-handling code.
1.Introduction3 lessons, 15:15
2.Handling Form Data5 lessons, 36:42
3.Conclusion1 lesson, 01:21
2.2 Basic Security Considerations
Now that you know how to handle the data from a form post in PHP. The very next thing that I always want you to start thinking of is security, security, security. Now, the best thing that you can possibly do is to really never trust your end user. I know that sounds kind of harsh but it's really the reality of the world that we live in. So you always wanna practice defensive programming whenever possible. And anytime when you are allowing input from a user on the front end to send data to you, you always have to be incredibly careful. There's two things right now that I know are going to be wrong with this particular page. The first thing is, we are just kind of leaving everything open as far as the data that's being sent in. And then we're just displaying it on the page. Now, yes, before I just entered in some data like maybe I entered in my name, Derek, and then hit Submit, and we see that. And because we're actually just echoing this out on the screen, what we're actually doing is we're taking whatever the user is putting in here and putting it on the screen. Well, that's fine if they're being nice. But what if they're not being nice? What if they're doing something a little bit more malicious. And say, maybe they're going to enter in the comment box here a script tag, something that says, alerts, and end the script like that. What happens if we were to submit this right now? Well, I'm gonna hit Submit, and you're gonna see we're gonna get an error. Now, depending on what browser you're using and the version of that browser, a lot of the later versions will just show you errors or will kind of like skip over that because they're trying to help protect you. But you really can't rely on the browser, so you either gonna see something like this where it says this page isn't working, and Chrome detected unusual code. And you're gonna see this error code at the bottom, ERR_BLOCKED_BY_XSS_AUDITOR. So there's actually something running in chrome that's making sure that there is no really any bad input being injected into your page from the end user. So, you might either see this or because of what I typed in here, I typed in a script tag. If you have an older version that maybe doesn't have that cross site scripting auditor or maybe you've disabled it, you will probably get a pop-up. A little alert box that says and you might say, well, why is that a big deal? Well, it's a big deal because that means this page is susceptible to cross site scripting. And just because all I'm doing right now is showing an alert box, doesn't mean that somebody that has much more malicious intent can't inject some other bad code in here. That's either going to send your data over to another website. So maybe if this was a login page or I'm sending in personally identifiable information, they can be bundling that information up, and using a script, sending it somewhere else. And now all of a sudden, your users email addresses and passwords or credit card information or whatever can be sent to other sites, as well as a whole slew of other bad things. So you really wanna make sure that whenever you’re dealing with data on your website, just like this, that you do whatever you can to protect yourself, your end users, and your application. So how do we protect ourselves in this case? Well, the way that we do that is we simply have to make sure that when somebody sends in data, we are kind of cleaning it up a little bit, so that it's not going to be executed as script like that. So, the way that we're gonna handle that is when we are getting this information up here, we're gonna use a special function called HTML special characters. Now what this does is it's going to go ahead and remove any sort of HTML kind of special characters, open and close angle brackets, things like these, greater than and less than signs. Things that are HTML special characters, it's going to get removed. So, let's go ahead and copy this, and we'll go ahead and put these on all three pieces of our data here. And go ahead and save that. So now if I save this, and I just go back to my index page, and I try that same trick again. I can say, script, alert, hello, and let's go ahead and close this off, script. Now if I hit Submit, it's actually going to submit it through and we just get the data down here and we lose that problem. So, really what this is doing is it's converting that information, that HTML, those script tags that are coming into the application and being processed. It's stripping all of that out and it's really just making it raw text. So, you can feel fairly confident in displaying it. And not actually running any extra code that you don't want to. Now, there's a second spot in our code right now that's gonna be problematic that people with malicious intent can start to exploit. And that's this little guy right here, where we're actually trying to be clever to save ourselves some work later on when we are defining this action. And we are using this super global to figure out where we are right now. Now there is another trick that some hackers or whatever you want to call them, can take advantage of and be able to run scripts on your page again. So, really at this point, we wanna do a similar thing where we are using this alert. But this time, we have to be a little bit more crafty. So really, what's happening here? Like I said, this is looking for whatever page you are on right now. And if everything goes according to plan, it's just index.php. Now I wanna show you how a malicious user can take advantage of this. So, if I were to put some additional information on here like say, /hello, or something like that. This is gonna execute, but if I go ahead and I look at the page source, you're gonna see that it appended that on the end of the action here. Well, if I got a little crafty and maybe ended this form begin element a little bit early, and added some additional information onto the end of this. Say, another script tag, I could go into a URL encoder/decoder and I could maybe throw this in there. So I want to stick this on the end of that URL. So as you can see, I'm going to close off that open form tag a little early and then stick a script in there. So if I were to go to URL encoder site and just put this in here. I can encode that, and it's gonna give me this gobbledygook, and I am going to go ahead and copy that. If i were to come over back to my form here, and simply put this on the end of it, paste it in there, and hit return. You're gonna see once again that we have a bit of a problem here. So if I come in here and take a look at View Page Source, this is the problem right here. So what I wound up doing was I encoded this and I closed off this form a little early and then threw the script on the end here. And so once again, Chrome was trying to help me protect myself from myself. But as you can see, this is another problem. So how do we fix that? Well, once again, we do the same thing that we did before, and we're simply gonna say, HTML special characters, we're gonna use that function again. Just like that, we'll go ahead and save. So, let's come back here again, and let's refresh the page. And it goes right back, so once again, this is getting tossed in here but we're not executing any code. And everything should seem to work okay from that point on. So now, these are just a couple of little tricks to make sure that you're handling the input from the end user in a more secure fashion. So, HTML special characters is going to be your friend, anytime you are dealing with forms, when you are retrieving data from the end user, and hopefully wanting to display it back to them on your page.