Question

I've been reading about form spoofing and just couldn't understand why it is so important to prevent it when we can ensure that the passed value(s) are properly validated. Perhaps I'm missing something here, but here's an example:

example.org/form.html:

<form method="post" action="post.php">
    <input type="text" name="content" value="something">
    <input type="submit" name="post" value="Post">
</form>

example.org/post.php:

<?php
if (isset($_POST['content']))
{
    $content = filter_var($_POST['content'], FILTER_SANITIZE_STRING);
    //use $content as a sanitized variable, pass it to a database, etc.
}

A malicious user could simply change the input field in form.html to, for example, <textarea name="content">something here</textarea>, but how does that affect anything? We ensure that the tags are stripped from the string in the post.php script anyway.

So here's my question: is it safe to assume that, with proper input validation, PHP form spoofing should be of little to no danger in terms of security? What else could the malicious user pass to the script with the name="content" attribute (besides textarea, select and all other tags) that could effectively cripple the database or something? Because if there's nothing else they can do, why use tokens?
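
The point the question is circling is that form.html is not a control at all: the request is built by whoever sends it, so every rule the form implies (which options a select offers, a maxlength, which fields exist) has to be enforced again on the server. Sanitizing is also not the same as validating: FILTER_SANITIZE_STRING only strips tags (and has been deprecated since PHP 8.1), so a spoofed value such as an option the select never offered, an oversized string, or an array where a string was expected passes straight through it. The handler below is an added example, not code from the question; the fields plan and qty, the limits, and the function validate_post() are assumptions introduced here to show the pattern, and the request arrays at the bottom are constructed.

```php
<?php
// Added example, not from the original question. Assumes PHP 7.1+.
// The handler is written as if the request came from the attacker, not
// from form.html: every constraint the form implies is re-checked here.
declare(strict_types=1);

const ALLOWED_PLANS = ['free', 'pro']; // assumed: the <select name="plan"> offers only these
const CONTENT_MAX   = 280;             // assumed: form has maxlength="280"; that is advisory only

/**
 * Validate a spoofable POST body. Returns ['ok' => true, 'data' => [...]]
 * or ['ok' => false, 'errors' => [...]]. $post is passed in instead of
 * reading $_POST so the function can be exercised offline.
 */
function validate_post(array $post): array
{
    $errors = [];

    // 1. Presence and type: a spoofed request can send content[]=x (an array)
    //    or omit the field. isset() alone does not catch the array case.
    if (!isset($post['content']) || !is_string($post['content'])) {
        $errors[] = 'content must be a string';
    } else {
        // 2. Sanitizing is not validating: tag stripping says nothing about
        //    length or control bytes, so enforce those explicitly.
        $content = $post['content'];
        if ($content === '' || strlen($content) > CONTENT_MAX) {
            $errors[] = 'content length out of range';
        } elseif (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $content)) {
            $errors[] = 'content contains control characters';
        }
    }

    // 3. Allow-list: the attacker can replace the <select> with any value.
    if (!isset($post['plan']) || !is_string($post['plan'])
        || !in_array($post['plan'], ALLOWED_PLANS, true)) {
        $errors[] = 'plan is not one of the offered options';
    }

    // 4. Numeric fields: validate rather than sanitize. "12abc" and "1e3"
    //    are rejected, "2" becomes the integer 2.
    $qty = isset($post['qty']) && is_string($post['qty'])
        ? filter_var($post['qty'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1, 'max_range' => 100]])
        : false;
    if ($qty === false) {
        $errors[] = 'qty must be an integer between 1 and 100';
    }

    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    // 5. Unknown fields: a spoofed form may add is_admin=1 or price=0.01.
    //    Never copy $_POST wholesale into a model; copy only known keys.
    return ['ok' => true, 'data' => [
        'content' => $post['content'], 'plan' => $post['plan'], 'qty' => $qty,
    ]];
}

// Constructed requests: what form.html would send, and what a spoofed form sends.
$legit   = ['content' => 'something', 'plan' => 'pro', 'qty' => '2', 'post' => 'Post'];
$spoofed = ['content' => ['x'], 'plan' => 'admin', 'qty' => '1e3', 'is_admin' => '1'];

print_r(validate_post($legit));   // ok => true, data holds only the three known keys
print_r(validate_post($spoofed)); // ok => false, three errors; is_admin is never looked at
```

Note that the spoofed request in the example is rejected for reasons that have nothing to do with HTML tags: FILTER_SANITIZE_STRING would have accepted "admin" and "1e3" unchanged, and would have warned on the array. Whether tokens are needed on top of this is the separate question the answers below take up; validation controls what a value may be, not who sent the request.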


Solution 2

Forms in particular open up several attack vectors.

1) SQL injection attack

Unvalidated data can contain SQL code, which can modify data, drop data or read data (depending on the application) within your whole database.

2) cross-site request forgery (XSRF)

If you do not make sure that the data you receive actually comes from your site (i.e. with a session-persisted token), other sites can copy your web page and act as a proxy for all requests.

The reason for doing this is that they can then make copies of the transmitted data. This can be used for phishing, for example.

3) cross-site script injection

Even if the data itself does no harm to your database and comes from your website, the input can contain JavaScript, which will be executed every time the content is displayed on your site (typically this can be tested with alert(1) or similar).

This can be prevented by stripping JavaScript away.
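
The three vectors above each have a standard server-side control, and the question's worry about the "content" field is a good place to show all three together: a per-session secret token that a third-party page cannot read (2), a prepared statement so user bytes are never parsed as SQL (1), and output encoding rather than input stripping for the HTML context the value ends up in (3). The block below is an added example and not the answerer's code; it assumes PHP 7+ with PDO and the pdo_sqlite extension, uses an in-memory SQLite table so it runs offline, and passes the session around as a plain array (standing in for $_SESSION) so the functions can be called without a web server. The function names, the posts table and the request arrays at the bottom are all constructed for the example.

```php
<?php
// Added example, not part of the original answer. Assumes PHP 7+ with pdo_sqlite.
declare(strict_types=1);

// --- 2) XSRF: a per-session secret the attacker's page cannot read ---------
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session['csrf']; // emit this in <input type="hidden" name="csrf">
}

function csrf_check(array $session, array $post): bool
{
    // hash_equals() compares in constant time, so the token cannot be
    // recovered byte by byte from response timing.
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// --- 1) SQL injection: the query text never contains the user's bytes -------
function store_content(PDO $db, string $content): int
{
    $stmt = $db->prepare('INSERT INTO posts (content) VALUES (:content)');
    $stmt->execute([':content' => $content]); // bound as data, not concatenated
    return (int) $db->lastInsertId();
}

// --- 3) XSS: encode at output time for the context the value lands in -------
function render_content(string $content): string
{
    // Stripping <script> on input misses "<img src=x onerror=alert(1)>",
    // javascript: URLs and attribute breakouts; escaping on output does not.
    return '<p>' . htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

function handle_post(PDO $db, array &$session, array $post): array
{
    if (!csrf_check($session, $post)) {
        return ['status' => 403, 'body' => 'bad or missing CSRF token'];
    }
    if (!isset($post['content']) || !is_string($post['content'])) {
        return ['status' => 400, 'body' => 'content required'];
    }
    store_content($db, $post['content']);
    return ['status' => 200, 'body' => render_content($post['content'])];
}

// ---- constructed walk-through ---------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, content TEXT NOT NULL)');

$session = [];
$token   = csrf_token($session);

// A form hosted on another site can POST content, but it cannot know $token:
$forged = ['content' => 'hi', 'csrf' => 'guess'];
var_dump(handle_post($db, $session, $forged)['status']);        // int(403)

// A genuine submission carrying the token, with both an SQL and an HTML payload:
$payload = "x'); DROP TABLE posts; --<script>alert(1)</script>";
$resp = handle_post($db, $session, ['content' => $payload, 'csrf' => $token]);
var_dump($resp['status']);                                        // int(200)
echo $resp['body'], PHP_EOL;                                      // tags arrive entity-encoded
var_dump($db->query('SELECT COUNT(*) FROM posts')->fetchColumn()); // "1": table intact, row stored verbatim
```

Two practical points the walk-through makes visible: the payload is stored exactly as typed and only neutralised when rendered, so the same row can later be emitted safely into a JSON or attribute context with the encoder for that context; and the token check happens before any validation, because a forged request with perfectly valid field values is still a forged request.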

OTHER TIPS

The danger is if you are using any of the $_POST content in something like a SQL query (SQL injection), or putting the input directly into an exec(...) call (not good practice anyway), etc. As long as you are cleaning the input (validation / scrubbing) there is no danger. The key rule is:

Never trust input from a user.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow