
Better security measures for php forms?


malakiahs

I have a form that, after it is filled out and submitted, redirects the user to another page where the form is displayed.

 

The way I'm doing this is by inserting the values into the database first and then pulling them back out of the database to display the array on the redirected page.

 

So that no one else sees other users' information, I am using a unique and encrypted token and storing it in both a SESSION value and the database; I create this token and assign it to the session variable only if there are no errors in the form. In addition, I'm picking up the insert ID and storing it as a session value as well.

 

Before displaying anything on the next page, where the user is redirected to, it checks for the SESSION token; otherwise the user is redirected to the previous page.

 

On the next page, when I need to select the values from the database, I include in my select query something such as "SELECT * FROM table WHERE token = '$_SESSION['token']' AND form_id = '$_SESSION['form_id']' LIMIT 1" (please note that this might not be the right syntax for the query; it is just the gist of it).

 

Now, my questions!

 

Is this secure enough to prevent anyone from trying to see someone else's information? I'm afraid that with the current method it might be vulnerable to an SQL injection, even though I'm using a prepared mysql statement, which sanitizes all the input.

 

Or should I use method 2,

Which is to store all the information of the user from the form into the SESSION array and display the values of the session, instead of fetching the values from the database.

 

Or is there a different way of doing this?

 

Any comments, will be greatly appreciated.

Thank you in advance for your time and help.

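An added example (not malakiahs's code) of the flow described in the post above, written against PDO with prepared statements: insert the validated fields, mint a random token, remember the token and the insert ID in the session, then on the receipt page select by both the ID and the token. The table name `submissions`, the column names, the field names and the DSN/credentials are assumptions for illustration.

```php
<?php
// Added example: "insert, then re-read by session token" with PDO prepared statements.
// Table `submissions`, its columns, the field names and the DSN are assumptions.
declare(strict_types=1);

session_start();

function db(): PDO
{
    // ERRMODE_EXCEPTION so a failed insert cannot silently leave the session half-set;
    // EMULATE_PREPARES off so placeholders are bound by the server, not interpolated.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Step 1 (submit handler): validate, insert, mint a token, remember both in the session.
function storeSubmission(PDO $pdo, array $fields): void
{
    foreach (['first_name', 'last_name'] as $f) {
        // Same idea as the preg_match whitelist in the thread: letters, digits, spaces only.
        if (!isset($fields[$f]) || !preg_match('/^[A-Za-z0-9 ]{1,60}$/', $fields[$f])) {
            throw new InvalidArgumentException("bad value for $f");
        }
    }
    // 32 random bytes -> 64 hex chars. random_bytes() is a CSPRNG; the token only needs
    // to be unguessable, it does not need to be "encrypted".
    $token = bin2hex(random_bytes(32));

    $stmt = $pdo->prepare(
        'INSERT INTO submissions (first_name, last_name, token) VALUES (:first, :last, :token)'
    );
    $stmt->execute([
        ':first' => $fields['first_name'],
        ':last'  => $fields['last_name'],
        ':token' => $token,
    ]);

    // Only touch the session after the insert succeeded; fresh session id against fixation.
    session_regenerate_id(true);
    $_SESSION['form_id'] = (int) $pdo->lastInsertId();
    $_SESSION['token']   = $token;
}

// Step 2 (receipt page): refuse without a session token, then select by BOTH id and token,
// so a guessed or incremented id alone never returns another user's row.
function fetchOwnSubmission(PDO $pdo): ?array
{
    if (empty($_SESSION['token']) || empty($_SESSION['form_id'])) {
        return null; // caller redirects back to the form
    }
    $stmt = $pdo->prepare(
        'SELECT id, first_name, last_name FROM submissions WHERE id = :id AND token = :token LIMIT 1'
    );
    $stmt->execute([':id' => $_SESSION['form_id'], ':token' => $_SESSION['token']]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// SQL escaping and HTML escaping are separate problems: escape on the way out too.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage sketch, two requests (paths are assumptions):
// POST /submit.php
//   storeSubmission(db(), $_POST); header('Location: /receipt.php'); exit;
// GET /receipt.php
//   $row = fetchOwnSubmission(db());
//   if ($row === null) { header('Location: /form.php'); exit; }
//   echo '<p>' . h($row['first_name']) . ' ' . h($row['last_name']) . '</p>';
//   unset($_SESSION['token'], $_SESSION['form_id']); // one-shot receipt
```

Two things the example is careful about that the post's gist leaves open: the token is never read from the request (only from the session), so there is nothing for a second user to inject or guess, and the placeholders are bound rather than interpolated, so the session values never reach the SQL text at all. The token does not protect against someone who steals the session cookie itself; `session_regenerate_id(true)` and a cookie flagged HttpOnly/Secure are the usual mitigations there.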

The man just filled out your form. He's looking at the information. He knows what that information is. Why do you have to show it to him again?

 

The main thing here is sanitizing the input before you put it into your database.

Things to read

http://php.net/manual/en/security.database.sql-injection.php

http://www.readwriteweb.com/hack/2010/09/php-security-sanitizing-string.php

http://net.tutsplus.com/tutorials/php/sanitize-and-validate-data-with-php-filters/

 

Hope these help you.

PS you can still repost the form info to him if you want, the way you said, select from the db.


They need to be able to print what was submitted for verification purposes.

 

This form does not require the use of apostrophes, so I'm doing a preg_match of only letters and numbers on every input, and not allowing the form to go through if there is an apostrophe. I am also using a prepared statement for mysql, which will take care of the sanitization if an apostrophe were to slip through.

 

What I'm worried about is data being crossed from person to person if two forms were submitted at the same time, or someone hacking the page where I'm displaying back the input that the user submitted and seeing other users' information.


Sessions are unique to each user and because they are unrelated to any other user there is no chance of a mix-up, regardless of whether multiple users submit the information at the same time. If I were you, I would call a session destroy after the information is displayed back to the user, just in case. If you have no need to store their information, then just use sessions instead of using the database. In that case, you can't rely on prepared statements to do the sanitizing for you.


Or should I use method 2,

Which is to store all the information of the user from the form into the SESSION array and display the values of the session, instead of fetching the values from the database.

 

I would do that. Just shove $_POST into your session under a key, then pull the values out of there. That way there is no way for a user to access anything other than what they submitted.

 

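An added example (not the replier's code) of the session-only variant suggested above: keep a copy of the validated submission under one session key, render the receipt from that copy so the receipt page never looks anything up by a user-supplied identifier, and drop the copy once it has been read. The field names and paths are assumptions; the database insert for the admin side is left out because it is unchanged by this choice.

```php
<?php
// Added example: receipt rendered from $_SESSION instead of a SELECT.
// Field names and paths are assumptions.
declare(strict_types=1);

session_start();

const RECEIPT_FIELDS = ['first_name', 'last_name', 'reference'];

// Submit handler: validate each expected field, store a copy under one key, redirect.
// Only whitelisted keys are copied, not $_POST wholesale, so unexpected fields never
// reach the session or the receipt.
function rememberSubmission(array $post): void
{
    $clean = [];
    foreach (RECEIPT_FIELDS as $f) {
        $v = $post[$f] ?? '';
        if (!preg_match('/^[A-Za-z0-9 ]{1,60}$/', $v)) {
            throw new InvalidArgumentException("bad value for $f");
        }
        $clean[$f] = $v;
    }
    // (prepared INSERT for the admin listing would go here; omitted)
    session_regenerate_id(true);
    $_SESSION['receipt'] = $clean;
}

// Receipt page: read the copy once, then remove it, so a later visit to the same URL
// (or the same browser left open) shows nothing.
function takeReceipt(): ?array
{
    if (!isset($_SESSION['receipt']) || !is_array($_SESSION['receipt'])) {
        return null;
    }
    $r = $_SESSION['receipt'];
    unset($_SESSION['receipt']);
    return $r;
}

// Values from the session are still the user's own input: escape them for HTML.
// This is the "prepared statements will not do it for you" part of the reply above.
function renderReceipt(array $r): string
{
    $html = '<dl>';
    foreach ($r as $k => $v) {
        $html .= '<dt>' . htmlspecialchars($k, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</dt>'
               . '<dd>' . htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</dd>';
    }
    return $html . '</dl>';
}

// Usage sketch (paths are assumptions):
// POST /submit.php
//   rememberSubmission($_POST); header('Location: /receipt.php'); exit;
// GET /receipt.php
//   $r = takeReceipt();
//   if ($r === null) { header('Location: /form.php'); exit; }
//   echo renderReceipt($r);
```

The one-shot `takeReceipt()` follows the earlier suggestion to clear the session after display; if users need to reload the receipt page to print it, keep the key until they explicitly leave the page, and clear it then instead.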

Sessions are unique to each user and because they are unrelated to any other user there is no chance of a mix-up, regardless of whether multiple users submit the information at the same time. If I were you, I would call a session destroy after the information is displayed back to the user, just in case. If you have no need to store their information, then just use sessions instead of using the database. In that case, you can't rely on prepared statements to do the sanitizing for you.

 

Thank you for your reply. I forgot to mention that there is an administrative side to this form, where the administrators log in to get a list of all the forms that have been submitted. They have to see all the data of each form when they click on it. Therefore, I still have to store the information somewhere for later retrieval. I don't have a problem with this phase since I will be using the auto-number key to retrieve the data from the forms submitted.

 

What worries me is finding out what the best method is to display the user's data back so that he can print it. I still have to store the information in a database; I can't get around that.

 

What puzzles me is which is the better method: to retrieve the information from the database and display it to the user, or to store the information in his session and not worry about pulling the records from the database?


I would do that. Just shove $_POST into your session under a key, then pull the values out of there. That way there is no way for a user to access anything other than what they submitted.

 

Thank you for your reply. That's what I am afraid of: users being able to see other information if I do a fetch from the database and then display it. Now, is it possible for the $_SESSION variable to hold that much data for hundreds of users?
