Hi,

How do I do a PHP security check for user input fields and user input treatment (please, if you can, solve examples 1+2)?

Example 1: check if the user inserted a URL or something else:

<label>url: </label>
<input type="text">

Example 2: check if the user inserted HTML or something else:

<label>paste html: </label>
<textarea></textarea>

thanks

+2  A: 

Use regex to validate your input.

See:

http://www.webcheatsheet.com/php/regular_expressions.php

http://articles.sitepoint.com/article/regular-expressions-php

http://www.roscripts.com/PHP_regular_expressions_examples-136.html

http://regular-expressions.info

Starx
Not only should nobody ever, under any circumstances, attempt to validate or parse HTML/XML using regular expressions, I can't believe you missed http://www.regular-expressions.info/
Kris
@Kris, included, thanks
Starx
@Kris - OK... why not?
Jack Webb-Heller
@Jack, because it is very widely regarded as a very bad idea. XML/HTML is not just text, and parsing XML/HTML with regex is slow, and unless you are a rockstar regex expert, your regex is going to suck. For simpler text, though, regex is the shizzle.
Kris
@Jack: recursive encapsulation, a ton of tags, a ton of attributes ... and the code needs to be maintainable.
h3xStream
+2  A: 

For string filtering/validation we use RegExp, and for HTML filtering/validation we use the DOM extension.

Anpher
You should provide a regex (it's easy to make a broken one). / Do you have any code sample of validation using the DOM API? This seems ambitious.
h3xStream
A: 

1. For the validation of URLs:

$validUrl = strpos($url, "http://") === 0;
if(!$validUrl) $url = "http://".$url;

When the link is returned to the user, use htmlentities().

2. For the validation of HTML code, use a lib like http://htmlpurifier.org/.

<?php
require_once 'htmlpurifier/HTMLPurifier.auto.php';

$purifier = new HTMLPurifier();
$clean_html = $purifier->purify($_GET['dirty_html']);
echo $clean_html;
?>

With the input:

<img src="test.gif" onload="alert('xss')"/>

The result is:

<img src="test.gif" alt="test.gif" />
h3xStream
Thanks, does Simple DOM have filtering like HTML Purifier?
Yosef
What about if the user inserts www.yahoo.com or yahoo.com? Your code does not work.
Yosef
For the URLs, you should force "http://" otherwise links like "jAvAsCrIpT://%0Aalert('xss')" can be passed
h3xStream
Filtering HTML goes beyond matching certain tags. Many HTML tags support js events that can be malicious. Support HTML as input only if necessary.
h3xStream
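As an added example (not code from the answer above, and not part of HTML Purifier), here is a PHP URL check that covers the two cases raised in the comments: a bare host such as www.yahoo.com gets http:// prepended, and the scheme is allowlisted so that javascript: variants in any letter case are rejected rather than prefixed. The function names and the sample inputs are my own.

```php
<?php
// Accept only http/https URLs. Returns the normalized URL, or null when the
// input should be rejected. (Added example; names are assumptions.)
function normalizeHttpUrl(string $input): ?string
{
    $url = trim($input);
    if ($url === '') {
        return null;
    }
    // Bare host without any scheme ("www.yahoo.com"): prepend http:// so
    // that parse_url() sees a host rather than a path.
    if (!preg_match('#^[a-z][a-z0-9+.\-]*://#i', $url)) {
        $url = 'http://' . $url;
    }
    // filter_var() rejects control characters and malformed URLs outright.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Allowlist the scheme case-insensitively instead of looking for
    // "javascript:"; this also catches "jAvAsCrIpT://" spellings.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Require a plausible hostname: letters, digits, dots and hyphens only.
    if (!preg_match('/^[a-z0-9.-]+$/i', $parts['host'])) {
        return null;
    }
    return $url;
}

// When echoing the link back, escape it for the HTML attribute context.
function renderLink(string $safeUrl): string
{
    $escaped = htmlspecialchars($safeUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">' . $escaped . '</a>';
}

// Constructed sample inputs: the cases discussed in the comments.
$samples = ['www.yahoo.com', 'yahoo.com', 'https://example.com/a?b=1',
            "jAvAsCrIpT://%0Aalert('xss')"];
foreach ($samples as $candidate) {
    $result = normalizeHttpUrl($candidate);
    echo $candidate, ' => ', $result === null ? 'REJECTED' : renderLink($result), PHP_EOL;
}
```

The first three samples print as escaped links and the last is rejected; HTML pasted into the textarea is a separate problem and still belongs to HTML Purifier, as the answer says.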