Is this the safest way to handle a form PHP [closed]

问题

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.

Closed 7 years ago.

I was just wondering if this is the safest and best way to handle a form submission, i am trying to find the most "safest" and presented for my coding views,

PHP

<?php
if(isset($_POST['submit'])) {
 //Handle the form here with many $_POST['namehere']
}
?>

HTML

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
<label>Email</label>
     <input name="email" type="text">
<label>Password</label>     
     <input type="password" name="password">
<label>Submit</label>     
     <input type="submit" name="submit">
</form>

Would this be deemed as the only way possible to do this and the most secure ?

回答1:

What you have there is just a form. It's neither secure nor insecure. What defines whether or not a form is secure is how you transmit the data to the server and how you handle the input on the server side.

A secure login form...

• posts its content to the server via HTTPS (SSL)
• does proper validation of all inputs server side
• doesn't allow for SQL injection
• uses a hidden field with a properly validated anti CSRF token
• uses a server with a hardened Apache/PHP installation

About the PHP_SELF XSS exploit:

• The article Jack links in his comment suggest a string that actually doesn't work
• Under certain circumstances* there is a possibility for this XSS attack, the question is, how easily can it be exploited? The vulnerability is client side so it can't be exploited directly, you need to engineer something around it (reflected attack), say a fake email action where I pretend to be your site and provide a link for you to login while letting you post your credentials to my site. Or a stored attack but if I'm able to do that, your site has a bigger problem than PHP_SELF XSS.
• Sure, the best thing is just in case avoiding the use of PHP_SELF and replace it with htmlspecialchars($_SERVER['SCRIPT_NAME']) for example.

* Circumstances

• The exploit doesn't work with most modern PHP frameworks, even if they're not protecting and really using PHP_SELF, because the url including the attack string would not match any allowed url route.
• Browsers have started implementing XSS protection. E.g. the exploit doesn't work in Chrome/WebKit and IE8+ but it works in Firefox, at the time of writing.
• Small, private sites are very very unlikely to be a target of such an attack, since it takes some effort to engineer one. Targets are usually social networks and similar sites.

回答2:

To beef up the security of your form, you should look into using XSRF keys/tokens. These will make it much harder for requests from sites outside your domain to succeed in calling your script.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

http://query7.com/preventing-csrf-in-php

回答3:

You can improve a few points!

1. Don´t use PHP_SELF

Leave the action-formtag empty

<form action='' method='post'>

2. Escape the SQL-chars

If you want to work with databases you should escape the SQL-chars from the String. Use:

[mysql_real_escape_string($string)][1]

Check the values for data types

If you have a from field that only expects full numbers you should delete all letters. You can change the type of a PHP-variable by writing the wanted type in brackets in front of the variable like this:

$number=(int) $value;

回答4:

This is hard to answer, because there's not much code to go by, however:

Don't use PHP_SELF

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">

Don't do this, or at least sanitize the value, because using the raw value leaves the site open to XSS attacks! Posting to yourself can be done simply like this:

<form action="" method="POST">

Alternatively, use an absolute (and static) URI as the form destination.

Addendum

Don't let others talk you into thinking that you're somehow magically protected against it because you're hosting a small site, using some framework xyz or that some browsers will stop it. Find out for yourself and take appropriate action.

On SSL

If you submit sensitive data, you should use SSL! Anything else is a joke in comparison.

On CSRF

Forms that cause a state change in your site and use cookies to perpetuate sessions should be protected by CSRF tokens; the token must be part of the form submissions and are regenerated once used.

On SQL injection

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Tidbits (not actually related to security)

if(isset($_POST['submit'])) {
 //Handle the form here with many $_POST['namehere']
}

This code assumes you will always have a submit button on your form that's called submit. A more generic approach is to use this condition:

if ($_SERVER['HTTP_METHOD'] === 'POST') {
    // something was submitted
    if (isset($_POST['email'], $_POST['password']) {
        // email and password submitted
        // you may still wish to verify whether a "valid" email was given
    }
}

来源：https://stackoverflow.com/questions/15051891/is-this-the-safest-way-to-handle-a-form-php