christostsang

Reputation: 1841

Data Validation and Security: From user input to browser output – PHP/MySQL/JavaScript

I am trying to understand the steps I have to follow in order for data to be input and output securely on a website. This is what I understood so far:

**Procedure**

1) User inputs data

2) This data is validated using JavaScript. If data doesn’t match the structure you requested, send an error message.

3) The data is also validated using PHP in case JavaScript is disabled or not supported by the browser. The PHP validation will be almost identical to the JavaScript one. If data doesn’t match the requested structure, send an error message.

4) Open a connection with the database (PDO method)

5) Check input data against your database using prepared statements (PDO method) and return an error message if required [for example, if the data is an email address then we cannot have 2 users with the same email address / Error message: This email address is already registered. If you are already registered please login or use another email address to register].

6) After all checking is done [client-side (JavaScript) and server-side (PHP)], use prepared statements to insert un-escaped data into the database.

7) When data is requested and must be displayed in the web browser, only then escape (output) data, to prevent XSS.

**Security**

A) The PHP script will use session_regenerate_id when there is a change in the level of privilege (from logged in to logged out and vice versa) – mitigate session fixation

B) SSL will be used to minimize the exposure of data between the client and the server

C) The form will have a hidden field nesting an anti-CSRF token, that will be checked against the one stored in the session – mitigate CSRF

D) Passwords will be stored after hashing them with the Bcrypt hashing algorithm (with a proper salt)

E) (2) + (3) validation will use Regular Expressions. I understand that a wrong Regular Expression can cause many errors. Are there any generally accepted Regular Expressions for validating email addresses, passwords, etc?

**Questions:**

1) Do I understand the input/output procedure correctly? Am I doing something wrong?

2) I know that security-wise you can never be 100% protected. What else should I do? Is something I wrote above wrong?

Thanks in advance.

Upvotes: 3

Views: 648
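The procedure and security items listed in the question, put together in one PHP registration handler. This is an added example, not code from the question or the answer: server-side validation (step 3, using `filter_var` instead of a hand-written e-mail regex), a PDO connection (step 4), a prepared-statement uniqueness check (step 5), a prepared-statement insert of unescaped data with a bcrypt hash (step 6 and item D), HTML escaping only at output time (step 7), an anti-CSRF token in a hidden field (item C) and `session_regenerate_id` once the user is logged in (item A). The `users` table with columns `id`, `email` and `password_hash`, the DSN, the credentials and the `/welcome.php` redirect target are assumptions.

```php
<?php
// Added example, not code from the question or the answer: one registration
// handler that walks through the steps listed in the question. Assumed: a
// `users` table with columns id, email and password_hash; the DSN and
// credentials below are placeholders.
declare(strict_types=1);
session_start();

// Security (C): anti-CSRF token kept in the session and echoed into the form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $submitted): bool
{
    // hash_equals() compares in constant time.
    return $submitted !== null && isset($_SESSION['csrf_token']) && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Step 3: server-side validation. filter_var() is the widely used alternative
// to a hand-written e-mail regex; the password rule is a plain length check.
function validateRegistration(array $input): array
{
    $errors   = [];
    $email    = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = (string) ($input['password'] ?? '');
    if ($email === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    if (strlen($password) < 12) {
        $errors[] = 'Password must be at least 12 characters long.';
    }
    return [$errors, $email, $password];
}

// Step 5: uniqueness check through a prepared statement; the e-mail is bound,
// never concatenated into the SQL.
function emailIsRegistered(PDO $pdo, string $email): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchColumn() !== false;
}

// Step 6 and Security (D): insert the raw (unescaped) e-mail and a bcrypt hash;
// password_hash() generates a random salt itself.
function registerUser(PDO $pdo, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

// Step 7: escape for HTML only at output time.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form submission.');
    }
    [$errors, $email, $password] = validateRegistration($_POST);
    // Step 4: PDO connection (placeholder DSN and credentials).
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    if (!$errors && emailIsRegistered($pdo, $email)) {
        $errors[] = 'This email address is already registered. If you are already registered please login or use another email address to register.';
    }
    if (!$errors) {
        registerUser($pdo, $email, $password);
        session_regenerate_id(true);          // Security (A): privilege level changed
        $_SESSION['user_email'] = $email;
        header('Location: /welcome.php');
        exit;
    }
}
foreach ($errors as $error) {
    echo '<p class="error">' . e($error) . '</p>';
}
?>
<form method="post" action="">
    <input type="hidden" name="csrf_token" value="<?= e(csrfToken()) ?>">
    <label>Email <input type="email" name="email" value="<?= e($_POST['email'] ?? '') ?>"></label>
    <label>Password <input type="password" name="password"></label>
    <button type="submit">Register</button>
</form>
```

The JavaScript check from step 2 is left out on purpose: it only improves the user experience, and the PHP checks above are the ones that must hold. Item B (SSL) is a web-server configuration matter rather than application code. Note that the e-mail is stored exactly as submitted and only passed through `e()` when it is echoed back into the form, which is the step 6 / step 7 split the question describes.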

Answers (1)

Your Common Sense

Reputation: 157880

  1. Yes, you understand it all right in general.
  2. That, as you noted yourself, is an endlessly open topic. There are thousands of vectors. Some of them are include injection (never include or read a file taken blindly from user input), eval (avoid this operator like a hot iron); upload injection alone is a wide topic with multiple issues (in short, always verify input data format).

As for regexps - oh, yes. Just try Google.

Upvotes: 3
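The defensive side of two of the vectors the answer names, include injection and upload handling, as an added example that is not code from the answer: a fixed allowlist decides which file a "page" parameter may include, and an uploaded image is accepted only after its bytes are inspected and is stored under a server-generated name. The `pages/` and `uploads/` directories, the page names and the `avatar` field are assumptions.

```php
<?php
// Added example, not code from the answer above. The pages/ and uploads/
// directories, the page names and the avatar field are assumptions.
declare(strict_types=1);

// Include injection: map user-supplied names to known files; the raw
// parameter itself is never passed to include/require.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(string $requested): ?string
{
    return PAGES[$requested] ?? null;
}

// Upload handling: trust the file contents, not the client-supplied name or
// MIME type, and store under a name the server chooses.
function storeUploadedImage(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    // Both checks look at the bytes: the detected MIME type must be on the
    // allowlist and the data must actually decode as an image.
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    return move_uploaded_file($file['tmp_name'], $dir . '/' . $name) ? $name : null;
}

$path = resolvePage((string) ($_GET['page'] ?? 'home'));
if ($path === null) {
    http_response_code(404);
    exit('Unknown page.');
}
if (isset($_FILES['avatar'])) {
    $stored = storeUploadedImage($_FILES['avatar'], __DIR__ . '/uploads');
    echo $stored === null ? 'Upload rejected.' : 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}
require $path;
```

The allowlist is the whole point of `resolvePage()`: a name that is not a key in `PAGES` cannot reach `require`, so path tricks in the parameter never matter. For uploads, the client-supplied `name` and `type` entries of `$_FILES` are ignored entirely; the stored file name is random and its extension comes from the detected type, and the `uploads/` directory should be one the web server does not execute scripts from.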
