How do I limit the actions of a PHP file to its directory only?

Question

TL;DR

I'm using a PHP form to output directly to a PHP file. I realized it's a big security risk. Please tell me how to filter out any tags from the user's input, and limit the actions of the PHP file to its own directory (so as to minimize the damage in case of a compromise).

DETAILS

I have a page where I can collect feedback from customers using a PHP form, then output the results onto another PHP page where members of my team can read them.

<?php

if($_POST['CUSTFEEDBACK']) {
$addition = '<div class="FDBKbox">' . $_POST['CUSTFEEDBACK'] . '</div>';
$file_open = fopen("FDBKCOLLECTION.PHP", "a+"); 
fwrite($file_open, $addition);
fclose($file_open);
}

?>

<form action="<?=$PHP_SELF?>" method="POST">

<textarea name="CUSTFEEDBACK" style="width:100%;max-height:250px;">
</textarea>

<br>
<input type="submit" name="button" value="Submit Feedback">

</form>

Then it occurred to me that someone with access to both of these pages can also put in malicious code, open and rewrite other files from my server simply by adding PHP code, or execute XSS codes using my form.

Since then, I've changed the form action to <form action="<?=$PHP_SELF?>" method="POST"> to prevent XSS codes. However, other methods still pose a great risk for me.

At the moment, I'm using Javascript to replace any < or > in the textarea with a space. I also put a full-page div on top of the page with a script that gives it a "display:none" property so that the page will be unusable if Javascript is disabled. However, I soon found out that using an old browser (IE 8 and below), the browser simply ignored the script to replace tags. Using Javascript for site security was probably a bad idea to begin with, but I'll have to make do with it for now.

$(document).on('change',':text,textarea', function () {
    if (this.value.match(/[<>]/g)) {
        this.value = this.value.replace(/[<>]/g, '');
    }
});

I did some googling, and found some answers with methods like "escape" the tags, or using PHP to sanitize the form. However, I'm still relatively new to PHP and these all sound pretty intimidating at the moment (and I have no idea where to put those codes in).

Please tell me how I can remove any kind of tags from the form input (I'm not interested in any kind of markup in the textarea).

As a failsafe, how can I limit the actions of a PHP file to its own directory. This is so that in case of an unfortunate event, the damage could be minimized and all my other files can be protected.

If anyone could give me some pointers, that'll be greatly appreciated!

---

Side question, I'm currently studying PHP on codeacademy.com does anyone have suggestions for other good websites to learn PHP?

Answer 1

There is no silverbullet solution for this. You will need to mix and match. Some points that might be helpful:

• As suggested use open_basedir This limits the files that can be accessed by PHP to specified directory tree

• You might not want to use strip_tags because it strips out all PHP tags and this behavior cannot be overridden. You might be better off regexing the tags - only thing to watch out for is that you do not strip PHP open/close tags along with it.

Edit: As pointed out in your comment, if you are creating a single monolithic PHP file, then you can strip_tags and then add PHP tags to the beginning and end.

• Once you have this stripped out version, you want to make sure that it is still a valid PHP code. You can exec php -l <filename> and examine the output to see if syntax errors are present Trivia: Between versions 5.0.1 to 5.0.5, PHP had a function called php_check_syntax using which you could check syntax of one PHP file from another.

Finally it is not recommended at all to have such a system anywhere in production. For testing/academics/research etc its fine. In production - not so fine.