How to Prevent Attacks With Proper Input Handling (Part 2)

Part 2 of this article is aimed at demonstrating how to code a accept-list validation class in PHP. We will start with a classic example of request routing where a HTTP GET request will include a “page=” parameter which will instruct the server which page the user is requesting and an empty “?action” parameter which will instruct the sever-side application which HTTP POST data to expect in the request. However, this model of input validation can be modified to handle other forms of HTTP GET and POST attribution to specify the data request.

Let’s start with the basics of compiling the accept-lists for GET and POST. This is specified as a config file as shown below. The configuration is setup as constants that hold arrays. This does a couple things. Firstly, it makes the values global and they can be access from anywhere in the application code. Secondly, it prevents them from being altered which adds some limited security to the application.

This method also allows the values to be looped through when inspecting the GET and POST arrays. Each expected value is contained in a sub-array. The sub array’s first value is the string that must match the attribute or key of the GET or POST item. The second value is a string that specifies a data-type so that the sanitizer class will know how to evaluate the item. The third value in the array includes additional information on how to handle each specific type of data.

Each array held in the “ALLOWED_POST_PAIRS” constant array first specifies a matching GET flag (parameter with no value) that corresponds with the expected fields in the POST data. This flag would be set in the “action” parameter in a HTML form tag, or specified directly in the GET line data if you are passing POST form data by API.

Here is a comment section that can be included in the file that specifies all the parameters for configuring the setup for your sites specific request method fields.

The controller code below can be included early in your process flow. It includes the configuration files, including a login configuration file for this simple example, instantiates the sanitizer class object, and then validates or sanitizes the $_GET and $_POST arrays, returning scoped variables. The validateGetInput() function will return False if the data does not strictly validate to the expected values. However, the santizePostInput() function will clean the data and return the array with an additional “errors” parameter attached with details on the errors found as an array of error messages. This allows you to handle the errors individually by severity. The $_GET and $_POST arrays are also global by nature and therefore accessible everywhere in the subsequent code of the application. So, to mitigate this security vulnerability, the $_GET and $_POST globals are returned as scoped PHP variables. They must then be passed explicitly to each function in the application. For applications that will not allow the $_GET and $_POST to operate as scoped variables, you can simply return to the $_GET and $_POST variables respectively.

Finally, the Sanitizer class is included below, which contains the functions required to validate and sanitize the input.

A very minimal index.php file here is included that requires the controller file. All the files specified can be put into the same directory and access the index.php file.

If you want to run some test data through this sanitizer, you can do that by modifying the sanitizer_controller.php as below, and download the sample test data.

Leave a comment

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.