In the article Working with data from $_POST Variables and $_GET Variables we saw a form that takes a day, date and year from the user and echoes them back out.
Code for Working With $_GET Variables
<?php
if (isset($_GET['day']) && isset($_GET['date']) && isset($_GET['year'])) {
    $day  = $_GET['day'];
    $date = $_GET['date'];
    $year = $_GET['year'];
    if (!empty($day) && !empty($date) && !empty($year)) {
        // The raw user input is echoed straight into the page.
        echo 'It is ' . $day . ' ' . $date . ' ' . $year;
    } else {
        echo 'Fill in all fields.';
    }
}
?>
<form action="index.php" method="GET">
    Day:<br><input type="text" name="day"><br>
    Date:<br><input type="text" name="date"><br>
    Year:<br><input type="text" name="year"><br><br>
    <input type="submit" value="submit">
</form>
Output (Screenshot1, Screenshot2)
This example is covered in Working with form, $_GET Variables, $_POST Variables: we take the user's input and echo the variables back out.
This article deals with the security of that form data. Whether you echo the input straight back, or submit it to a database and extract it again later, whatever the user submitted ends up in your page, and there is always a chance that someone will submit something you did not intend your code or your web application to process.
For example, see Screenshot3 and Screenshot4.
You can see that the output on the page is now formatted according to what the user typed in. The reason this is dangerous is that the user can type an HTML tag, such as an iframe:
<iframe src="pagehere"></iframe>
Output: Screenshot5 and Screenshot6
What happened is that we typed an HTML tag into the form, it was echoed straight into the page, and the browser processed it as HTML. This is cross-site scripting (XSS): anything the user submits, a <script> tag included, runs in the browser under the page's own origin, and because the form uses GET the payload can be put in a link and sent to other users of the site. We do not want our users to be able to do this, and there is a simple way to protect against it.
Code using htmlentities for security
<?php
if (isset($_GET['day']) && isset($_GET['date']) && isset($_GET['year'])) {
    // Encode the input before it is ever used in output.
    $day  = htmlentities($_GET['day']);
    $date = htmlentities($_GET['date']);
    $year = htmlentities($_GET['year']);
    if (!empty($day) && !empty($date) && !empty($year)) {
        echo 'It is ' . $day . ' ' . $date . ' ' . $year;
    } else {
        echo 'Fill in all fields.';
    }
}
?>
<form action="index.php" method="GET">
    Day:<br><input type="text" name="day"><br>
    Date:<br><input type="text" name="date"><br>
    Year:<br><input type="text" name="year"><br><br>
    <input type="submit" value="submit">
</form>
Output: Screenshot7, Screenshot8, Screenshot9
What we do is, when we declare the variables $day, $date and $year, wrap the $_GET values in htmlentities() before assigning them, so the input is encoded before it reaches any output. What htmlentities does is shown in the screenshots. In Screenshot7, the page source, the iframe markup is still present, but as encoded text; in Screenshot8 the page just displays the text the user typed, not an HTML element. htmlentities converts the characters that would start an HTML tag (< and >, along with & and ") into their entity equivalents (&lt;, &gt;, &amp;, &quot;), so the browser renders them as literal characters instead of parsing them as markup.
So that is the basic security around your form: it ensures that a user cannot inject an iframe, change the background or colours of the page, or run a script by typing HTML into a field. Two caveats a practitioner should keep in mind: on PHP versions before 8.1 the default flags leave single quotes unencoded, so pass ENT_QUOTES and the page's charset, as in htmlentities($value, ENT_QUOTES, 'UTF-8'), which matters as soon as a value is placed inside a quoted attribute (for instance when re-filling the form); and this encoding is only correct for HTML element content and quoted attributes. A value placed inside a JavaScript block, a URL or an SQL query needs the escaping appropriate to that context.
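As an added example, not code from the original post, the following stand-alone PHP script runs from the command line and shows the difference between echoing a few constructed payloads raw, as the first version of the form does, and echoing them through an escaping helper. The helper e(), the payload list and the attribute re-fill at the end are my additions and assumptions, not part of the post; the helper uses htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE and UTF-8, which is the form of the same fix most PHP code uses, and the last two lines show why ENT_QUOTES matters inside an attribute:

```php
<?php
// Added example, not from the original post. Demonstrates raw vs. escaped
// output for user-controlled strings inserted into HTML.
declare(strict_types=1);

// Hypothetical helper (my naming): escape a string for HTML element content
// or a quoted attribute. ENT_QUOTES also encodes ' so the value cannot break
// out of a single-quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string; the charset must match the page.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs standing in for what a user could type into the
// "day" field of the form.
$payloads = [
    'iframe'     => '<iframe src="https://example.com"></iframe>',
    'script'     => '<script>alert(document.cookie)</script>',
    'attr-break' => "x' onmouseover='alert(1)",
    'plain'      => 'Monday',
];

foreach ($payloads as $name => $day) {
    // What the first version of the form does: the browser parses this as HTML.
    $raw = 'It is ' . $day;
    // What the hardened version does: the browser shows the tag as text.
    $safe = 'It is ' . e($day);
    printf("%-10s raw : %s\n", $name, $raw);
    printf("%-10s safe: %s\n\n", $name, $safe);
}

// The same rule applies inside an attribute, e.g. when re-filling the form
// with the previous value. With ENT_COMPAT (the pre-8.1 default) the
// single quote is left alone, so the attr-break payload closes the
// single-quoted value attribute and adds an event handler.
$prev = $payloads['attr-break'];
echo "<input type='text' name='day' value='"
    . htmlspecialchars($prev, ENT_COMPAT, 'UTF-8') . "'>\n"; // still breaks out
echo "<input type='text' name='day' value='" . e($prev) . "'>\n"; // encoded, safe
```

Run it with php on the command line and compare the raw and safe lines for each payload; the script and iframe tags come out as &lt;script&gt; and &lt;iframe ...&gt;, and the attr-break payload only stays inside the attribute in the last line, where the single quote has become &#039;.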