Using eregi_replace To Filter PHP Programming Form Data

Even with a healthy IDS and the rest of your network security in place, filtering form input and other web requests inside your PHP code is still vital. Attackers submit malicious data to PHP scripts: SQL injection payloads, PHP code snippets, and other creatively destructive input. A large share of web application compromises trace back to poorly written PHP, and that poor code defeats the efforts of network security specialists who rely on standard perimeter practices but never perform PHP code reviews.

A static HTML page accepts no input and can be considered innocuous. PHP scripts, however, do accept data from users and attackers alike, so every single PHP script MUST be written on the assumption that it will be attacked. A novice programmer may write a script that depends on register_globals (the setting that turns every request parameter into a PHP variable) and create security vulnerabilities, especially on older versions of PHP. register_globals should be turned OFF (it has been off by default since PHP 4.2 and was removed in PHP 5.4) and never relied on by your scripts. Older off-the-shelf packages may have been written against old PHP releases and require it. Rather than turning it on, discard the package and find another, or write your own.

More important than scripts that handle user data inadvertently are the scripts and forms intended to handle it: these must be programmed with care. Any PHP program written to receive and manipulate data must have input validation at the top of every script that reads request data, before the values are used. More important still are the scripts that connect to MySQL, since the database is what attackers are after. Otherwise you may find yourself exposed to the world as incompetent, as TJX (TK Maxx) did when 45.7 million credit and debit card numbers were stolen along with other data.

The question, then, is how to accept data from forms (and from attackers) while preventing SQL injection, PHP code snippets, and other bad data from ever being executed. A number of methods can be employed; a simple and effective one for fixed-format fields is an allow-list filter built on eregi_replace(). This command looks for a pattern in the supplied string or variable and replaces every match with the supplied replacement string. (The ereg family was deprecated in PHP 5.3 and removed in PHP 7.0; preg_replace() with a PCRE pattern and the /i modifier is the direct replacement, and the technique described here is unchanged.)

The first case is the receipt of standard data such as names, phone numbers, credit card numbers and similar alphanumeric strings with a few other characters. Names sometimes contain hyphens and commonly contain the space character. Phone number entry varies from digits only, 8005551234, to old-fashioned delimiters, (800) 555-1234, to newer ones, 800.555.1234. In every case you can accept a limited set of alphanumeric and punctuation characters. eregi_replace() lets you define the characters you want to accept by matching everything outside that set, and replace each disallowed character with a new character. Replacing disallowed characters with an empty string simply deletes them.

At this point you must decide which characters are "allowed" and which are "disallowed." This depends on your server, your program, and each variable being passed. A person's name should be restricted to letters (A-Z and a-z), with the space character allowed in some cases and the hyphen in others. Names should not contain characters like " ' : ; $ # @ and so on. If an attacker submits his name as HTTP://WWW.HARMFULSCRIPTS.COM and your site echoes it back, the page may render an active link to his harmful scripts. Or the attacker might submit JavaScript that executes when another user browses your site (cross-site scripting). Worse yet, a fragment of SQL might be concatenated into a query string by your PHP code and sent to MySQL, which executes it as part of the query. That is SQL injection, and it can compromise your whole database.

Note that there are two similar commands, eregi_replace() and ereg_replace(). The first, with the letter i, does not distinguish between upper and lower case, so a pattern such as [a-z] also matches A-Z and you can define your patterns more compactly. ereg_replace() is case-sensitive, giving finer control when case matters. The choice between them is up to the knowledgeable programmer and depends on the program being written; with preg_replace() the same choice is made by adding or omitting the /i modifier.
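The allow-list filtering described above, applied to a name, a phone number and a case-sensitive code field, as an added example that is not part of the original post. eregi_replace()/ereg_replace() no longer exist in PHP 7 and later, so the working code uses preg_replace() and shows the legacy call in a comment beside each pattern; the field rules, maximum lengths and the North American phone format are assumptions made for the demo.

```php
<?php
// Added example (not from the original post): allow-list filtering of form
// fields by deleting every character outside the accepted set.
// preg_replace() is the drop-in replacement for the removed ereg functions;
// the /i modifier plays the role of the "i" in eregi_replace().

// Names: letters, space and hyphen only. Case-insensitive, so [a-z] covers A-Z.
// (Assumed rule: real names also contain apostrophes and non-ASCII letters,
// which this narrow list deletes; widen it for your own users.)
function filter_name(string $raw, int $max = 64): string {
    // PHP 4/5 equivalent: eregi_replace('[^a-z -]', '', $raw)
    $clean = preg_replace('/[^a-z -]/i', '', $raw);
    // Collapse the runs of spaces/hyphens left behind by deleted characters.
    $clean = preg_replace('/[ -]{2,}/', ' ', $clean);
    return substr(trim($clean), 0, $max);
}

// Phone numbers: keep digits only, then validate the length instead of
// trusting whichever delimiters the user typed. Returns null on rejection.
function filter_phone(string $raw): ?string {
    // PHP 4/5 equivalent: ereg_replace('[^0-9]', '', $raw)  (case is irrelevant)
    $digits = preg_replace('/[^0-9]/', '', $raw);
    // Assumed format: 10-digit North American number, optional leading 1.
    if (strlen($digits) === 11 && $digits[0] === '1') {
        $digits = substr($digits, 1);
    }
    return strlen($digits) === 10 ? $digits : null;
}

// Case-sensitive filtering: a field that must be an upper-case alphanumeric code.
function filter_code(string $raw): string {
    // PHP 4/5 equivalent: ereg_replace('[^A-Z0-9]', '', $raw)
    return preg_replace('/[^A-Z0-9]/', '', $raw);
}

// Constructed sample submissions, including hostile ones.
$names = [
    "Mary-Jane O'Neil",
    "HTTP://WWW.HARMFULSCRIPTS.COM",
    "<script>alert(1)</script>",
    "Robert'); DROP TABLE users;--",
];
foreach ($names as $s) {
    printf("%-32s => %s\n", $s, filter_name($s));
}

$phones = ["8005551234", "(800) 555-1234", "800.555.1234", "+1 800 555 1234", "555-1234"];
foreach ($phones as $p) {
    printf("%-18s => %s\n", $p, filter_phone($p) ?? 'rejected');
}

printf("%-18s => %s\n", "abc-123 xyz", filter_code("abc-123 xyz"));
```

Note that deleting characters silently changes the data: "Mary-Jane O'Neil" loses its apostrophe and the injection payload becomes a harmless but wrong name. For a filter this blunt, validating (reject the submission and tell the user) is often preferable to cleansing. Without the /u modifier the patterns operate on bytes, so every byte of a UTF-8 accented letter is stripped as well.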

Your program might need to accept characters that other programs don't. If you intend to receive actual scripts or web addresses, which contain otherwise disallowed characters, character substitution is a poor fit: it deforms the original data, and recreating it may be impossible. Stripping http:// from a submitted address is straightforward, but what if you want to receive and redistribute 500 lines of code? Character substitution becomes a bad choice. The right approach is to store the data unchanged and neutralise it for the context in which it is used. For MySQL, addslashes() was the traditional answer: it puts a backslash in front of single quotes, double quotes, backslashes and NUL bytes so that the value cannot break out of the string literal it is quoted into, and the database treats it as plain text rather than SQL. It is not a reliable SQL defence, though; it knows nothing about the connection's character set and can be bypassed with multi-byte input. Use prepared statements with bound parameters (PDO or mysqli) instead, which keep data and SQL separate so nothing needs escaping at all. Note also that stored text never causes PHP itself to execute code; the danger lies in the SQL and HTML contexts the data is placed into. When slashed data is displayed again, stripslashes() removes the added backslashes. For output to an HTML page, htmlspecialchars() converts the characters & < > " and ' into HTML entities (&amp; &lt; &gt; &quot; &#039;) so the browser shows them as text and does not interpret them as markup or script. It does not produce %20; that percent-encoding comes from urlencode(), and it belongs in URLs, not in HTML bodies.
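The context-specific handling described above, storing a script and a URL verbatim with a prepared statement and encoding them for HTML on output, as an added example that is not part of the original post. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the DSN, the snippets table and the http/https-only link rule are assumptions for the demo, and the same PDO calls work against MySQL with a different DSN.

```php
<?php
// Added example (not from the original post): keep user data intact and
// neutralise it per context, instead of deleting characters.
// Assumption: pdo_sqlite is available; swap the DSN for MySQL in production.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE snippets (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

// Storage: bound parameters keep data and SQL separate, so quotes, semicolons
// and comment markers inside $body are never parsed as SQL. No addslashes().
function store_snippet(PDO $db, string $title, string $body): int {
    $stmt = $db->prepare('INSERT INTO snippets (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// HTML output: htmlspecialchars() turns & < > " ' into entities, so a stored
// <script> tag is displayed as text and never executed by the visitor's browser.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_snippet(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT title, body FROM snippets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    return "<h2>" . html($row['title']) . "</h2>\n<pre>" . html($row['body']) . "</pre>\n";
}

// Links built from a user-supplied address: parse the scheme and only link
// http(s) (assumed policy), so javascript: and data: URLs become plain text.
function render_link(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return html($url);
    }
    $safe = html($url);
    return "<a href=\"$safe\" rel=\"nofollow\">$safe</a>";
}

// Constructed hostile submissions.
$id = store_snippet(
    $db,
    "x'); DROP TABLE snippets;--",
    "<script>alert(document.cookie)</script>\nSELECT * FROM users WHERE 1=1;"
);
echo render_snippet($db, $id);
echo render_link("javascript:alert(1)"), "\n";
echo render_link("HTTP://WWW.HARMFULSCRIPTS.COM"), "\n";

// The table survived the quoted title because it was bound, not concatenated.
echo "rows: ", (int) $db->query('SELECT COUNT(*) FROM snippets')->fetchColumn(), "\n";
```

The encoding is chosen at output time, not at storage time, because the same stored value may later be placed into HTML, a URL (urlencode()), or a JSON response (json_encode()), and each context needs its own escaping.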

Whichever methods the programmer uses, they must be applied carefully and deliberately. PHP programmers must understand both network security and how attackers think. Naive use of security procedures can cause both data loss (legitimate input mangled by an over-eager filter) and new security vulnerabilities. However effective the programmer believes the scripts to be, they must be tested thoroughly for vulnerabilities and for correct operation before deployment. There is nothing worse than PHP programs that don't work correctly and contain security vulnerabilities, except data loss and a compromised online business.
