Geeklog Developers Tool and Filtering Incoming Data Best Practices
As developers, it's important that we protect our applications and data from all the possible attacks or hostile data that can be entered from a form, URL or cookie, for example. There is a golden rule to not trust any incoming data and only accept data in the expected format. In addition to just testing for numeric data or valid data, there are numerous attacks that we now need to defend against - these attacks include:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgeries (CSRF)
- SQL Injection
- SPAM attacks
We also need to escape any quotes before the data is inserted into the database. The PHP addslashes() function does this for us, but we first need to check that the PHP magic_quotes setting is off (a very unpopular feature that servers may have set either way; if it is On, PHP automatically adds a backslash before every quote, so in that case we don't want to add a second set of slashes). We also need to remove these slashes when we read the data back from the database and want to display it - are we having fun yet?
If you need to allow quotes in your incoming data for this field, call the PHP function htmlspecialchars($field_value) and, if needed, addslashes() to convert the quotes and other special characters into the equivalent HTML entities (symbols) that represent them. This prevents them from being interpreted and abused by a potential attacker while preserving them for display.
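The steps above (undo magic_quotes if it is on, accept only the expected format, convert quotes to HTML entities for display, escape for the database) as one added PHP example. This is not Geeklog's own code; the function names, the `$pdo` connection and the sample input are assumptions constructed for the illustration.

```php
<?php
// Added example (not Geeklog code): filtering one incoming form field.

// Undo magic_quotes_gpc if it is on, so we never double-escape.
// The setting only existed up to PHP 5.3; get_magic_quotes_gpc() always
// returns false on PHP 7 and no longer exists on PHP 8, so guard the call.
function undo_magic_quotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Golden rule: accept only the expected format. Returns null on rejection.
function filter_numeric_id(string $raw): ?int
{
    $value = undo_magic_quotes($raw);
    // ctype_digit rejects signs, spaces, decimals and any other character
    if (!ctype_digit($value) || strlen($value) > 10) {
        return null;
    }
    return (int) $value;
}

// Free-text field that may legitimately contain quotes: keep the text but
// make it safe to echo into HTML. ENT_QUOTES converts both ' and ".
function filter_text_for_display(string $raw, int $maxlen = 200): ?string
{
    $value = trim(undo_magic_quotes($raw));
    if ($value === '' || strlen($value) > $maxlen) {
        return null;
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Legacy database escaping as the text describes: backslash-escape quotes
// before the value is pasted into a query string.
function escape_for_sql_legacy(string $raw): string
{
    return addslashes(undo_magic_quotes($raw));
}

// Preferred alternative: a prepared statement sends the value separately
// from the SQL, so no slashes are added and none need stripping on read.
// $pdo is a hypothetical PDO connection; the table name is assumed.
function store_comment(PDO $pdo, int $storyId, string $raw): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (story_id, body) VALUES (?, ?)');
    $stmt->execute([$storyId, undo_magic_quotes($raw)]);
}

// Constructed sample input, as if taken from $_GET / $_POST
$samples = [
    'id'      => '42',
    'bad_id'  => '42abc',
    'comment' => "It's <b>bold</b> & \"quoted\"",
];

var_dump(filter_numeric_id($samples['id']));
var_dump(filter_numeric_id($samples['bad_id']));   // rejected, null
echo filter_text_for_display($samples['comment']), "\n";
echo escape_for_sql_legacy($samples['comment']), "\n";
```

Run it with `php example.php`. The display filter never touches the stored value: store the raw (validated) text once and apply htmlspecialchars() each time it is rendered, otherwise entities accumulate on every edit-and-save cycle.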
Optionally, you would also call the other Geeklog functions to filter bad words and to restrict the HTML tags that are allowed.
Geeklog is a great application development framework, and I hope this test script is useful to other developers as you explore how best to filter your incoming data.