php javascript security flat-file

how to properly secure form - flat file database


My form saves user inputs (inputs + textarea) into a flat-file database. I found lots of examples while Googling on how to create a flat-file database, but none of them properly covers the basics of how to properly secure a form against XSS and other malicious attacks.

I know the best way would be to have (e.g.) an SQL database... but that's not the case here.

So far I know (this could be wrong! Correct me if it is):

  • Preferably use .php files to store data (inside <?php ...data... ?>) instead of .txt files
  • If possible, drop an .htaccess with "deny from all" inside the database folder
  • Validate your inputs and textarea via PHP before submission. (But how to do that exactly? I mean... what's the best way?)
  • Validate your fields properly (PHP). (How exactly? Some practices are only for SQL databases, not for FFDB...)
  • I'm looking for something like mysql_real_escape_string but good enough for FFDB

What are your thoughts? I appreciate your help


Solution

  • Dunno where you got it, but by using

    • .php files to store data (inside <?php ...data... ?>) instead of .txt files

    you can be definitely sure that it will ALLOW anyone to run whatever attack they wish,

    • drop an .htaccess with a deny from all inside the database folder

    makes absolutely no sense,

    So, it seems the only issue is

    • how to properly secure form from XSS

    and it is solved by using htmlspecialchars()

    here is an example of such a script I wrote a long time ago in a galaxy far, far away...
    Feel free to ask if something looks unclear.

    <?php
    $err = '';   // always defined, so the template below can test it on GET requests too
    $msg = [];
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
      // iterating over POST data
      foreach ($_POST as $key => $value) {
        if (!is_string($value)) continue;   // skip array fields (name[]), trim() cannot handle them
        // first we are doing non-destructive modifications
        // in case we will need to show the data back in the form on error
        $value = trim($value);
        // magic_quotes was removed in PHP 8; only undo it where the function still exists
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) $value = stripslashes($value);
        $value = htmlspecialchars($value, ENT_QUOTES);
        $_POST[$key] = $value;
        // here go "destructive" modifications, specific to the storage format
        $value = str_replace("\r", "", $value);
        $value = str_replace("\n", "<br>", $value);
        $value = str_replace("|", "&brvbar;", $value);   // "|" is the field separator, it must not appear inside a field
        $msg[$key] = $value;
      }
      // every field we write must exist, even if the client omitted it from the request
      foreach (['name', 'email', 'notes'] as $field) {
        if (!isset($msg[$field])) $msg[$field] = $_POST[$field] = '';
      }
      // various validations
      if (!$msg['name']) $err .= "You forgot to introduce yourself<br>";
      if (!$msg['notes']) $err .= "You forgot to leave a comment!<br>";
      // and so on
      // ...
      // if no errors - writing to the file
      if (!$err) {
        $s  = $msg['name'] . "|" . $msg['email'] . "|" . $msg['notes'] . "|" . time() . "\n";
        $fp = fopen("gbook.txt", "a");
        if ($fp === false) die("Cannot open the guestbook file for writing");
        fwrite($fp, $s);
        fclose($fp);
        // and then redirect
        header("Location: " . $_SERVER['PHP_SELF']);
        exit;
      }
      // otherwise - show the filled form
    } else {
      // if it was not a POST request
      // we have to fill variables used in form
      $_POST['name'] = $_POST['email'] = $_POST['notes'] = '';
    }
    ?>
    <html>
    <head></head>
    <body>
    <?php if ($err): ?><font color=red><b><?=$err?></b></font><?php endif; ?>
    <form method="POST">
    Name: <input type="text" name="name" value="<?=$_POST['name']?>"><br>
    Email: <input type="text" name="email" value="<?=$_POST['email']?>"><br>
    Notes: <textarea rows="3" cols="30" name="notes"><?=$_POST['notes']?></textarea><br>
    <input type="submit" name="submit">
    </form>
    </body>
    </html>
    

    it will produce a so-called pipe-delimited format like this

    name1|email1|comment
    name2|email2|comment
    

    you can read it using file()+explode()
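The following is an added example, not part of the answer above, showing the write side and the file()+explode() read side of that pipe-delimited format together, and why the two escaping stages matter: a hostile entry containing the field separator and a script tag is stored as plain text and reads back as exactly one record. The function names (encode_field, encode_record, read_guestbook) and the use of a temporary file instead of gbook.txt are assumptions made for the example.

```php
<?php
// Added example (not the answer's code): round trip of the pipe-delimited guestbook
// format. Function names and the temporary file are assumptions for the example.
declare(strict_types=1);

// Storage-side encoding, mirroring the answer's two stages:
// non-destructive (trim + htmlspecialchars), then format-specific (newline, pipe).
function encode_field(string $value): string
{
    $value = trim($value);
    $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    $value = str_replace("\r", "", $value);
    $value = str_replace("\n", "<br>", $value);
    // "|" is the field separator, so it must never survive inside a field
    return str_replace("|", "&brvbar;", $value);
}

function encode_record(string $name, string $email, string $notes): string
{
    return encode_field($name) . "|" . encode_field($email) . "|"
         . encode_field($notes) . "|" . time() . "\n";
}

// Read side: file() + explode(), as the answer suggests. Every line is expected to
// carry exactly four fields (name, email, notes, timestamp); anything else is skipped.
function read_guestbook(string $path): array
{
    $records = [];
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return $records;
    }
    foreach ($lines as $line) {
        $parts = explode("|", $line);
        if (count($parts) !== 4) {
            continue; // corrupt or hand-edited line, do not trust it
        }
        [$name, $email, $notes, $ts] = $parts;
        $records[] = ['name' => $name, 'email' => $email, 'notes' => $notes, 'time' => (int) $ts];
    }
    return $records;
}

// Constructed sample input: one honest entry and one hostile entry that tries to
// smuggle in a field separator and a script tag.
$path = tempnam(sys_get_temp_dir(), 'gbook');
file_put_contents($path, encode_record("Alice", "alice@example.org", "Hello\nworld"), FILE_APPEND);
file_put_contents($path, encode_record("Mallory|x@y.z|pwned", "<script>alert(1)</script>", "bye"), FILE_APPEND);

$records = read_guestbook($path);
unlink($path);

// Still two records: the injected "|" could not split Mallory's line into extra fields.
assert(count($records) === 2);
assert($records[0]['notes'] === "Hello<br>world");
assert($records[1]['name'] === "Mallory&brvbar;x@y.z&brvbar;pwned");
// Stored already HTML-encoded, so it can be echoed into a page as-is, without a second escape.
assert($records[1]['email'] === "&lt;script&gt;alert(1)&lt;/script&gt;");
echo "guestbook round trip OK: " . count($records) . " records\n";
```

Two points to keep in mind when using this format: the fields are stored HTML-encoded, so print them directly when rendering the guestbook and do not run htmlspecialchars() over them a second time (that would turn `&lt;` into `&amp;lt;` on screen); and the data file itself should live outside the web server's document root, since a .txt file inside it can be fetched by URL regardless of how carefully its contents were escaped.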