(PHP) Validation, Security and Speed - Does my app have these?
- by Devner
Hi all,
I am currently working on a building community website in PHP. This contains forms that a user can fill right from registration to lot of other functionality. I am not an Object-oriented guy, so I am using functions most of the time to handle my application. I know I have to learn OOPS, but currently need to develop this website and get it running soon.
Anyway, here's a sample of what I let my app. do:
Consider a page (register.php) that has a form where a user has 3 fields to fill up, say: First Name, Last Name and Email. Upon submission of this form, I want to validate the form and show the corresponding errors to the users:
<form id="form1" name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<label for="name">Name:</label>
<input type="text" name="name" id="name" /><br />
<label for="lname">Last Name:</label>
<input type="text" name="lname" id="lname" /><br />
<label for="email">Email:</label>
<input type="text" name="email" id="email" /><br />
<input type="submit" name="submit" id="submit" value="Submit" />
</form>
This form will POST the info to the same page. So here's the code that will process the POST'ed info:
<?php
require("functions.php");
if( isset($_POST['submit']) )
{
$errors = fn_register();
if( count($errors) )
{
//Show error messages
}
else
{
//Send welcome mail to the user or do database stuff...
}
}
?>
<?php
//functions.php page:
function sql_quote( $value )
{
if( get_magic_quotes_gpc() )
{
$value = stripslashes( $value );
}
else
{
$value = addslashes( $value );
}
if( function_exists( "mysql_real_escape_string" ) )
{
$value = mysql_real_escape_string( $value );
}
return $value;
}
function clean($str) {
$str = strip_tags($str, '<br>,<br />');
$str = trim($str);
$str = sql_quote($str);
return $str;
}
foreach ($_POST as &$value)
{
if (!is_array($value))
{
$value = clean($value);
}
else
{
clean($value);
}
}
foreach ($_GET as &$value)
{
if (!is_array($value))
{
$value = clean($value);
}
else
{
clean($value);
}
}
function validate_name( $fld, $min, $max, $rule, $label ) {
if( $rule == 'required' )
{
if ( trim($fld) == '' )
{
$str = "$label: Cannot be left blank.";
return $str;
}
}
if ( isset($fld) && trim($fld) != '' )
{
if ( isset($fld) && $fld != '' && !preg_match("/^[a-zA-Z\ ]+$/", $fld))
{
$str = "$label: Invalid characters used! Only Lowercase, Uppercase alphabets and Spaces are allowed";
}
else if ( strlen($fld) < $min or strlen($fld) > $max )
{
$curr_char = strlen($fld);
$str = "$label: Must be atleast $min character & less than $max char. Entered characters: $curr_char";
}
else
{
$str = 0;
}
}
else
{
$str = 0;
}
return $str;
}
function validate_email( $fld, $min, $max, $rule, $label ) {
if( $rule == 'required' )
{
if ( trim($fld) == '' )
{
$str = "$label: Cannot be left blank.";
return $str;
}
}
if ( isset($fld) && trim($fld) != '' )
{
if ( !eregi('^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$', $fld) )
{
$str = "$label: Invalid format. Please check.";
}
else if ( strlen($fld) < $min or strlen($fld) > $max )
{
$curr_char = strlen($fld);
$str = "$label: Must be atleast $min character & less than $max char. Entered characters: $curr_char";
}
else
{
$str = 0;
}
}
else
{
$str = 0;
}
return $str;
}
function val_rules( $str, $val_type, $rule='required' ){
switch ($val_type)
{
case 'name':
$val = validate_name( $str, 3, 20, $rule, 'First Name');
break;
case 'lname':
$val = validate_name( $str, 10, 20, $rule, 'Last Name');
break;
case 'email':
$val = validate_email( $str, 10, 60, $rule, 'Email');
break;
}
return $val;
}
function fn_register() {
$errors = array();
$val_name = val_rules( $_POST['name'], 'name' );
$val_lname = val_rules( $_POST['lname'], 'lname', 'optional' );
$val_email = val_rules( $_POST['email'], 'email' );
if ( $val_name != '0' ) { $errors['name'] = $val_name; }
if ( $val_lname != '0' ) { $errors['lname'] = $val_lname; }
if ( $val_email != '0' ) { $errors['email'] = $val_email; }
return $errors;
}
//END of functions.php page
?>
OK, now it might look like there's a lot, but lemme break it down target wise:
1. I wanted the foreach ($_POST as &$value) and foreach ($_GET as &$value) loops to loop through the received info from the user submission and strip/remove all malicious input.
I am calling a function called clean on the input first to achieve the objective as stated above. This function will process each of the input, whether individual field values or even arrays and allow only tags and remove everything else. The rest of it is obvious.
Once this happens, the new/cleaned values will be processed by the fn_register() function and based on the values returned after the validation, we get the corresponding errors or NULL values (as applicable).
So here's my questions:
1. This pretty much makes me feel secure as I am forcing the user to correct malicious data and won't process the final data unless the errors are corrected. Am I correct?
Does the method that I follow guarantee the speed (as I am using lots of functions and their corresponding calls)? The fields of a form differ and the minimum number of fields I may have at any given point of time in any form may be 3 and can go upto as high as 100 (or even more, I am not sure as the website is still being developed). Will having 100's of fields and their validation in the above way, reduce the speed of application (say upto half a million users are accessing the website at the same time?). What can I do to improve the speed and reduce function calls (if possible)?
3, Can I do something to improve the current ways of validation?
I am holding off object oriented approach and using FILTERS in PHP for the later. So please, I request you all to suggest me way to improve/tweak the current ways and suggest me if the script is vulnerable or safe enough to be used in a Live production environment. If not, what I can do to be able to use it live?
Thank you all in advance.
