
Web Technologies-I



                                          include '/inc/logic/process.inc';
                                      }
                                      break;
                                  }
                                  ?>
                                 In this example, each form that is submitted is expected to have a form variable named form
                                 that uniquely identifies it, and security.inc has a separate case to handle the data filtering for
                                 that particular form. An example of an HTML form that fulfills this requirement is as follows:
                                  <form action="/receive.php" method="POST">
                                  <input type="hidden" name="form" value="login" />
                                  <p>Username:
                                  <input type="text" name="username" /></p>
                                  <p>Password:
                                  <input type="password" name="password" /></p>
                                  <input type="submit" />
                                  </form>
                                  An array named $allowed lists exactly which form variables that particular form may
                                  submit, and the set of field names actually received must be identical to that list (no
                                  extra, missing or renamed fields) for the form to be processed at all. Control flow is
                                  determined in security.inc; process.inc is where the actual data filtering takes place.

                                                A good way to ensure that security.inc is always included at the top of every
                                                PHP script is to use the auto_prepend_file directive.
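                                  The following is an added example, not the textbook's own code: a complete security.inc
                                  that implements the dispatch described above. The form id login, its three field names
                                  and the path /inc/logic/process.inc come from the text; the second form (search, with a
                                  single field q) and the 400 responses are assumptions added to show how the switch grows
                                  and what happens when a request does not match any whitelist.

```php
<?php
// Added example (not the textbook's code): security.inc implementing the
// per-form field whitelist. 'login' and /inc/logic/process.inc are from the
// page; the 'search' form and the 400 responses are assumptions.

// Sorted list of the field names the client actually submitted.
function submitted_fields(array $post)
{
    $sent = array_keys($post);
    sort($sent);
    return $sent;
}

// True only when the submitted field names are identical to the whitelist:
// no extra, missing or renamed fields. Order of appearance does not matter.
function fields_match(array $allowed, array $post)
{
    sort($allowed);
    return submitted_fields($post) === $allowed;
}

// Plain page views (GET, no POST body) have nothing to filter; hand control
// straight back to the script that this file was auto_prepended to.
if (empty($_POST)) {
    return;
}

// Every form must carry a string form id, otherwise there is no case for it.
if (!isset($_POST['form']) || !is_string($_POST['form'])) {
    header('HTTP/1.1 400 Bad Request');
    exit('Missing form id');
}

switch ($_POST['form']) {
    case 'login':
        // Exactly the fields the login form in the text may submit.
        $allowed = array('form', 'username', 'password');
        break;

    case 'search':
        // Assumed second form, for illustration only.
        $allowed = array('form', 'q');
        break;

    default:
        // Unknown form id: no filtering logic exists for it, so refuse.
        header('HTTP/1.1 400 Bad Request');
        exit('Unknown form');
}

if (!fields_match($allowed, $_POST)) {
    // A field was added, dropped or renamed; process.inc must not see it.
    header('HTTP/1.1 400 Bad Request');
    exit('Unexpected form fields');
}

// Only now is the submission handed to the filtering code for this form.
include '/inc/logic/process.inc';
```

                                  With auto_prepend_file pointing at this file (for example auto_prepend_file = /inc/security.inc
                                  in php.ini, an assumed path), it runs before /receive.php or any other script, so a
                                  submission with an unexpected extra field such as is_admin=1 never reaches process.inc.
                                  Rejecting a POST that lacks a form id matters too: if security.inc silently did nothing,
                                  the receiving script would still see the raw, unfiltered $_POST.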

                                 Filtering Examples

                                 It is important to take a whitelist approach to your data filtering, and while it is impossible
                                 to give examples for every type of form data you may encounter, a few examples can help to
                                 illustrate a sound approach.
                                 The following validates an email address:




                                  <?php

                                  $clean = array();

                                  // Local part: anything except @, whitespace and a few HTML-significant
                                  // characters; domain: dot-separated labels ending in a 2+ letter TLD.
                                  $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';

                                  // The field must be present and a string (a submission such as
                                  // email[]=x arrives as an array) before it is matched at all.
                                  if (isset($_POST['email']) && is_string($_POST['email'])
                                      && preg_match($email_pattern, $_POST['email']))
                                  {
                                    $clean['email'] = $_POST['email'];
                                  }

                                  ?>
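                                  The following added example (not the textbook's code) carries the same $clean pattern
                                  through a whole form: a process.inc-style filter for the login form from the text,
                                  assumed here to be extended with an email field. The username and password length
                                  limits and the sample submissions are constructed for illustration. The point it adds
                                  to the single email check is that every field gets its own whitelist rule, a failed
                                  check records an error rather than falling back to the raw value, and a value is never
                                  used unless it has been copied into $clean.

```php
<?php
// Added example (not the textbook's code): whitelist filtering for the
// login form from the page, extended with an assumed email field. Only
// values that pass their check are copied into $clean; everything else
// in the submission is ignored. Length limits are assumptions.

function filter_login(array $post)
{
    $clean  = array();
    $errors = array();

    // Username: 3-32 characters, letters, digits and underscore only.
    if (isset($post['username']) && is_string($post['username'])
        && preg_match('/^[a-z0-9_]{3,32}$/i', $post['username'])) {
        $clean['username'] = $post['username'];
    } else {
        $errors[] = 'username';
    }

    // Password: any characters are allowed (a character whitelist would only
    // weaken passwords), but the length is bounded so an attacker cannot feed
    // megabytes into the hashing step.
    if (isset($post['password']) && is_string($post['password'])
        && strlen($post['password']) >= 8
        && strlen($post['password']) <= 128) {
        $clean['password'] = $post['password'];
    } else {
        $errors[] = 'password';
    }

    // Email: the pattern from the page. It is a practical whitelist, not the
    // full RFC 5321 grammar: quoted local parts and IP-literal domains are
    // rejected on purpose. The is_string test guards against email[]=x.
    $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
    if (isset($post['email']) && is_string($post['email'])
        && strlen($post['email']) <= 254
        && preg_match($email_pattern, $post['email'])) {
        $clean['email'] = $post['email'];
    } else {
        $errors[] = 'email';
    }

    return array($clean, $errors);
}

// Constructed sample submissions, not real traffic.
$good = array('form' => 'login', 'username' => 'alice_01',
              'password' => 'correct horse battery', 'email' => 'alice@example.com');
$bad  = array('form' => 'login', 'username' => 'alice<script>',
              'password' => 'short', 'email' => 'alice@example');

// All three fields of $good pass and end up in $clean with no errors.
list($clean, $errors) = filter_login($good);

// Every field of $bad fails its check: $clean stays empty and $errors names
// each field, so the caller can re-display the form instead of proceeding.
list($clean, $errors) = filter_login($bad);
```

                                  Note that the filter never "repairs" a bad value (for example by stripping the angle
                                  brackets from the username); it simply refuses it. Sanitising on failure would turn a
                                  whitelist back into a blacklist.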



