huseyin

Any Security Steps Needed Beyond PW-Sanitizer?


Hello,

If you deal with user input (form data, URL variables, etc.), are you using only the PW Sanitizer API or any more actions?


As there is no answer... 

My English knowledge is limited. Probably you did not understand the question.

Will try to (re)explain. 

How do you sanitize user input data? Is only the PW sanitizer enough, or what is your strategy against XSS?


Hi huseyin,

1. Use the appropriate Sanitizer methods to test user input from post and get. Depending on the circumstance, you'll either want to validate (reject it completely if there's something wrong with it), or filter/sanitize it (accept it but strip out unwanted characters). If doing both filter and validate, do your validation AFTER your filtering.

2. Even more important than step #1 is to use escaping on your output. This means using htmlspecialchars() or htmlentities() or $sanitizer->entities() when you output any field from the database or user input to the page (if you have htmlentities setup on your field's output formatting, then you can skip this step for those fields). Even if you mess up on the filter/validation from #1, as long as you've escaped all of the html, you should be ok. 

3. When using user input (get or post variables) inside ProcessWire selector strings, use the Sanitizer::selectorValue() method on the value first. Even better, just use Selector Arrays since selectorValue can sometimes strip out characters (quotes and commas) that you actually want to search for.

4. If you're using any SQL directly, you must use prepared statements to bind any user input, which automatically escapes the input for SQL.

5. For protection against Cross Site Request Forgery (CSRF), use ProcessWire's SessionCSRF class when building custom forms. See https://processwire.com/api/ref/session-c-s-r-f/ for details on how to use this.

6. Don't use GET for secret data (passwords, security codes, etc). That data can get picked up by browser extensions or appear in server logs that might get compromised.

7. Use SSL/https on your whole site.

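As an added illustration of steps 1 through 5 above (this is example code written for this thread, not thetuningspoon's own code and not code from the ProcessWire project), here is a single ProcessWire 3.x template file that validates a POSTed form, checks the CSRF token, searches pages with a selector array, inserts through a prepared statement, and entity-encodes everything it echoes. The form fields (`name`, `email`, `query`), the `product` template and the `contact_log` table are assumptions made for the example.

```php
<?php namespace ProcessWire;
// Added example (not from the thread). Assumes a ProcessWire 3.x template file
// where the API variables $input, $sanitizer, $session, $pages, $database and
// $page are available, and a hypothetical form posting "name", "email", "query".

$errors = [];
$name   = '';
$email  = '';
$query  = '';

if ($input->post('submit')) {

    // Step 5: reject the request outright if the CSRF token is missing or wrong.
    // $session->CSRF->renderInput() in the form below emits the matching field.
    if (!$session->CSRF->hasValidToken()) {
        $errors[] = 'Invalid or expired form token, please try again.';
    }

    // Step 1: filter first, then validate. text() strips tags and caps length;
    // email() returns '' for anything that is not a valid address, so the
    // validation below is a plain comparison against the filtered value.
    $name  = $sanitizer->text($input->post('name'), ['maxLength' => 128]);
    $email = $sanitizer->email($input->post('email'));
    $query = $sanitizer->text($input->post('query'), ['maxLength' => 64]);

    if ($name === '')  $errors[] = 'Name is required.';
    if ($email === '') $errors[] = 'A valid email address is required.';

    if (!count($errors)) {
        // Step 3: user input in a selector. A selector array passes the value
        // as data rather than as selector syntax, so quotes and commas in
        // $query are matched literally instead of being stripped by
        // selectorValue().
        $matches = $pages->find([
            'template' => 'product',   // hypothetical template name
            'title%='  => $query,
            'limit'    => 10,
        ]);

        // Step 4: raw SQL only through a prepared statement. The values are
        // bound, never concatenated into the query string. Table is hypothetical.
        $stmt = $database->prepare(
            'INSERT INTO contact_log (name, email, created) VALUES (:name, :email, NOW())'
        );
        $stmt->bindValue(':name', $name);
        $stmt->bindValue(':email', $email);
        $stmt->execute();
    }
}
?>
<!-- Step 2: everything echoed back is entity-encoded, both the user's own
     input and field values read from the database, so even a mistake in the
     filtering above cannot put markup on the page. -->
<?php foreach ($errors as $error): ?>
  <p class="error"><?= $sanitizer->entities($error) ?></p>
<?php endforeach; ?>

<form method="post" action="<?= $sanitizer->entities($page->url) ?>">
  <?= $session->CSRF->renderInput() ?>
  <label>Name <input type="text" name="name" value="<?= $sanitizer->entities($name) ?>"></label>
  <label>Email <input type="email" name="email" value="<?= $sanitizer->entities($email) ?>"></label>
  <label>Search <input type="text" name="query" value="<?= $sanitizer->entities($query) ?>"></label>
  <button type="submit" name="submit" value="1">Send</button>
</form>

<?php if (isset($matches) && $matches->count()): ?>
<ul>
  <?php foreach ($matches as $match): ?>
  <li><?= $sanitizer->entities($match->title) ?></li>
  <?php endforeach; ?>
</ul>
<?php endif; ?>
```

The form uses POST rather than GET (step 6) so that none of the submitted values end up in the URL or in access logs; serving the page over HTTPS (step 7) is a server configuration matter and is not shown here.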


Hello @thetuningspoon,

Thank you very much for your reply. This is really very good information.

I have read it a few times. I am sure I will read it a few more times.

Thank you again... 


Happy to help! Let me know if you want me to go into more detail on any of these and I will do my best.

