Can an attacker send any garbage to $_POST, bypassing the form? For example, I expect to receive $_POST['userName'] and $_POST['userEmail'], but instead I receive $_POST['iAm'] and $_POST['coolHacker']. In that case, if the field names are critical for me and I then use them in my script, this could break it. So as not to work directly with the $_POST array, is it advisable to process it in the following way?

    $formData = ['field1Name' => '', 'field2Name' => ''];
    foreach ($formData as $fieldName => $value) {
        // copy only the keys we expect; anything else the client put in $_POST is ignored
        if (isset($_POST[$fieldName])) {
            $formData[$fieldName] = $_POST[$fieldName];
        }
    }
  • Obviously, it all depends on what exactly comes next in your script - andreymal
  • @andreymal, actually what I'm interested in is: can an attacker send any garbage to $_POST, bypassing the form? - Roman Andreev
  • One of the security principles is not to trust any incoming data. If certain predefined fields are expected, then only those are accepted for processing. If a field is intended for an email, then it is validated as a valid address. If it is a name, then the incoming data is filtered for the presence of scripts, tags, etc. What is left is what goes further along the code. If something is wrong, then we abort and issue an error. - MAX
  • @RomanAndreev of course they can, but it's not at all a given that it will affect anything if the script doesn't touch those fields - andreymal
  • @MAX for your information very."(),:;<>[]".VERY."very@\\\\\\ \"very<script>alert(1)</script>".unusual@strange.example.com is a perfectly valid email address according to the RFC :) - andreymal

2 answers

I would advise you to use the array_intersect_key function; it looks cleaner:

    $fields = ['field1Name', 'field2Name'];
    // array_flip turns the list of names into keys, so array_intersect_key
    // keeps only those entries of $_POST and drops every other key
    $formData = array_intersect_key($_POST, array_flip($fields));

The result will be the same, but with less code.

Regarding the question of whether an attacker can add fields: easily. Just change the page's source code or, if sending through curl, add parameters.

  • Thanks, but it still doesn't answer my main question :) - Roman Andreev
  • @RomanAndreev I've added to the answer; you can easily do it, if answering in a nutshell :) - Yaroslav Molchan
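A fuller version of the whitelist approach from this answer, combined with the per-field validation MAX's comment asks for. This is an added example, not code from the question or from either answer; the field names userName and userEmail come from the question, while the name regex, the validator layout and the constructed forged request are assumptions made for the example.

```php
<?php
// Added example: whitelist the expected $_POST keys with array_intersect_key,
// then validate each survivor. Everything else the client sent is dropped.
declare(strict_types=1);

/**
 * Keep only the expected keys of $input (normally $_POST) and validate them.
 * Returns [validated data, list of error messages].
 */
function collectFormData(array $input): array
{
    // Whitelist: expected field name => validator returning bool.
    // is_string() matters: a client can send userName[]=x and PHP will
    // happily hand you an array where you expected a string.
    $validators = [
        'userName'  => static fn($v): bool => is_string($v)
            && preg_match('/^[\p{L}\p{M}\' .-]{1,64}$/u', $v) === 1,   // assumed name policy
        'userEmail' => static fn($v): bool => is_string($v)
            && filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
    ];

    // Same trick as in the answer: unknown keys such as 'iAm' or
    // 'coolHacker' never make it past this line.
    $data = array_intersect_key($input, $validators);

    $errors = [];
    foreach ($validators as $field => $isValid) {
        if (!array_key_exists($field, $data)) {
            $errors[] = "missing field: $field";
            continue;
        }
        if (!$isValid($data[$field])) {
            $errors[] = "invalid value for $field";
            unset($data[$field]);   // never let a rejected value travel further
        }
    }
    return [$data, $errors];
}

// Constructed input simulating a forged request, i.e. what an attacker gets
// into $_POST with something like
//   curl -d 'userName=Roman&userEmail=roman@example.com&iAm=x&coolHacker=1' https://example.com/form.php
// (hypothetical URL).
$forged = [
    'userName'   => 'Roman',
    'userEmail'  => 'roman@example.com',
    'iAm'        => 'x',
    'coolHacker' => '1',
];

[$data, $errors] = collectFormData($forged);
var_dump($data);    // only userName and userEmail survive
var_dump($errors);  // empty array: both expected fields were valid

// A second forged request: an array where a string is expected, and a bad email.
[$data, $errors] = collectFormData(['userName' => ['x'], 'userEmail' => 'not an email']);
var_dump($data);    // empty: both values were rejected
var_dump($errors);  // two "invalid value" messages
```

The whitelist answers the original question (extra keys are simply discarded), and the validators answer the follow-up in the comments (a surviving key still carries untrusted content until it has been checked). Because the function takes the input array as a parameter instead of reading $_POST itself, it is also the one place in the script that touches the superglobal, which makes the "data gateway" easy to find later.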

Security in a project should be handled more globally. With this approach you will definitely make a mistake somewhere. Build the project however you like, and then deal with security separately: find all the data gateways and add validators to prevent unintended data from being processed.

  • "Build the project however you like, and then" - this way you can end up in a situation where you have to redo everything from scratch. - vp_arth
  • "Find all the data gateways" - the problem is that in PHP the "data gateways" are the superglobal variables ($_GET / $_POST / $_REQUEST / $_COOKIE etc.). If you do not restrict access to them in advance, you will be searching for a long time. - vp_arth