PHP Form Hijacking
by Nirmala, 2010-09-02 12:36:40
The following measures help prevent your PHP form from being hijacked:
1. Set register_globals to Off to prevent form injection with malicious data.
2. Set error_reporting to E_ALL so that every use of an uninitialized variable is reported and all variables are initialized before they are used.
3. Make a practice of using htmlentities(), strip_tags(), utf8_decode() and addslashes() to filter malicious data in PHP.
4. Make a practice of using mysql_escape_string() for MySQL.
5. Follow good client-side data validation practices with regular expressions before submitting data to the server.
6. Form submission key validation: a singleton method can be used to generate a session form key, and each submitted form is validated by comparing the hidden form key parameter against that same session value.
7. Escape data that is passed into an SQL query using the mysql_real_escape_string() function.
8. Input data must also be filtered with proper validation methods and htmlentities() before it is passed into an SQL query.
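As an added illustration of item 6 (not code from the original post), the following script generates a per-form key bound to the session, embeds it in a hidden field, and rejects any submission whose key does not match. It assumes PHP 7.0 or later (random_bytes(), hash_equals()) and that session_start() runs before any output; the field and session slot names are arbitrary choices for the example.

```php
<?php
// Added example of a session-bound form key (item 6 above); not the original post's code.
// Assumes PHP >= 7.0 and that session_start() runs before any output is sent.
session_start();

const FORM_KEY_FIELD   = 'form_key';   // hidden field name (assumed for this example)
const FORM_KEY_SESSION = 'form_keys';  // session slot name (assumed for this example)

// Generate one key per form and store it in the session, so a submitted value
// can only be valid if it came from a page that this same session rendered.
function generateFormKey(string $formName): string {
    $key = bin2hex(random_bytes(32));
    $_SESSION[FORM_KEY_SESSION][$formName] = $key;
    return $key;
}

// Compare the submitted hidden field against the stored key. The stored key is
// consumed on the first check, so a captured value cannot be replayed later.
function validateFormKey(string $formName, ?string $submitted): bool {
    $expected = $_SESSION[FORM_KEY_SESSION][$formName] ?? null;
    unset($_SESSION[FORM_KEY_SESSION][$formName]);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);  // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!validateFormKey('contact', $_POST[FORM_KEY_FIELD] ?? null)) {
        http_response_code(403);
        exit('Form key missing or invalid: the form was not submitted from this session.');
    }
    // ... validate and process the remaining fields here ...
    echo 'Submission accepted.';
    exit;
}

// Render the form with a fresh key in a hidden field; htmlentities() protects the attribute value.
$key = generateFormKey('contact');
?>
<form method="post" action="">
  <input type="hidden" name="<?= FORM_KEY_FIELD ?>" value="<?= htmlentities($key, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="message">
  <button type="submit">Send</button>
</form>
```

Because the key is stored server-side and consumed on use, a form that was copied or replayed from another session fails validation even if every other field looks legitimate.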