  1. #1
    Join Date
    Jun 2012
    Posts
    228
    Plugin Contributions
    0

    Security Measures Best Practice for Processing Form inputs

    I have a custom form seeking name, address, phone number and several other parameters. What ZC security functions should be used to protect the database and code against spam and other forms of attack?
    Thanks,
    Dave

    zc155f, many add-ons and custom code, php 7.1.x

  2. #2
    Join Date
    Jul 2012
    Posts
    15,334
    Plugin Contributions
    17

    Re: Security Measures Best Practice for Processing Form inputs

    Seeking the information may not be as much of an issue as what is done with or what is returned as a result of processing the provided information, though all such avenues are important to consider/address.

    For one, there is the zen_draw_form function, which intends to link the provided information to the session to validate that the information was provided from the site and not an external source. There is the use of 'post' as the method of communication. There is the use of an SSL. There is sanitization of the data that has been provided (if something is expected to be an integer, then cast the data to an integer). There is data validation (if the area being served has a zip code and the zip code can only be made of numbers, then prevent undesirable characters from being included in the data). Before using user-entered data to access the database, be sure to sanitize it, noting that there are some things/entries that could use the word 'null', either in all lowercase or all uppercase or perhaps entered as a mix, and be sure to handle such entry as expected/desired.

    Generally speaking, if entry of the information is to evoke a response based on "proper" entry, then false/incorrect entries of any portion of the data should return the same response as a false entry of any other part of the data; otherwise brute force techniques are easier to complete. E.g., if a user were to enter a login name with an incorrect password, then identifying that the only issue is the password positively identifies that the login name is correct and only the password needs to be discovered. Instead, the recommendation generally is to identify that there is a problem with the combination, which would also be output if the username was incorrect but a correct password for someone were entered.

    Potentially have the individual be logged in to enter the data (limits attempts to those that have gotten past the login process).

    These, I think, are many ways to at least make a basic effort to safely/securely collect the information.

    Would recommend further description of "plans" to get more specific recommendations.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
    Upgraded to Zen Cart V1.5.3 from V1.5.1 from V1.5.0 from V1.3.9h
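The handler below is an added example, not code from this post or from the Zen Cart project. It puts the points above into one catalog-side page: zen_draw_form() over POST and SSL, a login requirement, casting and validating each field, typed binding before the INSERT, and a single generic error message so a reply never reveals which field failed. It assumes a Zen Cart 1.5.x page load (global $db, $messageStack and the zen_* helpers available); the table name, the 'enquiry' page name and the TEXT_ENQUIRY_* language constants are hypothetical placeholders.

```php
<?php
// Added example (not from the post or the Zen Cart project). Catalog-side
// handler for a custom enquiry form. Assumes a Zen Cart 1.5.x page load;
// the table, page name and language constants below are hypothetical.

define('TABLE_CUSTOM_ENQUIRIES', DB_PREFIX . 'custom_enquiries');        // hypothetical table
define('TEXT_ENQUIRY_INVALID', 'Please check the details you entered.'); // hypothetical constant
define('TEXT_ENQUIRY_SAVED', 'Thank you, your enquiry was recorded.');   // hypothetical constant

// Render the form. zen_draw_form() with method 'post' adds the session-bound
// securityToken hidden field; Zen Cart's session init compares it with the
// session value on the next POST (assumption: standard 1.5.x core behaviour),
// so a bare POST from an external page does not reach action=send.
function render_enquiry_form()
{
    $html  = zen_draw_form('enquiry', zen_href_link('enquiry', 'action=send', 'SSL'), 'post');
    $html .= zen_draw_input_field('name', '', 'maxlength="64"');
    $html .= zen_draw_input_field('address', '', 'maxlength="128"');
    $html .= zen_draw_input_field('postcode', '', 'maxlength="5"');
    $html .= zen_draw_input_field('phone', '', 'maxlength="20"');
    $html .= zen_draw_input_field('quantity', '', 'maxlength="4"');
    $html .= '<input type="submit" value="Send">';
    $html .= '</form>';
    return $html;
}

// Validate the POSTed fields; returns the cleaned array, or null on any problem.
// Every failure is reported with the same generic message (the "uniform
// response" point above), so the reply does not say which field was wrong.
function validate_enquiry(array $post)
{
    $name     = trim((string)($post['name'] ?? ''));
    $address  = trim((string)($post['address'] ?? ''));
    $postcode = trim((string)($post['postcode'] ?? ''));
    $phone    = preg_replace('/\D/', '', (string)($post['phone'] ?? '')); // keep digits only
    $quantity = (int)($post['quantity'] ?? 0);                            // cast, as suggested above

    $ok = (mb_strlen($name) >= 1 && mb_strlen($name) <= 64)
       && (mb_strlen($address) >= 1 && mb_strlen($address) <= 128)
       && (ctype_digit($postcode) && strlen($postcode) === 5)   // US ZIP: exactly five digits
       && (strlen($phone) >= 7 && strlen($phone) <= 15)
       && ($quantity >= 1 && $quantity <= 1000);

    if (!$ok) {
        return null;
    }
    return ['name' => $name, 'address' => $address, 'postcode' => $postcode,
            'phone' => $phone, 'quantity' => $quantity];
}

// Bind each field with an explicit type. stringIgnoreNull keeps a surname of
// "Null" as a quoted string instead of the SQL keyword; integer binding means
// the quantity column only ever receives a number; postcode stays a string so
// a leading zero survives.
function build_enquiry_insert(array $clean, $customer_id)
{
    global $db;
    $sql = "INSERT INTO " . TABLE_CUSTOM_ENQUIRIES
         . " (customers_id, name, address, postcode, phone, quantity, date_added)"
         . " VALUES (:cid, :name, :address, :postcode, :phone, :qty, now())";
    $sql = $db->bindVars($sql, ':cid',      $customer_id,       'integer');
    $sql = $db->bindVars($sql, ':name',     $clean['name'],     'stringIgnoreNull');
    $sql = $db->bindVars($sql, ':address',  $clean['address'],  'stringIgnoreNull');
    $sql = $db->bindVars($sql, ':postcode', $clean['postcode'], 'string');
    $sql = $db->bindVars($sql, ':phone',    $clean['phone'],    'string');
    $sql = $db->bindVars($sql, ':qty',      $clean['quantity'], 'integer');
    return $sql;
}

// Entry point, as it would sit in the page's header_php.php.
if (!isset($_SESSION['customer_id'])) {              // require a login first
    zen_redirect(zen_href_link(FILENAME_LOGIN, '', 'SSL'));
}
if (isset($_GET['action']) && $_GET['action'] === 'send' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $clean = validate_enquiry($_POST);
    if ($clean === null) {
        $messageStack->add_session('header', TEXT_ENQUIRY_INVALID, 'error');
    } else {
        $db->Execute(build_enquiry_insert($clean, (int)$_SESSION['customer_id']));
        $messageStack->add_session('header', TEXT_ENQUIRY_SAVED, 'success');
    }
    zen_redirect(zen_href_link('enquiry', '', 'SSL'));   // post/redirect/get, avoids resubmission
}
```

The validation deliberately checks shape (length, digit-only, numeric range) rather than trying to strip "bad" characters; anything that does not fit is rejected with one generic message, and the database only ever sees values that were cast or bound to the column's type.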

  3. #3
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    7,470
    Plugin Contributions
    283

    Re: Security Measures Best Practice for Processing Form inputs

    That Software Guy. My Store: Zen Cart Modifications
    Available for hire - See my ad in Services
    Plugin Moderator, Documentation Curator, Chief Cook and Bottle-Washer.

  4. #4
    Join Date
    Jun 2012
    Posts
    228
    Plugin Contributions
    0

    Re: Security Measures Best Practice for Processing Form inputs

    mc12345678,
    summarizing your suggestions:
    zen_draw_form - yes
    $_POST - yes
    SSL - yes
    sanitization - yes, using zen_db_prepare_input; no (not yet) cast integers
    data validation - yes
    null treatment - no
    logged-in - yes

    Plans are to store the data in a new database table and process it later using phpMyAdmin.

    Questions: Is zen_db_prepare_input sufficient sanitization? Should I and can I use admin sanitization on the store side? Do you mean by null treatment that every entry should be checked for any form of null and an error flagged if found, i.e., as part of data validation?

    Thanks for your advice and hope to see answers to my questions when you can.
    Dave

  5. #5
    Join Date
    Jan 2004
    Posts
    65,671
    Blog Entries
    7
    Plugin Contributions
    244

    Re: Security Measures Best Practice for Processing Form inputs

    Instead of zen_db_prepare_input, which despite its name is not fit for storing to the db, use zen_db_input() ... or use $db->bindVars() and cast to a specific type.
    No, the admin sanitization stuff doesn't work catalog-side.

    https://docs.zen-cart.com/dev/code/database_querying

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  6. #6
    Join Date
    Jul 2012
    Posts
    15,334
    Plugin Contributions
    17

    Re: Security Measures Best Practice for Processing Form inputs

    Do you mean by null treatment that every entry should be checked for any form of null and an error flagged if found, i.e., as part of data validation?

    One of the "articles" that I've come across, either as a reference by a poster here or through some sort of research, was that it is possible that someone's real last name is Null, and as such they should be permitted to type that in and it should not get stored "oddly". In recent versions of Zen Cart there has been a data type that supports entering a name such as that: stringIgnoreNull. Otherwise, if you use the bindVars method to cast a variable to a string, then, depending on the version, if the string contains 'null' or 'NULL' the entire string basically becomes the SQL equivalent of null, regardless of how much content there is.
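The short example below is added here and is not code from the thread or from the Zen Cart project. It shows the two bind types side by side for a surname entered as "NULL": with 'string' the value can be substituted as the bare SQL keyword (per the post above; which spellings trigger it depends on the queryFactory version), while 'stringIgnoreNull' always escapes and quotes it. It assumes the global $db (queryFactory) from a Zen Cart 1.5.x page load; the table and column names are hypothetical placeholders.

```php
<?php
// Added example (not from the post or the Zen Cart project). Assumes the global
// $db from a Zen Cart 1.5.x page load; table and column names are hypothetical.
define('TABLE_CUSTOM_ENQUIRIES', DB_PREFIX . 'custom_enquiries'); // hypothetical table

// Build (but do not execute) an UPDATE with the surname bound using $bind_type,
// so the effect of each bind type on the final SQL text can be inspected.
function bind_surname($surname, $enquiry_id, $bind_type)
{
    global $db;
    $sql = "UPDATE " . TABLE_CUSTOM_ENQUIRIES
         . " SET surname = :surname WHERE enquiries_id = :id";
    $sql = $db->bindVars($sql, ':id', $enquiry_id, 'integer');
    return $db->bindVars($sql, ':surname', $surname, $bind_type);
}

// 'string': a value the bind logic treats as the null marker is substituted
// unquoted, so the column is set to SQL NULL rather than to the person's name.
$lost = bind_surname('NULL', 7, 'string');

// 'stringIgnoreNull': always escaped and quoted, so the name is stored as typed.
$kept = bind_surname('NULL', 7, 'stringIgnoreNull');

// For free-text fields where a literal "Null" is a legitimate value (names,
// addresses, comments), stringIgnoreNull is the type to use; reserve 'string'
// for columns where you intend a typed "null" to mean SQL NULL.
```

Comparing $lost and $kept for the same input makes the difference visible without touching the database: only the first can contain an unquoted null where the surname should be.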

  7. #7
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    7,470
    Plugin Contributions
    283

    Re: Security Measures Best Practice for Processing Form inputs

    That has got to be an XKCD cartoon. Like Little Bobby Tables.

    https://xkcd.com/327/

  8. #8
    Join Date
    Jun 2012
    Posts
    228
    Plugin Contributions
    0

    Re: Security Measures Best Practice for Processing Form inputs

    Hilarious!

  9. #9
    Join Date
    Feb 2006
    Location
    Tampa Bay, Florida
    Posts
    7,470
    Plugin Contributions
    283

    Re: Security Measures Best Practice for Processing Form inputs

    There was a story about a wise guy who got NULL for his license plate and it had the opposite of the intended effect.

    https://www.wired.com/story/null-lic...r-ticket-hell/