

Validate, Validate, Validate: Five Critical E-Commerce Security Tips in Five Days

The security of an e-commerce site depends upon so many things: the hosting involved, keeping all the software updated, using secure passwords, and so forth. But when it comes to the software you write--the Web application itself--the most fundamental security concept is that incoming data is validated, validated, and validated. In this post, Larry Ullman writes about what that means, from the concept to the implementation.

What data needs to be validated and how should you best do so: those are the key questions when it comes to developing your Web application. In terms of what, the answer is all data coming from an external source: the URL (data found in $_GET), forms (data found in $_GET or $_POST, plus uploaded files in $_FILES), cookies (data found in $_COOKIE), and request headers (the HTTP_* entries in $_SERVER, such as the User-Agent and Referer). Most developers know to validate the first two categories but aren't aware of the need to validate cookie data. Cookies can be easily manipulated by users (a browser extension or an intercepting proxy is all it takes), so it's critical not to assume that a cookie still has the value the site gave it. For sites with even stricter security needs, the Web application could also validate data coming from the database or the session, rather than assuming such data is okay just because it was presumably validated prior to being stored.

How you go about validating data is much more straightforward than many developers realize. It all comes down to how specific the site can be about the data's possible value. For example, if an administrator must log in using a specific username, then validation is a simple comparison, using the identity operator (===) so that the type is checked as well as the value:

if (isset($somevar) && ($somevar === 'somevalue')) { // Okay!

With that validation, it doesn't matter if the user provides a different value or a different type of value (e.g., a number), because the identity test catches both. The loose == operator would not: in PHP 5 and 7, 0 == 'somevalue' evaluates to true, so a submitted 0 would pass. The same goes for values that should be coming from "controlled" form elements: checkboxes, select menus, and radio buttons. Never assume the browser enforced the choices; validate the submitted value against the expected (i.e., allowed) values. An easy way to do this is the in_array() function, with its third argument set to true so that the comparison is strict:

$allowed = array('Mr.', 'Mrs.', 'Ms.', 'Dr.');
if (isset($title) && in_array($title, $allowed, true)) { // Okay!

This approach is simple and reliable, but only a minority of a site's data can be validated against a fixed list.
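The checks above, as an added example that is not code from the original post. It puts the exact-value test, the allowed-list test, and a cookie check into small functions and runs them over constructed inputs (the arrays stand in for $_GET, $_POST and $_COOKIE; the function and constant names are this example's own). It also shows the inputs that would slip past a loose comparison on PHP 5 and 7.

```php
<?php
declare(strict_types=1);

// Added example (not code from the original post): exact-value and
// allowed-list checks done with strict comparison. The arrays passed in
// below are constructed stand-ins for $_GET, $_POST and $_COOKIE, and the
// function and constant names are this example's own.

const ALLOWED_TITLES = ['Mr.', 'Mrs.', 'Ms.', 'Dr.'];
const ALLOWED_LANGS  = ['en', 'fr', 'de'];

// Exact match against one expected value. The is_string() guard rejects
// array input (?user[]=admin), and === rejects anything whose type or
// value differs. With == instead, PHP 5 and 7 evaluate 0 == 'admin' as
// true, so a submitted 0 would pass.
function isExpectedValue($input, string $expected): bool
{
    return is_string($input) && $input === $expected;
}

// Allowed-list check for a select menu or radio group. The third argument
// makes in_array() strict; without it, in_array(0, ALLOWED_TITLES) is
// true on PHP 5 and 7 for the same reason as above.
function isAllowedTitle($input): bool
{
    return is_string($input) && in_array($input, ALLOWED_TITLES, true);
}

// Cookies are user-controlled too: treat the value exactly like form
// input and fall back to a safe default rather than trusting it.
function languageFromCookie(array $cookie, string $default = 'en'): string
{
    $lang = $cookie['lang'] ?? null;
    return (is_string($lang) && in_array($lang, ALLOWED_LANGS, true))
        ? $lang
        : $default;
}

// Constructed inputs, each with the verdict a correct check must give.
$userChecks = [
    ['admin',   true],
    ['Admin',   false],  // case matters
    [0,         false],  // passes a loose == check on PHP 5/7
    [['admin'], false],  // ?user[]=admin
    [null,      false],
];
foreach ($userChecks as [$value, $expected]) {
    $got = isExpectedValue($value, 'admin');
    printf("%-12s -> %-5s %s\n", var_export($value, true),
        var_export($got, true), $got === $expected ? 'ok' : 'WRONG');
}

$titleChecks = [['Dr.', true], ['Dr', false], [0, false], [['Mr.'], false]];
foreach ($titleChecks as [$value, $expected]) {
    $got = isAllowedTitle($value);
    printf("%-12s -> %-5s %s\n", var_export($value, true),
        var_export($got, true), $got === $expected ? 'ok' : 'WRONG');
}

// A tampered cookie value falls back to the default instead of being used.
printf("lang=fr        -> %s\n", languageFromCookie(['lang' => 'fr']));
printf("lang=fr; path= -> %s\n", languageFromCookie(['lang' => 'fr; path=/']));
printf("no cookie      -> %s\n", languageFromCookie([]));
```

Run it with php from the command line. The is_string() guard matters as much as the strict operator: PHP turns a query string such as ?title[]=Mr. into an array, and a later string function applied to that array would emit a warning or, on PHP 8, throw.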

Most validations will begin by first breaking data into one of two types: numbers or strings. The is_numeric() function confirms that a variable has a numeric value, even if that variable is technically a string. Be aware of how broad "numeric" is, though: is_numeric() accepts leading whitespace, a sign, decimals, and exponent notation ("1e3"), and prior to PHP 7 it accepted hexadecimal strings as well. For an integer such as a quantity or a record ID, ctype_digit() or the Filter extension's FILTER_VALIDATE_INT is the tighter test. Numbers are often validated by range, too: greater than 0, less than X, etc. You can validate such data using comparison operators:

if (isset($somenum) && is_numeric($somenum) && ($somenum > 21)) { // Okay!

If you're running PHP 5.2 or greater, the Filter extension (filter_var() and friends) is bundled and enabled by default, and it can check the type and the range in a single call. See the PHP manual's page for this extension.

Strings are the trickiest to validate as they can have the widest range of values and be the most dangerous (allowing, for starters, for Cross-Site Scripting attacks). Email addresses and URLs are the rare strings that must adhere to a specific syntax. For these, the Filter extension is the best tool for the validation job (again, if you're using PHP 5.2 or later): FILTER_VALIDATE_EMAIL and FILTER_VALIDATE_URL. Note that a URL which passes the filter may still use a scheme you don't want, so also check that the scheme is http or https before echoing it into a link. If you can't use the Filter extension, or the format is one it has no filter for (a postal code, a product SKU), you'll need a regular expression. Anchor the pattern at both ends (^ and $, with PCRE's D modifier so that $ can't match before a trailing newline); an unanchored pattern only checks that the value contains a valid-looking piece.
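The numeric and syntax-bound checks from the two passages above, as an added example that is not code from the original post. It validates a constructed form submission with the Filter extension (bundled with PHP since 5.2) and one anchored regular expression, and shows three values that look plausible but must be rejected: an exponent-notation quantity, a javascript: URL with a host part, and a ZIP code with a trailing newline. The form array is constructed input and the function names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not code from the original post): numbers validated by
// type and range, and syntax-bound strings validated with the Filter
// extension or an anchored regular expression. The form array below is
// constructed input; the function names are this example's own.

// is_numeric() is looser than a quantity field needs: it accepts "7.0",
// "1e3", leading whitespace and, before PHP 7, "0x1A". FILTER_VALIDATE_INT
// accepts an optional sign and decimal digits (surrounding whitespace is
// trimmed) and enforces the range in the same call.
function validateQuantity($input, int $min = 1, int $max = 99): ?int
{
    $qty = filter_var($input, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $qty === false ? null : $qty;
}

// Email: filter_var() returns the validated string, or false on failure.
function validateEmail($input): ?string
{
    if (!is_string($input)) {
        return null;
    }
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// URL: FILTER_VALIDATE_URL checks syntax (scheme and host present), not
// which scheme is used, so "javascript://host/..." can pass. Restrict the
// scheme separately before the value is ever written into an href.
function validateHttpUrl($input): ?string
{
    if (!is_string($input) || filter_var($input, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($input, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $input : null;
}

// A format the Filter extension has no filter for: a US ZIP code. The
// pattern is anchored at both ends and uses the D modifier so that "$"
// cannot match before a trailing newline ("90210\n" would otherwise pass).
function validateZip($input): ?string
{
    return (is_string($input) && preg_match('/^\d{5}(-\d{4})?$/D', $input) === 1)
        ? $input
        : null;
}

// Constructed submission, as $_POST would deliver it (every value a string).
$form = [
    'quantity' => '1e3',                               // numeric, not a quantity
    'email'    => 'buyer@example.com',
    'website'  => 'javascript://example.com/%0Aalert(1)',
    'zip'      => "90210\n",
];

$results = [
    'quantity' => validateQuantity($form['quantity']),
    'email'    => validateEmail($form['email']),
    'website'  => validateHttpUrl($form['website']),
    'zip'      => validateZip($form['zip']),
];

foreach ($results as $field => $value) {
    printf("%-9s %s\n", $field, $value === null ? 'REJECTED' : 'ok: ' . var_export($value, true));
}
```

Each function returns null on failure rather than false, so a legitimate value of 0 or "" can never be confused with a rejection; the caller decides what to report back to the user.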

But many strings don't adhere to a specific syntax, including names, addresses, comments, forum postings, and so forth. In such cases, no comparison operator can help and a regular expression isn't the best solution, either. When you can't validate data to a standard, there's still one thing you can do: remove inadmissible content before it is stored. The most convenient tool for that is PHP's strip_tags() function, which removes HTML and PHP tags (and with them <script> elements) from a submitted string. Applying it won't ensure the string has a meaningful value, and it is not a complete defense on its own: the text between the removed tags remains, a string with no tags at all passes through untouched, and it does nothing against SQL injection (use prepared statements for that) or against a value later written into an HTML attribute without escaping. So keep escaping every string with htmlspecialchars() at the moment it is output, and rely on strip_tags() only to limit what gets stored. The function's optional second argument lets you list HTML tags that are acceptable, so you can allow style-related tags such as <b> and <i> while still denying <script>. Be aware that the allowed tags keep their attributes, event handlers like onmouseover included; if you need to accept a subset of HTML, a purpose-built HTML sanitizer is safer than strip_tags() with allowed tags.
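What strip_tags() does and does not do, as an added example that is not code from the original post. It runs three constructed strings through strip_tags() with and without allowed tags and then through output-time escaping with htmlspecialchars(), so the gaps described above (surviving text, surviving attributes, tag-free payloads) are visible side by side. The function names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not code from the original post): what strip_tags()
// removes, what it leaves behind, and the output-time escaping it does
// not replace. The sample strings are constructed; the function names
// are this example's own.

// Free-form text (a name, a comment): drop every tag at input time.
function sanitizeText(string $input): string
{
    return trim(strip_tags($input));
}

// Same, but with <b> and <i> permitted for light formatting.
function sanitizeTextAllowBoldItalic(string $input): string
{
    return trim(strip_tags($input, '<b><i>'));
}

// Output-time escaping: every time a string is written into HTML, encode
// it for that context. ENT_QUOTES covers attribute values delimited with
// either quote character; ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently producing an empty string.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$samples = [
    // The tags go, but the text between them stays as inert text.
    '<script>alert(1)</script>Hello',
    // An allowed tag keeps its attributes, so the handler survives
    // sanitizeTextAllowBoldItalic() intact (the PHP manual documents this).
    '<b onmouseover="alert(1)">Hi</b>',
    // No tags at all, so strip_tags() changes nothing; dropped unescaped
    // into value="..." this closes the attribute and adds a new one.
    '" onfocus="alert(1)" autofocus="',
];

foreach ($samples as $s) {
    printf("input:        %s\n", $s);
    printf("strip_tags:   %s\n", sanitizeText($s));
    printf("allow <b><i>: %s\n", sanitizeTextAllowBoldItalic($s));
    printf("escaped:      %s\n\n", escapeForHtml(sanitizeText($s)));
}
```

The last line of each group is the one that actually reaches the browser safely: strip_tags() decides what is stored, htmlspecialchars() decides how it is rendered, and only the second step neutralises the third sample. If a site genuinely needs to accept bold, italic and links from users, a dedicated sanitizer such as HTML Purifier, which rewrites the markup against an allowlist of tags and attributes, is the right tool; strip_tags() with allowed tags is not.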

And that's the quick guide to validating data in PHP. It's really much easier than one might be inclined to think. File all the site's data into one of two types: data that must adhere to a specific type or syntax, and data without those limitations that must simply be sanitized. Apply the appropriate techniques outlined above, escape every value again when it is output, and then get a good night's sleep knowing you properly applied validation to your site.