{"id":28870,"date":"2024-04-16T14:57:35","date_gmt":"2024-04-16T13:57:35","guid":{"rendered":"https:\/\/nelkodev.com\/blog\/practicas-esenciales-para-fortalecer-la-seguridad-en-formularios-php\/"},"modified":"2024-06-03T18:39:19","modified_gmt":"2024-06-03T17:39:19","slug":"practicas-esenciales-para-fortalecer-la-seguridad-en-formularios-php","status":"publish","type":"post","link":"https:\/\/nelkodev.com\/en\/blog\/essential-practices-to-strengthen-security-in-php-forms\/","title":{"rendered":"Essential Practices to Strengthen Security in PHP Forms"},"content":{"rendered":"<p>In the world of web development, security is a crucial aspect that should not be underestimated, especially when it comes to web forms. PHP, being one of the most popular programming languages for web development, offers various tools and techniques to secure the data entered in forms. Below, I will describe best practices for strengthening the security of your PHP forms.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"%C2%BFPor_que_es_Importante_la_Seguridad_de_los_Formularios\"><\/span>Why is Form Security Important?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Web forms are common entry points for attacks, as they are one of the main places where untrusted input enters your application. Without proper security measures, attackers can use them to carry out SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and other attacks. Protecting your forms is vital to prevent data manipulation and protect the privacy of your users.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Validacion_y_Saneamiento_de_Datos_de_Entrada\"><\/span>Validation and Sanitization of Input Data<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Validacion_de_Lado_del_Cliente_vs_Validacion_de_Lado_del_Servidor\"><\/span>Client-Side Validation vs. Server-Side Validation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Client-side validation can improve the user experience by offering instant feedback. However, never rely solely on it: an attacker can disable JavaScript or send the POST request directly with a tool such as curl, bypassing every check that runs in the browser. Every rule must therefore be enforced again on the server; server-side validation in PHP is what actually keeps malicious data out of your application.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Como_Implementar_la_Validacion_del_Lado_del_Servidor\"><\/span>How to Implement Server-Side Validation<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Use PHP&#039;s built-in functions such as <code>filter_input()<\/code> and <code>filter_var()<\/code> to validate and clean the data. 
Example (note that <code>FILTER_SANITIZE_STRING<\/code>, which many older tutorials use, is deprecated since PHP 8.1, so the value is read raw and validated explicitly instead):<\/p>\n<pre><code class=\"language-php\">\/\/ FILTER_SANITIZE_STRING is deprecated since PHP 8.1: read the raw value, then validate it.\n$name = trim((string) filter_input(INPUT_POST, &#039;name&#039;, FILTER_UNSAFE_RAW));\nif ($name === &#039;&#039; || mb_strlen($name) &gt; 100) {\n    $errors[] = &quot;The name is required and must be at most 100 characters.&quot;;\n}<\/code><\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Evitar_Inyecciones_SQL_Usando_Consultas_Preparadas\"><\/span>Avoid SQL Injection Using Prepared Statements<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>One of the most effective ways to protect your application from SQL injection is to use prepared statements with bound parameters: the query text is sent to the database separately from the values, so user input is never interpreted as SQL. PDO (PHP Data Objects) makes this straightforward:<\/p>\n<pre><code class=\"language-php\">$pdo = new PDO(\n    &#039;mysql:host=example.com;dbname=database;charset=utf8mb4&#039;,\n    &#039;username&#039;,\n    &#039;password&#039;,\n    [PDO::ATTR_ERRMODE =&gt; PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES =&gt; false]\n);\n\/\/ The placeholders are bound to the values at execution time; the input never becomes part of the SQL text.\n$stmt = $pdo-&gt;prepare(&quot;INSERT INTO Users (name, email) VALUES (?, ?)&quot;);\n$stmt-&gt;execute([$name, $email]);<\/code><\/pre>\n<h2><span class=\"ez-toc-section\" id=\"Implementacion_de_CSRF_Tokens\"><\/span>CSRF Token Implementation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A CSRF token is a secret, unpredictable value bound to the user&#039;s session that the server verifies on every state-changing request, such as a form POST. A malicious site can make the victim&#039;s browser send a request to your application, but it cannot read the token, so it cannot forge a request that carries the right value. This makes tokens one of the most effective measures against cross-site request forgery.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Como_Generar_y_Validar_CSRF_Tokens\"><\/span>How to Generate and Validate CSRF Tokens<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ol>\n<li>Generate a token once per session and store it:<\/li>\n<\/ol>\n<pre><code class=\"language-php\">session_start();\nif (empty($_SESSION[&#039;token&#039;])) {\n    \/\/ random_bytes() is a CSPRNG; 32 bytes gives a 64-character hex token.\n    $_SESSION[&#039;token&#039;] = bin2hex(random_bytes(32));\n}<\/code><\/pre>\n<ol start=\"2\">\n<li>Make sure every form submitted to your server includes the generated token:<\/li>\n<\/ol>\n<pre><code class=\"language-html\">&lt;form method=&quot;post&quot;&gt;\n    &lt;input type=&quot;hidden&quot; name=&quot;csrf_token&quot;\n           value=&quot;&lt;?= htmlspecialchars($_SESSION[&#039;token&#039;], ENT_QUOTES, &#039;UTF-8&#039;) ?&gt;&quot;&gt;\n    &lt;button type=&quot;submit&quot;&gt;Send&lt;\/button&gt;\n&lt;\/form&gt;<\/code><\/pre>\n<ol start=\"3\">\n<li>Verify the token when you receive the request, before performing any action:<\/li>\n<\/ol>\n<pre><code class=\"language-php\">session_start();\n\/\/ hash_equals() compares in constant time; the ?? default avoids a TypeError when the field is missing,\n\/\/ and an empty session token is rejected outright so that it can never match an empty field.\nif (empty($_SESSION[&#039;token&#039;]) || !hash_equals($_SESSION[&#039;token&#039;], $_POST[&#039;csrf_token&#039;] ?? &#039;&#039;)) {\n    http_response_code(403);\n    exit(&#039;Invalid request&#039;);\n}<\/code><\/pre>\n<h2><span class=\"ez-toc-section\" id=\"Codificacion_de_Salida_para_Evitar_XSS\"><\/span>Output Encoding to Avoid XSS<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When displaying user-entered data, be sure to encode it for the context in which it is rendered, to prevent XSS attacks. For HTML body and attribute contexts PHP offers <code>htmlspecialchars()<\/code>; pass <code>ENT_QUOTES<\/code> so that single quotes are escaped too, and state the character set explicitly. Data placed inside JavaScript or URLs needs the encoding appropriate to that context instead.<\/p>\n<pre><code class=\"language-php\">echo htmlspecialchars($user_input, ENT_QUOTES, &#039;UTF-8&#039;);<\/code><\/pre>\n<h2><span class=\"ez-toc-section\" id=\"Configuracion_Segura_de_PHP\"><\/span>Secure PHP Configuration<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Modifying PHP settings can significantly increase the security of your application. 
Review and adjust <code>php.ini<\/code> directives such as <code>session.cookie_httponly = 1<\/code> (so that scripts in the page cannot read the session cookie), <code>session.cookie_secure = 1<\/code> (so that it is only sent over HTTPS) and <code>expose_php = Off<\/code> (so that the PHP version is not advertised in the <code>X-Powered-By<\/code> response header).<\/p>\n<p>To learn more about how to properly configure PHP for security, you can visit the following <a href=\"https:\/\/nelkodev.com\/en\/\">link<\/a>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>PHP form security is a critical aspect of secure web development. By validating and sanitizing input, using CSRF tokens, protecting against SQL injection and XSS, and hardening your PHP configuration, you can effectively protect your forms and data. For any questions, or to go deeper into anything discussed here, do not hesitate to contact me through <a href=\"https:\/\/nelkodev.com\/en\/contact\/\">my contact page<\/a>.<\/p>\n<p>Protecting our forms means protecting the integrity of our systems and the trust of our users, so it&#039;s worth investing the time in implementing these practices.<\/p>","protected":false},"excerpt":{"rendered":"<p>In the world of web development, security is a crucial aspect that should not be underestimated, especially when it comes to web forms. PHP, being one of the most popular programming languages for web development, offers various tools and techniques to secure data entered into forms. 
Below, I will describe the most common [\u2026]<\/p>","protected":false},"author":1,"featured_media":28871,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[420,2206,1907],"tags":[205,1450,492,1989,60,15,168,1008,18],"class_list":["post-28870","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-php","category-pruebas-de-seguridad","tag-blog","tag-esenciales","tag-formularios","tag-fortalecer","tag-para","tag-php","tag-practicas","tag-pruebas","tag-seguridad"],"_links":{"self":[{"href":"https:\/\/nelkodev.com\/en\/wp-json\/wp\/v2\/posts\/28870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nelkodev.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nelkodev.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nelkodev.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nelkodev.com\/en\/wp-json\/wp\/v2\/comments?post=28870"}],"version-history":[{"count":0,"href":"https:\/\/nelkodev.com\/en\/wp-json\/wp\/v2\/posts\/28870\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nelkodev.com\/en\/wp-json\/wp\/v2\/media\/28871"}],"wp:attachment":[{"href":"https:\/\/nelkodev.com\/en\/wp-json\/wp\/v2\/media?parent=28870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nelkodev.com\/en\/wp-json\/wp\/v2\/categories?post=28870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nelkodev.com\/en\/wp-json\/wp\/v2\/tags?post=28870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
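The practices described in the post (server-side validation, a prepared statement, CSRF token generation and verification, and output encoding) combined into one form handler, as an added example that is not code from the original post. To run offline from the PHP CLI it uses an in-memory SQLite database in place of the MySQL DSN in the post and passes the session and POST data in as arrays instead of reading $_SESSION and $_POST; the Users table follows the post, while the function names, the csrf_token field name, the 100-character name limit and the sample requests are assumptions constructed for this demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Session and POST data are passed in as arrays and the
// database is in-memory SQLite so the script runs from the CLI; in production you would read
// $_SESSION/$_POST and use the MySQL DSN from the post. Field name, limits and sample data are assumed.

const TOKEN_FIELD = 'csrf_token';
const MAX_NAME_LENGTH = 100;

/** Step 1 of the post: create the per-session CSRF token once, from the CSPRNG. */
function ensureCsrfToken(array &$session): string
{
    if (empty($session['token']) || !is_string($session['token'])) {
        $session['token'] = bin2hex(random_bytes(32));
    }
    return $session['token'];
}

/** Step 3 of the post: constant-time check; an empty session token or a missing/non-string field always fails. */
function csrfTokenIsValid(array $session, array $post): bool
{
    $expected = $session['token'] ?? '';
    $received = $post[TOKEN_FIELD] ?? '';
    if ($expected === '' || !is_string($received)) {
        return false;
    }
    return hash_equals($expected, $received);
}

/** Server-side validation without the deprecated FILTER_SANITIZE_STRING. Returns [errors, clean values]. */
function validateSignup(array $post): array
{
    $errors = [];
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > MAX_NAME_LENGTH) {
        $errors[] = 'The name is required and must be at most ' . MAX_NAME_LENGTH . ' characters.';
    }
    $email = filter_var((string) ($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'A valid email address is required.';
    }
    return [$errors, ['name' => $name, 'email' => $email]];
}

/** Prepared statement: the bound values never become part of the SQL text. */
function insertUser(PDO $pdo, string $name, string $email): void
{
    $stmt = $pdo->prepare('INSERT INTO Users (name, email) VALUES (?, ?)');
    $stmt->execute([$name, $email]);
}

/** Output encoding for an HTML context: data is stored raw and encoded only when rendered. */
function renderGreeting(string $name): string
{
    return '<p>Welcome, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '!</p>';
}

/** Full handler: CSRF check first, then validation, then the write. Returns [HTTP status, body]. */
function handleSignup(PDO $pdo, array $session, array $post): array
{
    if (!csrfTokenIsValid($session, $post)) {
        return [403, 'Invalid request'];
    }
    [$errors, $clean] = validateSignup($post);
    if ($errors !== []) {
        return [422, implode(' ', $errors)];
    }
    insertUser($pdo, $clean['name'], $clean['email']);
    return [200, renderGreeting($clean['name'])];
}

// --- Demonstration with constructed data ---
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');

$session = [];
$token = ensureCsrfToken($session);

// Forged cross-site request: the attacker's page cannot know the token, so the handler must refuse it.
[$status, $body] = handleSignup($pdo, $session, ['name' => 'Mallory', 'email' => 'mallory@example.com']);
echo "Request without token -> HTTP $status: $body\n";

// Genuine request whose "name" carries an SQL injection and XSS payload (constructed sample input).
$payload = "Robert'); DROP TABLE Users; --<script>alert(1)</script>";
[$status, $body] = handleSignup($pdo, $session, [
    TOKEN_FIELD => $token, 'name' => $payload, 'email' => 'robert@example.com',
]);
echo "Request with token    -> HTTP $status: $body\n";

// The table still exists and holds the payload as plain data: it was never executed as SQL,
// and it only reaches the browser in HTML-encoded form.
$rows = $pdo->query('SELECT name FROM Users')->fetchAll(PDO::FETCH_COLUMN);
echo 'Rows stored: ' . count($rows) . ' (' . ($rows[0] === $payload ? 'payload stored verbatim' : 'payload altered') . ")\n";
```

Run it with `php handler.php` (any file name) on a PHP build with the pdo_sqlite and mbstring extensions. The order inside handleSignup is deliberate: the CSRF check runs before validation so that a forged request is rejected without touching the application logic, and the database write happens only after both checks pass.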