I’m creating a Magento module that saves user-input data to an XML file (held on the server for later use – think business card orders). I’m wondering how secure my process is, and what (if any) security issues might come up. I’ll note that I’m hosting this site with a company that specializes in PCI-compliant servers and is, additionally, running under chroot.
I have some legacy Flash files that do the entry (there’s a number of them, or I’d just recreate them). These are printing orders, so they need to accept all manner of special characters (and thus don’t do too much in the way of validation).
From there, $.ajax posts to processor.php, which does:

```php
<?php
/* grab params */
$params = [];
if (isset($_POST)) {
    foreach ($_POST as $key => $value) {
        // FILTER_SANITIZE_STRING strips tags and encodes quotes; it is deprecated as of PHP 8.1.
        $params[$key] = filter_var($value, FILTER_SANITIZE_STRING);
    }
}

/* build xml */
$xml = new DOMDocument('1.0', 'UTF-8');
$xml_root = $xml->createElement('Root');
foreach ($params as $key => $value) {
    // the POST key becomes the element name as-is (createElement throws on an invalid XML name)
    $xml_node = $xml->createElement($key);
    if (!empty($value) && $value != 'undefined') {
        // a text node, so <, > and & in the value are escaped on output
        $xml_node->appendChild($xml->createTextNode($value));
    }
    $xml_root->appendChild($xml_node);
}
$xml->appendChild($xml_root);

/* create filename */
$d = new DateTime('now');
$date = str_replace(" ", ".", $d->format('Y-m-d G:i:s'));
// keyVar is reduced to [a-zA-Z0-9-]; template goes into the path unfiltered
$keyvar = preg_replace('/[^a-zA-Z0-9-]/', '', $params['keyVar']);
$filename = str_replace(" ", "", $params['template'] . "." . $date . "." . $keyvar . ".xml");
$file = $_SERVER['DOCUMENT_ROOT'] . '/media/customer/orders/' . $filename;

/* write it */
$xml->save($file);
```
Then I just pass a reference to the file (but not the location) back to the client to be attached to the order.
So: no includes; vars are sanitized (still allowing for special characters); unique file name; file saved to a location unknown to the front end.
The system is going to be scrutinized by IT security; I just want to catch anything prior to that review.
Am I missing anything?
Saving outside the servable files is a good idea, and easy to implement.
Also – final check for directory traversal prior to saving…
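One way to apply both points above (an added example, not the asker's code or Magento's): the template and the XML element names come from fixed lists, the orders directory (assumed here to be /var/app/orders, outside DOCUMENT_ROOT) is passed in, and a realpath check confirms the final path stays inside it. The date uses dots rather than the original's colons.

```php
<?php
// Added example, not the asker's code. Assumes orders are written to $ordersDir,
// a directory outside DOCUMENT_ROOT, and that template/field names come from
// fixed lists rather than from the POST body.

function buildOrderPath(array $params, string $ordersDir, array $allowedTemplates): string
{
    // Allow-list the template instead of splicing user input into the path.
    $template = $params['template'] ?? '';
    if (!in_array($template, $allowedTemplates, true)) {
        throw new InvalidArgumentException('unknown template');
    }
    // Same character filter as the original for keyVar, but reject an empty result.
    $keyvar = preg_replace('/[^a-zA-Z0-9-]/', '', $params['keyVar'] ?? '');
    if ($keyvar === '') {
        throw new InvalidArgumentException('keyVar has no usable characters');
    }
    $date = (new DateTime('now'))->format('Y-m-d.G.i.s'); // dots, not colons
    $path = rtrim($ordersDir, '/') . '/' . "{$template}.{$date}.{$keyvar}.xml";

    // Final traversal check: the canonical parent of the target must be $ordersDir.
    $base = realpath($ordersDir);
    if ($base === false || realpath(dirname($path)) !== $base) {
        throw new RuntimeException('target path is outside the orders directory');
    }
    return $path;
}

function buildOrderXml(array $params, array $allowedFields): DOMDocument
{
    // Element names come from a fixed list, so a crafted POST key cannot make
    // createElement() throw on an invalid XML name; createTextNode() escapes values.
    $xml = new DOMDocument('1.0', 'UTF-8');
    $root = $xml->createElement('Root');
    foreach ($allowedFields as $field) {
        $node = $xml->createElement($field);
        $value = $params[$field] ?? '';
        if ($value !== '' && $value !== 'undefined') {
            $node->appendChild($xml->createTextNode($value));
        }
        $root->appendChild($node);
    }
    $xml->appendChild($root);
    return $xml;
}

// Constructed POST data for illustration.
$post = ['template' => 'business-card', 'keyVar' => 'ORD 42', 'name' => 'A & B <Ltd>'];
$path = buildOrderPath($post, '/var/app/orders', ['business-card', 'letterhead']);
buildOrderXml($post, ['template', 'keyVar', 'name'])->save($path);
```

The web server needs write access to the orders directory but no alias serving it, so the saved files are only reachable through application code.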