I am close to launching a website that i have been working on for some time now and i plan on carrying out a significant review of security .
I understand that one of the biggest areas of concern from a security point of view is how you handle user input (fields / forms etc.)
I don't expect anyone to reply with tonnes of information on each, as the internet is full of help and advice BUT the one downside of the internet is 'how up to date' the information is (don't want to use / implement out dated practices) or the 'integrity' of the advice, especially in relation to this subject'.
So what are your key best practices for each of the following:
1 - Validating Input
2 - Sanitizing Input
Thanks in advance for your help...
I've just spent a couple of months slapping my head of the desk on this question (being largely self-taught it is my best recourse). Lessons I have learned so far:
I run server-side validation on all input using htmlspecialchars(), strip_tags() and stripslashes() - nested in that order like so:
For emails, I use something like:
$name = htmlspecialchars(strip_tags(stripslashes($message['First'])), ENT_COMPAT, 'UTF-8');
For good measure I also use checkdnsrr() on the filtered email address ($clean). Opinion is divided on that last function since it relies on a registry of valid domain names so it is liable to miss out some obscure but nonetheless valid addresses. Then again, email validation is a very hairy area with no absolute solution so opinion tends to be divided on any approach you might consider.
$sanitised = filter_var($email, FILTER_SANITIZE_EMAIL);
$clean = filter_var($sanitised, FILTER_VALIDATE_EMAIL);
My thoughts are that it's best left to the brains behind PHP and HTML5 who, I trust, have given the matter all due consideration.