  1. #1
    freakystreak (SitePoint Addict)

    Validating forms the right way

    I'm aware that using 'mysql_real_escape_string' should no longer be encouraged for sanitizing input data and have begun making the steps to move to PDO. But what about form validation? Simply making sure that contact details are safe. Are there any good, easy to understand tutorials around that any poster on here would recommend to be viewed and used in real life projects?

    Many thanks

  2. #2
    fretburner (Community Advisor)
    Hi freakystreak,

    I came across this nettuts article on how to Sanitize and Validate Data with PHP filters the other day while looking for a good resource to share with another SPF member, which seems to give a good grounding.

    I'd also recommend checking out this slide deck from PHP security expert Chris Shiflett on The Evolution of Web Security which has a lot of advice and examples in PHP.

  3. #3
    freakystreak (SitePoint Addict)
    Thanks so much for the links. Appreciate the reply

  4. #4
    felgall (Programming Since 1978)
    1. Use built-in functions where appropriate, e.g. is_numeric()
    2. Where built in functions are not available use validation filters where possible.
    3. Where neither of those is available then use regular expressions.

    Make sure that the field contains a valid value before you copy it out of the $_POST array into a local field.
    Stephen J Chapman

    <input name="html5" type="text" required pattern="^$">
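The three-step rule from this post worked through on a contact form, as an added example that is not felgall's code; `validateContact`, the field names and the sample submission are constructed, and nothing is copied out of the request array until its check has passed:

```php
<?php
// Added example (not felgall's code): the three-step rule applied to a
// contact form. Field names and the sample submission are constructed.
declare(strict_types=1);

// Constructed submission; in production pass the real $_POST instead.
$post = [
    'name'  => "  Ada Lovelace ",
    'email' => 'ada@example.com',
    'age'   => '36',
    'phone' => '+44 20 7946 0000',
    'extra' => 'unexpected field',   // never copied: not a known field
];

function validateContact(array $post): array
{
    $clean = []; $errors = [];
    // Step 1: a built-in function where one exists (ctype_digit for whole numbers).
    $age = trim($post['age'] ?? '');
    if (ctype_digit($age) && (int)$age >= 13 && (int)$age <= 120) {
        $clean['age'] = (int)$age;
    } else {
        $errors['age'] = 'age must be a whole number between 13 and 120';
    }
    // Step 2: a validation filter where no plain built-in fits (e-mail syntax).
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        $clean['email'] = $email;
    } else {
        $errors['email'] = 'invalid e-mail address';
    }
    // Step 3: a regular expression where neither exists (name, phone).
    $name = trim($post['name'] ?? '');
    if ($name !== '' && mb_strlen($name) <= 80 && !preg_match('/\p{Cc}/u', $name)) {
        $clean['name'] = $name;                // no control characters, sane length
    } else {
        $errors['name'] = 'name is empty, too long, or contains control characters';
    }
    $phone = trim($post['phone'] ?? '');
    if (preg_match('/^\+?[0-9][0-9 ]{6,19}$/', $phone)) {
        $clean['phone'] = str_replace(' ', '', $phone);
    } else {
        $errors['phone'] = 'phone may contain digits, spaces and a leading +';
    }
    // Only fields that passed their check reach $clean; 'extra' is dropped.
    return ['clean' => $clean, 'errors' => $errors];
}

var_dump(validateContact($post));
```

Output escaping (htmlspecialchars when rendering, bound parameters when querying) is still needed on the way out; validation on the way in does not replace it.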

  5. #5
    SitePoint Evangelist
    Quote Originally Posted by freakystreak
    I'm aware that using 'mysql_real_escape_string' should no longer be encouraged for sanitizing input data and have begun making the steps to move to PDO. But what about form validation? Simply making sure that contact details are safe. Are there any good, easy to understand tutorials around that any poster on here would recommend to be viewed and used in real life projects?

    Many thanks
    mysql_real_escape_string was never for sanitising but rather to prevent a query failing if it contained certain characters (single quotes). This happens to prevent injections but is not a security feature per se.

    Check out fretburner's link; the PHP filters are pretty good, though sometimes you may need to add a bit of your own sanitising in there.

  6. #6
    SitePoint Guru
    Yes, I agree that mysql_real_escape_string is not meant for sanitising, and whether you use this or PDO doesn't make any difference to security as long as you use the tools properly. But yes, the old mysql extension is deprecated, so it's a good idea to move to PDO or mysqli.

    However, I personally dislike PHP's filter functions. While they are a good idea they are very poorly implemented. The specific filters often don't do what they should be doing, for example FILTER_SANITIZE_NUMBER_FLOAT or FILTER_SANITIZE_NUMBER_INT can result in corrupted numbers like ++++039430--23.

    FILTER_SANITIZE_STRING for me doesn't make sense as it always strips html tags. I have made so many sites and online systems and I haven't come across a single case where I would want or need to strip tags of user submitted input - with the proper escaping of output this is not necessary for security at all. However, I think FILTER_SANITIZE_STRING should be able to remove stuff like unprintable control characters or sanitize corrupted strings in multi-byte Unicode character sets - such important stuff is lacking there. I have tried these functions and have no need to touch them again, especially as in 90% of cases they replicate what other functions are already doing. Good idea, flawed execution.

    For validating/sanitizing I use:

    is_numeric()
    ctype_digit()
    (int)
    (float)
    preg_match()
    substr()
    mb_substr()
    strlen()
    mb_strlen()
    trim()
    <, >, ==

    and a combination of other similar methods.
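An added example (not the poster's code) that reproduces the FILTER_SANITIZE_NUMBER_INT behaviour quoted above, puts the poster's validate-then-cast built-ins beside it, and supplies the control-character and multi-byte checks the post says the string filter lacks; `toInt`, `cleanText` and the sample strings are constructed:

```php
<?php
// Added example (not the poster's code): the filter behaviour criticised
// above next to validate-then-cast with plain built-ins. Names constructed.
declare(strict_types=1);

$raw = '++++039430--23';   // the corrupted value quoted in the post

// FILTER_SANITIZE_NUMBER_INT only strips characters other than digits, '+'
// and '-', so this value passes through untouched, yet FILTER_VALIDATE_INT
// still rejects it: the sanitize filter produced nothing usable.
$sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
$isInt     = filter_var($sanitized, FILTER_VALIDATE_INT) !== false;
var_dump($sanitized, $isInt);

// Validate, then cast: garbage is rejected rather than mangled.
function toInt(string $s): ?int
{
    $s = trim($s);
    $sign = '';
    if ($s !== '' && ($s[0] === '-' || $s[0] === '+')) {
        $sign = $s[0];
        $s = substr($s, 1);
    }
    return ctype_digit($s) ? (int)($sign . $s) : null;   // ctype_digit('') is false
}
var_dump(toInt($raw), toInt(' -23 '), toInt('42'));

// The sanitising the post says FILTER_SANITIZE_STRING lacks: reject
// malformed multi-byte UTF-8, drop unprintable control characters, enforce a
// length in characters (not bytes), and leave '<' and '>' alone because
// escaping belongs at output time (htmlspecialchars), not at input time.
function cleanText(string $s, int $maxChars): ?string
{
    if (!mb_check_encoding($s, 'UTF-8')) {
        return null;                                   // corrupted byte sequence
    }
    $s = trim(preg_replace('/\p{Cc}/u', '', $s) ?? ''); // single-line field: \t, \n go too
    if ($s === '' || mb_strlen($s, 'UTF-8') > $maxChars) {
        return null;
    }
    return $s;
}
var_dump(
    cleanText("Zażółć \x00gęślą\x07 <b>jaźń</b>", 40),  // kept, control bytes dropped
    cleanText("bad \xC3\x28 bytes", 40),                 // rejected: invalid UTF-8
    cleanText(str_repeat('ż', 40), 40)                   // accepted: 40 chars, 80 bytes
);
```

FILTER_SANITIZE_STRING itself is deprecated as of PHP 8.1, so code that still relies on it for tag stripping needs replacing anyway.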

