For example, I have a FORM and it returns two variables. Do I still need to make them look like this?
if (isset($_POST['submit'])) {
    $admin = trim(stripslashes($_POST['admin']));
    $password = trim(stripslashes($_POST['password']));
}
You should be using prepared statements. You should still sanitize the submitted data, e.g. is it within the size/length range that you expect, is it of the type that you expect, etc.
Also, never check if a form was posted by checking the submit button; this doesn't work in some older versions of IE. Instead, check one of the [required] fields of the form, or even better, check that the request is a POST request:
if ($_SERVER['REQUEST_METHOD'] === 'POST')
{
// etc
}
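The combination suggested above (check the request method, validate the fields, then use a prepared statement instead of escaping), as an added example that is not from this thread. The `admins` table, its columns, and the PDO connection are assumptions.

```php
<?php
// Added example, not from the thread. The `admins` table and its
// `username`/`password_hash` columns are assumed.
declare(strict_types=1);

function handle_login(PDO $db): string
{
    // Check the request method rather than the submit button's name.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return 'not a POST request';
    }

    // Validate: fields must be present, strings (not arrays), sane length.
    $admin    = $_POST['admin']    ?? null;
    $password = $_POST['password'] ?? null;
    if (!is_string($admin) || !is_string($password)) {
        return 'missing or malformed fields';
    }
    $admin = trim($admin);              // trim the username only, never the password
    if ($admin === '' || strlen($admin) > 64 || strlen($password) > 1024) {
        return 'field length out of range';
    }
    // No stripslashes(): magic_quotes is gone, so it would only corrupt
    // values that legitimately contain backslashes.

    // The prepared statement keeps the value out of the SQL text entirely.
    $stmt = $db->prepare('SELECT password_hash FROM admins WHERE username = :u');
    $stmt->execute([':u' => $admin]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even for an unknown user, so the
    // response time does not reveal which usernames exist.
    $hash  = $row['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $valid = password_verify($password, $hash);
    if ($row === false || !$valid) {
        return 'invalid credentials';
    }
    return 'ok';
}

// Example wiring (the DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// echo handle_login($db);
```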
You are asking about two totally unrelated things.
Your question has the same relevance as asking if you still have to eat cheese if you wear a green shirt.
A better option would be to check a hidden field if you want to ensure older versions of IE work:
<input type="hidden" name="action" value="enter"> <!-- Inside the form -->
$submit = filter_input(INPUT_POST, 'action', FILTER_SANITIZE_SPECIAL_CHARS);
// filter_input() returns null when the field is absent, so isset() fails then;
// strict comparison accepts only the exact value 'enter'.
if (isset($submit) && $submit === 'enter') {
    // Process form:
}
Why is that better? Both suggestions I offered work perfectly well and don't need any extra markup to work, whereas your solution does.
That comparison is sanitising the field - it is discarding all values from the field except 'enter'. No further sanitisation is required for that field.