Trimming Form Values

I have a create account form with the fields…

  • First Name
  • Email
  • Password
  • Re-enter Password

Should I trim the $_POST values before I use RegEx and assign the values to variables, or is it better to assume that if there are spaces that the user intended them?! :-/



IMHO, spaces at the start or end (the function of trim()) are illogical, so I’d vote with you to trim(). To be sure, you might want to consider trim() on the login, too.



What kinds of things should I be checking for when cleaning up form-data? (Beyond obvious RegEx things like a Name shouldn’t have numbers in it.)

I’ve seen people using…

  • HTML Special Characters
  • mysqli_real_escape_string


Use that before outputting the field into a web page.

That is unnecessary, as if you are using mysqli you can use prepare/bind and avoid the whole issue of SQL injection completely. If you were using the old mysql interface then you’d use mysql_real_escape_string on values you are using in SQL queries so as to minimise the possibility of SQL injection.

Your validation on input fields should check that the content makes sense for whatever the field is supposed to contain.
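Putting the replies above together, here is an added example (my code, not from anyone in this thread) of cleaning and validating the four fields the question lists, with htmlspecialchars() applied only at output time. The $_POST key names, the name character class, the minimum password length and the choice not to trim the password fields are all my assumptions; the thread does not specify them.

```php
<?php
// Added example, not from the original thread: trim, validate and
// later HTML-escape the fields of the "create account" form.
// $_POST key names (first_name, email, password, password2) are assumed.

declare(strict_types=1);

function validateRegistration(array $post): array
{
    $errors = [];

    // trim() what the user types into name and email; the password is left
    // untouched because a leading or trailing space there may be deliberate.
    $first = trim((string)($post['first_name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $pass  = (string)($post['password'] ?? '');
    $pass2 = (string)($post['password2'] ?? '');

    // Name: letters from any script, spaces, apostrophes and hyphens, 1..64 chars.
    // The /u flag makes \p{L} work on UTF-8 input; \z avoids matching a trailing newline.
    if (!preg_match('/^[\p{L}\' -]{1,64}\z/u', $first)) {
        $errors['first_name'] = 'Name contains unexpected characters or is too long.';
    }
    // Email: use PHP's validator rather than a hand-written regex.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email address.';
    }
    // Password: minimum length on the raw value, then compare with the re-entry field.
    if (strlen($pass) < 8) {
        $errors['password'] = 'Password must be at least 8 characters.';
    } elseif ($pass !== $pass2) {
        $errors['password2'] = 'Passwords do not match.';
    }

    $clean = [];
    if ($errors === []) {
        $clean = [
            'first_name'    => $first,
            'email'         => $email,
            // Store a hash, never the password itself.
            'password_hash' => password_hash($pass, PASSWORD_DEFAULT),
        ];
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

// Escaping is an output concern, not a validation concern: this is where
// "HTML Special Characters" (htmlspecialchars) belongs.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: stray spaces plus an HTML tag smuggled into the name.
$sample = [
    'first_name' => "  O'Brien <b>  ",
    'email'      => ' alice@example.com ',
    'password'   => 'correct horse',
    'password2'  => 'correct horse',
];

$result = validateRegistration($sample);
if (!$result['ok']) {
    // The name fails the character-class check because of '<' and '>'.
    foreach ($result['errors'] as $field => $msg) {
        echo h($field), ': ', h($msg), PHP_EOL;
    }
} else {
    echo 'Welcome, ', h($result['clean']['first_name']), PHP_EOL;
}
```

Note that trimming and validation happen once, on input, while escaping happens every time a value is written into HTML; the two are not interchangeable, and validation does not remove the need for output escaping.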

Is there any reason to not use Prepared Statements?


Using prepared statements requires you to alter your thinking slightly, that’s all.

It used to be that it required you to check your hosting, whereas now it is starting to turn the other way: you have to actually go through some pain to NOT use something with prepared statements.

While you may “use them from now on”, you might end up with legacy code using the old mysql_* functions.

But to me that risk is well worth taking; get started as soon as you can, and don’t worry about going back and changing any old code yet. You can use both together; it is not ideal, but it is OK.

Here is a discussion and comment on why moving to prepared statements and away from legacy mysql_* functions might be a good idea.

I don’t hold with everything said, but it might provide you with another POV.
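As an added example (mine, not from anyone in this thread), here is the prepare/bind approach the replies recommend, used to insert the account, with the legacy mysql_* pattern it replaces shown in a comment for comparison. The table and column names, the connection credentials and the UNIQUE index on email are assumptions; the hostile name string is constructed for the demonstration.

```php
<?php
// Added example, not from the original thread: mysqli prepared statements
// for the account insert, next to the legacy mysql_* shape they replace.
// Table "users", its columns and the connection details are assumed.

declare(strict_types=1);

function createAccount(mysqli $db, string $firstName, string $email, string $passwordHash): int
{
    // The SQL text is fixed up front; the values travel separately as bound
    // parameters, so quotes or comment markers in $firstName cannot change
    // the statement. No escaping call is needed anywhere.
    $stmt = $db->prepare(
        'INSERT INTO users (first_name, email, password_hash) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $firstName, $email, $passwordHash);
    $stmt->execute();
    $id = (int)$stmt->insert_id;
    $stmt->close();
    return $id;
}

function emailExists(mysqli $db, string $email): bool
{
    // Same pattern for reads: the user-supplied email is bound, not concatenated.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

/*
 * The legacy shape this replaces (mysql_* extension, removed in PHP 7.0):
 * every value had to be escaped by hand, and forgetting one is an injection.
 *
 *   $sql = "INSERT INTO users (first_name, email) VALUES ('"
 *        . mysql_real_escape_string($firstName) . "', '"
 *        . mysql_real_escape_string($email) . "')";
 *   mysql_query($sql);
 */

// Throw exceptions on driver errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app', 'secret', 'app'); // assumed credentials
$db->set_charset('utf8mb4');

$name = "Robert'); DROP TABLE users; --"; // constructed hostile input
if (!emailExists($db, 'bob@example.com')) {
    $id = createAccount($db, $name, 'bob@example.com', password_hash('hunter22', PASSWORD_DEFAULT));
    // The name is stored literally as a string; nothing is dropped.
    echo "created user #$id", PHP_EOL;
}
```

A duplicate email (with a UNIQUE index on that column) surfaces as a mysqli_sql_exception from execute() under MYSQLI_REPORT_STRICT, which is the place to catch it and report "already registered" to the user; the emailExists() check alone is racy between two concurrent signups.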

I never trim() those values, because users never type extra spaces when registering to my websites.