Validating forms the right way

I’m aware that using ‘mysql_real_escape_string’ should no longer be encouraged for sanitizing input data and have began making the steps to moving to PDO. But what about form validation? Simply making sure that contact details are safe. Are there any good, easy to understand tutorials around that any poster on here would recommend to be viewed and used in real life projects?

Many thanks

Hi freakystreak,

I came across this nettuts article on how to Sanitize and Validate Data with PHP filters the other day while looking for a good resource to share with another SPF member, which seems to give a good grounding.

I’d also recommend checking out this slide deck from PHP security expert Chris Shiflett on The Evolution of Web Security which has a lot of advice and examples in PHP.

Thanks so much for the links. Appreciate the reply

  1. Use built in functions where appropriate eg, is_numeric()
  2. Where built in functions are not available use validation filters where possible.
  3. Where neither of those is available then use regular expressions.

Make sure that the field contains a valid value before you copy it out of the $_POST array into a local field.

mysql_real_escape_string was never for sanitising but rather to prevent a query failing if it contained certain characters (single quotes). This happens to prevent prevent injections but is not a security feature per se.

Check out fretburner link; the PHP filters are pretty good though sometimes you may need to add a bit of your own sanitising in there.

Yes, I agree that mysql_real_escape_string is not meant for sanitising and whether you use this or PDO doesn’t make any difference on security as long as you use the tools properly. But yes, the old mysql extension is deprecated so it’s a good idea to move to PDO or mysqli.

However, I personally dislike PHP’s filter functions. While they are a good idea they are very poorly implemented. The specific filters often don’t do what they should be doing, for example FILTER_SANITIZE_NUMBER_FLOAT or FILTER_SANITIZE_NUMBER_INT can result in corrupted numbers like ++++039430–23.

FILTER_SANITIZE_STRING for me doesn’t make sense as it always strips html tags. I have made so many sites and online systems and I haven’t come up across a single case where I would want or need to strip tags of user submitted input - with the proper escaping of output this is not necessary for security at all. However, I think FILTER_SANITIZE_STRING should be able to remove stuff like unprintable control characters or sanitize corrupted strings in multi-byte Unicode character sets - such important stuff is lacking there. I have tried these functions and have no need to touch them again, especially that in 90% they replicate what other functions are already doing. Good idea, flawed execution.

For validating/sanitizing I use:

<, >, ==

and a combination of other similar methods.