MIPS64 Posted November 1, 2012

Does it matter if I validate the POST variables before or after I sanitize? So sanitize first (using prepared statements, so no mysql_real_escape_string)?

```php
if (isset($_POST['submit'])) {
    $username = trim(htmlspecialchars($_POST['username']));
    if (strlen($username) < 3) {
        echo 'Username must be at least 3 characters';
    }
    // insert data next
}
```

or

```php
if (isset($_POST['submit'])) {
    if (strlen($_POST['username']) < 3) {
        echo 'Username must be at least 3 characters';
    }
    $username = trim(htmlspecialchars($_POST['username']));
    // insert data next
}
```
MDCode Posted November 1, 2012

I would do it after validation, since there's no security risk in validating first like you are.
Barand Posted November 1, 2012

You sanitise just before you use it in your queries. If it's invalid there's no point in even using it. Ergo, validate first.
Psycho Posted November 1, 2012

> You sanitise just before you use it in your queries. If it's invalid there's no point in even using it. Ergo, validate first.

+1

To expand on Barand's response, let me provide an illustration of why you should validate first. Let's say you have a field where you want to enforce a minimum length of 6 characters. If the user inputs "o'kay" (5 characters) and you sanitize first (using mysql_real_escape_string() or something similar), the value will pass the validation because the apostrophe will be escaped and the result will be "o\'kay" (6 characters). By the same token, if you have a field where you want to allow an apostrophe but not the backslash, sanitizing first can result in a valid input being rejected.
MIPS64 (Author) Posted November 2, 2012

Great responses. Thank you.
haku Posted November 2, 2012

Note that if your validation queries the database with the submitted data (for example, to confirm that a submitted username actually exists), you will need to sanitize inside your validation.
Christian F. Posted November 2, 2012

That's more verification than validation, as with validation you just want to make sure that the input conforms to the acceptable pattern. So validation should/must happen before the data is used in any way, including verification against other data.

Other than that, it's a good point: never forget about output escaping.
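The following is an added example, not code from anyone in this thread. It reproduces Psycho's "o'kay" illustration (escaping before validating both defeats the length rule and falsely rejects a legal apostrophe) and then puts haku's and Christian F.'s points into the order they describe: validate the raw input, run the existence check through a prepared statement, store through a prepared statement, and escape only on output. All function names (`validateUsername`, `escapeThenValidate`, `usernameExists`, `storeUsername`, `renderUsername`) and the inputs are made up for the example; SQLite stands in for MySQL and `addslashes()` stands in for `mysql_real_escape_string()`, which needs a live MySQL connection. It assumes PHP 7.4 or later with the `mbstring` and `pdo_sqlite` extensions.

```php
<?php
// Added example (not from the thread): why "validate, then escape" is the right order,
// with SQLite standing in for MySQL and addslashes() for mysql_real_escape_string().
// Assumes PHP >= 7.4 with the mbstring and pdo_sqlite extensions.

declare(strict_types=1);

const MIN_LEN = 6; // Psycho's example: minimum of 6 characters

// Validation looks only at the raw (trimmed) input and reports every rule it breaks.
// Returns an empty array when the input is acceptable.
function validateUsername(string $raw): array
{
    $username = trim($raw);
    $errors = [];
    if (mb_strlen($username, 'UTF-8') < MIN_LEN) {
        $errors[] = 'too short';
    }
    // Apostrophes are allowed, backslashes are not (Psycho's second case).
    if (!preg_match('/^[A-Za-z0-9\'._-]+$/', $username)) {
        $errors[] = 'disallowed characters';
    }
    return $errors;
}

// The wrong order: escape for the database first, then validate the escaped string.
// "o'kay" becomes "o\'kay", which is long enough and contains a backslash.
function escapeThenValidate(string $raw): array
{
    return validateUsername(addslashes(trim($raw)));
}

// haku's case: the verification query is part of the checks, so it must bind the
// value as a parameter rather than escaping by hand.
function usernameExists(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchColumn() !== false;
}

// Storage also binds the raw value; nothing is escaped before it reaches the database.
function storeUsername(PDO $db, string $username): void
{
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->execute([':username' => $username]);
}

// Output escaping happens last, at the point the value is written into HTML.
function renderUsername(string $username): string
{
    return htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');

// Constructed inputs: "o'kay" is 5 characters (should fail the length rule),
// "O'Brien" is 7 characters with a legal apostrophe (should pass).
foreach (["o'kay", "O'Brien", "O'Brien"] as $input) {
    $rawErrors     = validateUsername($input);
    $escapedErrors = escapeThenValidate($input);
    printf(
        "%-8s validate-first: %-22s escape-first: %s\n",
        $input,
        $rawErrors ? implode(', ', $rawErrors) : 'ok',
        $escapedErrors ? implode(', ', $escapedErrors) : 'ok'
    );

    // Validation first; only then is the value used in a query (verification), then stored.
    if ($rawErrors !== []) {
        continue;
    }
    $username = trim($input);
    if (usernameExists($db, $username)) {
        echo "         already taken\n";
        continue;
    }
    storeUsername($db, $username);
}

// What actually landed in the table is the raw value; escaping belongs to the output stage.
foreach ($db->query('SELECT username FROM users', PDO::FETCH_COLUMN) as $stored) {
    printf("stored: %s   rendered: %s\n", $stored, renderUsername($stored));
}
```

Running it prints "o'kay" as too short when validated first but as "disallowed characters" when escaped first (the length check is bypassed, and the injected backslash causes a false rejection), "O'Brien" as ok when validated first but rejected when escaped first, the second "O'Brien" as already taken, and the stored row as the raw `O'Brien` rendered as `O&apos;Brien`.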