
Validate Before Or After Sanitizing


MIPS64


Does it matter if I validate the post variables before or after I sanitize?

 

So sanitize first (using prepared statements so no mysql_real_escape_string)?

 


if (isset($_POST['submit'])) {

  // sanitise first: HTML-escape, then trim (note the closing quote on the key)
  $username = trim(htmlspecialchars($_POST['username']));

  // then validate the already-escaped value
  if (strlen($username) < 3) {
    echo 'Username must be at least 3 characters';
  }

  // insert data next (prepared statement)
}

 

or

 


if (isset($_POST['submit'])) {

  // validate the raw value first
  if (strlen($_POST['username']) < 3) {
    echo 'Username must be at least 3 characters';
  }

  // then sanitise (closing quote on the key fixed)
  $username = trim(htmlspecialchars($_POST['username']));

  // insert data next (prepared statement)
}

https://forums.phpfreaks.com/topic/270174-validate-before-or-after-sanitizing/

You sanitise just before you use it in your queries.

If it's invalid there's no point in even using it.

Ergo, validate first.

 

+1

 

To expand on Barand's response, let me provide an illustration of why you should validate first.

 

Let's say you have a field where you want to enforce a minimum character length of 6. If the user inputs "o'kay" (5 characters) and you sanitize first (using mysql_real_escape_string() or something similar), the value will pass the validation because the apostrophe will be escaped and the result will be "o\'kay" (6 characters). By the same token, if you have a field where you want to allow an apostrophe but not the backslash, sanitizing first can result in a valid input being rejected.

That's more verification than validation, as with validation you just want to make sure that the input conforms to the acceptable pattern. So validation should/must happen before the data is used in any way, including verification against other data.

 

Other than that, it's a good point: Never forget about output escaping. ;)
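The "o'kay" illustration above, worked through in code. This is an added example, not code from anyone in the thread; it assumes a 6-character minimum, a hypothetical character whitelist, and PDO with the sqlite driver (for an in-memory table) so it runs stand-alone.

```php
<?php
// Added example: the length check must run on the raw value; escaping
// belongs to the place the value is used (query driver, HTML output).

const MIN_LEN = 6; // assumed policy for this example

// 1. Validate the raw input. Returns an error message, or null when valid.
function validateUsername(string $raw): ?string
{
    $username = trim($raw);
    // mb_strlen counts characters, not bytes, so multibyte names are not inflated
    if (mb_strlen($username) < MIN_LEN) {
        return 'Username must be at least ' . MIN_LEN . ' characters';
    }
    // whitelist: letters, digits, apostrophe, hyphen (assumed policy)
    if (!preg_match("/^[\\p{L}\\p{N}'-]+$/u", $username)) {
        return 'Username contains characters that are not allowed';
    }
    return null;
}

// 2. Store with a prepared statement: the driver quotes, nothing is escaped by hand.
function storeUsername(PDO $db, string $username): void
{
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:u)');
    $stmt->execute([':u' => $username]);
}

// 3. Escape at the point of output, for the HTML context only.
function renderUsername(string $username): string
{
    return htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

$input = "o'kay"; // 5 characters: a 6-character minimum must reject it

// Wrong order: escaping first inflates the length, so the check passes.
var_dump(strlen(addslashes($input)) >= MIN_LEN);                 // true, "o\'kay" is 6
var_dump(strlen(htmlspecialchars($input, ENT_QUOTES)) >= MIN_LEN); // true, "o&#039;kay" is 10

// Right order: validate the raw value, and the same input is rejected.
var_dump(validateUsername($input)); // "Username must be at least 6 characters"

// A valid apostrophe-bearing name goes in unescaped and is escaped only on output.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT)');
$ok = "o'connor";
if (validateUsername($ok) === null) {
    storeUsername($db, $ok);
    echo renderUsername($db->query('SELECT username FROM users')->fetchColumn()), "\n";
}
```

The stored row holds the literal `o'connor`; only the rendered HTML carries `o&#039;connor`, which is the output escaping the reply above refers to.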

 
