trg86, posted March 27, 2014 (edited March 27, 2014 by trg86):
Okay, I would like your opinion. I am in the process of rewriting my web form processor and I wanted to ask if this line of code is sufficient for making sure the input is clean (i.e. cutting any malicious attempt from a user filling out the form). Please keep in mind that the form data is only sent in an email; no MySQL database is involved. This is example code for just one of the inputs from the form, so you have a reference for what I programmed and am asking about. Thanks!

    $name = stripslashes(trim($_POST['name']));
ginerjm, posted March 27, 2014:
Why are you stripping slashes on an input? The only reason to have them on input is if your server still has magic_quotes on, which it shouldn't.
trg86 (author), posted March 27, 2014:
It appears as if I am misinformed about the use of stripslashes; thank you for the feedback. What would you recommend to clean the inputs of any malicious data? I only have it sending in an email, no database or anything.
ginerjm, posted March 27, 2014:
stripslashes does have a purpose, but it is not necessarily for handling user input, unless you have magic quotes on. One thing that can be used on input is addslashes or one of the *_real_escape_string functions, if you are not using PDO, or many of the functions to strip HTML tags and validate input. You'll get an authoritative discourse shortly from one of the wizards on the forum soon, I'll bet.
Andy-H, posted March 27, 2014 (edited March 27, 2014 by Andy-H):
Filtering user input requires different implementations depending on what you will be doing with the data, i.e. if you're writing data to a persistence layer, you should use methods appropriate to the persistence layer and abstraction layer that you're using. A few examples:

PDO:

    // create database handle
    $stmt = $dbh->prepare('SELECT * FROM users WHERE username = ? LIMIT 1');
    $stmt->execute(array($_POST['username']));
    // we don't need to escape here as PDO prepared statements escape parameters for us

mysql_* (which is deprecated, and will be moved into an extension; use PDO or MySQLi or something):

    // connect to database
    $result = mysql_query("SELECT * FROM users WHERE username = '" . mysql_real_escape_string($_POST['username']) . "' LIMIT 1");

HTML:

    <?= htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8') ?>
    <?= htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8') /* replace with your character encoding */ ?>

FYI: I would recommend htmlentities here as it translates all entities.

For a plain-text email, you won't need to escape your data; for an HTML email, you would escape it the same as you escape HTML output.
trg86 (author), posted March 27, 2014 (edited March 27, 2014 by trg86):
I do have it programmed as an HTML email. Would I make the htmlentities the same encoding as the PHP file itself or the same encoding as the HTML email that is being created?

    $name = htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');

That is now how I have it set, to clean the input data. UTF-8 is the encoding of the document itself.
.josh, posted March 27, 2014:
If you really have no intention of storing it in a database or flat file, and really are just going to send an email and forget about it, then you don't really need to filter or otherwise scrub the input for malicious code. However, unless you want the spambots to start using your form as a proxy to send out spam, I highly recommend you scrub the input of spammy type content.
trg86 (author), posted March 28, 2014:
Another quick question. I do eventually plan on having the data sent to a database as well, but also still e-mailing as well. I know I need to clean the data before it is sent to the database, and I have it cleaning the data for the email as well. Below is a snippet of code from one of the fields; I wanted to make sure I can do it the way that I am in this line, i.e. 'mysql_real_escape_string' and 'htmlentities' on the same line like this. Let me know if it is incorrect.

    $name = mysql_real_escape_string, htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');
trg86 (author), posted March 28, 2014:
Any insight? Thanks!
ginerjm, posted March 28, 2014:
Not on the philosophy, but on the syntax: you name one function, then follow it with a comma and then a (correct) function call. You might want to re-think your typing there.
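As an added example (not code from this thread or from any of its posters), here is one way to put the advice above together for the form processor under discussion: reject an address field that could not be a legitimate mail header, store the validated raw values through a PDO prepared statement instead of mysql_real_escape_string(), and apply htmlentities() only when building the HTML e-mail body. The in-memory SQLite database, the sample submissions and the headerSafe()/processSubmission() names are constructed for this example.

```php
<?php
// Added example, not code from the thread: escape per output context
// (Andy-H's point) and validate header fields before mail() is ever called.
declare(strict_types=1);

// Returns null when a value destined for a mail header contains CR/LF, which
// would let a submitter append extra headers and use the form as a relay.
function headerSafe(string $value): ?string
{
    $value = trim($value);
    return preg_match('/[\r\n]/', $value) === 1 ? null : $value;
}

function processSubmission(array $post, PDO $pdo): ?string
{
    $email = headerSafe($post['email'] ?? '');
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                      // reject; do not "clean" and carry on
    }
    $name    = trim($post['name'] ?? '');
    $message = trim($post['message'] ?? '');

    // Store the validated raw values; the prepared statement does the quoting,
    // so neither mysql_real_escape_string() nor htmlentities() belongs here.
    $stmt = $pdo->prepare('INSERT INTO submissions (name, email, message) VALUES (?, ?, ?)');
    $stmt->execute([$name, $email, $message]);

    // Escape only when building the HTML e-mail body, using the body's charset.
    return sprintf(
        '<p>From: %s &lt;%s&gt;</p><p>%s</p>',
        htmlentities($name, ENT_QUOTES, 'UTF-8'),
        htmlentities($email, ENT_QUOTES, 'UTF-8'),
        nl2br(htmlentities($message, ENT_QUOTES, 'UTF-8'))
    );
}

// Constructed sample data; in-memory SQLite is an assumption so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE submissions (name TEXT, email TEXT, message TEXT)');

$good = ['name' => "O'Brien <b>x</b>", 'email' => 'a@example.com', 'message' => "Hi\n& bye"];
$bad  = ['name' => 'x', 'email' => "a@example.com\r\nBcc: b@example.com", 'message' => ''];

var_dump(processSubmission($good, $pdo));   // escaped HTML body for the e-mail
var_dump(processSubmission($bad, $pdo));    // NULL: rejected before any mail is built
var_dump($pdo->query('SELECT name FROM submissions')->fetchColumn()); // stored raw
```

The mail() call itself is left out; $email would go into the headers and the returned string into the body.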
darkfreaks, posted March 28, 2014 (edited March 28, 2014 by darkfreaks):
Might be easier to use a framework for that like PHPMailer. Make sure you format your headers right to avoid spam filters.