Jump to content

Cleaning web form input....


trg86

Recommended Posts

Okay, I would like your opinion. I am in the process of rewriting my web form processor and I wanted to ask if this line of code is sufficient for making sure the input is clean. ( i.e. cutting any malicious attempt from a user filling out the form ) Please keep in mind that the form data is only sent in an email, no MySQL database involved.

 

This is an example of code of just one of the inputs from the form, so you have a reference of what I programmed and asking about. Thanks!

 

$name =  stripslashes(trim($_POST['name']));

Edited by trg86
Link to comment
Share on other sites

It appears as if I am misinformed about the use of stripslashes, thank you for the feedback.

 

What would you reccommend to clean the inputs of any malicious data? I only have it sending in an email, no database or anything.

Link to comment
Share on other sites

stripslashes does have a purpose, but it is not necessarily for handling user input, unless you have magic quotes on.  One thing that can be used on input is addslashes or one of the *_real_escape_string functions, if you are not use pdo, or many of the functions to strip html tags, and validate input.

 

You'll get an authoritative discourse shortly from one of the wizards on the forum soon I'll bet.

Link to comment
Share on other sites

Filtering user input requires different implementations depending on what you will be doing with the data, i.e. if you're writing data to a persistence layer, you should use methods appropriate to the persistence layer and abstraction layer that you're using, a few examples:

 

PDO:

// create database handle
$stmt = $dbh->prepare('SELECT * FROM users WHERE username = ? LIMIT 1');
$stmt->execute(array($_POST['username'])); // we don't need to escape here as PDO prepared statements escape parameters for us

 

mysql_* (which is deprecated, and will be moved into an extension, use PDO or MySQLi or something)

// connect to database
$result = mysql_query("SELECT * FROM users WHERE username = '". mysql_real_escape_string($_POST['username']) ."' LIMIT 1");

 

HTML

<?= echo htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8'); ?>
<?= echo htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); // replace with your character encoding ?>

FYI: I would recomment htmlentities here as it translates all entities

 

For a plain-text email, you won't need to escape your data, for a HTML email, you would escape it the same as you escape HTML output

Edited by Andy-H
Link to comment
Share on other sites

I do have it programmed as an HTML email. Would I make the htmlentities the same encoding as the php file itself or the same encoding at the html email that is being created?

 

$name =  htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');

 

That is now how I have it set, to clean the input data. UTF-8 is the encoding of the document itself.

Edited by trg86
Link to comment
Share on other sites

If you really have no intention of storing it in a database or flatfile, and really are just going to send an email and forget about it, then you don't really need to filter or otherwise scrub the input for malicious code.

 

However, unless you want the spambots to start using your form as a proxy to send out spam, I highly recommend you scrub the input of spammy type content.

Link to comment
Share on other sites

Another quick question. I do eventually plan on having the data sent to a database as well, but also still e-mailing as well. I know I need to clean the data before it is sent to the database and I have it cleaning the data for the email as well. Below is a snippet of code from one of the fields, I wanted to make sure I can do it the way that I am in this line. i.e. 'mysql_real_ecape_string' and 'html_entities' on the same line like this. Let me know if it is incorrect.

 

$name =  mysql_real_escape_string, htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.