Rommeo, posted August 8, 2018

What is the best way for form validation before inserting the data into the db? (Let's say the field is a textarea which is the "Bio" part of the user, and HTML tags are allowed.) According to w3schools, this may be enough:

    function test_input($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

But some say mysqli_real_escape_string is needed also, so should I add that one too?

    // $dblink is the mysqli connection; it has to be passed in, since it is
    // not in scope inside the function otherwise
    function test_input($dblink, $data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        $data = mysqli_real_escape_string($dblink, $data);
        return $data;
    }

So as a newbie, I'm wondering the best and most secure way for validation before inserting the data into the db. Thanks in advance.
ginerjm, posted August 8, 2018

Read up on using "prepared queries". You can find it in the PHP manual under the mysqli or PDO interface.

mysqli: http://php.net/manual/en/mysqli.prepare.php
PDO: http://php.net/manual/en/pdo.prepare.php

BTW - what you have shown is not really form validation. It is merely preparation of the values to be inserted into a query. Validation should have already occurred by the time your code gets to this point. You need to check that values actually exist and that they are "valid" - hence the term validation. Numeric entries need to have actual numbers in them and be in the range of expected values. Code entries (eg, 'Y' or 'N') need to be correct; the method needs to be the correct one for your form (is it a POST?) and you need to be sure that all of your expected inputs are present. If not, return the form and its contents to the user to try again.

PS - W3schools is definitely NOT the place to be learning from.

Edited August 8, 2018 by ginerjm
Barand, posted August 8, 2018

You mean "w3Fools.com"? The only valid code in your function is the trim(); stripslashes() is only required if you are using "magic quotes", and they were dropped over 10 years ago. htmlspecialchars() is an output function, not an input validation function.

You should use a prepared statement and pass the input variables as parameters, thus completely separating query and user input. I would seriously recommend you use PDO instead of mysqli - it makes life much easier.

Instead of, say,

    $result = $mysqli->query("SELECT password FROM user WHERE username = '$uservar' ");

you would have

    $stmt = $mysqli->prepare("SELECT password FROM user WHERE username = ?");
    $uservar = trim($uservar);
    $stmt->bind_param('s', $uservar);   // 's' = bind as string
    $stmt->execute();
    $stmt->bind_result($password);
    $stmt->fetch();                     // populates $password

Or, with PDO

    $stmt = $pdo->prepare("SELECT password FROM user WHERE username = ?");
    $stmt->execute( [ trim($uservar) ] );
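Putting ginerjm's point (validate first) and Barand's (bind, don't escape) together for the OP's "Bio" textarea, as an added example that is not code from either poster. It assumes a `user` table with `id` and `bio` columns, a `$pdo` connection created elsewhere with `PDO::ERRMODE_EXCEPTION`, and a made-up length limit `BIO_MAX_LEN`.

```php
<?php
// Added example, not from the thread. Three separate steps: validate the
// submitted field, store it with a placeholder, escape it only when rendering.
declare(strict_types=1);

const BIO_MAX_LEN = 2000; // assumed business limit, not stated in the thread

// Validation step: is the submitted value acceptable at all?
// Returns a list of error messages; an empty list means "valid".
function validateBio(string $method, array $post): array
{
    $errors = [];
    if ($method !== 'POST') {
        $errors[] = 'Form must be submitted with POST.';
    }
    if (!isset($post['bio']) || !is_string($post['bio'])) {
        $errors[] = 'Bio field is missing.';
        return $errors;
    }
    $bio = trim($post['bio']);
    if ($bio === '') {
        $errors[] = 'Bio must not be empty.';
    }
    if (!mb_check_encoding($bio, 'UTF-8')) {
        $errors[] = 'Bio must be valid UTF-8.';
    } elseif (mb_strlen($bio) > BIO_MAX_LEN) {
        $errors[] = 'Bio is longer than ' . BIO_MAX_LEN . ' characters.';
    }
    return $errors;
}

// Storage step: no escaping of the value. The placeholder keeps the text out
// of the SQL, so quotes and backslashes in a bio are stored exactly as typed.
function saveBio(PDO $pdo, int $userId, string $bio): void
{
    $stmt = $pdo->prepare('UPDATE user SET bio = ? WHERE id = ?');
    $stmt->execute([trim($bio), $userId]);
}

// Output step: this is where htmlspecialchars() belongs. It neutralises the
// tags the OP wants to allow; rendering trusted-looking HTML from users needs
// an HTML sanitiser at this point instead, which is outside this example.
function renderBio(string $bio): string
{
    return htmlspecialchars($bio, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed input showing the flow; the DB call is left for a real $pdo.
$errors = validateBio('POST', ['bio' => "  I'm a <b>dev</b> from O'Brien's  "]);
// if ($errors === []) { saveBio($pdo, 42, $_POST['bio']); }
```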
Rommeo, posted August 8, 2018 (author)

Thank you for your replies, I'll definitely search more about using PDO. But for my case now, I have a script that my customer has sent me, and that was coded ages ago by someone else that we cannot reach now. And my customer is saying that sometimes the script gives errors, and when I check the code, I could not find any check process before inserting the data into the db. I'm not gonna change the whole script; as a favor and to help him I just want to add the functions to secure the script, and since I'm not a PHP expert, I just wondered what I should write before inserting the text into the db? I don't know if just writing "mysqli_real_escape_string" would be enough?.. Well, this is what I wonder actually.
ginerjm, posted August 8, 2018

So - what have you done to get rid of the errors? Do you have any to show us? Them and the specific lines involved?
farluper, posted August 8, 2018

A strange thing: bind_result on PHP version 7 crashes with a MySQL error, and on PHP 5 it works OK.
Rommeo, posted August 8, 2018 (author)

2 hours ago, ginerjm said:

    So - what have you done to get rid of the errors? Do you have any to show us? Them and the specific lines involved?

lol, the question is very simple: "if I just write "mysqli_real_escape_string" would it be enough?.. Well, this is what I wonder actually." I have no time for chatting - sorry.
Barand, posted August 8, 2018

6 hours ago, Rommeo said:

    the best and most secure way

That was the question and we told you. What you are now asking is for a way to safely avoid doing it the best and most secure way. And we have no more time to waste either.
Rommeo, posted August 8, 2018 (author)

The question is still "if I just write "mysqli_real_escape_string" would it be enough?.. Well, this is what I wonder actually."

Well, I'm not able to re-code everything; as I said, this is just a favor that I'm doing for my customer. So now my question is still: if I just write "mysqli_real_escape_string" would it be enough?.. If you think you are wasting time, you don't need to reply, Barand; I'm not forcing you. Thank you for the suggestions in your first post though.
Barand, posted August 8, 2018

If you insist on doing it that way, mysqli_real_escape_string() should replace htmlspecialchars(). And as stated, only use stripslashes() if you have magic_quotes set to put them (slashes) in automatically when data is sent to the page.
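What that retrofit looks like in code, as an added example rather than Barand's or the OP's: trim plus mysqli_real_escape_string(), with stripslashes() and htmlspecialchars() gone, and the two details escaping depends on made explicit (connection charset set first, escaped value placed inside quotes, integers cast rather than escaped). It assumes a mysqli connection `$dblink` created elsewhere and a `user` table with `id` and `bio` columns.

```php
<?php
// Added example, not from the thread. Keeps the OP's test_input() shape but
// reduces it to what Barand says should remain: trim() and the escape.
declare(strict_types=1);

// Escapes a value for use inside a quoted SQL string literal only.
// stripslashes() is dropped (no magic quotes in any supported PHP) and
// htmlspecialchars() is left for the output stage.
function test_input(mysqli $dblink, string $data): string
{
    $data = trim($data);
    return mysqli_real_escape_string($dblink, $data);
}

function updateBioEscaped(mysqli $dblink, int $userId, string $bio): bool
{
    // The escaping is only correct for the charset the connection is using,
    // so set it on the connection (not via a "SET NAMES" query).
    $dblink->set_charset('utf8mb4');

    $safeBio = test_input($dblink, $bio);

    // The escaped value must sit between single quotes in the SQL text;
    // escaping does nothing for an unquoted number, so the id is cast with %d.
    $sql = sprintf(
        "UPDATE user SET bio = '%s' WHERE id = %d",
        $safeBio,
        $userId
    );
    return $dblink->query($sql) === true;
}

// Usage with a constructed value (requires a live $dblink):
// updateBioEscaped($dblink, 42, $_POST['bio'] ?? '');
```

Per-call escaping has to be done correctly at every query in the old script; a prepared statement, as in the earlier posts, removes that per-call burden, which is why it was recommended first.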
Rommeo, posted August 8, 2018 (author)

Thank you so much Barand, I really appreciate it.
ginerjm, posted August 8, 2018

But what about the "form validation" that you put in your topic's title? You're not doing any of that yet? The things being discussed so far have nothing to do with 'form validation'.
Psycho, posted August 9, 2018

20 hours ago, Rommeo said:

    The question is still "if I just write "mysqli_real_escape_string" would it be enough?.. Well, this is what I wonder actually." Well, I'm not able to re-code everything; as I said, this is just a favor that I'm doing for my customer. So now my question is still: if I just write "mysqli_real_escape_string" would it be enough?.. If you think you are wasting time, you don't need to reply, Barand; I'm not forcing you. Thank you for the suggestions in your first post though.

Wait. What is/are the error(s)? No way to tell if any function will or will not work to solve an error without knowing the specific error and what code is causing it.