
Best & Most Secure way for Form Validation


Rommeo


What is the best way for form validation before inserting the data into the db? (Let's say the field is a textarea which is the "Bio" part of the user, and HTML tags are allowed.)

According to w3schools, this may be enough;

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

But some say "mysqli_real_escape_string" is needed also, so should I add that one too?

function test_input($dblink, $data) {   // $dblink must be passed in; it is not visible inside the function otherwise
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  $data = mysqli_real_escape_string($dblink, $data);
  return $data;
}

So as a newbie, I'm wondering what the best and most secure way is for validation before inserting the data into the db.

Thanks in advance.


Read up on using "prepared queries". You can find it in the PHP manual under the mysqli or PDO interface.

mysqli:   http://php.net/manual/en/mysqli.prepare.php

PDO:  http://php.net/manual/en/pdo.prepare.php

BTW - what you have shown is not really form validation. It is merely preparation of the values to be inserted into a query. Validation should have already occurred by the time your code gets to this point. You need to check that values actually exist and that they are "valid" - hence the term validation. Numeric entries need to have actual numbers in them and be in the range of expected values. Code entries (e.g., 'Y' or 'N') need to be correct; the method needs to be the correct one for your form (is it a POST?) and you need to be sure that all of your expected inputs are present. If not, return the form and its contents to the user to try again.

 

PS - W3schools is definitely NOT the place to be learning from.


You mean "w3Fools.com"?

The only valid code in your function is the trim();

stripslashes() is only required if you are using "magic quotes" and they were dropped over 10 years ago.

htmlspecialchars() is an output function, not an input validation function.

You should use a prepared statement and pass the input variables as parameters, thus completely separating query and user input. I would seriously recommend you use PDO instead of mysqli - it makes life much easier.

Instead of, say,

$result = $mysqli->query("SELECT password FROM user WHERE username = '$uservar' ");

you would have

$stmt = $mysqli->prepare("SELECT password FROM user WHERE username = ?");
$uservar = trim($uservar);
$stmt->bind_param('s', $uservar);   // 's' = bind as a string parameter
$stmt->execute();
$stmt->bind_result($password);
$stmt->fetch();                      // populates $password

Or, with PDO

$stmt = $pdo->prepare("SELECT password FROM user WHERE username = ?");
$stmt->execute( [ trim($uservar) ] );
$password = $stmt->fetchColumn();

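Putting ginerjm's validation checklist and Barand's prepared-statement advice together for the original poster's "Bio" textarea; this is an added example, not code from any post in this thread. It assumes an existing PDO connection in $pdo, a users table with id and bio columns, and a 2000-character limit for the field.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection in $pdo and a
// table users(id, bio); the 2000-character limit is an assumed app setting.
const BIO_MAX_LEN = 2000;

// 1. Validation runs before any database code: right method, inputs present,
//    numbers really numeric and in range, text within limits.
//    Returns a list of error messages; an empty list means the form is valid.
function validate_bio_form(string $method, array $post): array
{
    $errors = [];
    if ($method !== 'POST') {
        $errors[] = 'Form must be submitted with POST.';
        return $errors;
    }
    if (!isset($post['user_id'], $post['bio'])) {
        $errors[] = 'Missing expected inputs.';
        return $errors;
    }
    // Numeric entry: must be an integer and in the expected range (>= 1).
    $userId = filter_var($post['user_id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($userId === false) {
        $errors[] = 'user_id must be a positive integer.';
    }
    // Text entry: trim() is the only input transformation, then check length.
    $bio = trim($post['bio']);
    if ($bio === '' || mb_strlen($bio) > BIO_MAX_LEN) {
        $errors[] = 'Bio must be between 1 and ' . BIO_MAX_LEN . ' characters.';
    }
    return $errors;
}

// 2. Storage: the value is bound as a parameter, never concatenated into the
//    SQL string, so mysqli_real_escape_string() is neither needed nor wanted.
function save_bio(PDO $pdo, int $userId, string $bio): bool
{
    $stmt = $pdo->prepare('UPDATE users SET bio = ? WHERE id = ?');
    return $stmt->execute([$bio, $userId]);
}

// 3. Output: htmlspecialchars() belongs here, when the bio is rendered into
//    HTML, not at input time. Showing the stored tags unescaped would instead
//    require an allow-list HTML sanitizer, which this example does not cover.
function render_bio(string $bio): string
{
    return '<p>' . nl2br(htmlspecialchars($bio, ENT_QUOTES | ENT_HTML5, 'UTF-8')) . '</p>';
}

$errors = validate_bio_form($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
if ($errors === []) {
    save_bio($pdo, (int) $_POST['user_id'], trim($_POST['bio']));
}
```

If $errors is not empty, re-display the form with the submitted values and the messages, as ginerjm describes, instead of touching the database.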

Thank you for your replies, I'll definitely search more about using PDO.

But for my case now, I have a script that my customer has sent me and that was coded ages ago by someone else that we can not reach now. And my customer is saying that sometimes the script gives errors, and when I check the code, I could not find any check process before inserting the data into the db. I'm not gonna change the whole script; as a favor and to help him I just want to add the functions to secure the script, and since I'm not a PHP expert, I just wondered what I should write before inserting the text into the db? I don't know if just writing "mysqli_real_escape_string" would be enough?.. Well, this is what I wonder actually.


2 hours ago, ginerjm said:

So - what have you done to get rid of the errors?  Do you have any to show us?  Them and the specific lines involved?

lol, the question is very simple: "if I just write "mysqli_real_escape_string" would be enough?.. Well, this is what I wonder actually." I have no time for chatting - sorry.


The question is still "if I just write "mysqli_real_escape_string" would be enough?.. Well, this is what I wonder actually."..

Well, I'm not able to re-code everything; as I said, this is just a favor that I'm doing for my customer. So now my question is still: if I just write "mysqli_real_escape_string", would it be enough?.. If you think you are wasting time, you don't need to reply, Barand, I'm not forcing you; thank you for the suggestions in your first post though.


20 hours ago, Rommeo said:

The question is still "if I just write "mysqli_real_escape_string" would be enough?.. Well, this is what I wonder actually."..

Well, I'm not able to re-code everything; as I said, this is just a favor that I'm doing for my customer. So now my question is still: if I just write "mysqli_real_escape_string", would it be enough?.. If you think you are wasting time, you don't need to reply, Barand, I'm not forcing you; thank you for the suggestions in your first post though.

Wait. What is/are the error(s)? No way to tell if any function will or will not work to solve an error without knowing the specific error and what code is causing it.
