Jump to content
Rommeo

Best & Most Secure way for Form Validation

Recommended Posts

What is the best way for form validation before inserting the data into db?  ( Let's say the field is textarea which is the "Bio" part of the user & html tags are allowed)

According to w3schools, this may be enough;

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

But some say " mysqli_real_escape_string " is needed also, so should i add that one too?

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  $data = mysqli_real_escape_string($dblink,$data);
  return $data;
}

So as a newbie, I m wondering the best and most secure way for validation before inserting the data into db.

Thanks in advance.

Share this post


Link to post
Share on other sites

Read up on using "prepared queries".  You can find it in the php manual under the mysqli or PDO interface.

mysqli:   http://php.net/manual/en/mysqli.prepare.php

PDO:  http://php.net/manual/en/pdo.prepare.php

BTW - what you have shown is not really form validation.  It is merely preparation of the values to be inserted into a query.  Validation should have already occurred by the time your code gets to this point.  You need to check that values actually exist and that they are "valid" - hence the term validation.  Numeric entries need to have actual numbers in them and be in the range of expected values.  Code entries (eg, 'Y' or 'N') need to be correct; the method needs to be the correct one for your form (is it a POST?) and you need to be sure that all of your expected inputs are present.  If not, return the form and its contents to the user to try again. 

 

PS - W3schools is definitely NOT the place to be learning from.

Edited by ginerjm

Share this post


Link to post
Share on other sites

You mean "w3Fools.com"?

The only valid code in your function is the trim();

stripslashes() is only required if you are using "magic quotes" and they were dropped over 10 years ago.

htmlspecialchars() is an output function not an inpput validation function.

You should use a prepared statement and pass the input variables as parameters, thus completely separating query and user input. I would seriously recommend you use PDO intead of mysqli - it makes life much easier.

Instead of, say,

$result = $mysqli->query("SELECT password FROM user WHERE username = '$uservar' ")

you would have

$stmt = $mysqli->prepare("SELECT password FROM user WHERE username =? );
$uservar = trim($uservar);
$stmt->bind_param('s', $uservar);
$stmt->execute();
$stmt->bind_result($password);

Or, with PDO

$stmt = $pdo->prepare("SELECT password FROM user WHERE username =? ");
$stmt->execute( [ trim($uservar) ] );

 

Share this post


Link to post
Share on other sites

Thank you for your replies, I ll definitely search more about using PDO.

But for my case now, I have a script that my customer has sent me and that was coded ages ago by anyone else that we can not reach now. And my customer is saying that sometimes the script gives errors, and when I check the code, I could not find any check process before inserting the data into db. I m not gonna change the whole script, as a favor and for to help him I just want to add the functions to secure the script and since I m not a php expert, I just wondered what should I write before inserting the text into db? I don't know if i just write "mysqli_real_escape_string" would be enough?..Well this is what I wonder actually.

Share this post


Link to post
Share on other sites

So - what have you done to get rid of the errors?  Do you have any to show us?  Them and the specific lines involved?

Share this post


Link to post
Share on other sites
2 hours ago, ginerjm said:

So - what have you done to get rid of the errors?  Do you have any to show us?  Them and the specific lines involved?

lol, the question is very simple: "if i just write "mysqli_real_escape_string" would be enough?..Well this is what I wonder actually.". I have no time for chatting -sorry.

Share this post


Link to post
Share on other sites
6 hours ago, Rommeo said:

the best and most secure way

That was the question and we told you. What you are now asking is for a way to safely avoid doing it the best and most secure way. And we have no more time to waste either.

Share this post


Link to post
Share on other sites

The question is still "if i just write "mysqli_real_escape_string" would be enough?..Well this is what I wonder actually."..

Well I m not able to re-code everything, as I said this is just a favor that I m doing for my customer. So now my question is still: if i just write "mysqli_real_escape_string" would it be enough?.. If you think you are wasting time, you don't need to reply Barand, I'm not forcing you, thank you for the suggestions in your first post though.

Share this post


Link to post
Share on other sites

If you insist on doing it that way, mysqli_real_escape_string()  should replace htmlspecialchars(). And as stated, only stripslashes() if you have magic_quotes set to put them (slashes) in automaticaly when data sent tp the page..

Share this post


Link to post
Share on other sites

But what about the "form validation" that you put in your topic's title?  You're not doing any of that yet?  The things being discussed so far have nothing to do with 'form validation'.

Share this post


Link to post
Share on other sites
20 hours ago, Rommeo said:

The question is still "if i just write "mysqli_real_escape_string" would be enough?..Well this is what I wonder actually."..

Well I m not able to re-code everything, as I said this is just a favor that I m doing for my customer. So now my question is still: if i just write "mysqli_real_escape_string" would it be enough?.. If you think you are wasting time, you don't need to reply Barand, I'm not forcing you, thank you for the suggestions in your first post though.

Wait. What is/are the error(s)? No way to tell if any function will or will not work to solve an error without knowing the specific error and what code is causing it.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.