phppup, posted April 9

I need a little clarity, as I have a form with input and want to sanitize the input effectively to avoid attacks and complications. I adapted a W3 example but got unexpected results when I tried to view the results to verify success.

    $data = trim($data);
    echo "after trim >".$data."<br>";
    $data = stripslashes($data);
    echo "after strip >".$data."<br>";
    $data = htmlspecialchars($data);
    // $data is already encoded here; encoding it a second time turns an
    // "&amp;" into "&amp;amp;", which the browser displays as the literal "&amp;"
    echo "after char >".htmlspecialchars($data)."<br>";
    echo "straight ".htmlspecialchars($data)."<br>"; //different viewable result
    echo " >".$data."<br><br>";

Is there something going on 'behind the scenes' that I'm not recalling? Please inform and advise for best practices. Thanks.
mac_gyver, posted April 9

forget the word sanitize when dealing with data. also forget about using stripslashes(). when it was needed, it was conditionally applied. the need to do this was removed from php long ago.

other than trimming user submitted data, mainly so that you can detect if a value is all white-space characters, you should NOT modify data. you should validate the data to make sure that it meets the business needs of your application. is a required value not empty? is a value that must have a specific format, character range, length, or magnitude valid? if it's valid, use it. if it isn't valid, let the user know what was wrong with it, let them fix it, and resubmit it.

security is accomplished by using the data correctly in whatever context it is being used in, e.g. sql, html, mail header, ... in an html context (web page, email body), apply htmlentities/htmlspecialchars to a value right before outputting it, to help prevent cross site scripting.
ginerjm, posted April 9

I am certainly not an expert on this subject but I would NEVER use W3 as a resource.
phppup (author), posted April 9 (edited)

@ginerjm
> I would NEVER use W3 as a resource.

That's good to know, but they come up on top of many searches and you failed to offer any constructive alternative as a recommendation. Should I use nothing at all!!?!

@mac_gyver Thanks for the helpful information. Much appreciated.

PS: So, if I'm digesting this properly (and I do agree with your methodology), a value should NOT be subjected to htmlentities/htmlspecialchars UNLESS being used within an HTML context. Tinkering with the value, even as a variable going into a database, is essentially unnecessary?

Edited April 9 by phppup: forgot item
Barand, posted April 9

29 minutes ago, phppup said:
> Tinkering with the value, even as a variable going into a database is essentially unnecessary?

If it is going into a database then you should be using prepared queries which will guard against SQL injection.

31 minutes ago, phppup said:
> you failed to offer any constructive alternative

Mozilla Developer Network (MDN)
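The validate / prepared-statement / escape-on-output flow that mac_gyver and Barand describe, as an added example that is not code from this thread or any poster. It assumes a form with hypothetical "name" and "email" fields, an existing PDO connection in $pdo, and a hypothetical table users(name, email).

```php
<?php
// Added example, not the thread's own code. Assumes a form with "name" and
// "email" fields, a PDO connection in $pdo and a hypothetical table
// users(name, email).
declare(strict_types=1);

// Validate only: trim, then check the business rules. Returns per-field
// error messages; an empty array means the submission is acceptable as-is.
function validate_signup(array $post): array
{
    $errors = [];
    $name  = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    if ($name === '') {
        $errors['name'] = 'Name is required.';
    } elseif (mb_strlen($name) > 50) {
        $errors['name'] = 'Name must be 50 characters or fewer.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Enter a valid email address.';
    }
    return $errors;
}

// SQL context: the prepared statement sends values separately from the query
// text, so quotes or other characters in $name cannot change the SQL.
function insert_user(PDO $pdo, string $name, string $email): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
}

// HTML context: escape once, at the point of output, never before storage.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_signup($_POST);
    if ($errors === []) {
        $name = trim((string)$_POST['name']);
        insert_user($pdo, $name, trim((string)$_POST['email']));
        echo 'Thanks, ' . h($name) . '!';
    } else {
        foreach ($errors as $field => $msg) {
            echo '<p>' . h($field) . ': ' . h($msg) . '</p>';
        }
    }
}
```

The stored value is the user's text unchanged, so it can later be output into HTML, an email body or JSON with the escaping that context needs, instead of carrying HTML entities that would be wrong everywhere except a web page.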