
form input sanitizing


phppup


I need a little clarity, as I have a form with input and want to sanitize the input effectively to avoid attacks and complications.

I adapted a W3 example but got unexpected results when I tried to view the results to verify success.


  <?php
  // constructed sample input so the snippet runs stand-alone; "<br>" is for browser output
  $data = "  <b>test</b>  ";

  $data = trim($data);             echo "after trim >".$data."<br>";
  $data = stripslashes($data);     echo "after strip >".$data."<br>";
  $data = htmlspecialchars($data); echo "after char >".htmlspecialchars($data)."<br>"; // $data is already escaped, so this escapes it a second time

  echo "straight ".htmlspecialchars($data)."<br>";  //different viewable result (second escaping turns &lt; into &amp;lt;)

  echo " >".$data."<br><br>";                       // single-escaped value, shown once
  

Is there something going on 'behind the scenes' that I'm not recalling?

Please inform and advise for best practices.

Thanks.


forget the word sanitize when dealing with data. also forget about using stripslashes(). when it was needed, it was conditionally applied. the need to do this was removed from php long ago.

other than trimming user submitted data, mainly so that you can detect if a value is all white-space characters, you should NOT modify data. you should validate the data to make sure that it meets the business needs of your application. is a required value not empty? is a value that must have a specific format, character range, length, or magnitude valid? if it's valid, use it. if it isn't valid, let the user know what was wrong with it, let them fix it, and resubmit it.

security is accomplished by using the data correctly in whatever context it is being used in, e.g. sql, html, mail header, ...

in an html context (web page, email body), apply htmlentities/htmlspecialchars to a value right before outputting it, to help prevent cross site scripting.


Posted (edited)

@ginerjm 

Quote

I would NEVER use W3 as a resource.

That's good to know, but they come up on top of many searches and you failed to offer any constructive alternative as a recommendation. Should I use nothing at all!!?!

 

@mac_gyver Thanks for the helpful information.

Much appreciated.

PS: So, if I'm digesting this properly (and I do agree with your methodology), a value should NOT be subjected to htmlentities/htmlspecialchars UNLESS it is being used within an HTML context. Tinkering with the value, even as a variable going into a database, is essentially unnecessary?

 

Edited by phppup
forgot item

29 minutes ago, phppup said:

Tinkering with the value, even as a variable going into a database is essentially unnecessary?

If it is going into a database then you should be using prepared queries which will guard against SQL injection.

31 minutes ago, phppup said:

you failed to offer any constructive alternative

Mozilla Developer Network (MDN)

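The approach the two answers above describe (trim, validate against business rules, store the unmodified value with a prepared statement, escape once at HTML output time), as an added PHP example that is not code from anyone in this thread. It also reproduces the double-encoding behind the original "different viewable result". The `notes` table, its `body` column and the `$pdo` connection are hypothetical; the input string is constructed.

```php
<?php
declare(strict_types=1);

// 1. Validate only: trim, then check the value against business rules.
//    Returns an error message for the user, or null when the value is acceptable.
function validateNote(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '') {
        return 'A note is required.';
    }
    if (mb_strlen($value, 'UTF-8') > 200) {
        return 'Notes must be 200 characters or fewer.';
    }
    if (preg_match('/\p{Cc}/u', $value)) {            // reject control characters
        return 'Notes may not contain control characters.';
    }
    return null;                                       // valid: use it as-is
}

// 2. Store the raw, validated value. The prepared statement keeps data separate
//    from the SQL text, so no escaping or "sanitizing" is applied here.
//    (`notes`/`body` are hypothetical names.)
function storeNote(PDO $pdo, string $value): void
{
    $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $value]);
}

// 3. Escape exactly once, right before output, in the HTML context.
function renderNote(string $value): string
{
    return '<p>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$input = "  <b>hello</b> & welcome  ";                 // constructed sample input
$error = validateNote($input);
if ($error !== null) {
    echo "Rejected: $error\n";
} else {
    $clean = trim($input);
    // storeNote($pdo, $clean);                        // $pdo is a hypothetical connection
    echo renderNote($clean), "\n";
    // Escaping an already-escaped value is what produced the differing output
    // in the original question: &lt; becomes &amp;lt; and the browser shows "&lt;" literally.
    echo htmlspecialchars(renderNote($clean), ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
}
```

Run it from the command line to compare the two echoed lines: the first is what a browser renders as the literal text `<b>hello</b> & welcome`, the second is the double-encoded form.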
