Larry Ullman's Book Forums
bnorcom

Server-Side Validation


Server-side validation is necessary for form data.  For this, Script 12.8 uses htmlentities().  Also in the script is strip_tags().  To complicate things on page 328 is htmlspecialchars().  Then if you dig around you find filter_input() and filter_var().  Also there's filter_validate() and filter_sanitize().  To be thorough do you have to use all these to make sure nothing is overlooked?


Good question! First, to be clear, htmlentities(), strip_tags(), and htmlspecialchars() do not do any validating. They just make a value safe in different ways.

Basically you want to build up validation based upon the required data, values and type:

- Is a value required?
- Is the accepted value one of a small set (e.g., "male" or "female")?
- Should the accepted value be of a specific type (e.g., integer)?
- If it's a number, should the accepted value be within a certain range (e.g., greater than 0)?
- If it's a string, should it be of a certain format (e.g., email address)?
- If it's a string, should it absolutely not contain certain characters?

I generally use the Filter extension when I can, but there's no one right answer. For each piece of data coming from external sources, you want to find the most specific and limiting validation possible.
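As an added example (not from the thread, and not one of the book's scripts), here is how those six questions map onto PHP's Filter extension. It validates a constructed form submission with filter_var() and the FILTER_VALIDATE_* constants; the field names, the limits and the $_POST-like array are assumptions made up for the illustration.

```php
<?php
// Added example: validating one form submission with PHP's Filter extension.
// Field names, limits and the sample input are assumptions for illustration.

function validateForm(array $input): array
{
    $clean  = [];
    $errors = [];

    // Required string: present, non-empty after trimming, of reasonable length,
    // and free of control characters (the "must not contain" rule).
    $name = isset($input['name']) ? trim((string) $input['name']) : '';
    if ($name === '') {
        $errors['name'] = 'A name is required.';
    } elseif (strlen($name) > 60 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors['name'] = 'The name is too long or contains invalid characters.';
    } else {
        $clean['name'] = $name;
    }

    // Small fixed set: compare against a whitelist with strict comparison.
    $allowed = ['male', 'female'];
    if (isset($input['gender']) && in_array($input['gender'], $allowed, true)) {
        $clean['gender'] = $input['gender'];
    } else {
        $errors['gender'] = 'Gender must be one of: ' . implode(', ', $allowed) . '.';
    }

    // Specific type and range: FILTER_VALIDATE_INT returns an int or false.
    $age = filter_var(
        $input['age'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 120]]
    );
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 1 and 120.';
    } else {
        $clean['age'] = $age;
    }

    // Specific format: FILTER_VALIDATE_EMAIL returns the string or false.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'A valid email address is required.';
    } else {
        $clean['email'] = $email;
    }

    // Format by pattern: FILTER_VALIDATE_REGEXP with an anchored whitelist.
    $username = filter_var(
        $input['username'] ?? '',
        FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[a-z0-9_]{3,20}$/']]
    );
    if ($username === false) {
        $errors['username'] = 'Username: 3-20 lowercase letters, digits or underscores.';
    } else {
        $clean['username'] = $username;
    }

    return [$clean, $errors];
}

// Constructed submission standing in for $_POST. filter_input() reads the real
// superglobal at request time; filter_var() is used here so the script runs offline.
$submission = [
    'name'     => '  Jane <b>Doe</b> ',
    'gender'   => 'female',
    'age'      => '42abc',
    'email'    => 'jane@example.com',
    'username' => 'Jane Doe',
];

[$clean, $errors] = validateForm($submission);

foreach ($errors as $field => $message) {
    echo "$field: $message\n";
}

// Only validated values reach the application. Escaping for HTML output is a
// separate step, applied with htmlspecialchars() at the moment of display.
foreach ($clean as $field => $value) {
    echo "$field => " . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "\n";
}
```

Note that the name passes validation even though it contains tags: the rules above say nothing about markup, which is exactly why escaping at output time is still needed and is not a substitute for validation (or vice versa).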


My question is, which is the best way to make a form input "sticky" using both stripslashes and htmlspecialchars, namely what is the proper order of the two:

echo '<input type="text" name="firstName" size="30" maxlength="30" value="'; if (isset($_POST['firstName'])) echo stripslashes(htmlspecialchars($_POST['firstName'], ENT_QUOTES)); echo '" />';

-or-

echo '<input type="text" name="firstName" size="30" maxlength="30" value="'; if (isset($_POST['firstName'])) echo htmlspecialchars(stripslashes($_POST['firstName']), ENT_QUOTES); echo '" />';

They both yield the same results when using a value such as O'Schmalley McGee:

<input type="text" name="firstName" size="30" maxlength="30" value="O&#039;Schmalley McGee" />

But which one is technically "better?"

Thank you in advance and God Bless Larry Ullman for being a fantastic author!


You'll definitely want to do stripslashes() and then htmlspecialchars(). Thank you for the nice compliment!!!
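As an added example (not from the thread or the book), here is a small helper that builds a sticky text input in the recommended order: undo the transport-level quoting first, then escape for the HTML attribute context as the very last step, so no later transformation can reintroduce a raw quote. The helper names, the simulated magic-quotes input and the $_POST-like array are assumptions for the illustration.

```php
<?php
// Added example: a "sticky" form field built as stripslashes() first,
// htmlspecialchars() last. Function names and sample data are assumptions.

function stickyValue(string $raw, bool $slashesAdded): string
{
    // Step 1: undo the quoting only if the runtime actually added it
    // (magic_quotes_gpc on PHP 5.3 and earlier). Stripping unconditionally on
    // modern PHP would silently corrupt legitimate backslashes in user input.
    if ($slashesAdded) {
        $raw = stripslashes($raw);
    }

    // Step 2, always last: escape for an HTML attribute. ENT_QUOTES covers both
    // quote styles, so the value cannot close the surrounding value="...".
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

function stickyInput(string $name, array $source, bool $slashesAdded): string
{
    $safeName  = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $safeValue = isset($source[$name])
        ? stickyValue((string) $source[$name], $slashesAdded)
        : '';

    return '<input type="text" name="' . $safeName . '" size="30" maxlength="30"'
         . ' value="' . $safeValue . '" />';
}

// On a real request this is the only thing that should decide whether slashes
// were added; the function no longer exists on PHP 8, hence the guard.
$magicQuotesOn = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();

// Constructed stand-in for $_POST as it would arrive with magic quotes enabled
// (the apostrophe has already been backslash-escaped), plus a value that tries
// to close the attribute and inject markup.
$simulatedPost = [
    'firstName' => 'O\\\'Schmalley McGee',
    'lastName'  => '"><b>bold</b>',
];

// Simulated request: slashes were added, so they are stripped before escaping.
echo stickyInput('firstName', $simulatedPost, true), "\n";
echo stickyInput('lastName', $simulatedPost, true), "\n";

// Real request on this server: honour the runtime setting instead.
echo stickyInput('firstName', $_POST, $magicQuotesOn), "\n";
```

With the simulated input the first field renders as value="O&#039;Schmalley McGee", and the second field's stray quote and tags come out as entities, so the attribute cannot be broken out of. Had the order been reversed, the result for these inputs would look the same, which is why the thread's two versions matched; the reason to keep escaping last is that it is the step tied to the output context, and it must not be followed by anything that can undo it.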
