
Server-Side Validation


3 replies to this topic

#1 bnorcom


    Member

  • Members
  • 20 posts

Posted 8 October 2016 - 4:18 PM

Server-side validation is necessary for form data.  For this, Script 12.8 uses htmlentities().  Also in the script is strip_tags().  To complicate things on page 328 is htmlspecialchars().  Then if you dig around you find filter_input() and filter_var().  Also there's filter_validate() and filter_sanitize().  To be thorough do you have to use all these to make sure nothing is overlooked?


#2 Larry


    Administrator/Writer

  • Administrators
  • 4749 posts
  • Location: State College, PA (USA)

Posted 11 October 2016 - 4:02 PM

Good question! First, to be clear, htmlentities(), strip_tags(), and htmlspecialchars() do not do any validating. They just make a value safe in different ways. 

 

Basically you want to build up validation based upon the required data, values and type:

- Is a value required?

- Is the accepted value one of a small set (e.g., "male" or "female")?

- Should the accepted value be of a specific type (e.g., integer)?

- If it's a number, should the accepted value be within a certain range (e.g., greater than 0)?

- If it's a string, should it be of a certain format (e.g., email address)?

- If it's a string, should it absolutely not contain certain characters?

 

I generally use the Filter extension when I can, but there's no one right answer. For each piece of data coming from external sources, you want to find the most specific and limiting validation possible.


#3 cremona


    Newbie

  • Members
  • 1 posts

Posted 29 June 2017 - 8:44 AM

My question is, which is the best way to make a form input "sticky" using both stripslashes and htmlspecialchars, namely what is the proper order of the two:

 

<?php echo '<input type="text" name="firstName" size="30" maxlength="30" value="'; if (isset($_POST['firstName'])) echo stripslashes(htmlspecialchars($_POST['firstName'], ENT_QUOTES)); echo '" />'; ?>

 

-or-

 

<?php echo '<input type="text" name="firstName" size="30" maxlength="30" value="'; if (isset($_POST['firstName'])) echo htmlspecialchars(stripslashes($_POST['firstName']), ENT_QUOTES); echo '" />'; ?>

 

They both yield the same results when using a value such as O'Schmalley McGee:

 

<input type="text" name="firstName" size="30" maxlength="30" value="O&#039;Schmalley McGee" />

 

But which one is technically "better?"

 

Thank you in advance and God Bless Larry Ullman for being a fantastic author!

 

 


#4 Larry


    Administrator/Writer

  • Administrators
  • 4749 posts
  • Location: State College, PA (USA)

Posted 3 July 2017 - 2:22 PM

You'll definitely want to do stripslashes() and then htmlspecialchars(). Thank you for the nice compliment!!!

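As an added example (not code from this thread or from the book), here is the validation checklist from Larry's first reply written out with the Filter extension, together with a sticky-field helper that applies the stripslashes() then htmlspecialchars() order from his last reply. The field names, accepted values, ranges and the sample submission are assumptions made for illustration.

```php
<?php
// Added example: validate each field as narrowly as its meaning allows, and keep
// that separate from escaping the value for output. Field names and rules are
// constructed for illustration, not taken from the book's scripts.

function validate_signup(array $input): array
{
    $errors = [];

    // Required string that must not contain characters we never want to see.
    $first = trim($input['firstName'] ?? '');
    if ($first === '') {
        $errors['firstName'] = 'First name is required.';
    } elseif (preg_match('/[<>"]/', $first)) {
        $errors['firstName'] = 'First name contains disallowed characters.';
    }

    // Accepted value must be one of a small fixed set (strict comparison).
    if (!in_array($input['gender'] ?? null, ['male', 'female'], true)) {
        $errors['gender'] = 'Gender must be one of the listed options.';
    }

    // Specific type (integer) within a range; false means either check failed.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be an integer between 1 and 120.';
    }

    // String of a specific format.
    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid email address is required.';
    }

    return $errors;
}

// Sticky value for re-display: undo any input mangling first (stripslashes()
// only changes anything if slashes were added, e.g. by the old magic quotes
// feature), then encode for HTML last so the encoding is never undone.
function sticky(string $raw): string
{
    return htmlspecialchars(stripslashes($raw), ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission; in a real script this would be $_POST.
$post = ['firstName' => "O'Schmalley McGee", 'gender' => 'other',
         'age' => '250', 'email' => 'not-an-email'];
print_r(validate_signup($post));
echo '<input type="text" name="firstName" value="' . sticky($post['firstName']) . '" />', PHP_EOL;
```

The validator decides whether the submission is acceptable; sticky() only makes the raw value safe to put back into the form, which is exactly the distinction drawn in reply #2.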