Server-side validation is necessary for form data. For this, Script 12.8 uses htmlentities(). Also in the script is strip_tags(). To complicate things on page 328 is htmlspecialchars(). Then if you dig around you find filter_input() and filter_var(). Also there's filter_validate() and filter_sanitize(). To be thorough do you have to use all these to make sure nothing is overlooked?
Posted 11 October 2016 - 4:02 PM
Good question! First, to be clear, htmlentities(), strip_tags(), and htmlspecialchars() do not do any validating. They just make a value safe in different ways.
Basically you want to build up validation based upon the required data, values and type:
- Is a value required?
- Is the accepted value one of a small set (e.g., "male" or "female")?
- Should the accepted value be of a specific type (e.g., integer)?
- If it's a number, should the accepted value be within a certain range (e.g., greater than 0)?
- If it's a string, should it be of a certain format (e.g., email address)?
- If it's a string, should it absolutely not contain certain characters?
I generally use the Filter extension when I can, but there's no one right answer. For each piece of data coming from external sources, you want to find the most specific and limiting validation possible.
Posted 29 June 2017 - 8:44 AM
My question is, which is the best way to make a form input "sticky" using both stripslashes and htmlspecialchars, namely what is the proper order of the two:
<input type="text" name="firstName" size="30" maxlength="30" value="'; if(isset($_POST['firstName'])) echo stripslashes(htmlspecialchars($_POST['firstName'], ENT_QUOTES)); echo '" />
<input type="text" name="firstName" size="30" maxlength="30" value="'; if(isset($_POST['firstName'])) echo htmlspecialchars(stripslashes($_POST['firstName']), ENT_QUOTES); echo '" />
They both yield the same results when using a value such as O'Schmalley McGee
But which one is technically "better?"
Thank you in advance and God Bless Larry Ullman for being a fantastic author!
Posted 3 July 2017 - 2:22 PM
You'll definitely want to do stripslashes() and then htmlspecialchars(). Thank you for the nice compliment!!!
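The checklist from the first answer and the escaping order from the last one, worked through as an added PHP example (not code from the thread or from the book); the field names, the constructed sample data and the specific rules are my own assumptions.

```php
<?php
// Added example, not from the original thread. Field names, rules and the
// sample data below are assumptions for illustration.

// Constructed sample input; in a real request this is $_POST.
$post = [
    'firstName' => "O'Schmalley McGee",
    'gender'    => 'male',
    'age'       => '42',
    'email'     => 'not-an-email',
];

$errors = [];

// Required string: non-empty, bounded length, restricted character set.
$firstName = trim((string)($post['firstName'] ?? ''));
if ($firstName === '' || strlen($firstName) > 30
    || !preg_match("/^[\p{L} .'-]+$/u", $firstName)) {
    $errors[] = 'First name is required (letters, spaces, apostrophes, periods, hyphens only).';
}

// Value must be one of a small set; strict comparison avoids type juggling.
$gender = $post['gender'] ?? '';
if (!in_array($gender, ['male', 'female'], true)) {
    $errors[] = 'Invalid gender.';
}

// Specific type AND range: filter_var returns false on any failure.
$age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 120]]);
if ($age === false) {
    $errors[] = 'Age must be a whole number between 1 and 120.';
}

// Specific format.
$email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($email === false) {
    $errors[] = 'A valid email address is required.';
}

// Sticky field: validation above decides acceptance; escaping here protects
// the HTML, in the order the thread gives: stripslashes, then htmlspecialchars.
$sticky = htmlspecialchars(stripslashes($firstName), ENT_QUOTES, 'UTF-8');
echo '<input type="text" name="firstName" size="30" maxlength="30" value="'
    . $sticky . '" />' . "\n";

foreach ($errors as $e) {
    echo "Error: $e\n";
}
```

With the sample data above, the name, gender and age pass, the email fails, and the sticky field is rendered with the apostrophe encoded as `&#039;`.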