bnorcom, posted October 8, 2016

Server-side validation is necessary for form data. For this, Script 12.8 uses htmlentities(). Also in the script is strip_tags(). To complicate things, on page 328 is htmlspecialchars(). Then if you dig around you find filter_input() and filter_var(). Also there's filter_validate() and filter_sanitize(). To be thorough, do you have to use all these to make sure nothing is overlooked?
Larry, posted October 11, 2016

Good question! First, to be clear, htmlentities(), strip_tags(), and htmlspecialchars() do not do any validating. They just make a value safe in different ways. Basically you want to build up validation based upon the required data, values and type:

- Is a value required?
- Is the accepted value one of a small set (e.g., "male" or "female")?
- Should the accepted value be of a specific type (e.g., integer)?
- If it's a number, should the accepted value be within a certain range (e.g., greater than 0)?
- If it's a string, should it be of a certain format (e.g., email address)?
- If it's a string, should it absolutely not contain certain characters?

I generally use the Filter extension when I can, but there's no one right answer. For each piece of data coming from external sources, you want to find the most specific and limiting validation possible.
cremona, posted June 29, 2017

My question is, which is the best way to make a form input "sticky" using both stripslashes and htmlspecialchars, namely what is the proper order of the two:

    <input type="text" name="firstName" size="30" maxlength="30" value="'; if(isset($_POST['firstName'])) echo stripslashes(htmlspecialchars($_POST['firstName'], ENT_QUOTES)); echo '" />

-or-

    <input type="text" name="firstName" size="30" maxlength="30" value="'; if(isset($_POST['firstName'])) echo htmlspecialchars(stripslashes($_POST['firstName']), ENT_QUOTES); echo '" />

They both yield the same results when using a value such as O'Schmalley McGee:

    <input type="text" name="firstName" size="30" maxlength="30" value="O'Schmalley McGee" />

But which one is technically "better?" Thank you in advance and God Bless Larry Ullman for being a fantastic author!
Larry, posted July 3, 2017

You'll definitely want to do stripslashes() and then htmlspecialchars(). Thank you for the nice compliment!!!
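Putting both answers together, here is an added example (not code from the book or from either poster) that applies Larry's validation checklist with the Filter extension and then escapes a value for a sticky field in the stripslashes()-then-htmlspecialchars() order he recommends. The field names, limits and sample input are assumptions made up for illustration.

```php
<?php
// Added example, not from the book or the forum thread.
// Field names and rules below are assumptions for illustration.

// Returns an array of error messages; an empty array means every field passed.
function validate_signup(array $input): array {
    $errors = [];

    // Required string, length-limited, and must not contain certain characters.
    $name = trim($input['firstName'] ?? '');
    if ($name === '') {
        $errors[] = 'First name is required.';
    } elseif (strlen($name) > 30 || preg_match('/[<>]/', $name)) {
        $errors[] = 'First name must be 1-30 characters with no < or >.';
    }

    // Accepted value must be one of a small set (strict comparison).
    $gender = $input['gender'] ?? '';
    if (!in_array($gender, ['male', 'female'], true)) {
        $errors[] = 'Gender must be "male" or "female".';
    }

    // Specific type and range: FILTER_VALIDATE_INT with min/max options.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 120]]);
    if ($age === false) {
        $errors[] = 'Age must be a whole number between 1 and 120.';
    }

    // Specific string format.
    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid email address is required.';
    }

    return $errors;
}

// Escaping is separate from validation: apply it only when echoing a
// submitted value back into HTML, e.g. a sticky form field.
function sticky(array $input, string $field): string {
    $raw = $input[$field] ?? '';
    return htmlspecialchars(stripslashes($raw), ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$sample = ['firstName' => "O'Schmalley McGee", 'gender' => 'male',
           'age' => '42abc', 'email' => 'not-an-email'];
print_r(validate_signup($sample));
echo '<input type="text" name="firstName" value="' . sticky($sample, 'firstName') . '" />';
```

Only the age and email fields fail here; the apostrophe in the name passes validation and is escaped by sticky() when echoed.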