Larry Ullman's Book Forums

Server-Side Validation



Server-side validation is necessary for form data.  For this, Script 12.8 uses htmlentities().  Also in the script is strip_tags().  To complicate things on page 328 is htmlspecialchars().  Then if you dig around you find filter_input() and filter_var().  Also there's filter_validate() and filter_sanitize().  To be thorough do you have to use all these to make sure nothing is overlooked?


Good question! First, to be clear, htmlentities(), strip_tags(), and htmlspecialchars() do not do any validating. They just make a value safe in different ways.

Basically you want to build up validation based upon the required data, values and type:

- Is a value required?

- Is the accepted value one of a small set (e.g., "male" or "female")?

- Should the accepted value be of a specific type (e.g., integer)?

- If it's a number, should the accepted value be within a certain range (e.g., greater than 0)?

- If it's a string, should it be of a certain format (e.g., email address)?

- If it's a string, should it absolutely not contain certain characters?
I generally use the Filter extension when I can, but there's no one right answer. For each piece of data coming from external sources, you want to find the most specific and limiting validation possible.

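A worked version of that checklist in PHP, added here as an example and not code from the book or from the post above. The form fields and the submitted values are constructed, and filter_var() is applied to that array because filter_input() only reads the live request:

```php
<?php
// Added example, not code from the book or the forum posts. It applies the
// checklist above with the Filter extension: required value, small set of
// accepted values, integer in a range, e-mail format, forbidden characters.
// The submitted values are constructed to exercise each rule.
$post = [
    'name'   => "O'Schmalley McGee",
    'gender' => 'other',          // not in the accepted set
    'age'    => '17',             // below the allowed range
    'email'  => 'not-an-address', // malformed
];

$errors = [];

// Required, and must not contain characters that are never valid in a name.
$name = trim($post['name'] ?? '');
if ($name === '') {
    $errors['name'] = 'A name is required.';
} elseif (preg_match('/[<>]/', $name)) {
    $errors['name'] = 'A name cannot contain < or >.';
}

// One of a small set of values.
if (!in_array($post['gender'] ?? '', ['male', 'female'], true)) {
    $errors['gender'] = 'Please choose a listed option.';
}

// Integer within a range: FILTER_VALIDATE_INT returns false otherwise.
$age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
                  ['options' => ['min_range' => 18, 'max_range' => 120]]);
if ($age === false) {
    $errors['age'] = 'Age must be a whole number from 18 to 120.';
}

// String of a specific format.
$email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($email === false) {
    $errors['email'] = 'Please enter a valid e-mail address.';
}

// Make the field "sticky": escape only at output, with ENT_QUOTES so the
// apostrophe in O'Schmalley cannot terminate the value attribute.
foreach ($errors as $field => $message) {
    echo '<p>' . htmlspecialchars("$field: $message", ENT_QUOTES, 'UTF-8') . "</p>\n";
}
echo '<input type="text" name="name" value="'
   . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '" />' . "\n";
```

Validation decides whether the value is acceptable at all; htmlspecialchars() is applied once, at output, and only so the value can be echoed back safely.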

My question is, which is the best way to make a form input "sticky" using both stripslashes and htmlspecialchars, namely what is the proper order of the two:

<input type="text" name="firstName" size="30" maxlength="30" value="'; if(isset($_POST['firstName'])) echo stripslashes(htmlspecialchars($_POST['firstName'], ENT_QUOTES)); echo '" />

-or-

<input type="text" name="firstName" size="30" maxlength="30" value="'; if(isset($_POST['firstName'])) echo htmlspecialchars(stripslashes($_POST['firstName']), ENT_QUOTES); echo '" />

They both yield the same results when using a value such as O'Schmalley McGee:

<input type="text" name="firstName" size="30" maxlength="30" value="O&#039;Schmalley McGee" />

But which one is technically "better?"

Thank you in advance and God Bless Larry Ullman for being a fantastic author!
