mike316 Posted April 30, 2018 (edited)

This post is going to be a little longer than a typical post. I made a form using filter_var/sanitize. Here is my HTML:

```html
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>Filter Var Practice</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
    <form action="practice.php" method="POST">
        <p>
            <label for="first_name">First Name:</label>
            <input type="text" id="first_name" name="first_name">
        </p>
        <p>
            <label for="last_name">Last Name:</label>
            <input type="text" id="last_name" name="last_name">
        </p>
        <p>
            <label for="email">Email:</label>
            <input type="text" id="email" name="email">
        </p>
        <p>
            <label for="comments">Comments:</label>
            <textarea name="comments" id="comments"></textarea>
        </p>
        <p>
            <input type="submit" name="submit" value="Submit">
        </p>
    </form>
</body>
</html>
```

And here is my PHP:

```php
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>Page Title</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <style>
        .error {
            color: red;
            font-weight: bold;
        }
    </style>
</head>
<body>
    <h1>Filter Var Practice</h1>
</body>
</html>
<?php
// Setting error management.
ini_set('display_errors', 1);
error_reporting(E_ALL);

// Declaring the variables. The ?? '' default avoids an "undefined index"
// notice if the script is requested without the form having been submitted.
$first_name = $_POST['first_name'] ?? '';
$last_name  = $_POST['last_name'] ?? '';
$email      = $_POST['email'] ?? '';

/* Allowing users to enter their own line breaks in the comments if they
   chose to, and using strip_tags to remove unwanted tags like <i></i><b></b>
   and <script></script> tags. */
$comments = nl2br(strip_tags($_POST['comments'] ?? ''));

// Sanitizing the data
$first_name = filter_var($first_name, FILTER_SANITIZE_STRING);
$last_name  = filter_var($last_name, FILTER_SANITIZE_STRING);
$email      = filter_var($email, FILTER_SANITIZE_EMAIL);

/* Setting a true variable so, if something is empty, it will fail and the
   print statement inside the if will be false, indicating the user left an
   input field empty. */
$okay = true;
if (empty($first_name)) {
    print '<p class="error">Please enter your first name</p>';
    $okay = false;
}
if (empty($last_name)) {
    print '<p class="error">Please enter your last name</p>';
    $okay = false;
}
if (empty($email)) {
    print '<p class="error">Please enter your email</p>';
    $okay = false;
}
if (empty($comments)) {
    print '<p class="error">Please leave us a comment about our service</p>';
    $okay = false;
}
if ($okay) {
    print "<p>Thank you $first_name $last_name<br>
    We will be contacting you soon at $email email address<br>
    And Thank you for your comments: <br>
    $comments</p>";
}
?>
```

I posted my code on another forum, and below is the answer I received. Here is a link to the post: https://forums.phpfreaks.com/topic/307229-i-have-a-few-questions-about-sanitizing-my-data/ Requinix is the user who replied to my question. I don't think the answer I received is correct. I made a post about being confused between strip_tags and htmlspecialchars, and which one to use, and Larry stated, "Sorry for the confusion! Yes, this should be used on *any* user-submitted data. Forms are very easy to manipulate and I could easily provide to your site any value whatsoever as my ZIP code or salutation. I'd always go with the most strict function you can get away with, which normally means strip_tags()." I think the answer I received is wrong because, as Larry has stated, I should use strip_tags to remove unwanted characters from my form submission. Am I correct in my assumption, and did I sanitize the data correctly?

Sorry for the long post, and thanks for any help.

Edited April 30, 2018 by mike316
mike316 Posted May 1, 2018 (Author, edited)

I made a mistake when I copied the PHP code: I didn't copy the actual PHP code in the body of the HTML, I copied the code after the closing HTML tag, and it was too late to edit. Sorry about that.

Edited May 1, 2018 by mike316
Larry Posted May 2, 2018

Hmmm... I can see the arguments on either side. The response you received in that other forum makes sense in a context, but I don't personally subscribe to the "avoid changing the user's data" argument. Really depends upon the context. Your script is a simple contact form example with blunt sanitizing. The point of the filtering of user-submitted content in this script is to prevent the page from being used to send spam. It also depends upon whether you want to use sanitizing as part of validation or not.
Necuima Posted May 3, 2018

Hi Mike316, I was interested to see that you first declared the variables and am interested in feedback, as I never declare PHP variables before using them. Have I been doing something wrong all these years?

Necuima
Necuima Posted May 3, 2018

A point of clarification: I do declare variables 'up-front' if I want them to have some default value, but otherwise no. Apologies for any confusion my post may have caused.
Larry Posted May 11, 2018

For me, the variable declaration up front is a protection tool (e.g., you'll get notices if you refer to a variable that doesn't exist) and negates the need for using else clauses in your validation. Largely, though, it's a matter of personal preference, so long as you never assume a variable exists when it might not!
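To make the two points in this thread concrete (Larry's distinction between blunt sanitizing and validation, and declaring defaults up front so no else branches are needed), here is an added example that is not the original poster's script: the same four fields run through sanitizing, through validation that rejects instead of rewriting, and through escaping at output. The $_POST array is a constructed sample submission and the helper h() is an assumed name.

```php
<?php
// Added example, not the original poster's script: the same four fields
// handled with blunt sanitizing, with validation that rejects instead of
// rewriting, and with escaping at output. $_POST is a constructed sample.
declare(strict_types=1);
$_POST = [                                   // constructed submission
    'first_name' => 'Mike <b>"the"</b> O\'Brien',
    'last_name'  => '<script>alert(1)</script>Smith',
    'email'      => 'mike@example.com<br>',
    'comments'   => "Line one\n<i>Line two</i> & done",
];

// Defaults declared up front: a missing key gives '' instead of a notice,
// and the checks below need no else branches.
$first    = trim($_POST['first_name'] ?? '');
$last     = trim($_POST['last_name'] ?? '');
$email    = trim($_POST['email'] ?? '');
$comments = trim($_POST['comments'] ?? '');

// 1. Blunt sanitizing, as in the posted script: the data is rewritten before
//    anything is checked. FILTER_SANITIZE_EMAIL drops the angle brackets but
//    keeps the tag name's letters, so a malformed address is silently turned
//    into a different, well-formed-looking one. (FILTER_SANITIZE_STRING is
//    deprecated since PHP 8.1; strip_tags covers the same use.)
$sanitized = [
    'first_name' => strip_tags($first),
    'email'      => filter_var($email, FILTER_SANITIZE_EMAIL),
];

// 2. Validation that rejects instead of rewriting: the text is kept as sent,
//    and FILTER_VALIDATE_EMAIL returns false for the malformed address.
$errors = [];
if ($first === '')    { $errors[] = 'Please enter your first name'; }
if ($last === '')     { $errors[] = 'Please enter your last name'; }
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'Please enter a valid email address';
}
if ($comments === '') { $errors[] = 'Please leave us a comment'; }

// 3. Escaping at output: htmlspecialchars makes any markup inert in the page
//    without altering what was stored; nl2br runs after it so the <br> it
//    inserts is the only tag that reaches the browser.
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
foreach ($errors as $e) { echo '<p class="error">' . h($e) . "</p>\n"; }
if ($errors === []) {
    echo '<p>Thank you ' . h($first) . ' ' . h($last) . '<br>We will contact you at '
       . h($email) . '<br>Your comments:<br>' . nl2br(h($comments)) . "</p>\n";
}
echo '<pre>' . h(var_export($sanitized, true)) . "</pre>\n";
```

With the constructed input the validating path reports the bad email address, while the sanitized copy shows what the posted script would have accepted and stored instead.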