Larry Ullman's Book Forums

Sanitizing My Data.



This post is going to be a little longer than a typical post. I made a form using filter_var/sanitize.

Here is my HTML:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>Filter Var Practice</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
    <form action="practice.php" method="POST">
        <p>
            <label for="first_name">First Name:</label>
            <input type="text" id="first_name" name="first_name">
        </p>
        <p>
            <label for="last_name">Last Name:</label>
            <input type="text" id="last_name" name="last_name">
        </p>
        <p>
            <label for="email">Email:</label>
            <input type="text" id="email" name="email">
        </p>
        <p>
            <label for="comments">Comments:</label>
            <textarea name="comments" id="comments"></textarea>
        </p>
        <p>
            <input type="submit" name="submit" value="Submit">
        </p>
    </form>
</body>
</html>

And here is my PHP:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>Page Title</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <style>
        .error {
            color: red;
            font-weight: bold;
        }
    </style>
</head>
<body>
    <h1>Filter Var Practice</h1>
</body>
</html>

<?php
    // Setting error management.
    ini_set('display_errors', 1);
    error_reporting(E_ALL);

    // Declaring the variables (defaulting to '' so a missing field or a
    // direct GET request does not raise an undefined-index notice)
    $first_name = $_POST['first_name'] ?? '';
    $last_name = $_POST['last_name'] ?? '';
    $email = $_POST['email'] ?? '';

    /* Allowing users to enter their own line breaks
       in the comments if they choose to, and using strip_tags
       to remove unwanted tags like <i></i><b></b> and <script>
       </script> tags.
    */

    $comments = nl2br(strip_tags($_POST['comments'] ?? ''));


    // Sanitizing the data
    // (FILTER_SANITIZE_STRING strips tags and encodes quotes; note that
    // it is deprecated as of PHP 8.1)

    $first_name = filter_var($first_name, FILTER_SANITIZE_STRING);

    $last_name = filter_var($last_name, FILTER_SANITIZE_STRING);

    $email = filter_var($email, FILTER_SANITIZE_EMAIL);


    /* Start with $okay set to true. Each empty field prints an error
       message and sets $okay to false, so the thank-you message inside
       the final if only prints when the user filled in every field.
    */

    $okay = true;

    if(empty($first_name)) {
        print '<p class="error">Please enter your first name</p>';
        $okay = false;
    }

    if(empty($last_name)) {
        print '<p class="error">Please enter your last name</p>';
        $okay = false;
    }

    if(empty($email)) {
        print '<p class="error">Please enter your email</p>';
        $okay = false;
    }

    if(empty($comments)) {
        print '<p class="error">Please leave us a comment about our service</p>';
        $okay = false;
    }

    if($okay) {
        print "<p>Thank you $first_name $last_name<br>
               We will be contacting you soon at $email email address<br>
               And Thank you for your comments: <br>
               $comments</p>";
    }

?>

I posted my code on another forum, and below is the answer I received.


Requinix is the user who replied to my question.

I don't think the answer I received is correct. I made a post about being confused between, strip_tags, htmlspecialchars, and which one to use, and Larry stated, "Sorry for the confusion! Yes, this should be used on *any* user-submitted data. Forms are very easy to manipulate and I could easily provide to your site any value whatsoever as my ZIP code or salutation. I'd always go with the most strict function you can get away with, which normally means strip_tags()."

I think the answer I received is wrong because, as Larry has stated, I should use strip_tags to remove unwanted characters from my form submission. Am I correct in my assumption, and did I sanitize the data correctly? Sorry for the long post, and thanks for any help.

I made a mistake when I copied the PHP code: I didn't copy the actual PHP code in the body of the HTML, I copied the code after the closing HTML tag, and it was too late to edit :blink: sorry about that.


Hmmm...I can see the arguments on either side. The response you received in that other forum makes sense in a context, but I don't personally subscribe to the "avoid changing the user's data" argument. Really depends upon the context. Your script is a simple contact form example with blunt sanitizing. The point of the filtering of user-submitted content in this script is to prevent the page from being used to send spam.

It also depends upon whether you want to use sanitizing as part of validation or not.
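As an added illustration of the two approaches discussed above (the original post's sanitize-then-print script, and the "sanitizing as part of validation" option raised in the reply), here is a small contact-form handler that is not from the original post or from the book. It validates each field and rejects a name that strip_tags() would have changed (so the user is told that tags are not allowed instead of silently losing them), keeps the comment as raw text, and escapes everything with htmlspecialchars() only at output time. The function names validate_contact() and render_contact() and the $samples array are assumptions made for this example; $samples stands in for $_POST so the script runs from the command line without a web server.

```php
<?php
// Added example, not code from the original post: validation, sanitizing
// and output escaping kept as three separate steps.
declare(strict_types=1);

/**
 * Validate one submission (assumed helper name). Returns
 * ['ok' => bool, 'errors' => [field => message], 'data' => [field => value]].
 * A name that strip_tags() would alter is rejected rather than quietly cleaned.
 */
function validate_contact(array $post): array
{
    // Every variable is declared up front with a default, so a missing key
    // never produces an undefined-index notice and no else clauses are needed.
    $errors = [];
    $data = ['first_name' => '', 'last_name' => '', 'email' => '', 'comments' => ''];

    foreach (['first_name', 'last_name'] as $field) {
        $raw = trim((string) ($post[$field] ?? ''));
        if ($raw === '') {
            $errors[$field] = 'Please enter your ' . str_replace('_', ' ', $field);
        } elseif ($raw !== strip_tags($raw)) {
            // Sanitizing used as validation: the input changed, so it is refused.
            $errors[$field] = 'Names may not contain HTML tags';
        } elseif (strlen($raw) > 60) {
            $errors[$field] = 'Name is too long';
        }
        $data[$field] = $raw;
    }

    $email = trim((string) ($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid email address';
    }
    $data['email'] = $email;

    $comments = trim((string) ($post['comments'] ?? ''));
    if ($comments === '') {
        $errors['comments'] = 'Please leave us a comment about our service';
    } elseif (strlen($comments) > 2000) {
        $errors['comments'] = 'Comment is too long';
    }
    // Comments are stored as raw text and never trusted; escaping happens at output.
    $data['comments'] = $comments;

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $data];
}

/**
 * Render the result as HTML (assumed helper name). htmlspecialchars() runs on
 * every user-supplied value; nl2br() is applied after escaping, so the only
 * markup that reaches the browser is the <br /> this function inserts.
 */
function render_contact(array $result): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    if (!$result['ok']) {
        $out = '';
        foreach ($result['errors'] as $msg) {
            $out .= '<p class="error">' . $h($msg) . "</p>\n";
        }
        return $out;
    }

    $d = $result['data'];
    return '<p>Thank you ' . $h($d['first_name']) . ' ' . $h($d['last_name']) . '<br>'
        . 'We will be contacting you soon at ' . $h($d['email']) . '<br>'
        . 'And thank you for your comments:<br>'
        . nl2br($h($d['comments'])) . "</p>\n";
}

// Constructed submissions standing in for $_POST: one clean entry, and one
// that carries tags in a name and in the comment plus a malformed address.
$samples = [
    ['first_name' => 'Mike', 'last_name' => "O'Brien", 'email' => 'mike@example.com',
     'comments' => "Great service.\nWill return."],
    ['first_name' => '<b>Mike</b>', 'last_name' => 'Smith', 'email' => 'not-an-email',
     'comments' => '<b>nice</b> service <script>'],
];

foreach ($samples as $post) {
    echo render_contact(validate_contact($post));
}
```

The first sample renders a thank-you paragraph in which O'Brien's apostrophe comes out as an entity and the newline in the comment becomes a `<br />`. The second sample produces two error paragraphs (tags in the first name, invalid email); had it passed, the `<b>` and `<script>` text in the comment would have been printed as literal, escaped characters rather than interpreted by the browser. This is the difference from the original script, which relies on strip_tags() and FILTER_SANITIZE_STRING at input time and then prints the values unescaped.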

Hi Mike316,

I was interested to see that you first declared the variables and am interested in feedback as I never declare PHP variables before using them.

Have I been doing something wrong all these years?

Necuima

For me, the variable declaration up front is a protection tool (e.g., you'll get notices if you refer to a variable that doesn't exist) and negates the need for using else clauses in your validation. Largely, though, it's a matter of personal preference, so long as you never assume a variable exists when it might not!
