Solved

html input clean up

Posted on 2016-11-14
3
75 Views
Last Modified: 2016-11-14
I use below function to clean up my web users html inputs,
most of the time I insert my html inputs to mysql database.

do you think this function is enough?


function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

       $id = test_input($_POST["id"]);
    $comment = test_input($_POST["comment"]);
    $adet = test_input($_POST["adet"]);
0
Comment
Question by:Braveheartli
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 51

Expert Comment

by:Ryan Chong
ID: 41885995
do you think this function is enough?
it is depending on how you want your data being saved.

the most effective way is to store your data into your database, and then retrieve and display it into your web pages.

you need to test the scenarios for both insertion and updating.

your function generally looks ok...
1
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 41886102
Let's try to deconstruct this function, line-by-line:
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

Open in new window

1. This is the function "signature" showing only one input is allowed
2. This removes any whitespace from the front and back of a string
3. This removes escape-type slashes from a string.  It should not be necessary.  Years ago we might have needed something like this, but not any more.  It probably does not hurt, but it just adds unwanted overhead.
4. This is used before sending browser output; it is inappropriate to convert the entities before storing a string in your database.  It increases the length of the string and may cause truncation.  Recommend you omit this from the data model and use it in the view portion instead.
5. This returns the modified string.

Now having said all that, let's consider what you really want to do when you get external input.  The general design is "Filter Input" and "Accept Only Known Good Values."  You might want to learn about PHP filter_var() and related functions.  You probably want to design your app with one filtering algorithm for each external input.  If you expect the input to be a positive integer, test it!  And discard any request that has anything other than a positive integer, because it's probably an attack or a client error.  If you expect the input to be an email address, use FILTER_VALIDATE_EMAIL.   Etc...

Once the input has passed all of the filter / sanitize tests, you can prepare it for use in a database query.  If you're using the MySQLi extension, you will use one of the escape functions, probably real_escape_string().  If you're using PDO, you do not escape the input values, instead you prepare the query.

More details and comparative examples about the different database extensions are available here:
https://www.experts-exchange.com/articles/11177/PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

When you get ready to send string data to the client browser, use htmlentities() or htmlspecialchars() to avoid sending unwanted markup in a text field.  These functions nullify the effect of evil javascript that might have gotten embedded in your application data model.
1
 
LVL 1

Author Closing Comment

by:Braveheartli
ID: 41886120
Thank you very much Ray Paseur
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Find out what you should include to make the best professional email signature for your organization.
This article shows the steps required to install WordPress on Azure. Web Apps, Mobile Apps, API Apps, or Functions, in Azure all these run in an App Service plan. WordPress is no exception and requires an App Service Plan and Database to install
The viewer will learn how to dynamically set the form action using jQuery.
HTML5 has deprecated a few of the older ways of showing media as well as offering up a new way to create games and animations. Audio, video, and canvas are just a few of the adjustments made between XHTML and HTML5. As we learned in our last micr…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question