Solved

html input clean up

Posted on 2016-11-14
3
53 Views
Last Modified: 2016-11-14
I use below function to clean up my web users html inputs,
most of the time I insert my html inputs to mysql database.

do you think this function is enough?


function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

       $id = test_input($_POST["id"]);
    $comment = test_input($_POST["comment"]);
    $adet = test_input($_POST["adet"]);
0
Comment
Question by:Braveheartli
3 Comments
 
LVL 50

Expert Comment

by:Ryan Chong
ID: 41885995
do you think this function is enough?
it is depending on how you want your data being saved.

the most effective way is to store your data into your database, and then retrieve and display it into your web pages.

you need to test the scenarios for both insertion and updating.

your function generally looks ok...
1
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 41886102
Let's try to deconstruct this function, line-by-line:
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

Open in new window

1. This is the function "signature" showing only one input is allowed
2. This removes any whitespace from the front and back of a string
3. This removes escape-type slashes from a string.  It should not be necessary.  Years ago we might have needed something like this, but not any more.  It probably does not hurt, but it just adds unwanted overhead.
4. This is used before sending browser output; it is inappropriate to convert the entities before storing a string in your database.  It increases the length of the string and may cause truncation.  Recommend you omit this from the data model and use it in the view portion instead.
5. This returns the modified string.

Now having said all that, let's consider what you really want to do when you get external input.  The general design is "Filter Input" and "Accept Only Known Good Values."  You might want to learn about PHP filter_var() and related functions.  You probably want to design your app with one filtering algorithm for each external input.  If you expect the input to be a positive integer, test it!  And discard any request that has anything other than a positive integer, because it's probably an attack or a client error.  If you expect the input to be an email address, use FILTER_VALIDATE_EMAIL.   Etc...

Once the input has passed all of the filter / sanitize tests, you can prepare it for use in a database query.  If you're using the MySQLi extension, you will use one of the escape functions, probably real_escape_string().  If you're using PDO, you do not escape the input values, instead you prepare the query.

More details and comparative examples about the different database extensions are available here:
https://www.experts-exchange.com/articles/11177/PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

When you get ready to send string data to the client browser, use htmlentities() or htmlspecialchars() to avoid sending unwanted markup in a text field.  These functions nullify the effect of evil javascript that might have gotten embedded in your application data model.
1
 
LVL 1

Author Closing Comment

by:Braveheartli
ID: 41886120
Thank you very much Ray Paseur
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article demonstrates how to create a simple responsive confirmation dialog with Ok and Cancel buttons using HTML, CSS, jQuery and Promises
Finding original email is quite difficult due to their duplicates. From this article, you will come to know why multiple duplicates of same emails appear and how to delete duplicate emails from Outlook securely and instantly while vital emails remai…
In this tutorial viewers will learn how to style elements, such a divs, with a "drop shadow" effect using the CSS box-shadow property Start with a normal styled element, such as a div.: In the element's style, type the box shadow property: "box-shad…
The viewer will learn how to dynamically set the form action using jQuery.

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question