Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

html input clean up

Posted on 2016-11-14
3
Medium Priority
?
119 Views
Last Modified: 2016-11-14
I use below function to clean up my web users html inputs,
most of the time I insert my html inputs to mysql database.

do you think this function is enough?


function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

       $id = test_input($_POST["id"]);
    $comment = test_input($_POST["comment"]);
    $adet = test_input($_POST["adet"]);
0
Comment
Question by:Braveheartli
3 Comments
 
LVL 54

Expert Comment

by:Ryan Chong
ID: 41885995
do you think this function is enough?
it is depending on how you want your data being saved.

the most effective way is to store your data into your database, and then retrieve and display it into your web pages.

you need to test the scenarios for both insertion and updating.

your function generally looks ok...
1
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 41886102
Let's try to deconstruct this function, line-by-line:
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

Open in new window

1. This is the function "signature" showing only one input is allowed
2. This removes any whitespace from the front and back of a string
3. This removes escape-type slashes from a string.  It should not be necessary.  Years ago we might have needed something like this, but not any more.  It probably does not hurt, but it just adds unwanted overhead.
4. This is used before sending browser output; it is inappropriate to convert the entities before storing a string in your database.  It increases the length of the string and may cause truncation.  Recommend you omit this from the data model and use it in the view portion instead.
5. This returns the modified string.

Now having said all that, let's consider what you really want to do when you get external input.  The general design is "Filter Input" and "Accept Only Known Good Values."  You might want to learn about PHP filter_var() and related functions.  You probably want to design your app with one filtering algorithm for each external input.  If you expect the input to be a positive integer, test it!  And discard any request that has anything other than a positive integer, because it's probably an attack or a client error.  If you expect the input to be an email address, use FILTER_VALIDATE_EMAIL.   Etc...

Once the input has passed all of the filter / sanitize tests, you can prepare it for use in a database query.  If you're using the MySQLi extension, you will use one of the escape functions, probably real_escape_string().  If you're using PDO, you do not escape the input values, instead you prepare the query.

More details and comparative examples about the different database extensions are available here:
https://www.experts-exchange.com/articles/11177/PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

When you get ready to send string data to the client browser, use htmlentities() or htmlspecialchars() to avoid sending unwanted markup in a text field.  These functions nullify the effect of evil javascript that might have gotten embedded in your application data model.
1
 
LVL 1

Author Closing Comment

by:Braveheartli
ID: 41886120
Thank you very much Ray Paseur
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This post looks at MongoDB and MySQL, and covers high-level MongoDB strengths, weaknesses, features, and uses from the perspective of an SQL user.
Q&A with Course Creator, Mark Lassoff, on the importance of HTML5 in the career of a modern-day developer.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will the learn the benefit of plain text editors and code an HTML5 based template for use in further tutorials.
Suggested Courses

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question