Solved

html input clean up

Posted on 2016-11-14
3
30 Views
Last Modified: 2016-11-14
I use the function below to clean up my web users' HTML inputs;
most of the time I insert these HTML inputs into a MySQL database.

Do you think this function is enough?


// Applied to every POST field before it is used.
function test_input($data) {
  $data = trim($data);            // strip leading/trailing whitespace
  $data = stripslashes($data);    // remove backslash escapes
  $data = htmlspecialchars($data); // convert <, >, &, " to HTML entities
  return $data;
}

$id      = test_input($_POST["id"]);
$comment = test_input($_POST["comment"]);
$adet    = test_input($_POST["adet"]);
0
Question by:Braveheartli
3 Comments
 
LVL 49

Expert Comment

by:Ryan Chong
ID: 41885995
do you think this function is enough?
It depends on how you want your data to be saved.

The most effective way is to store your data in your database, and then retrieve and display it in your web pages.

You need to test the scenarios for both insertion and updating.

Your function generally looks OK...
1
 
LVL 108

Accepted Solution

by: Ray Paseur (earned 500 total points)
ID: 41886102
Let's try to deconstruct this function, line-by-line:
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}


1. This is the function "signature" showing only one input is allowed
2. This removes any whitespace from the front and back of a string
3. This removes escape-type slashes from a string.  It should not be necessary.  Years ago we might have needed something like this, but not any more.  It probably does not hurt, but it just adds unwanted overhead.
4. This is used before sending browser output; it is inappropriate to convert the entities before storing a string in your database.  It increases the length of the string and may cause truncation.  Recommend you omit this from the data model and use it in the view portion instead.
5. This returns the modified string.

Now having said all that, let's consider what you really want to do when you get external input.  The general design is "Filter Input" and "Accept Only Known Good Values."  You might want to learn about PHP filter_var() and related functions.  You probably want to design your app with one filtering algorithm for each external input.  If you expect the input to be a positive integer, test it!  And discard any request that has anything other than a positive integer, because it's probably an attack or a client error.  If you expect the input to be an email address, use FILTER_VALIDATE_EMAIL.   Etc...

Once the input has passed all of the filter / sanitize tests, you can prepare it for use in a database query.  If you're using the MySQLi extension, you will use one of the escape functions, probably real_escape_string().  If you're using PDO, you do not escape the input values, instead you prepare the query.

More details and comparative examples about the different database extensions are available here:
https://www.experts-exchange.com/articles/11177/PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

When you get ready to send string data to the client browser, use htmlentities() or htmlspecialchars() to avoid sending unwanted markup in a text field.  These functions nullify the effect of evil javascript that might have gotten embedded in your application data model.
1
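Worked example added here (it is not code from the question or from either answer) that implements the three stages the accepted answer describes: filter each input with filter_var() and accept only known good values, insert with a PDO prepared statement instead of escaping, and call htmlspecialchars() only at the view layer. The table name "orders" and its columns are assumptions; the sample request array is constructed to stand in for $_POST, and SQLite in memory is used so the script runs offline (only the DSN line changes for MySQL).

```php
<?php
// Added example, not code from the original question or answers.
// Assumptions: a hypothetical table "orders" (id, comment, adet) and a
// constructed sample request; SQLite in memory replaces MySQL so this runs
// offline. The PDO calls are identical for a MySQL DSN.
declare(strict_types=1);

/** Accept only known good values; throw on anything else (no SQL runs). */
function filter_request(array $post): array
{
    $intOpts = ['options' => ['min_range' => 1]];
    $id   = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    $adet = filter_var($post['adet'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    if ($id === false || $adet === false) {
        throw new InvalidArgumentException('id and adet must be positive integers');
    }

    // Free text: trim and bound the length so the column cannot truncate.
    // Deliberately no htmlspecialchars() here; the raw text is what gets stored.
    $comment = trim((string) ($post['comment'] ?? ''));
    if ($comment === '' || strlen($comment) > 1000) {
        throw new InvalidArgumentException('comment must be 1..1000 bytes');
    }
    return ['id' => $id, 'comment' => $comment, 'adet' => $adet];
}

/** Parameters travel separately from the SQL text, so nothing is escaped. */
function insert_order(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO orders (id, comment, adet) VALUES (:id, :comment, :adet)'
    );
    $stmt->bindValue(':id', $clean['id'], PDO::PARAM_INT);
    $stmt->bindValue(':comment', $clean['comment'], PDO::PARAM_STR);
    $stmt->bindValue(':adet', $clean['adet'], PDO::PARAM_INT);
    $stmt->execute();
}

/** Escape at the view layer; ENT_QUOTES also covers attribute values. */
function render_comment(string $raw): string
{
    return '<p>' . htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed sample request standing in for $_POST.
$samplePost = [
    'id'      => '42',
    'comment' => "Nice product <script>alert('x')</script> & thanks",
    'adet'    => '3',
];

try {
    $clean = filter_request($samplePost);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request: ' . $e->getMessage());
}

// In-memory SQLite so the example runs anywhere; for MySQL use
// new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass, $opts).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, comment TEXT NOT NULL, adet INTEGER NOT NULL)');
insert_order($db, $clean);

// Read back and render: what is stored is the original text, what is sent
// to the browser is the escaped version.
$stmt = $db->prepare('SELECT comment FROM orders WHERE id = :id');
$stmt->bindValue(':id', $clean['id'], PDO::PARAM_INT);
$stmt->execute();
$stored = (string) $stmt->fetchColumn();

printf("stored  (%d bytes): %s\n", strlen($stored), $stored);
printf("encoded (%d bytes): %s\n", strlen(htmlspecialchars($stored, ENT_QUOTES)), render_comment($stored));

// A request that fails the filter is rejected before any SQL is touched.
try {
    filter_request(['id' => 'abc', 'comment' => 'x', 'adet' => '-5']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The two printf lines make the answer's point 4 visible: the entity-encoded string is longer than the stored one, which is why encoding belongs in the view and not in the data model. With real MySQL, keep the same per-field filters and prepared statements; only the DSN and credentials differ.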
 
LVL 1

Author Closing Comment

by:Braveheartli
ID: 41886120
Thank you very much Ray Paseur
0
