Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

html input clean up

Posted on 2016-11-14
3
59 Views
Last Modified: 2016-11-14
I use below function to clean up my web users html inputs,
most of the time I insert my html inputs to mysql database.

do you think this function is enough?


function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

       $id = test_input($_POST["id"]);
    $comment = test_input($_POST["comment"]);
    $adet = test_input($_POST["adet"]);
0
Comment
Question by:Braveheartli
3 Comments
 
LVL 51

Expert Comment

by:Ryan Chong
ID: 41885995
do you think this function is enough?
it is depending on how you want your data being saved.

the most effective way is to store your data into your database, and then retrieve and display it into your web pages.

you need to test the scenarios for both insertion and updating.

your function generally looks ok...
1
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 41886102
Let's try to deconstruct this function, line-by-line:
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

Open in new window

1. This is the function "signature" showing only one input is allowed
2. This removes any whitespace from the front and back of a string
3. This removes escape-type slashes from a string.  It should not be necessary.  Years ago we might have needed something like this, but not any more.  It probably does not hurt, but it just adds unwanted overhead.
4. This is used before sending browser output; it is inappropriate to convert the entities before storing a string in your database.  It increases the length of the string and may cause truncation.  Recommend you omit this from the data model and use it in the view portion instead.
5. This returns the modified string.

Now having said all that, let's consider what you really want to do when you get external input.  The general design is "Filter Input" and "Accept Only Known Good Values."  You might want to learn about PHP filter_var() and related functions.  You probably want to design your app with one filtering algorithm for each external input.  If you expect the input to be a positive integer, test it!  And discard any request that has anything other than a positive integer, because it's probably an attack or a client error.  If you expect the input to be an email address, use FILTER_VALIDATE_EMAIL.   Etc...

Once the input has passed all of the filter / sanitize tests, you can prepare it for use in a database query.  If you're using the MySQLi extension, you will use one of the escape functions, probably real_escape_string().  If you're using PDO, you do not escape the input values, instead you prepare the query.

More details and comparative examples about the different database extensions are available here:
https://www.experts-exchange.com/articles/11177/PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

When you get ready to send string data to the client browser, use htmlentities() or htmlspecialchars() to avoid sending unwanted markup in a text field.  These functions nullify the effect of evil javascript that might have gotten embedded in your application data model.
1
 
LVL 1

Author Closing Comment

by:Braveheartli
ID: 41886120
Thank you very much Ray Paseur
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
reverse engineer .sql from php files 11 35
html border input line 7 15
MySQL InnodDB Import from mysqldump takes forever. 2 36
CSS Style 8 20
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question