Filter Input

Server-side filtering is important for security; client-side validation is important for usability, but the client can bypass it, so it is never a substitute.

<form method="POST">
    Username: <input type="text" name="username">
    Color:
    <select name="color">
        <option></option>
        <option>Red</option>
        <option>Blue</option>
    </select>
    <input type="submit" name="btn_submit">
</form>

<?php
# All of PHP's superglobal arrays should be considered tainted.
# Even the $_SERVER array is not fully safe: it contains some data provided
# by the client (for example HTTP_HOST and the other HTTP_* request headers).
#
# Only $_SESSION is safe!
# Ctype functions are always preferred over regular expressions.
if (isset($_POST['btn_submit'])) {
    $clean = [];
    # Whitelist: accept the username only if it consists solely of letters.
    # is_string() guards against a value submitted as username[]=... (an array).
    if (isset($_POST['username']) && is_string($_POST['username']) && ctype_alpha($_POST['username'])) {
        $clean['username'] = $_POST['username'];
    }
    # Whitelist: accept the color only if it is one of the known options.
    # The third argument makes the comparison strict (no type juggling).
    if (isset($_POST['color']) && in_array($_POST['color'], ['Red', 'Blue'], true)) {
        $clean['color'] = $_POST['color'];
    }
    var_dump($clean);
}
Escape Output

Escaping output protects the client and the user: data that is echoed back is neutralised so the browser cannot interpret it as markup or script.

<form method="POST">
    Message: <input type="text" name="message">
    <input type="submit" name="btn_submit">
    <br><br>
    Example: <br>
    John's message is "Hello World!"
</form>

<?php
if (isset($_POST['btn_submit'])) {
    # Default flags: converts double quotes only (PHP 8.0 and earlier).
    echo "\n" . htmlentities($_POST['message']);
    # John's message is &quot;Hello World!&quot;

    # ENT_QUOTES: converts both double and single quotes.
    echo "\n" . htmlentities($_POST['message'], ENT_QUOTES);
    # John&#039;s message is &quot;Hello World!&quot;

    # Since PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401,
    # so on current versions both calls produce the second form.
}
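Putting both sections together, as an added example that is not part of the original page: a whitelist filter for the username/color form above that also handles input shapes the inline snippet does not consider (missing keys, parameters submitted as arrays, non-string values), and an escaping helper used on the way back out. `filterForm()` and `e()` are names chosen here; the escaper uses htmlspecialchars() with explicit flags and charset instead of htmlentities().

```php
<?php
declare(strict_types=1);
// Added example, not part of the original page. Function names are chosen here.

/** Whitelist filter for the username/color form; returns only the fields that pass. */
function filterForm(array $post): array
{
    $clean = [];
    // A key submitted as username[]=... arrives as an array, not a string.
    // Treat anything that is not a non-empty string as absent.
    $username = $post['username'] ?? null;
    if (is_string($username) && $username !== '' && strlen($username) <= 32
        && ctype_alpha($username)) {          // A-Za-z only in the default "C" locale
        $clean['username'] = $username;
    }
    // Exact match against the known options; strict comparison avoids type juggling.
    $color = $post['color'] ?? null;
    if (is_string($color) && in_array($color, ['Red', 'Blue'], true)) {
        $clean['color'] = $color;
    }
    return $clean;
}

/** Escape a string for HTML body or quoted-attribute context (assumes a UTF-8 page). */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions, standing in for $_POST:
$attempts = [
    ['username' => 'alice', 'color' => 'Red'],            // both accepted
    ['username' => 'alice<script>', 'color' => 'Green'],  // both rejected
    ['username' => ['x'], 'color' => ['Red']],            // arrays: both rejected
    ['username' => "O'Brien", 'color' => 'Blue'],         // apostrophe: username rejected
];
foreach ($attempts as $post) {
    $clean = filterForm($post);
    echo json_encode($clean), "\n";
    if (isset($clean['username'])) {
        // Escape even validated data when rendering: defence in depth.
        echo '<p>Hello, ' . e($clean['username']) . "</p>\n";
    }
}
```

The last sample shows the trade-off of ctype_alpha(): it rejects legitimate names containing apostrophes, hyphens or non-ASCII letters, so the whitelist must match what the field is actually allowed to hold.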