validating text input

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Discussions like these are often more about terminology than about the underlying principles. I think that anyone who has programmed some more agrees that you should do something with the data coming into your app, and something when data leaves your app. I prefer the terms input filtering/validation and output escaping.

Data from outside -> filter/validate -> Business logic -> escape -> HTML, DB, etc

So filtering/validating is making sure only good data comes into your app. If you want a numeric value for something, you don't want any other character. So you filter/validate with ctype_digit/is_numeric or something similar.

Escaping happens every time some data leaves your app. Whether it is output to HTML or a db or something else. Depending on where the data goes to you use a specific escaping mechanism.
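The flow matthijs describes (filter/validate on the way in, escape on the way out, with the escaper chosen by destination) as an added example in PHP. This is not code from the thread; it assumes PDO with the sqlite driver is available and uses constructed sample requests and rows, no real data.

```php
<?php
// Added example, not from the thread: validate on the way in, escape on the way out.
declare(strict_types=1);

// --- Input filtering/validation: accept only the shape we expect ---

// Integer id from a query string: ctype_digit rejects signs, spaces, decimals and
// anything else that is not 0-9. Reject bad input rather than trying to "clean" it.
function validateId(string $raw): ?int
{
    if ($raw === '' || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    return (int) $raw;
}

// Short display name: whitelist of allowed characters plus a length limit.
function validateName(string $raw): ?string
{
    return preg_match('/^[\p{L}\p{N} \'-]{1,40}$/u', $raw) === 1 ? $raw : null;
}

// --- Output escaping: pick the escaper for the destination ---

// HTML context: escape at the moment the value is written into markup.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Database context: bind parameters instead of escaping strings by hand.
function findUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Constructed sample data (assumed; stands in for $_GET and a real table) ---
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (42, 'O''Brien'), (7, 'Seven')");

$samples = [
    ['id' => '42',        'name' => "O'Brien"],            // accepted
    ['id' => '42 OR 1=1', 'name' => 'Mallory'],            // rejected by validateId
    ['id' => '7',         'name' => '<b>x</b>'],           // rejected by validateName
    ['id' => '7',         'name' => 'Seven'],              // accepted
];

foreach ($samples as $in) {
    $id   = validateId($in['id']);
    $name = validateName($in['name']);
    if ($id === null || $name === null) {
        // Even the rejection message goes through the HTML escaper before output.
        echo 'rejected: ' . escHtml(json_encode($in)) . "\n";
        continue;
    }
    $row = findUser($db, $id);
    // The apostrophe in O'Brien survives validation and is only encoded here,
    // at the HTML boundary; the DB never saw an escaped string at all.
    echo '<p>' . escHtml($name) . ' -> ' . escHtml($row['name'] ?? 'not found') . "</p>\n";
}
```

The point of keeping the two steps separate is that the same validated value can go to several destinations, each with its own escaper: HTML gets `htmlspecialchars`, the database gets a bound parameter, and neither step has to know about the other.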
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

Exactly. stripslashes, addslashes, regular expressions, and any other form of validation and data-validation functions are absolutely needed. Couldn't have said it better myself matthijs