How can I ensure my user's data is valid in PHP and MySQL?

Question

I have a web form that takes 2 string values and 2 integer values from a user and stores them in a database.

How can I ensure that the ints are actually ints and sanitze input so that Bobby Tables doesn't pay me a visit?

Here is my forms code:

if(isset($_POST['submit']))
{
    $formTitle = $_POST['title'];
    $formAuthor = $_POST['author'];
    $formPagecount = $_POST["pagecount"];
    $formCurrentpage = $_POST["currentpage"];   
}

<form method="post" action="index.php">
    Title: <input type="text" size="25" maxlength="250" name="title" />
    <br/>
    Author: <input type="text" size="25" maxlength="250" name="author" />
    <br/>
    Page Count: <input type="text" size="25" maxlength="25" name="pagecount" />
    <br/>
    Current Page: <input type="text" size="25" maxlength="25" name="currentpage" />
    <br />
    <input type="submit" value="Add new book" name="submit" />
</form>

Answer 1

There are several things you may want to check / do :

• Verify the form has been submitted : isset on the $_POST component will help
• Chechking your data are "valid" :
  • did the user enter data in each field ?
  • do the required field contain data ?
  • don't forget to trim before checking, so a field containing " " doesn't count as a field with data in it
• Chechking your data is actually the way you want :
  • do the title and author contain strings ? Longer than X characters ? Short that Y characters ? Any "fordibben" character or value ?
  • do the two other fields contain numeric data ? Positive ? Only numbers (nothing like 3E5 or the like) Not bigger than what you consider as OK ?

There are frameworks that can help you with all that.
For instance :

• PEAR::Validate
• Zend_Validate

(The more you re-use existing great code, the better for your application, I'd say : less risk to introduce bugs with your new, un-tested, code ;-) )

Once you made sure your data is OK, you can insert it into the database.
Which means you must escape it properly.
Depending on the functions / classes you're using, you'll take a look at

• mysqli_real_escape_string for strings
• intval for integers (forcing them into integers, to be sure)
• if use PDO : PDO::quote
• Or you may use prepared statements, that will do most of the escaping work for you ;-)
  • I'd go with those, I think, btw :
  • see mysqli_prepare,
  • and PDO::prepare

Finally, if the data was not successfully validated, you may want to re-echo the form, with the fields already containing what the user typed in the first time.

There, you need to escape data to HTML format, to avoid XSS. Take a look at htmlspecialchars

Same thing, btw, if you want to display those data on another screen somewhere else in your application...

Answer 2

The only safe ways to check if user input data only consists of digits are (1) to use regular expressions or (2) use the ctype-extension (preferable).

if (ctype_digit($_POST['pagecount'])) {
    // ...
}

If you insert integer values into your database you don't have to escape them but make sure they really are integers (cast them); for strings you should use mysql_real_escape_string but it is never wrong (but usually better) to use prepared statements.

By the way: It's not safe to check for the submit-button because IE <= 6 only sends it if it's clicked to submit the form (not if the form is submitted via the enter key).

Answer 3

PDO and its prepared statements will save you headaches, even if they look more complex at first. For integers you can use intval($input), but keep in mind that PHP will -- in its infinite wisdom -- turn non-numeric input into 0.