
Okay, I know the answer to an all-in-one data cleaning strategy: do not do it. My question is: are there any standard actions that should be taken to secure form data right off the bat? Aside from doing my own form validation (i.e. email, phone, etc.).

Currently this is in relation to a web app (HTML, PHP and MySQL), but I would not say this should be limited to that; I want to know best practices. From what I have read, the only time anything should be done as a data cleansing step is before a particular action is taken with that data (i.e. before storing in my database, use mysql_real_escape_string).

EDIT:

Aside from SQL injection, what other malicious attacks can occur from not cleaning data?

nerdlyist

2 Answers


Magic Quotes has shown us that every sort of sanitation 'right off the bat' is bad practice. We validate our data when we need it at runtime as different usage requires different validation.

For validation purposes there are nowadays dozens of libraries available such as GUMP and Zend Forms (Further libraries can be found here: Easiest Form validation library for PHP?).

P.S.: You are talking about mysql_real_escape_string. Make sure that you use either PDO or mysqli instead of the nowadays deprecated Original MySQL API. For more information read: Why shouldn't I use mysql_* functions in PHP?.

chrisp
  • I never used Magic Quotes, and that is what made me curious when doing research on it. I will take a look at the libraries, thanks! – nerdlyist Jul 20 '14 at 20:41

First of all, I am assuming you are using MySQLi (PDO is fine as well) and not the deprecated MySQL extension. If not, then you should definitely switch to one of those two.

Before inserting information into the database, always make sure you use prepared statements and parameterized queries (see here: How can I prevent SQL injection in PHP?).

As for validating emails, IPs and other types of data before they are inserted into the database, consider using filter_var() (see here: http://php.net/manual/en/function.filter-var.php).

When pulling information out of your database, make sure you use htmlspecialchars() and strip_tags().

Example: htmlspecialchars(strip_tags($message_body))

Exwolf
  • I am actually using the library php active record, which I believe is using PDO. So then the only time to really be concerned, from the seems of it, is when the program is about to use it. – nerdlyist Jul 20 '14 at 14:04
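Both answers make the same point from different angles: chrisp's, that a blanket escape at intake (Magic Quotes style) is bad practice and each use needs its own handling, and Exwolf's, that the handling is a parameterized query for SQL, filter_var() for validation and htmlspecialchars() for HTML output. The following PHP script is an added example written for this page; it is not code from the question, either answer, or the php active record library. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension), and the comments table and the submitted form values are constructed for the demonstration. It first runs a value through addslashes() at intake to show how the stored data gets corrupted, then handles the same value per context.

```php
<?php
// Added example, not from the original page. Shows why escaping "right off
// the bat" corrupts data, and what context-specific handling looks like.
// The table schema and the $post array below are constructed for this demo.
declare(strict_types=1);

// --- blanket escaping at intake (what magic_quotes_gpc used to do) ---------
function escapeEverythingAtIntake(array $post): array
{
    // addslashes() is applied to every value regardless of where it will go.
    return array_map('addslashes', $post);
}

// --- context-specific handling, applied at the moment of use ---------------
function validateEmail(string $raw): ?string
{
    // Validation context: filter_var() returns false for an invalid address.
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function storeComment(PDO $db, string $email, string $body): void
{
    // SQL context: bound parameters keep the value separate from the query
    // text, so the value itself is never escaped or quoted by hand.
    $stmt = $db->prepare('INSERT INTO comments (email, body) VALUES (:email, :body)');
    $stmt->execute([':email' => $email, ':body' => $body]);
}

function fetchBody(PDO $db, string $email): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return (string) $stmt->fetchColumn();
}

function renderComment(string $body): string
{
    // HTML context: escape at output time, for the exact place the value is
    // written (here, an HTML text node), so markup in the data is shown as text.
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, email TEXT, body TEXT)');

// Constructed form submission: an apostrophe and markup in the body,
// and an e-mail field that is not a valid address.
$post = [
    'email' => 'not an address',
    'body'  => "O'Reilly wrote <b>bold</b> & <script>alert(1)</script>",
];

// 1. Blanket escaping: the backslash added at intake becomes part of the
//    stored value once the value goes through a parameterized query.
$blanket = escapeEverythingAtIntake($post);
storeComment($db, 'blanket@example.com', $blanket['body']);
echo "blanket escaping stored: " . fetchBody($db, 'blanket@example.com') . "\n";

// 2. Per-context handling: validate on use, bind on insert, escape on output.
$email = validateEmail($post['email']);
if ($email === null) {
    echo "rejected e-mail: {$post['email']}\n";
    $email = 'reader@example.com'; // constructed fallback so the demo continues
}
storeComment($db, $email, $post['body']); // apostrophe stored verbatim, query unaffected
$stored = fetchBody($db, $email);
echo "stored verbatim:         $stored\n";
echo "rendered for HTML:       " . renderComment($stored) . "\n";
```

Run it with `php example.php`. The first line of output keeps the `\'` that addslashes() inserted, which is the data corruption Magic Quotes became known for; the second path stores the apostrophe as typed, and the rendered line shows the `<script>` element as literal text, which is the cross-site scripting case the question's edit asks about. The example deliberately uses htmlspecialchars() alone rather than the htmlspecialchars(strip_tags(...)) combination from the answer above: for an HTML text node, htmlspecialchars() with ENT_QUOTES is sufficient, and strip_tags() would also delete legitimate content such as a comment containing "a < b".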