
After many attempts at writing code that can sanitize/validate $_POST["input"] in a PHP form, I have to ask about it in general, because every attempt didn't work as I expected. I really have tried a lot, and I just started to exercise with coding 2 months ago (html, css, bootstrap, wordpress, php). I hope you can tell me, as you can see, what is the most common or "best" way to sanitize a php form.

I have re-written some OOP PDO form validation, which I couldn't get to run as I integrated it into a new homepage, because my OOP skills = 0.

It was built with classes, but I didn't see any prepared statement, which surprised me because prepared statements are idolized on the web.

Which is the better way and could you tell me why?

I hope you can answer my question and explain a little bit how I can handle it in a "pro way", which in the best case is safe, because it is a hurdle for me.

Thank you for your help.

2 Answers


First of all, you should never connect validation and "sanitization" in any context. That's two completely different matters, which, alas, confuse too many people.

Validation indeed has to be applied to the form data, and there is no common way to do it. Just use your common sense, business logic needs and framework guidelines.

While "sanitization" is a different matter. Even the word itself is the biggest blunder of PHP folks, always misused and confused.

And the best way to "sanitize" is not to sanitize at all. Because

  1. You can't "sanitize" your data, whatever you mean under the term.
  2. Any "sanitization" will rather spoil the data.
  3. There are actually many destinations this data may be for. You can't have one-for-all solution.
  4. It is the destination, not the source, that matters. This means you should use prepared statements not for POST variables but for SQL queries. BIG difference.

You should format, not "sanitize". Format according to the rules of the certain current destination.

To format data for the SQL query you have to use prepared statements.
To format your data for other destinations you have to follow their rules. And again, not "post form" data but all data, regardless of its source.

Your Common Sense

The Answer of "Your Common Sense" is definitely correct.

So you should validate your form first (client-side); there are a lot of small validation libs, e.g.: http://rickharrison.github.io/validate.js/

When it was posted you have to check if this data is like you expected it. E-mail is just an e-mail, name is just a string without XSS or SQL injection stuff...

So it depends on the destination like the above answer said.

To filter some post values there is for example: http://php.net/manual/en/function.filter-var.php

You can also use full frameworks or libraries against SQL injection and XSS stuff. You should use MySQLi prepared statements and some other stuff against XSS, like HTMLPurifier: http://htmlpurifier.org/

These are just some examples; if you are interested I recommend reading this page: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

swidmann
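As an added example that is not from the question or from either answer, the following script puts both answers together in one place: validation of the submitted fields (with filter_var, as the second answer suggests), then formatting each value for its destination as the first answer describes, with a PDO prepared statement for the SQL query and htmlspecialchars for the HTML page. The table name `users`, its columns, the field names `name` and `email`, and the DSN and credentials are placeholders chosen for this example; the $_POST data itself is never "sanitized" and is passed through unchanged.

```php
<?php
// Added example (not from the question or either answer): validate the
// submitted fields, then format each value for the destination it goes to.
// The table `users(name, email)`, the form field names and the DSN are
// placeholders for this example.

declare(strict_types=1);

/**
 * Validation: decide whether the request is acceptable at all.
 * Returns a list of error messages; an empty list means the data passed.
 * Nothing is modified here except trimming surrounding whitespace.
 */
function validateSignup(array $post): array
{
    $errors = [];

    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'Name must be between 1 and 100 characters.';
    }

    $email = (string) ($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'E-mail address is not valid.';
    }

    return $errors;
}

/**
 * SQL destination: the values are bound as parameters of a prepared
 * statement and never concatenated into the query string, so the query
 * structure cannot be changed by whatever the user typed.
 */
function insertUser(PDO $pdo, string $name, string $email): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
}

/**
 * HTML destination: escape at output time, for the page's charset, so that
 * characters such as <, > and " are displayed literally instead of parsed.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Request handling
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateSignup($_POST);

    if ($errors === []) {
        // Placeholder DSN and credentials; utf8mb4 keeps the connection
        // charset and the htmlspecialchars() charset consistent.
        $pdo = new PDO(
            'mysql:host=localhost;dbname=app;charset=utf8mb4',
            'db_user',
            'db_password',
            [
                PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
            ]
        );

        $name = trim($_POST['name']);
        insertUser($pdo, $name, $_POST['email']);

        // Same raw value, formatted for HTML only at the point of output.
        echo '<p>Thanks, ' . h($name) . '!</p>';
    } else {
        foreach ($errors as $message) {
            echo '<p>' . h($message) . '</p>';
        }
    }
}
```

The point to notice is that the same $name string reaches two destinations and is handled differently for each: bound as a query parameter for the database, escaped with htmlspecialchars() for the browser. Escaping it once "on input" would serve neither destination correctly and would store a spoiled value in the table.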