From a security standpoint, are PDO prepared statements sufficient for preventing mysql related security issues? Or should I be character validating server side as well. Currently I am using pdo prepared statements and client side javascript form checking (but as I understand it the javascript can be disabled).
Kindest Regards,
Chris
There's actually three concerns here, each of which requires a different approach.
Data validation concerns verifying that all required form parameters are supplied, that they're an acceptable length and have the right sort of content. You need to do this yourself if you don't have an ORM you can trust.
Data escaping concerns inserting data into the database in a manner that avoids SQL injections. Prepared statements are a great tool to protect from this.
Data presentation concerns avoiding XSS issues where content you're displaying can be misinterpreted as scripts or HTML. You need to use htmlspecialchars at the very least here.
Note that all three of these are solved problems if you use a development framework. A good one to have a look at is Laravel since the documentation is thorough and gives you a taste for how this all comes together, but there are many others to choose from.
You could pass the data directly into your database, but what if the data the user submits is dodge, or maybe it's just invalid? They may submit a letter instead of a number, or the email address may contain an invalid character.
You can enhance your validation on the server side by using PHP's inbuilt Filters.
You can use these to both sanitize and validate your data.
Validation filters check that the data the user has provided is valid. For example, is the email valid? Is the number actually a number? Does the text match a certain regex?
Sanitization filters basically remove invalid characters for a given data type. Ie removing unsafe characters, removing invalid email/URL characters, removing non numeric characters.
There are a bunch of helper methods that can sanitize and validate single values, arrays and associative arrays, and the _GET and _POST arrays.
Nettuts has a few good tutorials on the matter here and here.
