
As I read in many articles, the validation of data must be on the server side and not on the client side.

I'm wondering what actions I should take to ensure maximum security.

For now I'm doing only one action:

  1. Using statements + bind_params for any SQL query.

Are there any more actions that I should take?
I would like to know about them.

DarkBee
Eyal Biton
    What you're doing will protect against SQL injection. It doesn't validate the data. For instance, you should check that age is a number, a date is properly formatted, country and state names are valid, etc. – Barmar Oct 22 '20 at 07:29
  • Database constraints and triggers are great for validating data. – jarlh Oct 22 '20 at 07:30
  • @jarlh But they're lousy for producing meaningful error messages. – Barmar Oct 22 '20 at 07:31
  • Not sure which articles you have been reading, but data validation starts at the user side normally. It's important that validation is also done on the server side as users can bypass most front end checks. – Nigel Ren Oct 22 '20 at 07:31
  • @Barmar, can be done, if designed properly.. – jarlh Oct 22 '20 at 07:33
  • @jarlh Anything is possible, but it's so much easier if you do it in PHP. – Barmar Oct 22 '20 at 07:33
  • Of course doing it on the user side is also a good idea, because it makes things more difficult for a beginner developer; while anything can be coded in the console, validating data in the front end will be limited. For example, you can do that if the form is submitted: a function that validates the data will be executed and return false if some error occurred, so the user can easily send AJAX instead of submitting the form. So I believe that validation should be on both sides: 30% user side + 70% server side. – Eyal Biton Oct 22 '20 at 07:53
  • "Many articles" are written by people who shouldn't be doing it. As a result, they are confusing security with validation. Security is obligatory and you are already OK with it. Validation belongs to the business logic, and is rather optional but most of all open ended. There is no starting or ending point. Just define rules for *your* data and go for all the validation you can think of. – Your Common Sense Oct 22 '20 at 08:01
  • I am torn between closing this question as a dupe, as it's tagged with security and sql-injection (as both have nothing to do with validation), and voting to close as needs more focus, as it's apparently two different topics, unrelated to each other. – Your Common Sense Oct 22 '20 at 08:03
  • Your Common Sense, this answer solved my confusion about the difference between validation and security for SQL injection. As I understand it, bind parameters are the only action needed to prevent any SQL injection? – Eyal Biton Oct 22 '20 at 09:31
  • Well, with *data*, yes. But when you need to add *another query part* dynamically, it has to be filtered against a hardcoded list of variants. I am closing this question as a dupe where all these matters are explained. – Your Common Sense Oct 22 '20 at 09:45
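The two separate concerns raised in the comments, bound parameters for data values versus a hardcoded whitelist for dynamic query parts, plus plain validation of the input's meaning, as one added PHP/mysqli example (not code from the question or any commenter). It assumes a hypothetical `users` table with `id`, `name` and `age` columns and placeholder connection details.

```php
<?php
// Added example, not from the question or its comments. Assumes a hypothetical
// `users` table (id, name, age) and placeholder connection details.
declare(strict_types=1);

// Hardcoded whitelists for the query *parts* a request may choose. A bound
// parameter can only stand in for a data value, never for a column name or
// a keyword like ASC/DESC, so those must be matched against a fixed list.
const SORTABLE   = ['id', 'name', 'age'];
const DIRECTIONS = ['ASC', 'DESC'];

// Validation is a separate concern from injection defence: it checks that the
// input *means* something sensible. Returns one message per bad field.
function validate(array $in): array
{
    $errors = [];
    $age = filter_var($in['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        $errors['age'] = 'age must be an integer between 0 and 150';
    }
    if (!in_array($in['sort'] ?? '', SORTABLE, true)) {
        $errors['sort'] = 'unknown sort column';
    }
    if (!in_array(strtoupper($in['dir'] ?? ''), DIRECTIONS, true)) {
        $errors['dir'] = 'direction must be ASC or DESC';
    }
    return $errors;
}

function findOlderThan(mysqli $db, array $in): array
{
    $errors = validate($in);
    if ($errors !== []) {
        throw new InvalidArgumentException(json_encode($errors));
    }
    // Query parts: only ever the whitelisted spelling, never the raw request.
    $sort = SORTABLE[array_search($in['sort'], SORTABLE, true)];
    $dir  = DIRECTIONS[array_search(strtoupper($in['dir']), DIRECTIONS, true)];
    // Data value: bound, never interpolated into the SQL string.
    $age  = (int) $in['age'];
    $stmt = $db->prepare("SELECT id, name, age FROM users WHERE age > ? ORDER BY `$sort` $dir");
    $stmt->bind_param('i', $age);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$db = new mysqli('db-host-placeholder', 'app_user', 'password-placeholder', 'app');
print_r(findOlderThan($db, ['age' => '30', 'sort' => 'name', 'dir' => 'asc']));
```

A request such as `['sort' => 'name; DROP TABLE users']` never reaches the SQL string: it fails the whitelist check in `validate()` and is reported as an error instead.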
