
I would like to ask you if it is necessary to check $_POST before DB insertion even in cases where I know that users must fill these inputs with some data.

And if yes, what is the best way? Because now I use this, but it is quite time-consuming to write one for every input if I have more inputs.

    if ( isset($_POST['id']) ) {
        $id = $_POST['id'];
    }

    if ( isset($_POST['title']) ) {
        $title = $_POST['title'];
    }

    if ( isset($_POST['text']) ) {
        $text = $_POST['text'];
    }

    if ( isset($_POST['tag']) ) {
        $tag[] = $_POST['tag'];
    }
    ...

    // edit data in db

Thank you

RiggsFolly
Dump
    You assume that all users are good and will not attempt to circumvent any client-side checks that ensure these fields are filled in correctly. Alas that is not so. You would be advised to check that these fields are completed correctly server-side and that the values are within expected ranges/types. There are quicker ways to accomplish what you have written above though - think of arrays and array iteration as one possible method or [filter_input_array](https://www.php.net/manual/en/function.filter-input-array.php) for instance – Professor Abronsius Jan 07 '22 at 09:12
  • You also need to use Prepared Statements when inserting into your database, as this can help out, not just on this topic but also with handling single-quotes and the like. – droopsnoot Jan 07 '22 at 09:19
  • There are also ready-made scripts and plugins for PHP which can help with data validation, if you search. – ADyson Jan 07 '22 at 09:42
  • Do you need to verify? _Verification for isset?_ Well, it depends. To get _Undefined array key_ warnings when things are not set, then no. Otherwise yes. Tip: you can use [??=](https://stackoverflow.com/questions/59102708/what-is-null-coalescing-assignment-operator-in-php-7-4) for defaults. _Sanitizing data?_ When using prepared statements, then for server security, no. If that data is ever output, then at some point you need to sanitize to prevent XSS vulnerability. If that data is ever used by your code, then you would want to make sure you only insert such data that your code expects. – Markus AO Jan 07 '22 at 09:43
  • Ok, so if I understand well, I always need to validate data and sanitize data from forms. Validation is used to eliminate user errors like empty input or wrongly filled data like a string instead of an integer in a town post code. Sanitization is used for XSS attack prevention. Is it a big problem to use sanitization on both the input and the output from the DB? – Dump Jan 13 '22 at 15:16

1 Answer


You can check through a loop whether every field required is provided like this:

$requiredFields = ['id', 'title', 'text', 'tag'];
$missing = [];
foreach ($requiredFields as $fieldName) {
    if (!array_key_exists($fieldName, $_POST)) {
        $missing[] = $fieldName;
    }
}
if ($missing !== []) {
    // Stop the request here: a bare `break` would only leave the loop,
    // and the assignments below would still run with keys that are absent.
    echo 'Required field(s) missing: ' . implode(', ', $missing);
    exit;
}

Then you can safely assign them to variables

$id = $_POST['id'];
$title = $_POST['title'];
$text = $_POST['text'];
$tag = $_POST['tag'];

You can use the extract() function to assign the input to variables dynamically, but I wouldn't recommend this, because your code will be impolite.

Next, you should validate each field, think about:

  • Is id numeric? Should it be?
  • Is the string length of title above 0?
  • Is the text field perhaps too long? Should you show an error if this is the case?

After that, if you are inserting the data into the database yourself, read about escaping each parameter to prevent MySQL Injection.

You should always assume that the end user who fills in the form will be an attacker. Don't leave your database vulnerable.
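Putting the answer's steps and the comment thread together (one server-side presence/type/range check over all fields at once, prepared statements for the write, escaping only when the value is output), here is an added example; it is not code from the question or the answer. It assumes a `posts` table with `id`, `title`, `text` columns and a `post_tags` table with `post_id`, `tag`; the table names, the length limits and the tag slug rule are assumptions. The validation function runs on any array, so the script can be exercised without a database; the PDO connection is left as a placeholder.

```php
<?php
declare(strict_types=1);

// Added example, not from the question or the answer. Assumed (hypothetical)
// schema: posts(id, title, text) and post_tags(post_id, tag).

/**
 * Validate a raw POST array server-side. Returns ['errors' => [...], 'data' => [...]].
 * Every field is checked for presence, type and range even when the form's
 * client-side checks "guarantee" it; those checks are trivially bypassed.
 */
function validatePostInput(array $input): array
{
    // One definition for all fields. filter_input_array(INPUT_POST, $definition)
    // does the same directly on the request; filter_var_array is used so the
    // function can also be run on a constructed array.
    $filtered = filter_var_array($input, [
        'id'    => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
        'title' => FILTER_UNSAFE_RAW,   // keep raw; length-checked below, escaped on output
        'text'  => FILTER_UNSAFE_RAW,
        'tag'   => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_REQUIRE_ARRAY],
    ], true); // add_empty=true: a missing key comes back as null, a failed filter as false

    $errors = [];
    $clean  = [];

    if (!is_int($filtered['id'])) {
        $errors[] = 'id must be a positive integer';
    } else {
        $clean['id'] = $filtered['id'];
    }

    $title = is_string($filtered['title']) ? trim($filtered['title']) : '';
    if ($title === '' || strlen($title) > 200) {          // 200-byte limit is assumed
        $errors[] = 'title is required (max 200 bytes)';
    } else {
        $clean['title'] = $title;
    }

    $text = is_string($filtered['text']) ? trim($filtered['text']) : '';
    if ($text === '' || strlen($text) > 65535) {          // size of a MySQL TEXT column
        $errors[] = 'text is required (max 65535 bytes)';
    } else {
        $clean['text'] = $text;
    }

    // tag[] must be a non-empty array of short slugs; the slug rule is an assumption
    if (!is_array($filtered['tag']) || $filtered['tag'] === []) {
        $errors[] = 'at least one tag[] is required';
    } else {
        $tags = [];
        foreach ($filtered['tag'] as $t) {
            if (!is_string($t) || !preg_match('/\A[a-z0-9-]{1,32}\z/', $t)) {
                $errors[] = 'each tag must be 1-32 characters of [a-z0-9-]';
                break;
            }
            $tags[] = $t;
        }
        $clean['tag'] = array_values(array_unique($tags));
    }

    return ['errors' => $errors, 'data' => $clean];
}

/** Write the validated data with prepared statements only; no SQL built from strings. */
function updatePost(PDO $pdo, array $data): void
{
    $pdo->beginTransaction();
    try {
        $pdo->prepare('UPDATE posts SET title = :title, text = :text WHERE id = :id')
            ->execute(['title' => $data['title'], 'text' => $data['text'], 'id' => $data['id']]);
        $pdo->prepare('DELETE FROM post_tags WHERE post_id = ?')->execute([$data['id']]);
        $ins = $pdo->prepare('INSERT INTO post_tags (post_id, tag) VALUES (?, ?)');
        foreach ($data['tag'] as $tag) {
            $ins->execute([$data['id'], $tag]);
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Constructed request for demonstration; in the real handler pass $_POST instead.
$request = ['id' => '7', 'title' => '<b>Hi</b>', 'text' => 'body', 'tag' => ['php', 'php', 'forms']];
$result  = validatePostInput($request);

if ($result['errors'] !== []) {
    http_response_code(422);
    foreach ($result['errors'] as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "\n";
    }
    exit;
}

// Placeholder: replace null with new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass,
//   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$pdo = null;
if ($pdo instanceof PDO) {
    updatePost($pdo, $result['data']);
}

// Escape at output time, not before storing, so the stored value stays exact.
echo 'Saved: ', htmlspecialchars($result['data']['title'], ENT_QUOTES, 'UTF-8'), "\n";
```

The split answers the follow-up question in the comments: the input side validates (type, range, length, allowed characters) and rejects what the code does not expect; the database side never sees raw input in a SQL string because every value travels as a bound parameter; and HTML escaping happens once, at the point of output, so the title `<b>Hi</b>` is stored verbatim but rendered as text. Sanitizing on the way in as well would double-encode values on the way out.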