Sanitizing User Input

hadoob024

I'm about to begin my first PHP project. I've read through a couple of PHP programming books, some tutorials, and flipped through the manual as well. I guess the first place I want to start is with sanitizing user input. I've read the suggestions for this from various places, but was trying to get some tips from the programmers on this forum.

So, I guess I was wondering if anyone here had any special tips/recommendations for sanitizing user input coming from a HTML form? Thanks in advance!

-hadoob024

Drakla

Write a class to do it, start now, start today, don't put it off because forms, and dealing with forms and cleaning is the biggest time waste in history so having something reusable is more than brilliant.

Don't be an absolute prat like I was for ages and have tons of code with a load of if statements checking if variables are set, put the variable list in an array. E.g.

$adsCreateFields = array('bannerimage', 'buttonimage', 'urllink', 'companyname', 'smalldesc', 'largedesc', 'howearn', 
		'smalldescfreebie', 'largedescfreebie', 'howearnfreebie', 'payment', 'network', 'status', 'freebieok', 'cashbackok');

function &ads_get_input($fields)
{
	$rh = &new RequestHandler;  <-- this has already stripped all request data if magic quotes on

	// keep only the fields required
foreach ($fields as $key)
{
	if (isset($rh->data[$key]))
		$data[$key] = $rh->data[$key];
	else
		$data[$key] = '';
}

         // replace the data array and trim and specialchars the lot in one go ready to go back into forms if there was an error in validation

$rh->data = &$data;
$rh->trim();
$rh->specialchars();

return $data;
}

My form class also has loads of validation guff inside, you can specify by passing in information on what must be supplied, what type it must be, and see if it's within bounds.

But the biggest rule... make sure ints are ints, and cast them with $page=(int)$page

hadoob024

Cool. Thanks. I have a follow-up question. I only have 4 or 5 fields that I need to check. Is the overhead from creating classes worth it in order to only verify 4 or 5 fields?

Weedpacket

Yes. Because (a) the "overhead" bogeymonster is pretty much just that, and (b) otherwise you'd just have to do it all over again with the next form.

hadoob024

Cool. Thanks! I appreciate all the valuable advice. Here's another question. I just ran the phpinfo() function and saw that my service provider doesn't have PHP5 installed. Can I still use Classes, cuz I thought that I remembered that OOP was only introduced with PHP5?

Drakla

Yeah, you can still use classes. Php5 just adds extra class features to shut up bleating idiots

justsomeone

make your class as reusable as possible - invent your own "datatypes", and validate against each of them.

For instance, you will often need to prompt for an email address. Use a regexp to validate that it is really in the right format to be an email address. Optionally, you might want to query the mail host to see if it's a valid email address.

hadoob024

Cool! Thanks for the tips. Yeah, I guess something reusable would be the best way to go.