Key validation points

Lest you forget why we actually bother validating input, it is because the golden rule of user input is "never trust user input". That means exactly what it says: never trust anything that comes from users. Most of your users will be nice people who want to use your site as you expect them to, however there are some very malicious people out there who hack, cheat, and steal using any means they can - don't let yourself become their next victim!

Above and beyond the golden rule, there are several key things you need to keep in mind when working with user variables:

  • If you are not using magic quotes (and you really shouldn't be), always use the function mysql_real_escape_string() when working with user input destined for databases. In addition, always use mysql_real_escape_string() whenever your user input will be inside quotes.

  • Consider using strip_tags() to make sure people cannot insert rogue HTML into your pages.

  • Never include() a file using a variable unless you are certain the variable cannot come externally. While include($var); might look nice on the surface, it does not take much effort for your users to set $var to be a sensitive file on your system. Even using include("/path/to/somdir/$var") isn't safe, because $var could include "../" to go to the parent directory.

  • Always remember that your users might submit no value at all, in which case you need to check for a variable's existence before you check its value.

  • Don't assume that client-side validation is enough - users can easily disable scripting on their machine, or find other ways around your client-side verification

  • Remember that users can enter "Elephant" for their age - don't assume that users entered anything like what you asked them to.

  • Variable variables and variable functions that rely on user input should be viewed with extreme caution: don't give your users any such easy chances to damage your system with bad input.


Next chapter: Form design >>

Previous chapter: Advanced variable validation using CTYPE

Jump to:


Home: Table of Contents

Follow us on or Twitter

Username:   Password:
Create Account | About TuxRadar