Input Validation in PHP

By: Andi, Stig and Derick Printer Friendly Format    

One essential technique to protect your web site from users is input validation, which is an impressive term that doesn’t mean much at all. The term simply means that you need to check all input that comes from the user, whether the data comes from cookies, GET, or POST data.

First, turn off register_globals in php.ini and set the error_level to the highest possible value (E_ALL | E_STRICT). The register_globals setting stops the registration of request data (Cookie, Session, GET, and POST variables) as global variables in your script; the high error_level setting will enable notices for uninitialized variables.

For different kinds of input, you can use different methods. For instance, if you expect a parameter passed with the HTTP GET method to be an integer, force it to be an integer in your script:

<?php

$product_id = (int) $_GET['prod_id'];

?>

Everything other than an integer value is converted to 0. But, what if $_GET['prod_id'] doesn’t exist? You will receive a notice because we turned the error_level setting up. A better way to validate the input would be

<?php

if (!isset($_GET['prod_id'])) {

die ("Error, product ID was not set");

}

$product_id = (int) $_GET['prod_id'];

?>

However, if you have a large number of input variables, it can be tedious to write this code for each and every variable separately. Instead, you might want to create and use a function for this, as shown in the following example:

<?php

function sanitize_vars(&$vars, $signatures, $redir_url = null)

{

$tmp = array();

/* Walk through the signatures and add them to the temporary

* array $tmp */

foreach ($signatures as $name => $sig) {

if (!isset($vars[$name]]) &&

isset($sig['required']) && $sig['required'])

{

/* redirect if the variable doesn't exist in the array */

if ($redir_url) {

header("Location: $redir_url");

} else {

echo 'Parameter $name not present and no redirect URL';

}

exit();

}

/* apply type to variable */

$tmp[$name] = $vars[$name];

if (isset($sig['type'])) {

settype($tmp[$name], $sig['type']);

}

/* apply functions to the variables, you can use the standard PHP

* functions, but also use your own for added flexibility. */

if (isset($sig['function'])) {

$tmp[$name] = {$sig['function']}($tmp[$name]);

}

}

$vars = $tmp;

}

$sigs = array(

'prod_id' => array('required' => true, 'type' => 'int'),

'desc' => array('required' => true, 'type' => 'string',

'function' => 'addslashes')

);

sanitize_vars(&$_GET, $sigs,

"http:// {$_SERVER['SERVER_NAME']}/error.php?cause=vars");

?>



Ask a Question



Most Viewed Articles (in PHP )

Latest Articles (in PHP)

Comment on this tutorial