Input Validation in PHP
By: Andi, Stig and Derick in PHP Tutorials on 2008-11-23
One essential technique to protect your web site from users is input validation, which is an impressive term that doesn't mean much at all. The term simply means that you need to check all input that comes from the user, whether the data comes from cookies, GET, or POST data.
First, turn off register_globals in php.ini and set the error_level to the highest possible value (E_ALL | E_STRICT). The register_globals setting stops the registration of request data (Cookie, Session, GET, and POST variables) as global variables in your script; the high error_level setting will enable notices for uninitialized variables.
For different kinds of input, you can use different methods. For instance, if you expect a parameter passed with the HTTP GET method to be an integer, force it to be an integer in your script:
<?php
$product_id = (int) $_GET['prod_id'];
?>
Everything other than an integer value is converted to 0. But, what if $_GET['prod_id'] doesn't exist? You will receive a notice because we turned the error_level setting up. A better way to validate the input would be
<?php
if (!isset($_GET['prod_id'])) {
die ("Error, product ID was not set");
}
$product_id = (int) $_GET['prod_id'];
?>
However, if you have a large number of input variables, it can be tedious to write this code for each and every variable separately. Instead, you might want to create and use a function for this, as shown in the following example:
<?php
function sanitize_vars(&$vars, $signatures, $redir_url = null)
{
$tmp = array();
/* Walk through the signatures and add them to the temporary
* array $tmp */
foreach ($signatures as $name => $sig) {
if (!isset($vars[$name]]) &&
isset($sig['required']) && $sig['required'])
{
/* redirect if the variable doesn't exist in the array */
if ($redir_url) {
header("Location: $redir_url");
} else {
echo 'Parameter $name not present and no redirect URL';
}
exit();
}
/* apply type to variable */
$tmp[$name] = $vars[$name];
if (isset($sig['type'])) {
settype($tmp[$name], $sig['type']);
}
/* apply functions to the variables, you can use the standard PHP
* functions, but also use your own for added flexibility. */
if (isset($sig['function'])) {
$tmp[$name] = {$sig['function']}($tmp[$name]);
}
}
$vars = $tmp;
}
$sigs = array(
'prod_id' => array('required' => true, 'type' => 'int'),
'desc' => array('required' => true, 'type' => 'string',
'function' => 'addslashes')
);
sanitize_vars(&$_GET, $sigs, "http://{$_SERVER['SERVER_NAME']}/error.php?cause=vars");
?> Add Comment
This policy contains information about your privacy. By posting, you are declaring that you understand this policy:
- Your name, rating, website address, town, country, state and comment will be publicly displayed if entered.
- Aside from the data entered into these form fields, other stored data about your comment will include:
- Your IP address (not displayed)
- The time/date of your submission (displayed)
- Your email address will not be shared. It is collected for only two reasons:
- Administrative purposes, should a need to contact you arise.
- To inform you of new comments, should you subscribe to receive notifications.
- A cookie may be set on your computer. This is used to remember your inputs. It will expire by itself.
This policy is subject to change at any time and without notice.
These terms and conditions contain rules about posting comments. By submitting a comment, you are declaring that you agree with these rules:
- Although the administrator will attempt to moderate comments, it is impossible for every comment to have been moderated at any given time.
- You acknowledge that all comments express the views and opinions of the original author and not those of the administrator.
- You agree not to post any material which is knowingly false, obscene, hateful, threatening, harassing or invasive of a person's privacy.
- The administrator has the right to edit, move or remove any comment for any reason and without notice.
Failure to comply with these rules may result in being banned from submitting further comments.
These terms and conditions are subject to change at any time and without notice.
- Data Science
- Android
- React Native
- AJAX
- ASP.net
- C
- C++
- C#
- Cocoa
- Cloud Computing
- HTML5
- Java
- Javascript
- JSF
- JSP
- J2ME
- Java Beans
- EJB
- JDBC
- Linux
- Mac OS X
- iPhone
- MySQL
- Office 365
- Perl
- PHP
- Python
- Ruby
- VB.net
- Hibernate
- Struts
- SAP
- Trends
- Tech Reviews
- WebServices
- XML
- Certification
- Interview
categories
Related Tutorials
Send push notifications using Expo tokens in PHP
PHP convert string to lower case
A Basic Example using PHP in AWS (Amazon Web Services)
Different versions of PHP - History and evolution of PHP
PHP code to write to a CSV file for Microsoft Applications
PHP code to write to a CSV file from MySQL query
PHP code to import from CSV file to MySQL
Password must include both numeric and alphabetic characters - Magento
Resume or Pause File Uploads in PHP
PHP file upload prompts authentication for anonymous users
PHP file upload with IIS on windows XP/2000 etc
Comments