PHP-Security - Validating user input or cleaning it? getting mixed up
Time spent in forums: 2 Months 3 Weeks 4 Days 3 h 47 m 21 sec
Reputation Power: 1063
I find it a terrible idea to unaskedly "clean" user input. When I make a mistake, I want you to tell me so that I can correct it. I do not want you to try to guess what I meant and change my input.
I also think that "validating" input is grossly overrated. You can pass the data through 100 functions doing all kinds of formal verifications -- that still doesn't mean the data is actually true. I mean, how is "firstname.lastname@example.org" better than "asdfgh"?
Sure, validations can sometimes be helpful to notify the user of a typo. And it can be used to enforce certain conventions. But it cannot ensure correct data (with a few exceptions).
Time spent in forums: 2 Months 3 Weeks 5 Days 7 h 34 m 45 sec
Reputation Power: 6300
There's nothing illegal about a name containing numbers. There's probably a kid with numbers in their name right now in the US. If they want their name to look like a MySpace profile page title, just let them.
Also note that you used only Latin characters in your example. What about Unicode? What about German or French names with accent marks? What about Asian characters? What about people with oddly hyphenated, spaced, and capitalized names?
Just leave the "name" field alone. It's a label for a human being, and the label can contain anything (aside from SQL injection).
Time spent in forums: 2 Months 2 Days 20 h 11 m 10 sec
Reputation Power: 7170
Some forms of cleanup are OK, but not the example you give. Examples of cleanup that are OK:
- If you have a field asking for a dollar amount, it's convenient to allow the user to optionally enter the $ sign even though you would remove the dollar sign for storage purposes.
- Similar logic for most percent fields
- If the user is entering a floating point value, it's normally acceptable to round the value if they enter a greater precision than you can store
- Most text fields you can trim(), particularly if your users are going to be copying and pasting the value from somewhere else
- If the user is entering HTML (for example, using a WYSIWYG editor) it's normally OK to run it through something like Tidy
- If the user enters a date in a format other than the one you asked for, but you're still able to parse the date unambiguously, it's normally OK to convert the date to the format you asked for automatically
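An added example, not part of any post in this thread: a PHP sketch of the "acceptable cleanup" cases listed above (optional `$` sign, `trim()`, rounding, unambiguous dates) that rejects anything else with a message rather than guessing. The function names, the two-decimal storage precision and the list of accepted date formats are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the names and the accepted formats are assumptions.
// Each returns the normalised value or throws, so the caller can show the
// message to the user instead of guessing what was meant.

function normalize_amount(string $raw): string
{
    // trim() plus an optional leading "$"; at most 9 integer digits so the
    // float conversion below stays exact enough for two decimals.
    if (!preg_match('/^\$?\s*(\d{1,9})(?:\.(\d+))?$/D', trim($raw), $m)) {
        throw new InvalidArgumentException('Enter an amount such as 12.50');
    }
    // Round excess precision to two decimals (assumed storage precision).
    $value = round((float) ($m[1] . '.' . ($m[2] ?? '0')), 2);
    return number_format($value, 2, '.', '');
}

function normalize_date(string $raw): string
{
    $s = trim($raw);
    // Only formats with a four-digit year first or a named month: these cannot
    // be confused with each other. "03/04/2024" is deliberately not accepted.
    foreach (['Y-m-d', 'j F Y', 'j M Y', 'F j, Y', 'M j, Y'] as $fmt) {
        $d = DateTimeImmutable::createFromFormat('!' . $fmt, $s);
        // Round-trip check rejects overflow such as 2024-02-30, which
        // createFromFormat would otherwise roll over to 2024-03-01.
        if ($d !== false && strcasecmp($d->format($fmt), $s) === 0) {
            return $d->format('Y-m-d');
        }
    }
    throw new InvalidArgumentException('Enter the date as YYYY-MM-DD');
}

// Constructed sample input.
$samples = [
    ['normalize_amount', ' $12.345 '], ['normalize_amount', '12 dollars'],
    ['normalize_date', 'March 3, 2024'], ['normalize_date', '03/04/2024'],
    ['normalize_date', '2024-02-30'],
];
foreach ($samples as [$fn, $input]) {
    try {
        printf("%-16s %-16s => %s\n", $fn, var_export($input, true), $fn($input));
    } catch (InvalidArgumentException $e) {
        printf("%-16s %-16s => rejected: %s\n", $fn, var_export($input, true), $e->getMessage());
    }
}
```

Neither helper makes a value safe to concatenate into SQL; that is handled separately by bound parameters, whatever the field contains.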