Input Validation in PHP

By: Andi, Stig and Derick


One essential technique to protect your web site from malformed or malicious user input is input validation, which is an impressive term that doesn’t mean much at all. The term simply means that you need to check all input that comes from the user, whether it arrives in cookies, GET parameters, or POST data.

First, turn off register_globals in php.ini and set the error_level to the highest possible value (E_ALL | E_STRICT). Turning off register_globals stops request data (Cookie, Session, GET, and POST variables) from being registered as global variables in your script; the high error_level setting enables notices for uninitialized variables, so a missing or misspelled variable is reported instead of silently evaluating to an empty value.

For different kinds of input, you can use different methods. For instance, if you expect a parameter passed with the HTTP GET method to be an integer, force it to be an integer in your script:

<?php
$product_id = (int) $_GET['prod_id'];
?>

Everything other than an integer value is converted to 0. But what if $_GET['prod_id'] doesn’t exist? You will receive a notice, because we turned the error_level setting up. A better way to validate the input would be:

<?php
if (!isset($_GET['prod_id'])) {
    die("Error, product ID was not set");
}
$product_id = (int) $_GET['prod_id'];
?>

However, if you have a large number of input variables, it can be tedious to write this code for each and every variable separately. Instead, you might want to create and use a function for this, as shown in the following example:

<?php
function sanitize_vars(&$vars, $signatures, $redir_url = null)
{
    $tmp = array();

    /* Walk through the signatures and add them to the temporary
     * array $tmp */
    foreach ($signatures as $name => $sig) {
        if (!isset($vars[$name]) &&
            isset($sig['required']) && $sig['required'])
        {
            /* redirect if the variable doesn't exist in the array */
            if ($redir_url) {
                header("Location: $redir_url");
            } else {
                /* double quotes so that $name is interpolated */
                echo "Parameter $name not present and no redirect URL";
            }
            exit();
        }

        /* an optional variable that was not sent: skip it rather than
         * read an undefined index, which would raise a notice */
        if (!isset($vars[$name])) {
            continue;
        }

        /* apply type to variable */
        $tmp[$name] = $vars[$name];
        if (isset($sig['type'])) {
            settype($tmp[$name], $sig['type']);
        }

        /* apply functions to the variables, you can use the standard PHP
         * functions, but also use your own for added flexibility. */
        if (isset($sig['function'])) {
            $tmp[$name] = call_user_func($sig['function'], $tmp[$name]);
        }
    }

    $vars = $tmp;
}

$sigs = array(
    'prod_id' => array('required' => true, 'type' => 'int'),
    'desc'    => array('required' => true, 'type' => 'string',
                       'function' => 'addslashes')
);

/* $vars is declared by reference in the function definition, so the
 * call passes $_GET directly (no call-time &) */
sanitize_vars($_GET, $sigs,
              "http://{$_SERVER['SERVER_NAME']}/error.php?cause=vars");
?>
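The same signature-driven approach, written as an added example that is not part of the original tutorial: it validates each parameter instead of casting it, so a value such as "12abc" is rejected rather than silently becoming 12, and missing optional parameters never trigger a notice. The function name validate_vars() and the signature keys 'min' and 'maxlen' are this example's own; filter_var() is a standard PHP function (PHP 5.2 and later).

```php
<?php
// Added example, not from the original tutorial. It keeps the signature idea
// but validates instead of casting: (int) turns "12abc" into 12 and "abc" into 0,
// so garbage is accepted silently; filter_var() with FILTER_VALIDATE_INT returns
// false for anything that is not an integer. Names here are this example's own.

function validate_vars(array $vars, array $signatures, array &$errors)
{
    $clean = array();
    foreach ($signatures as $name => $sig) {
        if (!isset($vars[$name]) || $vars[$name] === '') {
            if (!empty($sig['required'])) {
                $errors[$name] = 'missing';
            }
            continue;   // optional and absent: leave it out of the result
        }
        $value = $vars[$name];
        switch ($sig['type']) {
            case 'int':
                $opts = isset($sig['min']) ? array('options' => array('min_range' => $sig['min'])) : array();
                $value = filter_var($value, FILTER_VALIDATE_INT, $opts);
                break;
            case 'string':
                // reject non-strings, control characters (including NUL) and over-long values
                if (!is_string($value) || preg_match('/[\x00-\x1F\x7F]/', $value)
                    || (isset($sig['maxlen']) && strlen($value) > $sig['maxlen'])) {
                    $value = false;
                }
                break;
            default:
                $value = false;   // unknown type in the signature: never accept
        }
        if ($value === false) {
            $errors[$name] = 'invalid';
            continue;
        }
        $clean[$name] = $value;
    }
    return $clean;
}

// Constructed request standing in for $_GET: a non-integer ID and a NUL byte in the text.
$request = array('prod_id' => '12abc', 'desc' => "nice\x00product");
$sigs = array(
    'prod_id' => array('required' => true,  'type' => 'int', 'min' => 1),
    'desc'    => array('required' => false, 'type' => 'string', 'maxlen' => 200),
);
$errors = array();
$clean = validate_vars($request, $sigs, $errors);
if ($errors) { header('HTTP/1.1 400 Bad Request'); exit('Invalid parameters: ' . implode(', ', array_keys($errors))); }
```

Note that the description is validated rather than run through addslashes(): escaping for a database belongs at the query, in a prepared statement, not in the input validation layer.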

