Trust No One, Especially Not User Data
Whenever you get data from your users, prepare for the worst. In a perfect world, all users enter perfect data (in perfect forms). You cannot assume that this will happen. Conclusion: check all user data thoroughly. If a user enters his or her age, check it: is it numeric at all? Note that is_numeric() also accepts values such as "1e3", "-5" or " 42", so for an age you will usually want a stricter integer check with a plausible range on top of this first test.
```php
if (!is_numeric($_POST["my_age"])) {
    // error handling goes here
}
```
Are you prompting the user for an email address and then writing it into a database field? If the database field accepts 50 characters but the email address is longer than that, something bad will happen: either the value is silently truncated or, even worse, the insert fails and the user sees a database error message. Therefore, trim() the data first and then check its length (and, for an address, its format) before it goes anywhere near the database.
For more sophisticated checks of user input, regular expressions are an excellent tool; anchor them (^...$) so that the whole value must match, not just part of it. For common cases such as integers and email addresses, PHP's filter_var() offers ready-made validators.
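The following is an added example, not code from the original text: it validates a submitted age and email address the way the paragraphs above describe, using filter_var() for the stricter integer check and trim() plus a length check before the address is accepted. The field names, the 50-character column limit and the sample $_POST payloads are assumptions made for illustration.

```php
<?php
// Added example: validating an age and an email address from a form.
// Field names, the column limit and the sample payloads are assumptions.

function validate_age($raw): ?int
{
    // is_numeric() would also accept "1e3", " 42" or "-5"; an age must be
    // a plain non-negative integer in a plausible range. filter_var() returns
    // false for anything else, including arrays sent as my_age[]=x.
    $age = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    return $age === false ? null : $age;
}

function validate_email($raw, int $maxLength = 50): ?string
{
    if (!is_string($raw)) {
        return null;                       // arrays or missing fields
    }
    $email = trim($raw);                   // trim first, then measure
    if ($email === '' || strlen($email) > $maxLength) {
        return null;                       // would be truncated or rejected by the column
    }
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    ['my_age' => '34',  'email' => '  alice@example.org '],          // accepted
    ['my_age' => '1e3', 'email' => 'bob@example.org'],               // numeric, but not an age
    ['my_age' => '34',  'email' => str_repeat('x', 60) . '@example.org'], // too long for the column
    ['my_age' => ['34'], 'email' => 'carol@example.org'],            // my_age[] array trick
];

foreach ($samples as $post) {
    $age   = validate_age($post['my_age'] ?? null);
    $email = validate_email($post['email'] ?? null);
    if ($age === null || $email === null) {
        echo "rejected: ", json_encode($post), "\n";
        continue;
    }
    echo "accepted: age=$age email=$email\n";
}
```

Only the first sample is accepted. The functions return null rather than printing, so the same checks can be reused in the real form handler, where the rejection branch becomes the error handling shown earlier.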
Printing User Data
One specialized case for potentially malicious user data is when you output that data. As a general rule, always check your output! Imagine a guest book where users can leave messages. If you output the text without checking it first, the results can be undesirable, especially if the text contains HTML markup. A <table> element that is not closed leads to a blank page on Netscape 4; and JavaScript embedded in a message does not merely damage the layout, it runs in every visitor's browser with access to the page and its cookies. Either use strip_tags() to remove all HTML markup, or, even better, convert the user data to printable text with htmlspecialchars(). Pass ENT_QUOTES and the page's character set to htmlspecialchars() so that single quotes are encoded too, which matters whenever the value ends up inside an HTML attribute. Note that strip_tags() only removes tags; it leaves quotes and ampersands untouched, so it is not a substitute for escaping.
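The following is an added example, not code from the original text: it renders constructed guest-book entries both through strip_tags() and through htmlspecialchars() so the difference between the two is visible, and it shows the attribute case where ENT_QUOTES is needed. The entries and the page fragment are assumptions made for illustration.

```php
<?php
// Added example: escaping guest-book messages on output.
// The entries below are constructed sample data.

// strip_tags() removes markup but leaves quotes and ampersands in place,
// so the remaining text is still not safe inside an attribute.
function render_stripped(string $message): string
{
    return strip_tags($message);
}

// htmlspecialchars() turns every character with a meaning in HTML into an
// entity, so the browser displays the text literally. ENT_QUOTES also encodes
// single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function render_escaped(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$entries = [
    "Nice site! <b>Bold</b> greetings",
    "<table><tr><td>unclosed",                      // would break the layout
    "<script>document.body.innerHTML=''</script>",   // would run in the visitor's browser
    "Tom & Jerry's \"classic\"",                     // harmless text with special characters
];

// Safe rendering for the guest book body.
echo "<ul>\n";
foreach ($entries as $entry) {
    echo "  <li>", render_escaped($entry), "</li>\n";
}
echo "</ul>\n";

// Echoing a value back into a form field: the attribute context is exactly
// where a stray quote in strip_tags() output would let the value break out.
$last = end($entries);
echo '<input type="text" name="message" value="', render_escaped($last), "\">\n";

// For comparison: strip_tags() keeps the script body as plain text and
// leaves the quotes in the last entry untouched.
foreach ($entries as $entry) {
    echo render_stripped($entry), "\n";
}
```

The escaped rendering of the third entry becomes &lt;script&gt;...&lt;/script&gt;, which the browser shows as text instead of executing; strip_tags() on the same entry returns document.body.innerHTML='' as ordinary text, which is harmless in a list item but, because of the quotes, not in an attribute.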