If you’ve ever confronted the task of validating data in a form, you know about choice. Whether it’s choosing between client-side or server-side scripts, or the amount of information a user should see on the screen, the results should always give the user quick and meaningful feedback, while providing a solution for when things go wrong.
In this entry, I'll attempt to explain what validation is and why it is important.
There seems to be much interest lately in input filtering in PHP, especially in cross-site scripting prevention. I've always preferred input validation to input filtering, but I am giving filtering a new examination. My problem with filtering is with usability. The comments to this post are a good example. There are obviously some usability issues going on here.
One of the concepts that are most difficult for new Web developers to fully grasp is just how dangerous it is to trust user input. Just in the last week, there have been around a dozen or so different reports of vulnerabilities found in Web applications, and almost all of them revolve around unchecked user input. Because of PHP’s dominance in the Web application development world, many of the vulnerable applications were ones written in PHP, which hurt PHP’s security track record, even though it’s not the language that is at fault (the same applications, written in any other language, would have suffered from the same vulnerabilities).
If you don't read the phpsec list, then you wouldn't have seen the post from a Jared Williams (iirc) regarding using SPL, and specifically ArrayAccess. It basically asked for opinions on a set of classes for cleaning the "tainted" GET/POST/COOKIE arrays.
Personally, I think this is over-engineering for this particular issue, and not only that, but it has the potential to hamper your application's performance. There are a number of easy ways to untaint your data, and here are a few ...
I am frequently amazed and/or frustrated when I encounter online applications which have problems with Magic Quotes and string escaping. Even commercial PHP applications I use on a daily basis have such problems. The most common symptom is that slashes (/) end up appearing throughout content.
Over the next few paragraphs, I'm going to show you some basic tricks to validate user input, catch "bad" data before it corrupts your calculations and databases, and provide user notification in a gentle, understandable and non-threatening way. To prepare for this exercise, I suggest you spin up a CD of John Lennon singing 'Imagine', fill your heart with peace and goodwill towards all men, and take a few deep, calming breaths. Once you've exhaled, we can get going.
Today I'll present the fourth and final segment of my PHP link validation series. This week, I'll wrap up the PHP validation script by explaining the most complex and time-consuming forms of link validation. I started this process in part 3, when I showed you how to open a socket to the server. This week, I'll show you how to use PHP to communicate with the server using the HTTP protocol, specifically the GET method.
In part 3 of "A PHP Link Validation Script," I'll introduce the most complex form of validation. It involves connecting to the server in question and trying to retrieve the document through an HTTP request. To accomplish this, you'll be using PHP's Internet communication functionality; some general knowledge of the HTTP protocol is required.
This week, I'll introduce the next segment of the script that handles the validation of the server which hosts the requested document.