On Wed, 2010-08-25 at 10:24 -0400, David Mehler wrote:

> Hello,
> I've got two questions. I'm having to redo my form. Can you tell me
> the difference if any between these two lines of code? This is for
> output filtering.
> <textarea name="description"> <?php echo htmlout("$description"); 
> ?></textarea>
> <textarea name="description"><?php echo htmlout($description); ?> </textarea>
> One has the quotes around the parameter in the function call the other
> does not. Here's the functions:
> function html($text)
> {
>       return htmlentities($text, ENT_QUOTES, 'UTF-8');
> }
> function htmlout($text)
> {
>       return html($text);
> }
> My second question is I'm wanting to do input filtering to prevent
> anything malicious from coming in to my form. The eventual goal is to
> get this information in to a database. Here's an insecure name field
> i'm wanting to secure it against html tags, strange text, no symbols
> except perhaps period, dash, letters, numbers alpha numeric stuff.
> $name = $_POST['name'];
> <div>
> <label for="name">Name*:</label>
> <input type="text" name="name" id="name" size="50" value="<?php echo
> htmlout($name); ?>" /> <br />
> </div>
> In my previous form i used a variable declaration like:
> $name = trim($_POST['name']);
> but I can probably do better, as I said this is eventually going in to
> a database.
> Thanks.
> Dave.

The two lines of code are essentially identical, the quotes just put the
variable value inside of a string, but if that variable is a string
anyway, there won't be a difference, although with quotes will be
slightly slower (we're talking milliseconds here)

As for validation, there are several parts to this. Before any value
goes into the DB you should run something like
mysql_real_escape_string() on it (or an alternative equivalent for other
DB's) as this will prevent SQL injection.

One thing I tend to do is to further validate data to expected values
with regular expressions. For example, a phone number could be validated

/^\+?[\d\- ]+$/

which means match the whole string for numbers, spaces and hyphens, and
allow an optional + symbol at the start

There are some things which are hard to regex (like valid email
addresses and domain names) but most form fields tend to expect certain
types of data which you can write simple expressions for.


Reply via email to