last updated: 6/8/23
Working with user data
User input in PHP usually comes from two places: form data and query strings. Both of these are respectively referenced by the two superglobals $_POST and $_GET. A superglobal is a type of variable that is accessible from any PHP script.
Variables are beyond the scope (pun intended) of this article, but the scope (availability) of these superglobal variables is important for you to know.
But we don’t live in a perfect world, and people like to try and game the system by using things as they aren’t intended. If you’ve ever had to go through airport security or used the library book return slot (complete with a computer interface to scan and verify the book you’re returning) after hours you have seen real-world examples of validation and security.
In PHP sanitizing data is important for a couple of reasons.
Security: When you sanitize the data you prevent malicious attacks that can inject harmful code like
SQLinjection and cross-site scripting (XSS). By sanitizing the data you can prevent database deletion and other unauthorized access to your database.Consistency: When you control the quality of data coming in, you can create a consistent user experience (UX). By sanitizing your data you decrease the chance of errors, data corruption, and other unexpected behaviors.
Preventing errors: As previously discussed, as a developer you really want to avoid errors as they decrease UX and trust in your website/application. When you validate and sanitize data you can handle errors, and edge cases (unlikely events) gracefully. By doing so you increase the reliability and stability of your website.
It’s the law: Some Governmental Organizations like the European Union (EU) require it. Laws like the General Data Protection Act (GDPR) exist to protect user data.
Defining: Sanitizing, validating, escaping
So far I have used terms like validating and sanitizing, but haven’t formally defined them! let’s go ahead and do that.
Sanitize: To make input safe by modifying or removing harmful, unwanted characters. In
PHPa common example is removing or escaping backslashes (like from escaped data) andHTMLcharacters.Escaping: Modifying input so special characters are treated as literal text. An example is the
htmlspecialchars()function inPHP. Instead of parsing theHTML(and other characters like “&”, “”, “<“, “>”), this function encodes special characters as their respectiveHTMLentities.
Aside from preventingHTMLinjection, it also prevents XSS attacks byJavaScript. Something like this"<script>alert('XSS attack!');</script>"would be turned into
<script>alert('XSS attack!');</script>. Here’s a typical usage ofhtmlspecialchars()combined withstripslashes() in my code to remove character escapingfunction sanitizeInput(mixed $input) {$stripslash = stripslashes($input);$htmlToEntities = htmlspecialchars($stripslash);return $htmlToEntities;}In implementing thesanitizeInput()function, I learned the order of the two functions is very important. By applyingstripslashesfirst, I ensured that any escaped characters are restored to their original form before further processing.By applying
htmlspecialchars()afterstripcslashes(), I made sure that the special characters are properly encoded, even if they were initially escaped. If the order of functions were reversed I couldn’t make sure the data was properly sanitized ashtmlspecialchars()might not recognize them as special characters.Validating: Ensures that data meets specific criteria. For example, checking a string (text) to make sure it only has letters and is a certain length.
While PHP has plenty of native functions and filters to validate input on the server, it isn’t uncommon to rely on client-side technologies HTML and JavaScript for much of the validation. Modern HTML has an input type of email and number to make sure users can only enter text in a valid format.
Aside from the reasons outlined earlier (like database corruption) server-side validation is extra important because sophisticated users can bypass the front-end validation measures.
As part of a project at perpetual.education a recent use-case for PHP validation I saw was image uploading. We were tasked with creating a create, read, update, delete (CRUD) app with image upload. I created a website for bread recipes that uses a form along with the 3 superglobals $_POST, $_GET, and $_FILES to manage the data.
To prevent users from uploading a file that is too large, I used the PHP getimagesize() function to check the image uploaded and referenced by the $_FILES superglobal. This function returns the size of the file along with an array of other information about it such as its mime type (info that determines the type of file it is). This ensures that only files of a certain mime type are allowed, in this case image/jpeg.
Have you encountered unexpected security issues in your PHP website/app? What are the best native functions or PHP frameworks to prevent them? let me know in the comments.
External Sources