Joe Ferguson, profile picture
Uploaded byJoe Ferguson
PDF, PPTX1,402 views

Memphis php html form processing with php

This document discusses best practices for processing HTML forms with PHP. It begins by introducing the presenter and describing common types of forms. It then discusses how to safely, securely, and reliably get input from users, emphasizing the importance of sanitizing and validating user data to prevent vulnerabilities like SQL injection. It provides examples of bad code and explains why it is insecure. The document then demonstrates how to properly sanitize and validate form input in PHP to avoid these risks. It concludes by offering tips, tricks, and additional resources on secure form handling.

Download as PDF, PPTX
HTML Form Processing with PHP Tips, Tricks, and Bad Ideas
Who is this guy? Joe Ferguson - joe@joeferguson.me Professionally ● Web Developer at RocketFuel ● PHP / LAMP Focused Semi Professional ● Co-Organizer for MemphisPHP.org ● MidsouthMakers - Hackerspace Leader ● HACKmemphis.com Organizer
Types of Forms ● ● ● ● ● Login Form Contact Form Questionnaire Sign Up Form Order Form Every application that interacts with the user uses forms in some manner.
The Problem (Use Case) I have a PHP Application that needs input: How do I… ● safely ● securely ● reliably ... get that input or other data from my users?
Little Bobby Tables... http://xkcd.com/327/
Bad Ideas: Code stolen from someone I follow on twitter that was pointing out bad code…
Whiskey... What is this code even doing?! open a database connection... insert some data... run the insert query….
Tango... What is this code even doing?! create a new query… run the new query and return data...
Foxtrot... What is this code even doing?! close all open connections… get us the heck out of here...
Why is the code bad? ● Using PHP short tags ○ Must be enabled in php.ini use sparingly if at all ● No data sanitization ○ Security?! never important ● No data validation ○ who cares! he trusts his users ● Directly saving user input into a database ○ Begging for a little bobby tables incident ● Not using prepared statements ○ PDO - it’s the wave of the future!
How do I safely get form data? Sanitize it!
How do I securely get form data? HTTPS (SSL)
How do I reliably get form data? Validate it!
Assumptions for our examples ● Existing JavaScript validation that input exists. ● You are using a POST or GET method ● You’re using SSL You can find these slides and examples: https://github.com/Svpernova09
Oh PHP, you so easy…. Create our form:
Oh PHP, you so easy…. Add our form processing:
I’m REALLY good at this PHP thing Output when the form has been submitted:
What if .... ...someone clever comes along? ...someone malicious comes along?
Wait a minute…. HOW DID THIS HAPPEN!!!111>>!??
It was all going so beautifully... Where did we go wrong? Line 53: We used the raw input from the user. This leaves us WIDE open to many attacks.
WTF! But PHP is so EASY! The user put JavaScript in our field: Since we just echoed the input, we injected the user’s JavaScript directly into our page:
How do we prevent such attacks? We must go Back... to line 53! htmlentities() = don’t parse as HTML Browser: Source:
Different ways to sanitize data Data Filters ● Validate Filters ○ FILTER_VALIDATE_EMAIL ○ FILTER_VALIDATE_INT ● Sanitize Filters ○ FILTER_SANITIZE_STRING ○ FILTER_SANITIZE_NUMBER_INT ● htmlspecialchars() ● htmlentities()
htmlentities OR htmlspecialchars ? ● htmlspecialchars() will encode only characters that have special significance in HTML ○ Example: ■ echo htmlspecialchars('<Il était une fois un être>.'); ■ // Outputs: &lt;Il était une fois un être&gt;. ● htmlentities() all characters which have HTML character entity equivalents are translated into these entities ○ Example: ■ ■ echo htmlentities('<Il était une fois un être>.'); // Outputs: &lt;Il &eacute;tait une fois un &ecirc;tre&gt; GREAT Explanation: http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars
filter_var or html* ? Data Filters are newer than html* functions They are the “better” way. They also depend on newer versions of PHP
But I’m a small shop, & trust users You can’t trust input from ANYONE! ● ● ● ● ● ● ● You Your Parents Your Co Workers Your Boss Your App’s Users Other Apps The Internet
Should I sanitize or validate? BOTH! SANITIZING your data is removing (or encoding) a specific set of characters from your data. VALIDATING your data is making sure the data is in the format you expect to be in.
Sanitizing Data Our new form (Example: 02 - Sanitizing Data)
Sanitizing Data Form Code View (Example: 02 - Sanitizing Data)
Sanitizing Data - Data Entry This is the type of input we want...
Sanitizing Data - Data Entry Make sure no malicious code is in the data... Output:
Sanitizing Data - BETTER way The more modern way: filter_var with flags: Output is the same:
Testing our Data Sanitization
What about check boxes? Let’s add a check box to our form
Sanitize everything! Even check boxes should be sanitized
Validating User Input Our new form (Example: 03 - Validating Data)
Validating User Input Form Code View (Example: 03 - Validating Data)
Validating User Input - Data Entry This is the type of input we want...
Validating Data - Data Entry Make sure the data conforms to expectations
Validating Data - Data Entry Output
Testing Our Validation
Testing Our Validation If we don’t enter an age… if we don’t enter our email...
What do we do with the data? No matter what you do from here… - the hard part is over. Your data is now: ● Validated! ● Sanitized!
Remember that Bad Idea?
Better idea...
Tips ● ALWAYS Sanitize your data. ○ Even if you don’t validate it. ○ Some data is harder to validate than others ● Use JavaScript to enforce requirements ○ JavaScript is great for checking data before it gets submitted. This makes PHP’s job easier ○ Don’t rely on JS to sanitize. Let PHP handle it. ● Offload your PHP processing via Ajax ○ Keeps your code cleaner by separating heavy lifting of data validation out of your form code. ● Show your users where they failed. ○ This also makes your own debugging easier
Tricks - Ajax Form Handling Form Code View (Example: 04 Ajax Form Handling)
Tricks Ajax Form Handling Ajax JavaScript to post the form
Tricks Ajax Form Handling This is the file we’re posting the form data to
Tricks Ajax Form Handling Output This allows you to separate logic away from the file that contains your form.
Tricks - Some tricks won’t last... Issue: Application Form getting spammed. Steps taken: ● We added reCAPTCHA Issue slowed, after some time they continued Further steps: For some reason the spam stopped...
Tricks - Getting Creative Add a question to your form:
Tricks - Getting Creative If the user answers correctly: If the user answers incorrectly:
Better Ideas: CSI:php - csiphp.com CSI:PHP is a great site to see not only bad code, but WHY it’s bad and how to make it better.
Links - Q & A ● ● ● ● MemphisPHP.org phptherightway.com CSIPHP.com Slides & Code Samples: ○ https://github.com/svpernova09 ● htmlentities() or htmlspecialchars()? ○ http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars ● xkcd: http://xkcd.com/

More Related Content

PDF
Helpful logging with python
byroskakori
 
PPTX
25 php interview questions – codementor
byArc & Codementor
 
PPTX
Javascript
byNital Shingala
 
PPT
Php Presentation
byManish Bothra
 
PPT
PHP Tutorials
byYuriy Krapivko
 
PPTX
PHP for HTML Gurus - J and Beyond 2012
byAndrea Tarr
 
DOCX
Script login form php
byHanief Rpl
 
PPTX
Ns3
byRehmat Ullah
 
Helpful logging with python
byroskakori
 
25 php interview questions – codementor
byArc & Codementor
 
Javascript
byNital Shingala
 
Php Presentation
byManish Bothra
 
PHP Tutorials
byYuriy Krapivko
 
PHP for HTML Gurus - J and Beyond 2012
byAndrea Tarr
 
Script login form php
byHanief Rpl
 
Ns3
byRehmat Ullah
 

Viewers also liked

PDF
Making web forms using php
bykrishnapriya Tadepalli
 
PPTX
Php Form
bylotlot
 
PPT
Chapter 02 php basic syntax
byDhani Ahmad
 
PPT
Chapter 07 php forms handling
byDhani Ahmad
 
PDF
ns-3: History and Future
bymathieu_lacage
 
PDF
Network Simulation NS3
bybaddi youssef
 
PPTX
3 php forms
byhello8421
 
PPTX
Arrays &amp; functions in php
byAshish Chamoli
 
ODP
Form Processing In Php
byHarit Kothari
 
DOC
Creating a Simple PHP and MySQL-Based Login System
byAzharul Haque Shohan
 
PPT
Php forms
byAnne Lee
 
PDF
Building Topology in NS3
byRahul Hada
 
PDF
Tutorial ns 3-tutorial-slides
byVinayagam D
 
PDF
ns-3 Tutorial
bymathieu_lacage
 
PPSX
Php and MySQL
byTiji Thomas
 
ODP
PHP Web Programming
byMuthuselvam RS
 
PPT
Introduction to PHP
byJussi Pohjolainen
 
Making web forms using php
bykrishnapriya Tadepalli
 
Php Form
bylotlot
 
Chapter 02 php basic syntax
byDhani Ahmad
 
Chapter 07 php forms handling
byDhani Ahmad
 
ns-3: History and Future
bymathieu_lacage
 
Network Simulation NS3
bybaddi youssef
 
3 php forms
byhello8421
 
Arrays &amp; functions in php
byAshish Chamoli
 
Form Processing In Php
byHarit Kothari
 
Creating a Simple PHP and MySQL-Based Login System
byAzharul Haque Shohan
 
Php forms
byAnne Lee
 
Building Topology in NS3
byRahul Hada
 
Tutorial ns 3-tutorial-slides
byVinayagam D
 
ns-3 Tutorial
bymathieu_lacage
 
Php and MySQL
byTiji Thomas
 
PHP Web Programming
byMuthuselvam RS
 
Introduction to PHP
byJussi Pohjolainen
 

Similar to Memphis php html form processing with php

PPTX
2-Chapter Edit.pptx debret tabour university
byalemunuruhak9
 
PDF
Tulsa techfest2010 security
byJason Ragsdale
 
PPTX
forms.pptx
byasmabagersh
 
PPTX
Working with data.pptx
bySherinRappai
 
PPTX
Php and web forms
bysana mateen
 
PDF
Validating and Sanitizing User Data
byzakieh alizadeh
 
DOCX
Php forms and validations by naveen kumar veligeti
byNaveen Kumar Veligeti
 
PDF
OWASP Top 10 - DrupalCon Amsterdam 2019
byAyesh Karunaratne
 
PPT
PHP - Introduction to PHP Forms
byVibrant Technologies & Computers
 
PPTX
html forms and server side scripting
bybantamlak dejene
 
PDF
Php, mysq lpart4(processing html form)
bySubhasis Nayak
 
PPT
Security.ppt
bywebhostingguy
 
PPT
12-security.ppt - PHP and Arabic Language - Index
bywebhostingguy
 
PPTX
Php ch-2_html_forms_and_server_side_scripting
bybantamlak dejene
 
PPS
Php Security3895
byAung Khant
 
PPT
Php Security By Mugdha And Anish
byOSSCube
 
PPS
Php security3895
byPrinceGuru MS
 
PPS
PHP Security
bymanugoel2003
 
PPTX
03-forms.ppt.pptx
byThắng It
 
PPT
PHPUG Presentation
byDamon Cortesi
 
2-Chapter Edit.pptx debret tabour university
byalemunuruhak9
 
Tulsa techfest2010 security
byJason Ragsdale
 
forms.pptx
byasmabagersh
 
Working with data.pptx
bySherinRappai
 
Php and web forms
bysana mateen
 
Validating and Sanitizing User Data
byzakieh alizadeh
 
Php forms and validations by naveen kumar veligeti
byNaveen Kumar Veligeti
 
OWASP Top 10 - DrupalCon Amsterdam 2019
byAyesh Karunaratne
 
PHP - Introduction to PHP Forms
byVibrant Technologies & Computers
 
html forms and server side scripting
bybantamlak dejene
 
Php, mysq lpart4(processing html form)
bySubhasis Nayak
 
Security.ppt
bywebhostingguy
 
12-security.ppt - PHP and Arabic Language - Index
bywebhostingguy
 
Php ch-2_html_forms_and_server_side_scripting
bybantamlak dejene
 
Php Security3895
byAung Khant
 
Php Security By Mugdha And Anish
byOSSCube
 
Php security3895
byPrinceGuru MS
 
PHP Security
bymanugoel2003
 
03-forms.ppt.pptx
byThắng It
 
PHPUG Presentation
byDamon Cortesi
 

More from Joe Ferguson

PDF
Modern infrastructure as code with ansible cake fest 2021
byJoe Ferguson
 
PDF
Modern infrastructure as code with ansible PyTN
byJoe Ferguson
 
PDF
Slim PHP when you don't need the kitchen sink
byJoe Ferguson
 
PDF
Throwing Laravel into your Legacy App™
byJoe Ferguson
 
PDF
DevSpace Conf 2017 - Making sense of the provisioning circus
byJoe Ferguson
 
PDF
Release and-dependency-management memphis python
byJoe Ferguson
 
PDF
Composer at Scale, Release and Dependency Management
byJoe Ferguson
 
PDF
Put an end to regression with codeception testing
byJoe Ferguson
 
PDF
Midwest PHP 2017 DevOps For Small team
byJoe Ferguson
 
PDF
All the Laravel Things – Up & Running to Making $$
byJoe Ferguson
 
PDF
Console Apps: php artisan forthe:win
byJoe Ferguson
 
PDF
Console Apps: php artisan forthe:win
byJoe Ferguson
 
PDF
All the Laravel things: up and running to making $$
byJoe Ferguson
 
PDF
So You Just Inherited a $Legacy Application… NomadPHP July 2016
byJoe Ferguson
 
PDF
So You Just Inherited a $Legacy Application...
byJoe Ferguson
 
PDF
Laravel Forge: Hello World to Hello Production
byJoe Ferguson
 
PDF
MidwestPHP 2016 - Adventures in Laravel 5
byJoe Ferguson
 
PDF
Acceptance & Functional Testing with Codeception - SunshinePHP 2016
byJoe Ferguson
 
PDF
Adventures in Laravel 5 SunshinePHP 2016 Tutorial
byJoe Ferguson
 
PDF
php[world] 2015 Laravel 5.1: From Homestead to the Cloud
byJoe Ferguson
 
Modern infrastructure as code with ansible cake fest 2021
byJoe Ferguson
 
Modern infrastructure as code with ansible PyTN
byJoe Ferguson
 
Slim PHP when you don't need the kitchen sink
byJoe Ferguson
 
Throwing Laravel into your Legacy App™
byJoe Ferguson
 
DevSpace Conf 2017 - Making sense of the provisioning circus
byJoe Ferguson
 
Release and-dependency-management memphis python
byJoe Ferguson
 
Composer at Scale, Release and Dependency Management
byJoe Ferguson
 
Put an end to regression with codeception testing
byJoe Ferguson
 
Midwest PHP 2017 DevOps For Small team
byJoe Ferguson
 
All the Laravel Things – Up & Running to Making $$
byJoe Ferguson
 
Console Apps: php artisan forthe:win
byJoe Ferguson
 
Console Apps: php artisan forthe:win
byJoe Ferguson
 
All the Laravel things: up and running to making $$
byJoe Ferguson
 
So You Just Inherited a $Legacy Application… NomadPHP July 2016
byJoe Ferguson
 
So You Just Inherited a $Legacy Application...
byJoe Ferguson
 
Laravel Forge: Hello World to Hello Production
byJoe Ferguson
 
MidwestPHP 2016 - Adventures in Laravel 5
byJoe Ferguson
 
Acceptance & Functional Testing with Codeception - SunshinePHP 2016
byJoe Ferguson
 
Adventures in Laravel 5 SunshinePHP 2016 Tutorial
byJoe Ferguson
 
php[world] 2015 Laravel 5.1: From Homestead to the Cloud
byJoe Ferguson
 

Recently uploaded

PDF
Uber Clone Future Mobility and Transportation.pdf
byV3cube
 
PDF
Supercharge your JVM performance with Project Leyden and Spring Boot
byAmmbra
 
PDF
How to get started with Agentic Automation
byUiPathCommunity
 
PDF
A SEA of Energy Efficiency Opportunities!
byMemoori
 
PDF
What Are AI Agentic Workflows? Unlock the Power of AI Agents in 2025!
byTeleglobal International
 
PDF
A business case for open source: From lock-in to value.pdf
byMindtrek
 
PDF
Bringing Ideas to Life: Visualization and Virtual Servers Explained with Powe...
bySyedSuhailBasha
 
PDF
Neural Networks in a Nutshell: A practical review and usage
byOlaf Reitmaier Veracierta
 
PDF
“Multimodal Enterprise-scale Applications in the Generative AI Era,” a Presen...
byEdge AI and Vision Alliance
 
PDF
Modernization Mondays - Architecture Modernization.pdf
byPrecisely
 
PDF
What Is Agentic AI and How Is It Transforming ERP Systems?
byScalaCode
 
PDF
“SKAIVISION: Transforming Automotive Dealerships with Computer Vision,” a Pre...
byEdge AI and Vision Alliance
 
PDF
GDG Cloud Southlake #46: Ozan Unlu: AI at Scale in Observability and Security
byJames Anderson
 
PDF
Dr. PANKAJ DHUSSA NASA 2025 INTERNATIONAL OBSERVE THE MOON NIGHT
byDr. PANKAJ DHUSSA
 
PPTX
UiPath Platform: Architecture & Context [1/3]
bysuhanisingh58689
 
PDF
How Industrial IoT Improves Quality Control and Drives Smart Manufacturing Ex...
byRejig Digital
 
PDF
Web Mapping 101: Creating Dynamic Web Maps with Geospatial Data
bySafe Software
 
PPTX
TechVerse Kent (Combining Tech, AI, Innovation and Creativity)
byKritarthDevli
 
PPTX
Documenta11y’s Role in Healthcare Document Accessibility
bydocumenta11y
 
PPTX
DOC-20250918-WA0002.pptx Understanding the World Around Us
byvivekpunde6
 
Uber Clone Future Mobility and Transportation.pdf
byV3cube
 
Supercharge your JVM performance with Project Leyden and Spring Boot
byAmmbra
 
How to get started with Agentic Automation
byUiPathCommunity
 
A SEA of Energy Efficiency Opportunities!
byMemoori
 
What Are AI Agentic Workflows? Unlock the Power of AI Agents in 2025!
byTeleglobal International
 
A business case for open source: From lock-in to value.pdf
byMindtrek
 
Bringing Ideas to Life: Visualization and Virtual Servers Explained with Powe...
bySyedSuhailBasha
 
Neural Networks in a Nutshell: A practical review and usage
byOlaf Reitmaier Veracierta
 
“Multimodal Enterprise-scale Applications in the Generative AI Era,” a Presen...
byEdge AI and Vision Alliance
 
Modernization Mondays - Architecture Modernization.pdf
byPrecisely
 
What Is Agentic AI and How Is It Transforming ERP Systems?
byScalaCode
 
“SKAIVISION: Transforming Automotive Dealerships with Computer Vision,” a Pre...
byEdge AI and Vision Alliance
 
GDG Cloud Southlake #46: Ozan Unlu: AI at Scale in Observability and Security
byJames Anderson
 
Dr. PANKAJ DHUSSA NASA 2025 INTERNATIONAL OBSERVE THE MOON NIGHT
byDr. PANKAJ DHUSSA
 
UiPath Platform: Architecture & Context [1/3]
bysuhanisingh58689
 
How Industrial IoT Improves Quality Control and Drives Smart Manufacturing Ex...
byRejig Digital
 
Web Mapping 101: Creating Dynamic Web Maps with Geospatial Data
bySafe Software
 
TechVerse Kent (Combining Tech, AI, Innovation and Creativity)
byKritarthDevli
 
Documenta11y’s Role in Healthcare Document Accessibility
bydocumenta11y
 
DOC-20250918-WA0002.pptx Understanding the World Around Us
byvivekpunde6
 

Memphis php html form processing with php

  • 1.
  • 2.
    Who is thisguy? Joe Ferguson - joe@joeferguson.me Professionally ● Web Developer at RocketFuel ● PHP / LAMP Focused Semi Professional ● Co-Organizer for MemphisPHP.org ● MidsouthMakers - Hackerspace Leader ● HACKmemphis.com Organizer
  • 3.
    Types of Forms ● ● ● ● ● LoginForm Contact Form Questionnaire Sign Up Form Order Form Every application that interacts with the user uses forms in some manner.
  • 4.
    The Problem (UseCase) I have a PHP Application that needs input: How do I… ● safely ● securely ● reliably ... get that input or other data from my users?
  • 5.
  • 6.
    Bad Ideas: Code stolenfrom someone I follow on twitter that was pointing out bad code…
  • 7.
    Whiskey... What is thiscode even doing?! open a database connection... insert some data... run the insert query….
  • 8.
    Tango... What is thiscode even doing?! create a new query… run the new query and return data...
  • 9.
    Foxtrot... What is thiscode even doing?! close all open connections… get us the heck out of here...
  • 10.
    Why is thecode bad? ● Using PHP short tags ○ Must be enabled in php.ini use sparingly if at all ● No data sanitization ○ Security?! never important ● No data validation ○ who cares! he trusts his users ● Directly saving user input into a database ○ Begging for a little bobby tables incident ● Not using prepared statements ○ PDO - it’s the wave of the future!
  • 11.
    How do Isafely get form data? Sanitize it!
  • 12.
    How do Isecurely get form data? HTTPS (SSL)
  • 13.
    How do Ireliably get form data? Validate it!
  • 14.
    Assumptions for ourexamples ● Existing JavaScript validation that input exists. ● You are using a POST or GET method ● You’re using SSL You can find these slides and examples: https://github.com/Svpernova09
  • 15.
    Oh PHP, youso easy…. Create our form:
  • 16.
    Oh PHP, youso easy…. Add our form processing:
  • 17.
    I’m REALLY goodat this PHP thing Output when the form has been submitted:
  • 18.
    What if .... ...someoneclever comes along? ...someone malicious comes along?
  • 19.
    Wait a minute…. HOWDID THIS HAPPEN!!!111>>!??
  • 20.
    It was allgoing so beautifully... Where did we go wrong? Line 53: We used the raw input from the user. This leaves us WIDE open to many attacks.
  • 21.
    WTF! But PHPis so EASY! The user put JavaScript in our field: Since we just echoed the input, we injected the user’s JavaScript directly into our page:
  • 22.
    How do weprevent such attacks? We must go Back... to line 53! htmlentities() = don’t parse as HTML Browser: Source:
  • 23.
    Different ways tosanitize data Data Filters ● Validate Filters ○ FILTER_VALIDATE_EMAIL ○ FILTER_VALIDATE_INT ● Sanitize Filters ○ FILTER_SANITIZE_STRING ○ FILTER_SANITIZE_NUMBER_INT ● htmlspecialchars() ● htmlentities()
  • 24.
    htmlentities OR htmlspecialchars? ● htmlspecialchars() will encode only characters that have special significance in HTML ○ Example: ■ echo htmlspecialchars('<Il était une fois un être>.'); ■ // Outputs: &lt;Il était une fois un être&gt;. ● htmlentities() all characters which have HTML character entity equivalents are translated into these entities ○ Example: ■ ■ echo htmlentities('<Il était une fois un être>.'); // Outputs: &lt;Il &eacute;tait une fois un &ecirc;tre&gt; GREAT Explanation: http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars
  • 25.
    filter_var or html*? Data Filters are newer than html* functions They are the “better” way. They also depend on newer versions of PHP
  • 26.
    But I’m asmall shop, & trust users You can’t trust input from ANYONE! ● ● ● ● ● ● ● You Your Parents Your Co Workers Your Boss Your App’s Users Other Apps The Internet
  • 27.
    Should I sanitizeor validate? BOTH! SANITIZING your data is removing (or encoding) a specific set of characters from your data. VALIDATING your data is making sure the data is in the format you expect to be in.
  • 28.
    Sanitizing Data Our newform (Example: 02 - Sanitizing Data)
  • 29.
    Sanitizing Data Form CodeView (Example: 02 - Sanitizing Data)
  • 30.
    Sanitizing Data -Data Entry This is the type of input we want...
  • 31.
    Sanitizing Data -Data Entry Make sure no malicious code is in the data... Output:
  • 32.
    Sanitizing Data -BETTER way The more modern way: filter_var with flags: Output is the same:
  • 33.
    Testing our DataSanitization
  • 34.
    What about checkboxes? Let’s add a check box to our form
  • 35.
    Sanitize everything! Even checkboxes should be sanitized
  • 36.
    Validating User Input Ournew form (Example: 03 - Validating Data)
  • 37.
    Validating User Input FormCode View (Example: 03 - Validating Data)
  • 38.
    Validating User Input- Data Entry This is the type of input we want...
  • 39.
    Validating Data -Data Entry Make sure the data conforms to expectations
  • 40.
    Validating Data -Data Entry Output
  • 41.
  • 42.
    Testing Our Validation Ifwe don’t enter an age… if we don’t enter our email...
  • 43.
    What do wedo with the data? No matter what you do from here… - the hard part is over. Your data is now: ● Validated! ● Sanitized!
  • 44.
  • 45.
  • 46.
    Tips ● ALWAYS Sanitizeyour data. ○ Even if you don’t validate it. ○ Some data is harder to validate than others ● Use JavaScript to enforce requirements ○ JavaScript is great for checking data before it gets submitted. This makes PHP’s job easier ○ Don’t rely on JS to sanitize. Let PHP handle it. ● Offload your PHP processing via Ajax ○ Keeps your code cleaner by separating heavy lifting of data validation out of your form code. ● Show your users where they failed. ○ This also makes your own debugging easier
  • 47.
    Tricks - AjaxForm Handling Form Code View (Example: 04 Ajax Form Handling)
  • 48.
    Tricks Ajax FormHandling Ajax JavaScript to post the form
  • 49.
    Tricks Ajax FormHandling This is the file we’re posting the form data to
  • 50.
    Tricks Ajax FormHandling Output This allows you to separate logic away from the file that contains your form.
  • 51.
    Tricks - Sometricks won’t last... Issue: Application Form getting spammed. Steps taken: ● We added reCAPTCHA Issue slowed, after some time they continued Further steps: For some reason the spam stopped...
  • 52.
    Tricks - GettingCreative Add a question to your form:
  • 53.
    Tricks - GettingCreative If the user answers correctly: If the user answers incorrectly:
  • 54.
    Better Ideas: CSI:php- csiphp.com CSI:PHP is a great site to see not only bad code, but WHY it’s bad and how to make it better.
  • 55.
    Links - Q& A ● ● ● ● MemphisPHP.org phptherightway.com CSIPHP.com Slides & Code Samples: ○ https://github.com/svpernova09 ● htmlentities() or htmlspecialchars()? ○ http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars ● xkcd: http://xkcd.com/