jimfog Posted January 28, 2013
I am in the process of validating the form; so far I have used custom functions. Recently I came across the filter_var function and I wanted to know if someone has used it and what their opinion of it is. Should I leave control of validation/sanitization completely to this function? Someone might argue that this depends on my needs, but I wanted to hear views anyway.
birbal Posted January 28, 2013
It is best to use the built-in validation function. It has common validations like URL and email built in, without any use of regex. It also has a facility for regex-based validation and even custom-rule validation using a callable function. Moreover, it is native PHP code, so it is faster. One advantage of it is that you can build an array of validation rules and use it for form generation and validation in one place.
jimfog Posted January 28, 2013 (Author)
I used the filter sanitize_string for a phone form field. And what surprised me is that multiple dashes (------) are considered valid. So custom checks are needed too (using regular expressions), along with the filters of course.
jimfog Posted January 29, 2013 (Author)
filter_var with SANITIZE_STRING just strips the input of tags like h2, h1, br etc... I think more is needed. When it comes to strings like city, address etc., where there is no validate filter available (like there is for e-mail, for example), more must be done. Custom checks might be needed.
jeffman Posted January 29, 2013
For city and address, there may be nothing you can do. Even in one country, there are many different ways to write an address. Your best bet is to make sure there is no HTML in the text, no JavaScript, and if you are saving this in a database, always prevent SQL injection. You can Google that.
jimfog Posted January 31, 2013 (Author)
"...make sure there is no HTML in the text, no javascript,"
When we say "escape output", do we mean the above? Does sanitization take care of that?
birbal Posted January 31, 2013
Escaping is different from sanitizing or filtering.
Sanitizing: removing unwanted characters from the input and returning the resulting string.
Validation: checking for the existence of unwanted characters and passing if it matches, otherwise not; returns something like a boolean.
Escape: marking some characters so that in a particular context they will have a different meaning than the usual meaning of the character. E.g. echo "hello world \n"; we use '\' to escape 'n', which is distinct from an ordinary 'n' and represents a newline. Another e.g.: echo "it is \" quoted \" string";
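The three steps the thread keeps circling (validate, sanitize, escape), put side by side as an added example; this is not code from the thread. It assumes hypothetical form fields email, phone and city, and uses FILTER_VALIDATE_REGEXP for the phone check so that a run of dashes like "------" is rejected rather than passed through:

```php
<?php
// Added example, not from the thread. Field names are hypothetical.

/** Validation answers yes/no and never modifies the value. */
function validate_email(string $input): bool
{
    return filter_var($input, FILTER_VALIDATE_EMAIL) !== false;
}

/** Validation with FILTER_VALIDATE_REGEXP: the pattern requires digits,
 *  so "------" (which a plain sanitizer lets through) fails here. */
function validate_phone(string $input): bool
{
    $opts = ['options' => ['regexp' => '/^\+?[0-9]{6,15}$/']];
    return filter_var($input, FILTER_VALIDATE_REGEXP, $opts) !== false;
}

/** Sanitization removes what we never want: tags, control characters,
 *  surrounding whitespace. FILTER_SANITIZE_STRING is deprecated since
 *  PHP 8.1, so strip_tags() is used instead. */
function sanitize_text(string $input): string
{
    $clean = strip_tags($input);
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean);
    return trim($clean);
}

/** Escaping happens at output time, for the context being written to
 *  (here: HTML). For SQL, use a prepared statement instead of escaping. */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$post = [
    'email' => 'user@example.com',
    'phone' => '------',
    'city'  => '<b>Athens</b> <script>alert(1)</script>',
];

$errors = [];
if (!validate_email($post['email'])) { $errors[] = 'email'; }
if (!validate_phone($post['phone'])) { $errors[] = 'phone'; }  // fails: no digits
$city = sanitize_text($post['city']);                           // "Athens alert(1)"

// The sanitized value is still escaped when it is echoed into HTML.
echo '<p>City: ' . escape_html($city) . '</p>';
```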
jimfog Posted February 18, 2013 (Author, edited)
Furthermore, your explanation of sanitization/validation is messy. You are saying essentially that sanitization is the same as validation, since, according to you, they both check for unwanted characters. Anyway... I found some resources on the web about these two and it is clear to me now. About escaping... I have understood what it is all about.
Edited February 18, 2013 by jimfog