Everything posted by Vicne

  1. Hi, I think the page about PHP form validation should make clear that validation issues depend on the context and that the proposed validation (the "test_input" function at the end) only protects against rogue URLs. Indeed, I just found a rather popular page in the IoT community that uses that exact function for values to be inserted in a database. Unfortunately, if I'm not mistaken, the test_input function does nothing to prevent SQL injection (a value like "1';drop table SensorData;" would happily pass through test_input) and, to the contrary, would modify perfectly valid SQL string values (e.g. with slashes) before insertion. Currently, as your page starts with "Think SECURITY when processing PHP forms!" and ends with a section named with the generic "Validate Form Data With PHP" title, one expects that this code is the universal way of validating data. I think it would be good to make clear that most of this page is about a particular case of validation and that the proposed function is a method to "Validate URL parameters With PHP", and that other methods are to be applied depending on the context... Keep up the good work, Vicne
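The contextual point made in the post above, as an added example that is not part of the original post or of the tutorial page it discusses: the `test_input()` helper below is written the way PHP form tutorials commonly reproduce it (trim, stripslashes, htmlspecialchars; assumed to be the function the post refers to), the `SensorData` table and its `value` column are constructed for this example, and the script assumes the `pdo_sqlite` extension is available. It shows that the helper alters valid input, that its output is HTML entity encoding rather than anything meaningful to SQL, and that the database-context defense is a prepared statement with bound parameters.

```php
<?php
// Added example (not from the original post or the page it discusses).
// Demonstrates why an HTML-oriented helper is the wrong tool for values
// headed into a database, and what the database-context defense looks like.

// The helper as commonly reproduced in PHP form tutorials (assumption: this
// is the test_input function the post refers to).
function test_input(string $data): string {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// 1. test_input() silently alters valid data: stripslashes() removes the
//    backslashes from a perfectly legitimate value.
$path = 'C:\\sensors\\log.txt';            // single quotes: \\ becomes one backslash
echo "original:   $path\n";
echo "test_input: " . test_input($path) . "\n";   // C:sensorslog.txt

// 2. Whether a single quote survives depends on the PHP version's default
//    htmlspecialchars() flags (ENT_COMPAT before 8.1, ENT_QUOTES from 8.1).
//    Either way the result is HTML entity encoding, which is not an SQL
//    defense: the function has no idea what SQL is.
$hostile = "1';drop table SensorData;";   // the value quoted in the post
echo "test_input: " . test_input($hostile) . "\n";

// 3. The context-appropriate defense for the database: a prepared statement
//    binds the value as data, so its content cannot change the query text.
//    Assumption: pdo_sqlite is installed; table and column names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE SensorData (id INTEGER PRIMARY KEY, value TEXT NOT NULL)');

$stmt = $db->prepare('INSERT INTO SensorData (value) VALUES (:value)');
foreach ([$path, $hostile, "O'Reilly"] as $raw) {
    // No test_input() here: the raw value is bound, never interpolated into SQL.
    $stmt->execute([':value' => $raw]);
}

// The table still exists and holds every value byte-for-byte.
$rows = $db->query('SELECT value FROM SensorData ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $row) {
    echo "stored: $row\n";
}

// 4. Encoding belongs at the point of output, chosen per context: when a
//    stored value is rendered into HTML, encode it then, with explicit flags.
foreach ($rows as $row) {
    echo htmlspecialchars($row, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";
}
```

Run it from the command line with `php example.php`; the `stored:` lines show the three values exactly as submitted, including the one containing SQL keywords, because the prepared statement never treats a bound parameter as part of the statement. The same separation of concerns applies in the other direction: values destined for an HTML page are encoded when they are written to the page, not when they are read from the form.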