Vicne Posted November 2, 2019

Hi,

I think the page about PHP form validation should make clear that validation issues depend on the context and that the proposed validation (the "test_input" function at the end) only protects against rogue URLs.

Indeed, I just found a rather popular page in the IoT community that uses that exact function for values to be inserted in a database. Unfortunately, if I'm not mistaken, the test_input function does nothing to prevent SQL injection (a value like "1';drop table SensorData;" would happily pass through test_input) and, on the contrary, would modify perfectly valid SQL string values (e.g. with slashes) before insertion.

Currently, as your page starts with "Think SECURITY when processing PHP forms!" and ends with a section named with the generic "Validate Form Data With PHP" title, one expects that this code is the universal way of validating data. I think it would be good to make clear that most of this page is about a particular case of validation and that the proposed function is a method to "Validate URL parameters With PHP", and that other methods are to be applied depending on the context...

Keep on the good work,

Vicne
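The context mismatch the post describes, as an added example (not code from the post or from the tutorial page it discusses). The `test_input` helper below is a reconstruction of the commonly published version (trim, stripslashes, htmlspecialchars), which prepares a value for an HTML context only. The rest assumes PHP 7.4+ with the pdo_sqlite extension and uses an in-memory SQLite database with constructed sample rows, so it runs offline. It shows that the helper alters legitimate values bound for the database, that a numeric-context payload contains no HTML-special characters and therefore passes through unchanged into a concatenated query, and that validating for the SQL context (a type check) plus a bound parameter is the appropriate defence.

```php
<?php
// Added example; assumes PHP 7.4+ with pdo_sqlite. Table name and rows are constructed.

// Reconstruction of the "test_input" helper the post refers to: it prepares a
// value for an HTML context (entity encoding), not for a SQL context.
function test_input(string $data): string {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE SensorData (id INTEGER PRIMARY KEY, label TEXT, value REAL)');
$db->exec("INSERT INTO SensorData (label, value) VALUES ('kitchen', 21.5), ('garage', 8.0)");

// 1. Context mismatch: test_input corrupts perfectly valid database values.
$label = test_input('Temp & Humidity');       // constructed sample value
$path  = test_input('C:\\sensors\\node1');     // constructed sample value
echo "stored label: $label\n";   // Temp &amp; Humidity  (HTML entity ends up in the database)
echo "stored path:  $path\n";    // C:sensorsnode1       (legitimate backslashes stripped)

// 2. A numeric-context payload has no HTML-special characters, so test_input
//    returns it unchanged and string concatenation executes it as SQL.
$id = test_input('0 OR 1=1');                  // constructed hostile value
$rows = $db->query("SELECT label FROM SensorData WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);
echo "concatenated query returned " . count($rows) . " rows\n";   // 2: every row is returned

// 3. Validate for the SQL context (integer id) and bind the value instead of
//    splicing it into the statement text.
function fetchLabel(PDO $db, string $rawId): ?string {
    $intId = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($intId === false) {
        return null;                           // reject: not an integer id
    }
    $stmt = $db->prepare('SELECT label FROM SensorData WHERE id = :id');
    $stmt->bindValue(':id', $intId, PDO::PARAM_INT);
    $stmt->execute();
    $label = $stmt->fetchColumn();
    return $label === false ? null : $label;
}

var_dump(fetchLabel($db, '0 OR 1=1'));  // NULL: rejected by the integer check
var_dump(fetchLabel($db, '2'));         // string(6) "garage"
```

The point of `fetchLabel` is that the check matches the destination: an id column wants an integer, so the raw string is validated as one and then bound with `PDO::PARAM_INT`; the HTML-encoding step belongs at output time, when the stored value is rendered into a page, not before insertion.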