PHP form validation gives a false feeling of security

I think the page about PHP form validation should make clear that validation issues depend on the context and that the proposed validation (the "test_input" function at the end) only protects against rogue URLs.

Indeed, I just found a rather popular page in the IoT community that uses that exact function for values to be inserted in a database. Unfortunately, if I'm not mistaken, the test_input function does nothing to prevent SQL injection (a value like "1';drop table SensorData;" would happily pass through test_input) and, on the contrary, would modify perfectly valid SQL string values (e.g. with slashes) before insertion.

Currently, as your page starts with "Think SECURITY when processing PHP forms!" and ends with a section named with the generic "Validate Form Data With PHP" title, one expects that this code is the universal way of validating data.

I think it would be good to make clear that most of this page is about a particular case of validation and that the proposed function is a method to "Validate URL parameters With PHP", and that other methods are to be applied depending on the context...

Keep up the good work,
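
The context dependence described in the post above, as an added example that is not part of the original post or of the tutorial it refers to. It assumes test_input() has the trim/stripslashes/htmlspecialchars body, uses a hypothetical `value` column and a constructed backslash sample, and needs the pdo_sqlite extension. It prints what test_input() does to each value next to what a bound parameter actually stores.

```php
<?php
// Assumption: test_input() is trim + stripslashes + htmlspecialchars.
function test_input(string $data): string
{
    $data = trim($data);
    $data = stripslashes($data);   // deletes backslashes from legitimate data
    // HTML encoding, not SQL escaping. Single quotes are left alone before
    // PHP 8.1 (default ENT_COMPAT) and become &#039; from PHP 8.1 on.
    return htmlspecialchars($data);
}

// Constructed samples: the string quoted in the post, and a legitimate
// value that contains backslashes.
$samples = [
    "1';drop table SensorData;",
    'C:\\sensors\\room1',
];

// In-memory SQLite table; the column name "value" is hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE SensorData (id INTEGER PRIMARY KEY, value TEXT)');

// Prepared statements: the SQL text is fixed and the value travels
// separately as data, so it is never parsed as SQL.
$insert = $pdo->prepare('INSERT INTO SensorData (value) VALUES (:value)');
$select = $pdo->prepare('SELECT value FROM SensorData WHERE id = :id');

foreach ($samples as $raw) {
    $insert->execute([':value' => $raw]);
    $select->execute([':id' => (int) $pdo->lastInsertId()]);
    $stored = $select->fetchColumn();

    printf("raw:        %s\n", $raw);
    printf("test_input: %s\n", test_input($raw));
    printf("stored:     %s (%s)\n\n", $stored,
        $stored === $raw ? 'unchanged' : 'ALTERED');
}

// The table is still there and holds one row per sample.
$count = $pdo->query('SELECT COUNT(*) FROM SensorData')->fetchColumn();
printf("rows in SensorData: %d\n", $count);

// HTML escaping belongs at output time, when a stored value is echoed
// into a page, not before it is written to the database.
echo htmlspecialchars($samples[1], ENT_QUOTES, 'UTF-8'), "\n";
```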

