
PHP form validation gives a false feeling of security


Vicne


Hi,

I think the page about PHP form validation should make clear that validation issues depend on the context and that the proposed validation (the "test_input" function at the end) only protects against rogue URLs.

Indeed, I just found a rather popular page in the IoT community that uses that exact function for values to be inserted in a database. Unfortunately, if I'm not mistaken, the test_input function does nothing to prevent SQL injection (a value like "1';drop table SensorData;" would happily pass through test_input) and, to the contrary, would modify perfectly valid SQL string values (e.g. with slashes) before insertion.

Currently, as your page starts with "Think SECURITY when processing PHP forms!" and ends with a section named with the generic "Validate Form Data With PHP" title, one expects that this code is the universal way of validating data.

I think it would be good to make clear that most of this page is about a particular case of validation and that the proposed function is a method to "Validate URL parameters With PHP", and that other methods are to be applied depending on the context...

Keep up the good work,

Vicne
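The two behaviours the post describes, as an added example that is not part of the post or of the validation tutorial it refers to. The test_input() helper is the one from that tutorial (trim, stripslashes, htmlspecialchars); the in-memory SQLite table named SensorData, its sensor_id and reading columns, the sample rows and the two inputs are all constructed for this example. The injection payload is deliberately written without quotes or angle brackets so that it survives test_input() unchanged on every PHP version (whether a single quote is encoded by htmlspecialchars() depends on the default flags, which changed in PHP 8.1).

```php
<?php
// Added example (not from the forum post or the tutorial it discusses).
// test_input() is the helper from the tutorial; the database, table
// layout and inputs below are constructed for this demonstration.

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// Stand-in for the IoT sensor database: assumed schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE SensorData (sensor_id INTEGER, reading REAL)');
$db->exec('INSERT INTO SensorData VALUES (1, 21.5), (2, 19.0), (3, 23.1)');

// Constructed attacker input for a numeric lookup. It contains none of
// the characters test_input() touches (<, >, &, quotes, surrounding
// whitespace, backslashes), so it comes back exactly as submitted.
$id = test_input('1 OR 1=1');
echo "test_input() returned: " . var_export($id, true) . "\n";

// Vulnerable pattern: the "validated" value is pasted into the SQL text,
// so the OR clause becomes part of the query and every sensor matches.
$sql  = "SELECT * FROM SensorData WHERE sensor_id = $id";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo count($rows) . " row(s) from the interpolated query\n";

// Safe pattern: a prepared statement sends the value separately from
// the SQL, so it is compared as data and never parsed as SQL.
$stmt = $db->prepare('SELECT * FROM SensorData WHERE sensor_id = :id');
$stmt->execute([':id' => $id]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo count($rows) . " row(s) from the prepared query\n";

// Collateral damage: a legitimate value containing backslashes (here a
// constructed Windows path) is altered by stripslashes() before it is
// ever stored, even though it was never dangerous to the database.
$path = test_input('C:\\sensors\\log.txt');
echo "stored path would be: " . var_export($path, true) . "\n";
```

Run with the PDO SQLite extension enabled. The interpolated query returns all three rows because the submitted text is parsed as SQL, while the prepared query returns none because the same text is compared as a value against an integer column; the final line shows the backslashes removed from the path, which is the modification of valid data the post mentions. The practical point is the one the post makes: escaping for HTML output and escaping for SQL are different operations, and neither is a substitute for parameterised queries.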
