Form Tutorial Help

[ben03]

Hi there,

  I was using the https://www.w3schools.com/php/php_form_validation.asp tutorial to create a form that strips out malicious tags etc via the following. However when I receive the form the tags seem to be intact. Is what I am doing wrong and how should I correct it if so?

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

<?php

$phone = $location = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $phone = test_input($_POST["phone"]);
    $location = test_input($_POST["location"]);

    $toEmail = 'email@address.com';
    $emailSubject = 'Callback request form';
    $headers = ['From' => 'homepage', 'Reply-To' => 'noreply', 'Content-type' => 'text/html; charset=iso-8859-1'];

    $bodyParagraphs = ["Callback request number: {$phone}<br />", "Location: {$location}"];
    $body = join(PHP_EOL, $bodyParagraphs);

    if (mail($toEmail, $emailSubject, $body, $headers)) {
        echo '<p>Thank you for your interest, we will respond as soon as possible.</p>';
    } else {
        echo '<p>Something went wrong. Please try again later.</p>';
    }
}

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}
?>

 

[Ingolme]

The tags aren't removed, they're just converted into text so that they can't be interpreted as HTML.

[ben03]

ah ok, thanks Ingolme. Are there other security concerns with forms that should be addressed or does this technique generally cover most?

[niche]

Potentially, there are all kinds to potential security issues not covered by:

http:// https://www.w3schools.com/php/php_form_validation.asp

Everything from malicious attacks to cleaning inputs. 

[niche]

Just now, niche said:

Potentially, there are all kinds to potential security issues not covered by:

http:// https://www.w3schools.com/php/php_form_validation.asp

Everything from malicious attacks to cleaning inputs. 

EDIT:

PDO doesn't even cover them all.