Validating and Processing Forms with JavaScript and PHP
with Ray Villalobos

Video: Sanitizing form input
Course contents:

Chapter 1 (3m 36s)
  1. Welcome (1m 9s)
  2. What you should know (1m 2s)
  3. Using the exercise files (1m 25s)

Chapter 2 (12m 50s)
  1. Understanding forms (2m 2s)
  2. Working with form fields (7m 4s)
  3. Using the form tag (3m 44s)

Chapter 3 (19m 23s)
  1. Using input validation (2m 10s)
  2. Adding required fields and placeholders (1m 31s)
  3. Constraining numeric and date fields (2m 32s)
  4. Accepting multiple entries (1m 41s)
  5. Limiting uploads by MIME types (2m 35s)
  6. Assisting text input with a datalist (1m 55s)
  7. Constraining with regular expression patterns (6m 59s)

Chapter 4 (42m 13s)
  1. Accessing forms (3m 57s)
  2. Looking up form elements (3m 35s)
  3. Handling focus changes (2m 47s)
  4. Detecting the onchange event (4m 31s)
  5. Using the selectedIndex property (2m 30s)
  6. Dynamic validation with regular expressions (7m 0s)
  7. Creating a generic input validation function (4m 31s)
  8. Validating in older browsers with Modernizr (7m 32s)
  9. Interrupting form submission with onsubmit (5m 50s)

Chapter 5 (15m 20s)
  1. Understanding jQuery (3m 47s)
  2. Validating on submit with jQuery (3m 45s)
  3. Building interactive jQuery validation (2m 34s)
  4. Using the jQuery Validation plugin (5m 14s)

Chapter 6 (32m 57s)
  1. Communicating with PHP servers (2m 27s)
  2. Retrieving data from superglobals (8m 18s)
  3. Using server-side validation (4m 59s)
  4. Adding in-page validation (5m 22s)
  5. Mirroring input data back to the user (7m 46s)
  6. Sanitizing form input (4m 5s)

Chapter 7 (43m 29s)
  1. Mailing form data (8m 28s)
  2. Understanding file uploads (3m 1s)
  3. Uploading files (9m 20s)
  4. Processing form data with AJAX (8m 14s)
  5. Preparing your database (5m 50s)
  6. Pushing data (8m 36s)

Chapter 8 (1m 17s)
  1. Next steps (1m 17s)

Online video course: Validating and Processing Forms with JavaScript and PHP (2h 51m, Intermediate, released Apr 23, 2013)

Validating web forms is a critical skill for any web developer, ensuring that the data that's submitted is complete, accurate, and nonmalicious before it's sent off to the server. Join author Ray Villalobos in this course as he shows how to validate input from site visitors with HTML5, JavaScript, and jQuery and then process the data with PHP. Plus, learn how to email form data and save it in a MySQL database so that it's ready for other applications.

Topics include:
  • Understanding forms
  • Adding required fields and placeholders
  • Accepting multiple entries
  • Limiting uploads
  • Handling focus changes
  • Validating with regular expressions
  • Working with older browsers
  • Building jQuery validation
  • Using server-side validation
  • Sanitizing form input
  • Uploading files
  • Sending form data to a database
Subjects: Developer, Web
Software: JavaScript, PHP
Author: Ray Villalobos

Sanitizing form input

Sanitizing means cleaning up the data in your form to prevent malicious scripts from executing. You need to be careful when receiving input from any form, since forms are a way for users to pass information to your server. Malicious users can sometimes try to get access to sensitive information by exploiting unsafe pages. Most security threats from misuse happen when your form is saving information to an existing database, outputting the info to a page, or emailing data to someone else. If you've been following along with this video, you've already learned how to use regular expressions to validate user input.

One way to sanitize your input is to check what the user types against regular expression patterns. PHP also has a lot of functions that can help you prevent the misuse of your forms. Which ones you use depends on the context of what you're trying to prevent. strip_tags() removes HTML tags from input fields. It's useful if you want to strip any links or other code out of the text. You can take a look at the PHP manual for more information about strip_tags(). htmlspecialchars() converts some characters to HTML entities.

So, for example, the less-than and greater-than signs become &lt; and &gt;. If some user input gets printed, it won't become a part of your page. For example, somebody might type in a script tag or a closing body tag, and when that prints out, it would stop your page or create a script that runs. Here's the page for htmlspecialchars() on the PHP website. htmlentities() is pretty much like htmlspecialchars(), but it converts as many characters as possible.

It has a lot of parameters to allow you to control what gets converted. Here is the page for that function. mysqli_real_escape_string() is used for database sanitizing. It removes special characters that could be considered dangerous when passed into a database. The last function, filter_var(), is the most powerful and flexible of all the functions. It lets you do what all the other functions do and provides a number of filters and configurations for customization.

Here's its page on the PHP website. And you want to make sure you click on the types of filters to take a look at all of the different kinds of filters available. So there are validation filters and sanitization filters. So let's click on those. You can see that every one of those filters has a lot of options. Let's try this out on our page. I'm going to modify the comment field, so you can't put HTML tags in there. So I need to go all the way to the bottom and add a small thing to the label that will just let people know that HTML is not allowed.

Then I'm going to go to the top and find the place where I check for the comment section, and that's right here. So I'm checking the post variable for comments. And what I want to do here is use the filter_var() function, pass along the comments from the post superglobal, as well as the constant that I want to filter with. And I'm just going to use FILTER_SANITIZE_STRING, which will remove any HTML special characters. And I need to make my comments equal to all that.

What I'm doing here is taking the variable my comments and running a filter sanitizing the string from the posted comments. So let's go ahead and save this, and I'm going to refresh this page, just reload the form. Notice that it says HTML is not allowed. And I'll try typing something in here with HTML. I'm going to hit Send, and when this reloads, the tag is gone from the bold word. Most of the time you should be using the filter_var() function.

You will often see the mysqli_real_escape_string() function used in database applications. Some of these functions require different versions of PHP, so if you have a server running PHP 4, some of the more convenient modern functions are not going to work.
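The functions the transcript walks through, run over one constructed comment so their differences are visible, followed by the output-encoding step that matters when a comment is mirrored back to the page. This is an added example, not the course's exercise file; the sample text and the sanitize_comment() and render_comment() helpers are assumptions made for illustration.

```php
<?php
// Added example (not the course's own exercise file). It runs the four
// sanitizing functions the transcript names over one constructed comment,
// then shows the output-encoding step for mirroring a comment back.
// The field name 'comments' follows the transcript; the sample text and
// the two helper functions are assumptions for illustration.

// Constructed sample standing in for $_POST['comments'].
$posted = '<b>Nice</b> site & "thanks" </body><script>alert(1)</script>';

// strip_tags(): removes the tags (including the closing body tag the
// transcript mentions) but leaves &, quotes and the text between tags alone.
$stripped = strip_tags($posted);

// htmlspecialchars(): encodes < > & " and, with ENT_QUOTES, ' as entities,
// so a browser renders the characters instead of parsing them as markup.
$escaped = htmlspecialchars($posted, ENT_QUOTES, 'UTF-8');

// htmlentities(): like htmlspecialchars() but converts every character that
// has a named entity, e.g. the accented letter below, not just the special few.
$entities = htmlentities('café & <b>', ENT_QUOTES, 'UTF-8');

// filter_var(): FILTER_SANITIZE_FULL_SPECIAL_CHARS is the filter equivalent
// of htmlspecialchars() with ENT_QUOTES. FILTER_SANITIZE_STRING, used in the
// video (strip tags, encode quotes), still works but is deprecated since PHP 8.1.
$filtered = filter_var($posted, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

// Server-side handling as in the video: clean the posted text before storing
// it. Stripping on the way in limits what gets saved ...
function sanitize_comment(string $raw): string
{
    return trim(strip_tags($raw));
}

// ... but the step that actually stops stored text from becoming part of
// the page is encoding at output time, every time it is printed.
function render_comment(string $stored): string
{
    return '<p class="comment">'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')
        . '</p>';
}

foreach (['strip_tags' => $stripped, 'htmlspecialchars' => $escaped,
          'htmlentities' => $entities, 'filter_var' => $filtered] as $name => $out) {
    echo $name, ': ', $out, PHP_EOL;
}
echo render_comment(sanitize_comment($posted)), PHP_EOL;
```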
