Sanitizing form input

From: Validating and Processing Forms with JavaScript and PHP

Video: Sanitizing form input

Sanitizing means cleaning up the data coming in from your form so that it can't be used to run malicious scripts or otherwise misuse your application. You need to be careful when receiving input from any form, since forms are the way users pass information to your server, and malicious users will try to get at sensitive information by exploiting pages that handle input unsafely. The highest-risk moments are when your form saves the information to a database, prints it back out onto a page, or emails it to someone else; each of those is a different context, and each needs its own kind of cleanup. If you've been following along with this course, you've already learned how to use regular expressions to validate user input.

One way to sanitize your input is to check what the user types against regular expression patterns and reject anything that doesn't match. PHP also has a number of built-in functions that help prevent misuse of your forms, and which ones you use depends on what you're trying to prevent and where the data is going. strip_tags() removes HTML and PHP tags from a string. It's useful if you want to strip links or other markup out of a comment, but note that it keeps the text that was between the tags, and the PHP manual itself warns that it is not a complete defense against cross-site scripting on its own. You can take a look at the PHP manual for more information about strip_tags(). htmlspecialchars() converts the characters that have special meaning in HTML (&, <, >, double quotes, and single quotes if you pass the ENT_QUOTES flag) to HTML entities.

So, for example, the less-than and greater-than signs become &lt; and &gt;. That way, when user input gets printed, the browser shows it as text instead of treating it as part of your page. Without that, somebody could type in a script tag or a closing body tag, and when it printed out it would cut your page off or run a script in your visitors' browsers. Here's the page for htmlspecialchars() on the PHP website. htmlentities() works much like htmlspecialchars(), but it converts every character that has a named HTML entity, not just the handful that carry markup meaning.

It has a number of parameters to control what gets converted and which character set is assumed. Here is the page for that function. mysqli_real_escape_string() is for database use. It doesn't remove anything; it backslash-escapes the characters that could break out of a quoted string in a SQL statement (quotes, backslashes, NUL, and line breaks), using the connection's character set, so the result is only safe when it is placed inside quotes in the query, and only for string values. Today the better habit is a prepared statement with bound parameters, which keeps the data separate from the SQL entirely. The last function, filter_var(), is the most powerful and flexible of the group. It can do what the other functions do and provides a set of validation and sanitization filters with flags and options for customization.
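To make the differences between these functions concrete, here is an added example that is not part of the course or its exercise files. It runs one constructed hostile string through strip_tags(), htmlspecialchars() and htmlentities(), and shows mysqli_real_escape_string() beside the prepared-statement alternative. The `comments(body)` table and the mysqli connection passed to the two storage functions are assumptions; those functions are defined but not called, so the script runs from the command line without a database.

```php
<?php
// Added example (not from the course or its exercise files): the same hostile
// input run through each function named above, to show what each one does and
// where it belongs. The input string is constructed for this illustration.

$input = '<b>Hi</b><script>alert(1)</script> O\'Reilly & "Sons" </body>';

// strip_tags(): removes the tags but keeps the text between them, so the
// script body "alert(1)" survives as plain text. Fine for reducing a comment
// to plain text on the way in; not a complete XSS defense by itself.
$plain = strip_tags($input);
// A second argument whitelists tags you want to keep.
$plainWithBold = strip_tags($input, '<b>');

// htmlspecialchars(): encodes & < > " (and ' with ENT_QUOTES) as entities so
// the browser renders them as text. Pass the charset explicitly. This is the
// call to use when echoing user data into an HTML page.
$forHtml = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// htmlentities(): same idea, but converts every character with a named entity
// (é becomes &eacute;, for example), not only the markup characters.
$allEntities = htmlentities('café ' . $input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// Output context: strip on input if you like, but always encode at output.
// Even the stripped copy still holds raw & and quotes, so it is encoded too.
echo '<p>Plain text: ' . htmlspecialchars($plain, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</p>\n";
echo '<p>Kept bold:  ' . $plainWithBold . "</p>\n"; // only <b> survived strip_tags, but & and quotes are still raw
echo '<p>Encoded:    ' . $forHtml . "</p>\n";
echo '<p>Entities:   ' . $allEntities . "</p>\n";

// mysqli_real_escape_string(): removes nothing. It backslash-escapes the
// characters that could terminate a quoted SQL string literal (quotes,
// backslash, NUL, newline, carriage return, Ctrl-Z) according to the
// connection's charset, so it is only correct when the result is placed
// inside quotes in the query, and only for string values. Needs a live
// connection, which is why it lives in a function that is not called here.
function storeCommentEscaped(mysqli $db, string $body): bool
{
    $db->set_charset('utf8mb4');           // escaping depends on the charset
    $safe = $db->real_escape_string($body);
    return $db->query("INSERT INTO comments (body) VALUES ('{$safe}')") === true;
}

// Preferred: a prepared statement sends the value separately from the SQL
// text, so no escaping is needed and no charset mistake can undo it.
function storeCommentPrepared(mysqli $db, string $body): bool
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    return $stmt->execute();
}
```

Run it with `php` on the command line and view the output in a browser-less terminal: the "Kept bold" line is the one that is still unsafe, because strip_tags() with a whitelist leaves the ampersand and quotes untouched and leaves any attributes on the allowed tag alone. That is the reason the transcript's advice to encode at output holds even after stripping on input.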

Here's the page for it on the PHP website. You want to make sure you click through to the types of filters to take a look at all of the different kinds available. There are validation filters, which return the value if it passes and false if it doesn't, and sanitization filters, which return a cleaned-up copy of the value. Let's click on those. You can see that every one of those filters has a lot of options. Let's try this out on our page. I'm going to modify the comment field so you can't put HTML tags in there. So, I need to go all the way to the bottom and add a short note to the label that lets people know HTML is not allowed.

Then I'm going to go to the top and find the place where I check for the comment section, and that's right here, where I'm checking the post variable for comments. What I want to do here is use the filter_var() function, passing in the comments from the $_POST superglobal along with the constant for the filter I want. I'm going to use FILTER_SANITIZE_STRING, which strips HTML tags and HTML-encodes single and double quotes. (Note that this particular filter is deprecated as of PHP 8.1; on current versions, strip tags on input with strip_tags() and encode at output with htmlspecialchars() or FILTER_SANITIZE_FULL_SPECIAL_CHARS instead.) And I assign the result back to my comments variable.

What I'm doing here is taking the variable my comments and running a sanitizing filter over the string from the posted comments. So let's go ahead and save this, and I'm going to refresh this page, just reload the form. Notice that it says HTML is not allowed. I'll try typing something in here with HTML. I'm going to hit Send, and when this reloads, the tag is gone from the bold word. Most of the time filter_var() is the function you should be reaching for on input; just keep in mind that it doesn't replace encoding at the point of output, or a parameterized query when the data goes into a database.
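The comment-handler change walked through above, written out as an added example rather than the course's exercise file. It assumes POST fields named `comments` and `email` and a 2000-byte limit, and it replaces the deprecated FILTER_SANITIZE_STRING with strip_tags() on input plus FILTER_SANITIZE_FULL_SPECIAL_CHARS at output; the sample submission at the bottom is constructed so the script runs from the command line in place of a real $_POST.

```php
<?php
// Added example (not the course's exercise file): the comment-form handler
// described above, written as functions so it can be run from the command
// line. Field names ("comments", "email") and the length limit are assumed.

// FILTER_SANITIZE_STRING, used in the video, strips tags and encodes quotes
// but is deprecated as of PHP 8.1. On current PHP, strip the tags explicitly
// on the way in and encode on the way out.
function cleanComment(?string $raw, int $maxBytes = 2000): ?string
{
    $text = strip_tags((string) $raw);
    // Drop control characters except tab, carriage return and newline.
    $text = preg_replace('/[^\P{C}\t\r\n]+/u', '', $text);
    if ($text === null) {              // invalid UTF-8 makes preg_replace fail
        return null;
    }
    $text = trim($text);
    return ($text === '' || strlen($text) > $maxBytes) ? null : $text;
}

// Validation filters return the value on success and false on failure; they
// do not alter the input, so validate first and sanitize afterwards.
function cleanEmail(?string $raw): ?string
{
    $email = filter_var(trim((string) $raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Process one submission. Returns ['errors' => [...], 'data' => [...]].
function handleCommentForm(array $post): array
{
    $errors = [];
    $data = [];

    $comment = cleanComment($post['comments'] ?? null);
    if ($comment === null) {
        $errors[] = 'A comment is required (HTML is not allowed, 2000 characters max).';
    } else {
        $data['comments'] = $comment;
    }

    $email = cleanEmail($post['email'] ?? null);
    if ($email === null) {
        $errors[] = 'Please enter a valid email address.';
    } else {
        $data['email'] = $email;
    }

    return ['errors' => $errors, 'data' => $data];
}

// Encode at the moment of output. FILTER_SANITIZE_FULL_SPECIAL_CHARS is the
// filter_var() equivalent of htmlspecialchars() with ENT_QUOTES.
function renderComment(string $comment): string
{
    return '<p>' . filter_var($comment, FILTER_SANITIZE_FULL_SPECIAL_CHARS) . '</p>';
}

// Constructed sample submission, standing in for $_POST.
$sample = [
    'comments' => "Great <b>course</b>! <script>alert('x')</script> 5 > 3 & \"quotes\"",
    'email'    => 'reader@example.com',
];
$result = handleCommentForm($sample);
if ($result['errors'] === []) {
    echo renderComment($result['data']['comments']), "\n";
} else {
    foreach ($result['errors'] as $e) {
        echo $e, "\n";
    }
}
```

In a real page you would call handleCommentForm($_POST) and only insert into the database or build the email once the errors array is empty. Notice that the stripped comment still contains the text of the script tag's body and the raw > and & characters; that is expected, and it is why renderComment() encodes again at output instead of trusting the input-side cleanup.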

You will often see the mysqli_real_escape_string() function used in database applications, although prepared statements are the safer choice wherever they're available. Some of these functions require particular versions of PHP; filter_var() and the filter extension arrived with PHP 5.2, so if you have a server still running PHP 4 (which has been unsupported for years), the more convenient modern functions are not going to work, and you should be planning an upgrade rather than working around them.

This video is part of

  1. 3m 36s
    1. Welcome
      1m 9s
    2. What you should know
      1m 2s
    3. Using the exercise files
      1m 25s
  2. 12m 50s
    1. Understanding forms
      2m 2s
    2. Working with form fields
      7m 4s
    3. Using the form tag
      3m 44s
  3. 19m 23s
    1. Using input validation
      2m 10s
    2. Adding required fields and placeholders
      1m 31s
    3. Constraining numeric and date fields
      2m 32s
    4. Accepting multiple entries
      1m 41s
    5. Limiting uploads by MIME types
      2m 35s
    6. Assisting text input with a datalist
      1m 55s
    7. Constraining with regular expression patterns
      6m 59s
  4. 42m 13s
    1. Accessing forms
      3m 57s
    2. Looking up form elements
      3m 35s
    3. Handling focus changes
      2m 47s
    4. Detecting the onchange event
      4m 31s
    5. Using the selectedIndex property
      2m 30s
    6. Dynamic validation with regular expressions
      7m 0s
    7. Creating a generic input validation function
      4m 31s
    8. Validating in older browsers with Modernizr
      7m 32s
    9. Interrupting form submission with onsubmit
      5m 50s
  5. 15m 20s
    1. Understanding jQuery
      3m 47s
    2. Validating on submit with jQuery
      3m 45s
    3. Building interactive jQuery validation
      2m 34s
    4. Using the jQuery Validation plugin
      5m 14s
  6. 32m 57s
    1. Communicating with PHP servers
      2m 27s
    2. Retrieving data from superglobals
      8m 18s
    3. Using server-side validation
      4m 59s
    4. Adding in-page validation
      5m 22s
    5. Mirroring input data back to the user
      7m 46s
    6. Sanitizing form input
      4m 5s
  7. 43m 29s
    1. Mailing form data
      8m 28s
    2. Understanding file uploads
      3m 1s
    3. Uploading files
      9m 20s
    4. Processing form data with AJAX
      8m 14s
    5. Preparing your database
      5m 50s
    6. Pushing data
      8m 36s
  8. 1m 17s
    1. Next steps
      1m 17s
