I’m writing a PHP script to grab text box data from a submitted form. These are simple text boxes and I don’t want to accept any HTML tags. I think I should at least use strip_tags() and addslashes(). Anything else? I wouldn’t mind restricting the input to alphanumerics, should I use a regular expression to seek out nonstandard characters?
This is a simple form that actually (ugh) gets emailed to the person processing it. (No database, sadly.) And it’s simple data, first and last name sort of things.
Edit: I’d also like to know specifically what I should be looking for. What’s the consensus on reasonable input filtering?
Use the PHP filter functions.
You can use them for sanitizing input and validating input (eg email addresses).
There are two approaches to validation (this also applies to security and lots of other things).
Firstly, you can default to allow anything except for that which is explicitly disallowed. Or you can default ti disallowing everything except that which is specifically allowed.
Generally speaking the latter approach is more secure and should be used except in cases where you have a compelling reason not to (eg it’s simply too hard to know what’s allowed, you’re doing an app for users who aren’t deemed to be a security threat and so on).
You have to be careful using this however. For people’s names characters like ‘ and – are perfectly valid but naive implementations may restrict them. What you want to generally avoid is:
A good default value to use is:
but pick the right filter for the situation.