This might seem like a daft question, but the sanitizing of user input continually confuses me, and I would like once and for all to get a definitive answer.
So here's the scenario:
- Customer fills in web form.
- PHP checks that the mandatory fields have been filled in appropriately, if not it doesn’t let the customer continue until they are.
- If so then the user input is displayed on screen for confirmation, while the input data is also stored as hidden form elements.
- Customer then confirms input, the hidden elements are then sent on for further processing.
Working with the principle that data shouldn't be escaped until the last minute, how would this apply to the data stored in the hidden elements at point 3? (Obviously I have applied htmlentities() to the data printed on screen at this point too.)
Should I use htmlentities on the hidden elements? However, this is technically not the last stage, as after part 4 I would then be using the variables again before sticking them into a DB or email.
I am fully aware that I might be doing this completely wrong, so any thoughts are very welcome. ^_^
If you're writing out the user's input to the page, it should ALWAYS be escaped. Otherwise there's nothing to stop people adding JavaScript etc. to their input, or trying to escape out of your hidden fields and inject code onto the page. So yup, use htmlentities on the hidden fields too. Just because the user can't see them doesn't stop people from injecting code into them.
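An added example (not code from either poster) of the confirmation step described above, showing the raw-interpolation version beside the escaped one. It uses htmlspecialchars with ENT_QUOTES in place of htmlentities, which matters because without ENT_QUOTES a single-quoted attribute is not protected; the form field names and sample values are constructed.

```php
<?php
// Added example: escape for the HTML context at output time, keep the raw
// value for later use (DB, email each need their own context-specific handling).

// Escape a string for use inside an HTML element body or attribute value.
// ENT_QUOTES escapes both ' and " so a value cannot close the attribute it sits in;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Re-emit the step 1 input as hidden fields for the confirmation page (step 3).
function hiddenFields(array $input): string
{
    $html = '';
    foreach ($input as $name => $value) {
        // Both the field name and its value are user-controlled text, so both are escaped.
        $html .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n", h($name), h($value));
    }
    return $html;
}

// Constructed sample standing in for $_POST from step 1 (not real form data).
$input = [
    'name' => "O'Brien",
    'note' => '"><script>alert(1)</script>',
];

// VULNERABLE: raw interpolation lets the "note" value close the attribute and inject markup.
$vulnerable = '<input type="hidden" name="note" value="' . $input['note'] . '">';
echo "Vulnerable markup:\n$vulnerable\n\n";

// SAFE: the same value rendered as text inside the attribute.
echo "Escaped markup:\n" . hiddenFields($input) . "\n";

// When the confirmation form is submitted (step 4) the browser sends the decoded
// value, so $_POST holds the original text again. That is why escaping belongs at
// each output point rather than before storage: the round trip is lossless.
foreach ($input as $name => $value) {
    if (htmlspecialchars_decode(h($value), ENT_QUOTES) !== $value) {
        throw new RuntimeException("Round trip changed the value of '$name'");
    }
}
echo "Round trip preserved all values.\n";
```

The escaped output is only correct for an HTML attribute; the same raw value still needs a prepared statement for the DB and header-safe handling for email, as the question's later steps require.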