[REL] AfterCMS | Plus Emulator | PHP7
<blockquote data-quote="BIOS" data-source="post: 398231" data-attributes="member: 15674"><p>1. It depends what type of data you're validating. For example, the <a href="http://php.net/manual/en/function.filter-var.php" target="_blank">filter_var()</a> method has options which make it useful for validating data such as IP addresses and e-mail addresses, e.g: FILTER_VALIDATE_EMAIL.</p><p></p><p>If you're only expecting a whole number, I'd opt for something like <a href="http://php.net/manual/en/function.ctype-digit.php" target="_blank">ctype_digit</a> over others such as is_numeric as this particular function allows for float values which you probably don't want in a lot of cases; if you're looking for a user's ID etc.</p><p></p><p>2. I generally wouldn't as that may allow for tainted input, which as you know can lead to a lot of problems and may even make your application vulnerable somewhere down the process.</p><p></p><p>This is why I opt for a whitelist validation approach. If you require a username that only contains letters and numbers, make sure that's all you allow; nothing else should pass. Then I'd store it in the database using prepared statements and such for extra measure, then it is pulled back out somewhere and sanitized before it's finally displayed on the page.</p></blockquote><p></p>
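The approach BIOS describes above (whitelist validation with filter_var()/ctype_digit, prepared statements on the way in, escaping on the way out) as one runnable example. This is an added illustration, not code from the original post or from AfterCMS; the field names, the length limits and the in-memory SQLite table are assumptions chosen so it runs offline, and the request rows are constructed sample input.

```php
<?php
// Added example (not from the original post): whitelist validation of
// request fields, then storage with prepared statements and escaping on
// output. Field names, limits and the SQLite schema are assumptions.
declare(strict_types=1);

/** Accept only a whole, non-negative number; returns null otherwise. */
function validateWholeNumber(string $value): ?int
{
    // ctype_digit() rejects "1.5", "-3", "1e3" and "" (is_numeric() accepts
    // the first three), which is what you want for a user ID. It is given a
    // string on purpose: passed an int, ctype_digit() treats it as an ASCII code.
    if (!ctype_digit($value) || strlen($value) > 18) {
        return null;
    }
    return (int) $value;
}

function validateEmail(string $value): ?string
{
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function validateIp(string $value): ?string
{
    $ip = filter_var($value, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

/** Whitelist: 3 to 20 ASCII letters or digits; nothing else passes. */
function validateUsername(string $value): ?string
{
    return preg_match('/\A[A-Za-z0-9]{3,20}\z/', $value) === 1 ? $value : null;
}

/** Validate a whole form; returns [cleanFields, rejectedFieldNames]. */
function validateProfileForm(array $input): array
{
    $rules = [
        'user_id'  => 'validateWholeNumber',
        'username' => 'validateUsername',
        'email'    => 'validateEmail',
        'last_ip'  => 'validateIp',
    ];
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $validator) {
        $raw = $input[$field] ?? null;
        // Anything that is not a string (arrays, missing keys) is rejected too.
        $value = is_string($raw) ? $validator(trim($raw)) : null;
        if ($value === null) {
            $errors[] = $field;
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

// --- Demonstration with constructed input (in-memory SQLite, no server). ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, last_ip TEXT)');

$requests = [
    ['user_id' => '42', 'username' => 'bios1', 'email' => 'bios@example.com', 'last_ip' => '203.0.113.7'],
    // Rejected: float-looking ID, username with a space, malformed e-mail, impossible IP.
    ['user_id' => '4.2', 'username' => 'bios user', 'email' => 'not-an-email', 'last_ip' => '999.1.1.1'],
];

foreach ($requests as $req) {
    [$clean, $errors] = validateProfileForm($req);
    if ($errors) {
        echo 'rejected fields: ', implode(', ', $errors), PHP_EOL;
        continue;
    }
    // Prepared statement: the values are bound, never spliced into the SQL text.
    $stmt = $pdo->prepare('INSERT INTO users (id, username, email, last_ip) VALUES (:id, :u, :e, :ip)');
    $stmt->execute([
        ':id' => $clean['user_id'],
        ':u'  => $clean['username'],
        ':e'  => $clean['email'],
        ':ip' => $clean['last_ip'],
    ]);
}

// Escape at the point of display, even though the input was whitelisted on the way in.
foreach ($pdo->query('SELECT id, username, email FROM users') as $row) {
    printf("<li>%d: %s &lt;%s&gt;</li>\n",
        $row['id'],
        htmlspecialchars($row['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        htmlspecialchars($row['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}
```

Run it with `php example.php` (needs the pdo_sqlite extension). The first request is stored and echoed as an escaped list item; the second is rejected on all four fields before any database call is made, which is the point of validating against a whitelist rather than trying to clean up bad input.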