Best Security Measures on User Input

cgdtalent · 02-08-2013, 05:37 AM

On a form where users can input information, is it best to use strip_tags or use htmlentities or do both?

Also, is it necessary to filter the output on a form? For instance if all fields are required and they leave one field empty, then all the info they previously input is now displayed in the form fields again - should this be filtered going out as well?

salesmachine · 02-08-2013, 06:59 AM

I think strip_tags will be the best measures for your category.

LearningCoder · 02-08-2013, 08:18 AM

You could just use mysqli prepared statements, then when you want to display the data from the database to yourself or for whatever purpose, you could strip the tags then. I've always been told if you are re-displaying the data, then don't edit what the user has put. I used to strip all tags and as many 'special characters' as I could but was told to simply leave them in, then when you need to use that data, use those type of functions when re-displaying.

So now I leave the data as it is, insert using a prepared statement, then strip certain tags out, but only a few. I'm still not 100% sure on the way to handle data which you re-display on your website.

Regards,

LC

devinmaking · 02-08-2013, 09:56 AM

I use PDO prepared statements to make sure input fields are safe.

I use it for anything i am dragging from a website including when fetching data from the url.