In this shot, we will learn to perform back-end validation in PHP.
Let’s imagine that we built a web application and are ready to ship it to the world. We should think twice before doing so.
First, is our front-end secured? We must ensure that we use the latest HTML 5 features to protect our form inputs, JavaScript for a better UX when filling the form, and so on.
We can learn more about front-end validation here.
Next, is our back-end also protected? If not, this shot is for you.
Why do we need back-end validation when our front-end is already robust? Because the front-end validation is easy to bypass. As a rule of thumb, the server should never trust the data it receives from the client (browser).
We can bypass the front-end validation when:
We need prepared statements if our application relies on user inputs to perform database tasks:
<?php
function add_project($title, $category)
{
    try {
        global $connection;
        $sql = 'INSERT INTO projects(title, category) VALUES(?, ?)';
        // prepare: send the statement template (with ? placeholders) to the database server
        $statement = $connection->prepare($sql);
        $new_project = array($title, $category);
        // execute: send the parameter values separately from the SQL text;
        // execute() itself only returns true/false, rowCount() gives the affected rows
        $statement->execute($new_project);
        $affectedLines = $statement->rowCount();
        return $affectedLines;
    } catch (PDOException $exception) {
        // debugging output: reveals the query and driver message to the client
        echo $sql . "<br>" . $exception->getMessage();
        exit;
    }
}
In the above code:
- The ? characters are placeholders for the values that are supplied later (title and category).
- prepare() the statement, i.e., create an SQL statement template and send it to the database server.
- execute() the statement, during which the parameter values are sent to the server.
Note: You can learn more about the prepared statement from this shot.
Web applications rely on a big part of external data, and by default, this data should be seen as unsafe. Therefore, failing to apply PHP filtering may lead to security issues.
To filter input, PHP provides us with a built-in function called filter_var().
Let’s see some examples of the filter_var() function.
The filter_var() function accepts two parameters: the variable to filter and the ID of the filter to apply (a FILTER_SANITIZE_* or FILTER_VALIDATE_* constant).
The sample code for sanitization of string str is given below:
<?php
// sanitize a string: strip tags and encode quotes
// (FILTER_SANITIZE_STRING is deprecated since PHP 8.1; htmlspecialchars() is the recommended replacement)
$str = "<h1>Hello World!</h1>";
$newStr = filter_var($str, FILTER_SANITIZE_STRING);
echo $newStr;
The sample code for validation of integer int is given below:
<?php
// validate an integer
$int = '2';
echo (filter_var($int, FILTER_VALIDATE_INT)) ? "This is an integer." : "This is not an integer.";
The above code works as intended, except when $int = 0.
We can do a zero check to work around it:
<?php
// validate an integer
$int = '0';
$filtered = filter_var($int, FILTER_VALIDATE_INT);
// filter_var() returns the int 0 here, which is falsy, so it must be tested explicitly
// (comparing with `$filtered !== false` is the usual idiom)
echo ($filtered || $filtered === 0) ? "This is an integer." : "This is not an integer.";
The output shows that it is not working for the case where int=0.
<?php
$email = 'sarah.lifaefi@kavira.com';
// Remove all illegal symbols from email
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
// Validate e-mail: yes, it's a properly formatted e-mail address
echo (filter_var($email, FILTER_VALIDATE_EMAIL)) ? "This is a valid e-mail address." : "This is not a valid e-mail address.";
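The following is an added example that is not part of the original shot. It ties the two halves together: every submitted field is validated with filter_var() on the server (including the $int = 0 case, handled by comparing with false rather than relying on truthiness), and only validated data reaches a PDO prepared statement. It assumes a hypothetical projects table with title, category and contact_email columns, and uses an in-memory SQLite database in place of the real $connection so it runs offline; the submissions array is constructed to stand in for $_POST.

```php
<?php
// Added example (not the shot's own code): server-side validation with
// filter_var(), then insertion through a PDO prepared statement.
// Assumption: a "projects" table with title, category and contact_email columns.
declare(strict_types=1);

function validate_project(array $input): array
{
    $errors = [];
    $clean  = [];

    // Title: required, bounded length (bytes), surrounding whitespace removed.
    $title = trim((string) ($input['title'] ?? ''));
    if ($title === '' || strlen($title) > 100) {
        $errors['title'] = 'Title must be 1-100 characters.';
    } else {
        $clean['title'] = $title;
    }

    // Category: integer in 0..9. Compare against false, not with a truthiness
    // check, so that a legitimate category 0 is accepted.
    $category = filter_var(
        $input['category'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 9]]
    );
    if ($category === false) {
        $errors['category'] = 'Category must be an integer between 0 and 9.';
    } else {
        $clean['category'] = $category;
    }

    // Contact e-mail: FILTER_NULL_ON_FAILURE yields null instead of false on failure.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL, FILTER_NULL_ON_FAILURE);
    if ($email === null) {
        $errors['email'] = 'A valid e-mail address is required.';
    } else {
        $clean['email'] = $email;
    }

    return ['ok' => $errors === [], 'data' => $clean, 'errors' => $errors];
}

function add_project(PDO $connection, array $data): int
{
    // Named placeholders; the values never become part of the SQL text.
    $sql = 'INSERT INTO projects (title, category, contact_email) VALUES (:title, :category, :email)';
    $statement = $connection->prepare($sql);
    $statement->bindValue(':title', $data['title'], PDO::PARAM_STR);
    $statement->bindValue(':category', $data['category'], PDO::PARAM_INT);
    $statement->bindValue(':email', $data['email'], PDO::PARAM_STR);
    $statement->execute();
    return $statement->rowCount();
}

// --- demo with constructed input (stands in for $_POST) ---
$connection = new PDO('sqlite::memory:');
$connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$connection->exec('CREATE TABLE projects (id INTEGER PRIMARY KEY, title TEXT, category INTEGER, contact_email TEXT)');

$submissions = [
    ['title' => 'Intranet portal',         'category' => '0',  'email' => 'sarah.lifaefi@kavira.com'],
    ['title' => "O'Neill's 2024 roadmap",  'category' => '3',  'email' => 'dev@example.com'],
    ['title' => '',                        'category' => '12', 'email' => 'not-an-address'],
];

foreach ($submissions as $i => $submission) {
    $result = validate_project($submission);
    if (!$result['ok']) {
        echo "Submission $i rejected: " . implode(' ', $result['errors']) . "\n";
        continue;
    }
    add_project($connection, $result['data']);
    echo "Submission $i stored.\n";
}

// The apostrophes in the second title were stored as literal text, not interpreted as SQL.
foreach ($connection->query('SELECT title, category FROM projects') as $row) {
    echo $row['category'] . ': ' . $row['title'] . "\n";
}
```

The first submission is accepted even though its category is 0, the second shows that quoting characters in a title are harmless when bound as a parameter, and the third is rejected on all three fields before any database call is made. In a real handler the errors array is what you would return to the client instead of echoing it.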
This shot explained that the front-end validation alone is not enough in web applications. We should combine it with back-end validation to make them fully secure. We should also remember:
- filter_var($var, FILTER_SANITIZE_*) is to clean the illegal characters out of the data.
- filter_var($var, FILTER_VALIDATE_*) is to confirm that the data is in a valid format.