Input validation

The month of PHP bugs is over, but you should still watch the PHP-Security blog, since there are good things coming from there, like this article: Holes in most preg_match() filters. Go read it if you are using regular expressions for input validation. Two tips to avoid these pitfalls:

  • Cast your input to the datatype you expect before validating
  • Use capture to get the values out which interest you rather than trying to validate the whole string (this also adds usability because it helps users if they included tabs / spaces at the beginning or end of the input – for example because they were copy-pasting it from a Word document)
, ,

Leave a Reply

Your email address will not be published. Required fields are marked *