Secure Form Validation
Secure Form Validation

Secure Form Validation


It is of critical importance to ensure that your forms are secure and safe. Secure in that surfers cannot enter data which can harm or exploit your server. There are two levels of security: client-side and server-side. Let’s first discuss client-side.


In the case of client-side, you use the browser (using client-side JavaScript) to catch simple failures like mandatory fields that are empty, or catch invalid input (e.g., non-numeric input when you are collecting numeric data). You can find an abundant number of examples just by Googling ‘jquery form validation’. This is your first line of defense. These client-side security measures can, however, be bypassed: for example, if JavaScript disabled in browser.


Your next line of defense in secure form validation is server-side based. This method is PHP-based, and it applies to all browsers. First, you need to clean all form input:


$name = clean_input($_POST["name"]);
function test_input($input) {
$input = trim($input);
$input = stripslashes($input);
$input = htmlspecialchars($input);
return $input;


The PHP htmlspecialchars() function escapes any HTML code so it is safe to be displayed on a page or inside an email. The PHP trim() function strip unnecessary characters (extra space, tab, newline, etc.): skip in cases where you are collecting data in paragraph format via <textarea> where newlines etc. are desired. The PHP stripslashes() function removes backslashes (\) from the user input data: slashes often are used when hackers are submitting malicious data to exploit the web server.


This is okay if you collecting data to be stored in a file, displayed to the screen, or emailed. But, there are special circumstances if the user input data is stored in a mySQL database. There is a security concern in regard to mySQL injection attacks.


To quote Wikipedia:

SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.


How can one avoid mySQL injection attacks? Like we discussed earlier, clean user input data:

  1. Escape user data. For example: $name= mysql_real_escape_string($name);
  2. Check user data variable type. This is done by using the php functions “is_numeric()”, “is_string()”, “is_float()”, and “is_int()” to determine if the input the user is sending in is of the same type that you are requesting. Although not 100%, if you were asking for a number and they sent in a word you know to discard it, and return an error thereby entirely evading a mySQL injection attack.
  3. Use prepared mySQL statements via MySQL Improved (mysqli) if your version of PHP supports it.


Using all of these secure form validation measures will secure your forms. Better to side with caution. Better to over-validate rather than under-validate, and server-side validation should always be employed: especially if the form sends emails, writes to files, or writes to a database.

Leave a Reply