As in my last post, I explained how to create a new note using a form and request methods, but I didn't store the data in a database table.
Diving in code
Today, I learned how to get input from users using forms and store it in a database, as well as how to validate forms to ensure the data is correct and secure.
On VS Code Side
In fresh VS Code (version 1.90 at the time of work), we need following dependencies:
create a new note and store it in database
escape untrusted input
make form validate to prevent security vulnerabilities
Introduction
When building web applications, security is a top priority. Two essential practices to ensure security are escaping untrusted input and validating forms. In this post, we'll explore how to implement these practices in PHP.
Create Note Form
When creating a note, the user submits a form that stores data in the database using a database query. The user-id is set to 1 for each note. This process occurs in the note-create.php file.
<?php
$config = require('config.php');
$db = new Database($config['database']);
$heading = 'Create Note';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$db->query('INSERT INTO notes(body, user_id) VALUES(:body, :user_id)', [
'body' => $_POST['body'],
'user_id' => 1
]);
}
require 'views/note-create.view.php';
Escaping Untrusted Input
To prevent XSS attacks, it's essential to escape output in the notes.php file using htmlspecialchars. This function escapes special chars, ensuring that malicious code cannot be injected.
<a href="note.php?id=<?= htmlspecialchars($note['id']) ?>"><?= htmlspecialchars($note['body']) ?></a>
Form Validation
Form validation is crucial to prevent security vulnerabilities. In the note-create.php file, form data is validated using strlen and conditional statements. The script checks if the body is empty or exceeds 1000 characters, displaying error messages if validation fails. Prepared statements are used to prevent SQL injection, and user input is validated to prevent security vulnerabilities.
<?php
$config = require('config.php');
$db = new Database($config['database']);
$heading = 'Create Note';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$errors = [];
if (strlen($_POST['body']) === 0) {
$errors['body'] = 'A body is required';
}
if (strlen($_POST['body']) > 1000) {
$errors['body'] = 'The body can not be more than 1,000 characters.';
}
if (empty($errors)) {
$db->query('INSERT INTO notes(body, user_id) VALUES(:body, :user_id)', [
'body' => $_POST['body'],
'user_id' => 1
]);
}
}
require 'views/note-create.view.php';
Conclusion
In this post, we learned how to escape untrusted input and validate forms in PHP. By following these practices, you can ensure that your PHP application is secure and reliable. Remember to always validate user input and escape output to prevent security vulnerabilities like XSS attacks and SQL injection.
I hope that you have clearly understood it .
Top comments (0)