PHP Forms Security
To ensure the correctness of the data, proper validation should be done. As an example, assume you have an input field that asks for the user's age. If a user types a string like "hello" there and submits, and you save that value without any validation, your database will hold invalid data that can break your website.
In the same way, hackers can use your forms to attack your website.
To protect your data from hackers and spammers, secure validation must be done: validate every user input before processing it.
Cross-Site Scripting (XSS Attacks)
This is the main type of attack we should think about when handling forms. First, we should understand what Cross-Site Scripting is.
Open the form we created in the last chapter, input <script>alert('Hacked')</script> as the name and submit. You will see an alert (if your browser does not have a built-in XSS filter): the page echoed your input back without escaping it, so the browser treated it as real script. Great, you hacked your own form!
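To see why the alert fires and how to stop it, here is an added example (not code from the tutorial) of the same greeting written two ways: once echoing the submitted name raw, once passing it through htmlspecialchars() so the browser shows the text instead of running it. The field name "name" follows the tutorial's form; the function names and the fallback payload are assumptions for this example.

```php
<?php
// Added example, not from the original tutorial: a form handler that reflects
// the submitted name, shown first unescaped and then escaped for HTML.
// Only the field name "name" comes from the tutorial's form; the rest is assumed.

declare(strict_types=1);

// Vulnerable: whatever the user typed is copied straight into the page, so a
// value such as <script>alert('Hacked')</script> becomes live markup.
function greet_unsafe(string $name): string
{
    return "<p>Hello, " . $name . "!</p>";
}

// Hardened: htmlspecialchars() turns <, >, &, " and ' into HTML entities, so
// the browser displays the characters instead of parsing them. ENT_QUOTES
// covers both quote styles (needed when the value lands inside an attribute)
// and the explicit charset avoids mis-decoding multi-byte input.
function greet_safe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello, " . $escaped . "!</p>";
}

// Constructed input: when run from the command line $_POST is empty, so the
// payload from the tutorial's own demonstration is used instead.
$submitted = $_POST['name'] ?? "<script>alert('Hacked')</script>";

echo "Unsafe output:\n" . greet_unsafe($submitted) . "\n\n";
echo "Escaped output:\n" . greet_safe($submitted) . "\n";
```

Run it with `php greet.php` to compare the two strings, or drop `greet_safe()` into the form handler from the last chapter. Note that htmlspecialchars() is the right encoding for text placed in the HTML body or in a quoted attribute; a value inserted into a JavaScript block or a URL needs its own encoding, and escaping on output is needed even when the input has already been validated.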
There are three other validations that you should do.
- Validate the request method. (Optional)
- Remove unnecessary white space from the input.
- Check whether the input matches its expected type (a date is a date, an email is an email, and so on).
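The three checks above, carried through in one function as an added example that is not part of the tutorial. The field names "age", "email" and "birthday", the accepted age range and the date format are assumptions chosen for the example; the functions used (trim(), filter_var(), DateTime::createFromFormat()) are standard PHP.

```php
<?php
// Added example, not from the original tutorial: request-method check,
// whitespace trimming and type validation for an assumed form with the
// fields "age", "email" and "birthday".

declare(strict_types=1);

/**
 * Validates the submitted fields and returns a list of error messages.
 * An empty array means every field passed.
 *
 * @param array<string, mixed> $input  Usually $_POST.
 * @param string $method               Usually $_SERVER['REQUEST_METHOD'].
 * @return string[]
 */
function validate_form(array $input, string $method): array
{
    $errors = [];

    // 1. Request method: the form is declared with method="post", so any other
    //    method (for example a crafted GET link) is rejected before the data is read.
    if ($method !== 'POST') {
        return ['Form must be submitted with POST.'];
    }

    // 2. Strip surrounding whitespace. Only strings are trimmed; a non-string
    //    (an array smuggled in as age[]=...) is treated as an empty value.
    $clean = [];
    foreach (['age', 'email', 'birthday'] as $field) {
        $value = $input[$field] ?? '';
        $clean[$field] = is_string($value) ? trim($value) : '';
    }

    // 3. Type checks. filter_var() returns false when the value does not match
    //    the filter, so "hello" never reaches the database as an age.
    $age = filter_var($clean['age'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    if ($age === false) {
        $errors[] = 'Age must be a whole number between 0 and 150.';
    }

    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }

    // DateTime::createFromFormat() silently rolls impossible dates such as
    // 2023-02-30 forward, so the parsed date is formatted back and compared
    // with the input to make sure the user entered a real calendar date.
    $date = DateTime::createFromFormat('Y-m-d', $clean['birthday']);
    if ($date === false || $date->format('Y-m-d') !== $clean['birthday']) {
        $errors[] = 'Birthday must be a real date in YYYY-MM-DD form.';
    }

    return $errors;
}

// Constructed sample submissions: one valid, one carrying the kind of junk the
// tutorial warns about, plus a valid body sent with the wrong method.
$good = ['age' => ' 34 ', 'email' => 'user@example.com', 'birthday' => '1990-05-17'];
$bad  = ['age' => 'hello', 'email' => 'not-an-email', 'birthday' => '2023-02-30'];

foreach (['good' => $good, 'bad' => $bad] as $label => $submission) {
    $errors = validate_form($submission, 'POST');
    echo $label . ': ' . ($errors ? implode(' ', $errors) : 'all fields valid') . "\n";
}
echo 'get: ' . implode(' ', validate_form($good, 'GET')) . "\n";
```

In a real handler the call is `validate_form($_POST, $_SERVER['REQUEST_METHOD'] ?? 'GET')`, and only the trimmed, validated values (not the raw `$_POST` entries) should be passed on to the database layer.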
Let's see how to do validation with PHP in the next chapter.