
PHP Forms Security

"Security" is the most important part of forms


To ensure the correctness of the data, proper validation should be done. As an example, let's assume that you have an input field to get the age of the user. If a user types a string like "hello" there and submits it, and you save that value without any validation, your database will contain invalid data that can break your website.

In the same way, hackers can use your forms to attack your website.

Why Validation?

To protect your data from hackers and spammers, secure validation must be done. You should validate every user input before processing it.

Never trust user inputs!

Cross-Site Scripting (XSS Attacks)

This is the main type of attack we should think about when handling forms. First, we should understand what Cross-Site Scripting is.

Cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. -Wikipedia-

Open the form we created in the last chapter, input <script>alert('Hacked')</script> as the name and submit. Then you will see an alert (if your browser does not have a built-in XSS filter). Great, you hacked your own form!

If we do not prevent users from submitting malicious data like this, hackers can add JavaScript code to your website and change its behavior. They can even redirect visitors to their own website. Ex: Try <script>location.href=""</script>.

Other Validations

There are three other validations that you should do.

  • Validate the request method. (Optional)
  • Remove unnecessary white spaces in the input.
  • Check whether input matches with the input type. (Whether a date is a date, email is an email, etc.)
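As an added example that is not the tutorial's own code, here is the vulnerable echo of the name field beside its hardened form, followed by the three other validations listed above. The field names name, email and age and the age range are assumptions.

```php
<?php
// Added example, not the tutorial's own code. Assumes the form posts
// "name", "email" and "age" (field names and the age range are assumptions).

// VULNERABLE: echoing raw input lets <script>alert('Hacked')</script> run in the browser.
function render_name_unsafe(array $post): string
{
    return "<p>Hello, " . ($post['name'] ?? '') . "</p>";
}

// HARDENED: escape for the HTML context so the browser shows the text instead of running it.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_name_safe(array $post): string
{
    return "<p>Hello, " . escape_html($post['name'] ?? '') . "</p>";
}

// The three other validations: request method, whitespace, and input type.
function validate_form(string $method, array $post): array
{
    $errors = [];
    if ($method !== 'POST') {                       // 1. validate the request method
        return ['Form must be submitted with POST.'];
    }
    $name  = trim($post['name'] ?? '');             // 2. remove surrounding white space
    $email = trim($post['email'] ?? '');
    $age   = trim($post['age'] ?? '');

    if ($name === '') {
        $errors[] = 'Name is required.';
    }
    // 3. check that each input matches its expected type
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not a valid address.';
    }
    $range = ['options' => ['min_range' => 1, 'max_range' => 150]];
    if (filter_var($age, FILTER_VALIDATE_INT, $range) === false) {
        $errors[] = 'Age must be a whole number between 1 and 150.';
    }
    return $errors;
}

// Constructed sample input: the payload from this chapter plus a bad email and age.
$sample = ['name' => "<script>alert('Hacked')</script>", 'email' => 'not-an-email', 'age' => 'hello'];
echo render_name_safe($sample), "\n";     // the tags appear as visible text; nothing runs
print_r(validate_form('POST', $sample));  // reports the email and age errors
```

Running it with render_name_unsafe instead of render_name_safe would send the script tag back to the browser unescaped, which is exactly the behaviour the alert in this chapter demonstrated.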

Let's see how to do validation with PHP in the next chapter.