Validate Form Data With PHP
The first thing we will do is to pass all variables through PHP’s htmlspecialchars() function.
When we use the htmlspecialchars() function, if a user tries to submit the following in a text field:
<script>location.href('http://www.hacked.com')</script>
this would not be executed, because it would be saved as HTML-escaped code, like this:
&lt;script&gt;location.href('http://www.hacked.com')&lt;/script&gt;
The code is now safe to be displayed on a page or inside an e-mail.
We will also do two more things when the user submits the form:
- Strip unnecessary characters (extra space, tab, newline) from the user input data (with the PHP trim() function)
- Remove backslashes (\) from the user input data (with the PHP stripslashes() function)
The next step is to create a function that will do all the checking for us (which is much more convenient than writing the same code over and over again).
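The three steps above combined into one helper and run over a constructed submission, as an added example that is not code from the original page. The function name clean_input, the sample array and the explicit htmlspecialchars() flags are assumptions, and the mixed type hint requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (name and signature are assumptions, not from the page).
// Applies the three steps the tutorial lists: trim, stripslashes, htmlspecialchars.
function clean_input(mixed $data): string
{
    // A field submitted as name[]=... arrives as an array; trim() and
    // htmlspecialchars() expect a string, so treat anything else as empty.
    if (!is_string($data)) {
        return '';
    }
    $data = trim($data);          // strip leading/trailing space, tab, newline
    $data = stripslashes($data);  // remove backslashes
    // Explicit flags: ENT_QUOTES also encodes ' and ", and ENT_SUBSTITUTE
    // replaces invalid UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submission standing in for $_POST.
$post = [
    'name'    => "  O\\'Brien\t\n",
    'comment' => "<script>location.href('http://www.hacked.com')</script>",
    'website' => ['unexpected', 'array'],
];

foreach ($post as $field => $raw) {
    printf("%-8s => %s\n", $field, clean_input($raw));
}
```

Passing the flags explicitly keeps the output the same across PHP versions: before PHP 8.1 the default flags left single quotes unescaped, while 8.1 and later encode them.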