PHP TUTORIALPHP TutorialPHP InstallationPHP Hello WorldPHP Basic SyntaxPHP CommentsPHP VariablesPHP Variable ScopePHP ConstantsPHP StringsPHP OutputPHP Data TypesPHP Type CastingPHP OperatorsPHP ConditionalsPHP Shorthand ConditionalsPHP LoopsPHP Loop Control StructuresPHP FunctionsPHP String FunctionsPHP ArraysPHP Superglobal VariablesPHP in HTMLPHP AdvancedPHP Include and RequirePHP HTTP & HTTPSPHP RegexRegex IntroductionRegex PCRE SyntaxPHP PREG FunctionsPHP FormsPHP Forms IntroductionPHP Forms CreatingPHP Forms SecurityPHP Forms ValidationPHP Forms Required InputsPHP Forms StickyPHP Forms Advanced ValidationPHP Forms FinishingPHP OOPPHP OOP IntroductionPHP OOP ClassesPHP OOP PropertiesPHP OOP ObjectsPHP OOP MethodsPHP OOP $this KeywordPHP OOP Constructors and DestructorsPHP OOP VisibilityPHP OOP InheritancePHP OOP Abstract Classes and MethodsPHP OOP InterfacesPHP OOP TraitsPHP OOP ConstantsPHP OOP StaticPHP OOP NamespacesPHP OOP Autoloading

PHP Forms Security

"Security" is the most important part of forms


To ensure the correctness of the data, a proper validation should be done. As an example, let's assume that you have a input field to get the age of the user. If a user types a string like "hello" there and submits and you save that value without any validation, your database will have saved invalid data which can break your website system.

In the same way, hackers can use your forms to attack your website.

Why Validation?

To protect data from hackers and spammers a secure validation must be done. You should validate every user input before processing.

Never trust user inputs!

Cross-Site Scripting (XSS Attacks)

This is the main type of attack we should think about when handling forms. First, we should understand what is Cross-Site Scripting.

Cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. -Wikipedia-

Open the form we created in the last chapter, and, input <script>alert('Hacked')</script> as the name and submit. Then, you will see an alert (if your browser does not have an in-built xss attack preventer). Great, You hacked your own form!

If we do not prevent users from submitting malicious data like this, hackers can add javascript code to your website and change the behavior of your website. They even can make a redirect to their website. Ex: Try <script>location.href=""</script>.

Other Validations

There are three other validations that you should do.

  • Validate the request method. (Optional)
  • Remove unnecessary white spaces in the input.
  • Check whether input matches with the input type. (Whether a date is a date, email is an email, etc.)

Let's see how to do validation with PHP in the next chapter.

Visit PHP Help group to get some help from experts.
Profile Picture
Supun Kavinda
I'm the Founder of Hyvor, Web Developer, Physics Lover, Flutist, and a Table Tennis Player.
My Websites