Vetting form input using PHP

Forms give an attacker an easy way to try to fiddle with the internal ‘gubbins’ of your PHP code, both in a normal PHP software development situation and when customising WordPress with PHP.

The following functions let a PHP developer clean up the form’s data before they start to process it in their PHP code.

  • trim
  • stripslashes
  • htmlspecialchars

Typically you pass each piece of data from the form through these functions in turn:

$formvalue = trim($formvalue);             // strip leading and trailing whitespace
$formvalue = stripslashes($formvalue);     // remove backslash escaping
$formvalue = htmlspecialchars($formvalue); // encode HTML special characters as entities

They can of course be nested on one line for brevity:

$formvalue = htmlspecialchars(stripslashes(trim($formvalue)));

Using the above, trim first removes leading and trailing whitespace such as spaces, tabs and newlines. stripslashes then takes out any ‘\’ characters. Finally, htmlspecialchars neutralises any HTML tags by replacing characters such as < and > with their HTML entities, for example &gt; for the greater-than symbol >.
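As an added example (not code from the original post), the cascade above wrapped in a reusable function, plus a helper that applies it to a whole submitted array. The function names cleanFormValue and cleanFormFields and the sample $submitted array are assumptions constructed for the demonstration; the array stands in for $_POST. The helper guards against a case the one-liner does not handle: a checkbox group submitted as name="opts[]" arrives as an array, and passing an array to trim or htmlspecialchars is an error.

```php
<?php
// Added example: the trim -> stripslashes -> htmlspecialchars cascade
// from the post, wrapped in functions and run over a constructed
// stand-in for $_POST. Not part of the original post.

declare(strict_types=1);

/**
 * Apply the post's cascade to one string field.
 * ENT_QUOTES encodes both ' and " so the value is also safe inside a
 * quoted HTML attribute; the explicit charset avoids depending on the
 * default_charset ini setting.
 */
function cleanFormValue(string $formvalue): string
{
    $formvalue = trim($formvalue);          // strip leading/trailing whitespace
    $formvalue = stripslashes($formvalue);  // remove backslash escaping
    return htmlspecialchars($formvalue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Apply cleanFormValue to every string in a submitted array, recursing
 * into nested arrays (checkbox groups, name="opts[]") and leaving
 * non-string values untouched.
 */
function cleanFormFields(array $fields): array
{
    $clean = [];
    foreach ($fields as $name => $value) {
        if (is_array($value)) {
            $clean[$name] = cleanFormFields($value);
        } elseif (is_string($value)) {
            $clean[$name] = cleanFormValue($value);
        } else {
            $clean[$name] = $value;         // ints, bools, null: nothing to trim
        }
    }
    return $clean;
}

// Constructed sample submission (stand-in for $_POST): surrounding
// whitespace, a backslash-escaped apostrophe, a script tag and an array field.
$submitted = [
    'name'    => "  O\\'Brien  \n",
    'comment' => '<script>alert(1)</script>',
    'opts'    => ['a&b', ' <b>c</b> '],
];

print_r(cleanFormFields($submitted));
```

Two caveats worth keeping in mind when using this cascade. stripslashes undoes the backslashes that the old magic_quotes_gpc setting added; that setting was removed in PHP 5.4, so on a modern server stripslashes will instead strip backslashes the user genuinely typed. And htmlspecialchars is HTML output encoding: it makes the value safe to echo into a page, but it does nothing for other contexts such as SQL queries, which still need prepared statements.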