If you have a web application, there are basic security best practices that should have been implemented when it was built.

In this post, I'll discuss two of the most important - filtering input and escaping output. It's so easy to do, yet so many web developers don't do it.

Filtering input and escaping output is important because without it, your web application almost certainly offers hackers multiple opportunities to breach it.

This can put you, and the users of your web application at great risk from data theft and other undesirable experiences.

Since I work primarily with PHP, here are the basics for filtering input and escaping output in PHP.

Note that these basic principles are not specific to PHP and can and should be applied no matter what language your web application is built with.

Filtering Input

Make sure register_globals is OFF and use $_POST, $_GET and $_REQUEST to access external data (i.e. data submitted to your application by a user). Never trust any data that comes through $_POST, $_GET and $_REQUEST. Filter it.

You can filter data using the following:

$id = trim(strip_tags($_GET['id']));

In this example, a variable called $id is set to the filtered value of the 'id' variable that has been passed in the query string (i.e. yourwebsite.com/script.php?id=1) or via a form using method="get".

strip_tags strips any HTML and PHP tags from the input. This is extremely important in helping prevent malicious code from being injected into your application.

trim strips out any whitespace from the beginning or end of the string.

An important part of good filtering is validation, which checks that the input is in the format expected (i.e. if you're expecting a numeric value but don't receive one, you should immediately consider the input invalid and unacceptable and handle it accordingly).

For instance, if you're looking for the value of $_POST['email'] to be a valid email address, you could use the ereg function to validate it:

// Note: ereg() was removed in PHP 7; preg_match() with a delimited pattern is its replacement.
if (!ereg("^[a-zA-Z0-9_\.\-]+@[a-zA-Z0-9\-\.]+$", trim(htmlentities(strip_tags($_POST['email']))))) {
  // tell the user he entered an invalid email address
}

Escaping Output

Escaping output is just as important as filtering input. For instance, if your web application is inserting data into a database, you need to escape the output that is provided to the database.

In PHP, you can do this easily in one of two ways - via the addslashes function or the mysql_real_escape_string function (if you're using MySQL). addslashes adds backslashes before any characters that require them. mysql_real_escape_string escapes characters specifically for MySQL.

If you're outputting data to the browser, you would use the htmlentities function, which converts any characters which have HTML character entity equivalents into those entities.
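The following is an added example, not code from the original post, putting the two halves together in one script: filter and validate the input once at the boundary, then escape it separately for the browser and for the database. The request values are constructed inline so it runs from the CLI; the database part assumes the pdo_sqlite extension, with an in-memory SQLite database standing in for MySQL, and uses a prepared statement (the driver does the escaping) rather than the mysql_real_escape_string function named above, which was removed in PHP 7.

```php
<?php
// Added example (not from the original post): filter input once, then escape
// the same value separately for each output context.
declare(strict_types=1);

// --- Filtering input: strip tags, trim, then VALIDATE the format -----------
function filterId(string $raw): ?int
{
    $clean = trim(strip_tags($raw));
    // Only a string of digits is acceptable; anything else is rejected.
    return ctype_digit($clean) ? (int) $clean : null;
}

function filterName(string $raw): ?string
{
    $clean = trim(strip_tags($raw));
    // Reject empty or over-long values; allow letters, digits, space and a few marks.
    return preg_match('/^[A-Za-z0-9 .\'&"-]{1,64}$/', $clean) === 1 ? $clean : null;
}

// Constructed stand-ins for values that would arrive in $_GET / $_POST.
$id  = filterId(' 42 ');                            // 42
$bad = filterId('42<script>alert(1)</script>');      // null: strip_tags leaves "42alert(1)",
                                                     // which fails validation; tags alone are not enough
$name = filterName("  Tom O'Brien & <b>\"Co\"</b>  "); // Tom O'Brien & "Co"  (the <b> tags are removed)

// --- Escaping output for the browser ---------------------------------------
// ENT_QUOTES also converts ' so the value is safe inside quoted attributes.
$html = '<p>Hello, ' . htmlentities($name, ENT_QUOTES, 'UTF-8') . '</p>';
echo $html, PHP_EOL;   // <p>Hello, Tom O&#039;Brien &amp; &quot;Co&quot;</p>

// --- Escaping output for the database --------------------------------------
// addslashes(), as named in the post, shows what escaping does to the string;
// it knows nothing about the database's own rules, so prefer the driver's escaping.
echo addslashes($name), PHP_EOL;   // Tom O\'Brien & \"Co\"

// A prepared statement lets the driver escape every bound value itself.
// Assumption: pdo_sqlite is available; ':memory:' stands in for a MySQL database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
$stmt->execute([':id' => $id, ':name' => $name]);
// Reading it back shows the apostrophe was stored literally, not as \'.
echo $db->query('SELECT name FROM users WHERE id = 42')->fetchColumn(), PHP_EOL;
```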


If your web application is not filtering input and escaping output, it's at risk. While doing these two things is only the first step in developing a secure web application, it's a step that unfortunately isn't taken often enough, usually because web developers are lazy or inexperienced.

If you run a business and rely on someone else to develop and maintain your web application, ask about these two items. If you don't get a satisfactory response, you may need to make some changes.

For more information about these items and other PHP security techniques (many of which are applicable to other languages) check out these two links here and here.


Published 11 August, 2008 by Patrick Oak
