So I posted a question the other night, and an interesting reply got me thinking. I've always done things a certain way, and I try to be as safe as possible, but I'm wondering what else I could be doing. This isn't related to a specific piece of code so much as a concept.
The layout is jQuery/PHP. Standard HTML and CSS.
Scenario: I write a signup form. The form includes email, password, first name, last name, and zip code.
When the user submits, jQuery picks it up, prevents the default, and submits it for validation through AJAX. On the PHP side, I'm going to verify lengths, symbols, values, etc. to try and get the best possible read on the data. If it works, I continue with the signup. If a flag is tripped, I return a JSON string that has a message, an error status, and other relevant information. I'm doing it this way instead of checking in the jQuery because of the user's ability to open the script and make changes.
On the PHP side, I can only work with the information that is received. I use POST and I only call for the variables that I'm looking for. Nothing can be added to the PHP this way... at least not easily. I'm also using PDO and prepared statements for inputting to the DB for an extra measure of security.
My question is this: when you guys are validating data, what other steps do you take to prevent security breaches? I only know what I know, so this is why I ask. I'm always looking to make my code better. Obviously there are a dozen functions I can use like striptags, strip_slashes, etc., but I'm really curious what everyone else does in case there might be something I could be doing better.
I tried Google, but looking for validation and error checking really just returns the obvious broken scripts and code snippets, but not much in the way of conceptualizing a better way of doing things. Just looking for some general feedback. Thanks!
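Here is what the PHP side of the flow described in the post could look like, as an added example rather than the poster's own code. It assumes an existing PDO connection in $pdo and a users table with the columns shown; the field length limits and the 12-character password minimum are arbitrary choices for the example.

```php
<?php
// Added example (not the poster's code): server-side validation for the signup
// form described above, returning JSON the jQuery side can act on.
// Assumes a PDO connection in $pdo and a `users` table with the columns used below.
declare(strict_types=1);
header('Content-Type: application/json');

// Only the fields we expect are read from POST; anything else is ignored.
$fields = ['email', 'password', 'first_name', 'last_name', 'zip'];
$in = [];
foreach ($fields as $f) {
    $in[$f] = trim((string)($_POST[$f] ?? ''));
}

// Validate each field against an explicit rule; collect every failure so the
// client can show all problems at once instead of one per round trip.
$errors = [];
if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false || strlen($in['email']) > 254) {
    $errors['email'] = 'Please enter a valid email address.';
}
if (strlen($in['password']) < 12 || strlen($in['password']) > 128) { // limits are assumptions
    $errors['password'] = 'Password must be 12 to 128 characters.';
}
foreach (['first_name', 'last_name'] as $f) {
    if ($in[$f] === '' || mb_strlen($in[$f]) > 50) {
        $errors[$f] = 'Please enter 1 to 50 characters.';
    }
}
if (!preg_match('/^\d{5}(-\d{4})?$/', $in['zip'])) { // US ZIP or ZIP+4, assumed format
    $errors['zip'] = 'Please enter a valid ZIP code.';
}

if ($errors) {
    http_response_code(422);
    echo json_encode(['status' => 'error', 'errors' => $errors]);
    exit;
}

// Prepared statement: user data is bound as parameters, never interpolated into SQL.
// Values are stored as entered; escape with htmlspecialchars() when rendering them.
$stmt = $pdo->prepare(
    'INSERT INTO users (email, password_hash, first_name, last_name, zip) VALUES (?, ?, ?, ?, ?)'
);
$stmt->execute([
    $in['email'],
    password_hash($in['password'], PASSWORD_DEFAULT), // store a hash, never the raw password
    $in['first_name'],
    $in['last_name'],
    $in['zip'],
]);
echo json_encode(['status' => 'ok']);
```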