Handling Online Payments Part 2 - Reading In And Sanitizing Submitted Data
by stymiee, 01-13-2011 07:26 PM - edited 10-20-2011 09:59 AM
This is part two of a multi-part series on handling online payments.
In Part I of this series we identified our goals (creating a payment form that was usable, accessible, and secure) and began by creating the form we will use to capture payment information. We're going to continue this process by exploring how we will handle the data submitted by that form.
There are three parts to handling user-submitted information. They are:
Reading In And Sanitizing Submitted Data
Before we can do anything with the information sent to us, we need to receive it and place it into variables to be used later in our code. This is also a good place to remove unwanted content that may have been included with it.
Validating The Information
Once we receive the user-submitted information we need to make sure we have everything we are looking for and that it is in a format that we expect.
Collecting And Displaying Errors
If the information submitted to us is invalid or incomplete, we need to collect a list of the errors we found and display them to the user in a friendly, easy-to-understand format.
In this blog post we're going to focus on reading in and sanitizing user data.
The code below uses the HTML form we created in Part I of this series. Be sure to have that handy as we will continue to build upon it as this series continues.
Reading In And Sanitizing Submitted Data
This is probably the simplest portion of handling a form submission, but it is not well understood or handled by many developers. As the point of entry for user-submitted data, it is the perfect place to begin making our code secure. The first mistake many PHP developers make is to use the $_REQUEST superglobal to receive form submissions. $_REQUEST is a merge of $_GET, $_POST and $_COOKIE (combined in the order set by PHP's request_order directive), so code that reads from it cannot tell which of the three a value actually came from. As you will remember, we explicitly created our form to send all of its data via POST. PHP allows us to look only for data submitted via POST with the $_POST superglobal. By using $_POST instead of $_REQUEST we remove the possibility of an attacker submitting form information using GET, for example by handing a victim a link with the payment fields pre-filled in the query string. This isn't a huge security issue, but since we can prevent this kind of abuse simply by using $_POST instead of $_REQUEST, we would be remiss not to do so.
Here's an example of reading in a submission from our form using $_POST. It goes at the very top of the page that holds the form, before any HTML is output. You'll notice that we explicitly check that the form was submitted using POST by inspecting the PHP superglobal $_SERVER['REQUEST_METHOD']. This is how we know the form has been submitted, rather than the page simply being loaded for the first time.
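As an added example (this is not the code from the original post), here is what that reading-in step looks like. The field names card_name, card_number, exp_month, exp_year and cvv are assumed to match the form from Part I; substitute the names your form actually uses.

```php
<?php
// Added example, not the original post's code. The field names are assumed to
// match the Part I form; change them to whatever your form uses.

// Start every field empty so the variables exist even when the page is simply
// being loaded for the first time (no submission yet).
$cardName   = '';
$cardNumber = '';
$expMonth   = '';
$expYear    = '';
$cvv        = '';

// Only treat the request as a submission when the browser actually POSTed.
// A GET request carrying ?card_number=... in the query string never gets here.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read from $_POST, never $_REQUEST, so query-string and cookie values
    // cannot masquerade as form fields. isset() avoids PHP notices when a
    // field was left out of the request entirely.
    $cardName   = isset($_POST['card_name'])   ? $_POST['card_name']   : '';
    $cardNumber = isset($_POST['card_number']) ? $_POST['card_number'] : '';
    $expMonth   = isset($_POST['exp_month'])   ? $_POST['exp_month']   : '';
    $expYear    = isset($_POST['exp_year'])    ? $_POST['exp_year']    : '';
    $cvv        = isset($_POST['cvv'])         ? $_POST['cvv']         : '';
}
// The rest of the page (the form HTML from Part I) follows below.
```

The variables are initialised before the method check so that the form page can reference them (for example to re-populate fields after an error) whether or not a submission has happened yet.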
Although we have successfully received the form submission, we should sanitize the information before we try to use it. There are three things we should look out for and handle at this stage:
White space before or after data, although meaningless to human eyes, makes all the difference to a computer: " hi " does not equal "hi". So if you search your database for "hi" but it is stored as " hi ", you will have difficulty finding that record. Fortunately it is easy to ensure that our data does not have extraneous white space attached to it. PHP's built-in trim() function removes leading and trailing white space for us. Note that it only touches the ends of the string; white space in the middle of a value (spaces typed between groups of card digits, for instance) is left alone and is something for the validation step to deal with.
I may not have travelled the world as extensively as some people, but I have yet to meet or hear of a person who has HTML code in their name or address. None of the information we will be collecting in our form should ever have HTML in it, so it is a good idea to remove it before we even begin to examine it. This is where PHP's built-in strip_tags() function comes in handy: it removes HTML and PHP tags from a string and returns a "clean" string for us. Two things to keep in mind: strip_tags() removes anything that looks like a tag, so a stray "<" in a value can swallow the text that follows it, and it is a cleanup step, not an output-encoding step. Anything we later echo back to the browser (an error message that repeats a submitted value, or a value="" attribute that re-populates the form) still needs htmlspecialchars() so that it is displayed rather than interpreted.
Numbers Should Always Be Numbers
Some information is always expected to be a number; the expiration date's year is a good example. In cases like this we can cast the value to a data type of our choosing, in this case an integer. We have a couple of ways of doing this. One is to place the (int) cast in front of the value, to the right of the assignment operator (=), when assigning it to a variable. Another is to use PHP's built-in intval() function. Either way the result is guaranteed to be an integer, but the cast is not a check: a non-numeric string such as "abc" becomes 0 and "2011abc" becomes 2011, so the validation step still has to confirm the number falls in the expected range.
Here's the same code as above, with our sanitization efforts included:
Tip: A good idea is to combine trim() and strip_tags() into one function. This makes the code easier to reuse, cleaner, and easier to maintain. Be sure to call trim() last, as stripping HTML can leave white space that sat inside the tags at the start or end of the value.
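Putting the three sanitization steps together, as an added example rather than the original post's code: the cleanInput() helper below is the combined strip_tags()/trim() function the Tip describes, the field names are assumed to match the Part I form, and postField() is an assumed convenience wrapper around $_POST. It also guards against a field arriving as an array (a request with card_name[]=x), which trim() and strip_tags() would otherwise choke on, and casts the expiration month and year to integers.

```php
<?php
// Added example, not the original post's code. Field names are assumed to
// match the Part I form.

/**
 * Remove HTML tags and surrounding white space from a submitted value.
 * strip_tags() runs first and trim() last: stripping "<b> Bob </b>" leaves
 * " Bob ", and only a final trim() turns that into "Bob".
 */
function cleanInput($value)
{
    // A field sent as card_name[]=x arrives as an array. strip_tags() and
    // trim() expect strings (PHP 8 throws a TypeError otherwise), so treat
    // anything that is not a string as missing.
    if (!is_string($value)) {
        return '';
    }
    return trim(strip_tags($value));
}

/** Fetch one field from $_POST, cleaned, or '' if it was not submitted. */
function postField($name)
{
    return isset($_POST[$name]) ? cleanInput($_POST[$name]) : '';
}

$cardName = $cardNumber = $cvv = '';
$expMonth = $expYear = 0;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $cardName   = postField('card_name');
    $cardNumber = postField('card_number');
    $cvv        = postField('cvv');

    // Month and year must be numbers, so cast them; both spellings are shown.
    // Casting is not validation: (int) "abc" is 0 and intval("2011abc") is
    // 2011, so the range checks (1-12, current year or later) belong in the
    // validation step covered in the next part.
    $expMonth = (int) postField('exp_month');
    $expYear  = intval(postField('exp_year'));
}
```

When these values are written back into the form (for example in a value="" attribute after a validation error), wrap them in htmlspecialchars() at the point of output; cleaning on the way in does not replace encoding on the way out.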
Now that we have successfully received and sanitized our form data we can begin the process of validating it to make sure we have everything we need and in a format that we expect. In the next part of this series we will see how to validate this information and bring our form one step closer to reality.