The magic PHP function: test_data()


If you don’t know this function, let me show it to you:

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;

“But it sanitizes my input” – yes, destructively.

I’ll let the trim function pass, although that depends on the data you are sourcing.

Always delay escaping until you need to render something. Besides being a best practice, this also makes sure you are escaping according to the correct context. HTML has different escaping needs when compared to JSON and SQL. This bad function assumes that everything will always be HTML forever.

Why did I write this? Because that stupid function keeps showing up.

(I rarely talk about the image attached to the post, but yes, that is an elliptical with doorway beads and a sequin hat. Enough said.)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.