
When sanitizing the `$_POST` data passed from the controller to the model, there are two options that I can think of.

For the first one, I can nest the if blocks like this:

    if (!empty($username))
    {
        if (!empty($password))
        {
            // login the user
        }
        else
        {
            echo 'Please enter password.';
        }
    }
    else
    {
        echo 'Please enter username.';
    }

And the other one is like this:

    if (empty($username))
    {
        $err[] = 'Please enter username.';
    }
    if (empty($password))
    {
        $err[] = 'Please enter password.';
    }
    if (empty($err))
    {
        // login the user
    }
    else
    {
        // display error
    }

Which way is the preferred one and is there another, smarter way of sanitizing the input?

user3628807
  • Completely opinionated, as I will now prove: [Insert person's name here]'s preferred method is `if (!empty($username) && !empty($password))` rather than nested. – Script47 Sep 11 '17 at 16:37
  • Just from personal experience, my project is set up like this: `if( empty($username)) throw new LoginException('Please enter username.'); if(empty($password)) throw new LoginException('Please enter password.'); ...` - Some people may accuse me of misusing exceptions, but it works just fine. – Niet the Dark Absol Sep 11 '17 at 16:37
  • @NiettheDarkAbsol I'm accusing you of having a different opinion, thereby proving my point even more! – Script47 Sep 11 '17 at 16:38
  • @Script47 Okay, I get your idea, but I want to be able to say specifically which input has failed the verification instead of saying "something is wrong". Another thing is that when registering a new user, every piece of data goes through different sanitizing. For the username: first whether it's not empty, then whether it contains restricted characters, the length of the username, whether the username is taken, etc. So I can't combine them in one if statement. – user3628807 Sep 11 '17 at 16:46

2 Answers


You can simply use:

    $errors = [];
    // empty() already returns true for a missing key, so the isset() guard is redundant.
    if (!isset($_POST['username']) || empty($_POST['username'])) {
        $errors[] = 'Please enter valid username';
    } else if (!isset($_POST['password']) || empty($_POST['password'])) {
        // else if: the password is only checked once the username has passed.
        $errors[] = 'Please enter valid password';
    }

`filter_var` can be used to filter for a specific kind of input.

Lovepreet Singh
  • How about if the input string is `' '`? – Script47 Sep 11 '17 at 16:52
  • Combining username and password in one if statement is not what I am looking for. When registering the user, `$username` is going to go through a few checks: if the username is taken, its length, if it contains restricted characters, etc. So then I will have multiple if statements. I guess my example was not ideal. – user3628807 Sep 11 '17 at 16:53
  • Use `empty`. It's more precise. – Rotimi Sep 11 '17 at 16:54
  • @Akintunde the answerer is using `empty`. They need to use `trim` with `empty`. – Script47 Sep 11 '17 at 16:55
  • The best and recommended way to deal with form data is to use the `filter_has_var` and `filter_var` functions. Please look at the documentation of these functions. – Lovepreet Singh Sep 11 '17 at 16:59

This isn't sanitizing; you are just checking whether there is any character in your input. Sanitizing is about getting the exact type of value for your form.

If your problem is about if blocks on and on, you can create an array of expected input names:

    $desiredInputs = array('username', 'password', 'etc');
    $errors = [];
    foreach ($desiredInputs as $input) {
        // trim() so that a whitespace-only value also counts as empty
        if (!isset($_POST[$input]) || empty(trim($_POST[$input]))) {
            $errors[] = $input . ' is not set or empty';
        }
    }

For sanitizing, you can check this answer: https://stackoverflow.com/a/34760018/502649

Additionally, best practice for sanitizing is RegEx and `filter_var`.

siniradam
  • I know that this is not exactly sanitizing. I am giving a simple example, but `$username` is going to go through a few checks: if the username is taken, its length, if it contains restricted characters, etc. So then I will have multiple if statements. – user3628807 Sep 11 '17 at 16:48
  • Rather than `$_POST[$input] == ''` make use of `empty` as the former is verbose. – Script47 Sep 11 '17 at 16:49
  • How about if the input string is `' '`? – Script47 Sep 11 '17 at 16:52
  • As you see, @Script47 is correcting me :). You may write a function that checks specifically what you need to check, for instance a function called `validate($inputToValidate, $expectedType)`, so you can use regex formulas to check whether it is an email, empty, or whatever. The expected type can be email, IP, phone, numeric, alphanumeric, etc. – siniradam Sep 11 '17 at 16:56
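As an added example (not code from the question or from either answer), the following implements the error-collecting structure of the question's second option together with the `validate($inputToValidate, $expectedType)` idea from the second answer, driven by a rule table rather than a chain of if blocks. The rule keys (`required`, `trim`, `min`, `max`, `pattern`, `filter`), the field names, the limits and the sample submission are all assumptions made for this example. It also handles the two edge cases raised in the comments: whitespace-only input (via `trim()`) and the fact that `empty('0')` is true, which would wrongly report a username or password of `0` as missing.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or from either answer.
// A table-driven validator: one rule set per field, every field checked on
// every request, every failure collected, so the caller can report all
// problems at once instead of nesting if-blocks or stopping at the first one.

/**
 * Validate a $_POST-style array against a rule table and return
 * error messages keyed by field name (an empty array means success).
 *
 * The rule keys are assumed names chosen for this example:
 *   required - field must be present and non-blank
 *   trim     - strip surrounding whitespace before checking (default true)
 *   min/max  - length bounds in bytes (use mb_strlen() for multibyte limits)
 *   pattern  - PCRE the whole value must match (an allow-list, not a deny-list)
 *   filter   - a FILTER_VALIDATE_* constant passed to filter_var()
 */
function validate(array $input, array $rules): array
{
    $errors = [];

    foreach ($rules as $field => $rule) {
        $required = !empty($rule['required']);

        // A missing key, or a non-string (e.g. username[]=x), counts as absent.
        $raw = $input[$field] ?? null;
        if (!is_string($raw)) {
            if ($required) {
                $errors[$field] = "Please enter {$field}.";
            }
            continue;
        }

        $value = ($rule['trim'] ?? true) ? trim($raw) : $raw;

        // Compare against '' rather than using empty(): empty('0') is true,
        // which would reject a legitimate value consisting of the single
        // character 0.
        if ($value === '') {
            if ($required) {
                $errors[$field] = "Please enter {$field}.";
            }
            continue;
        }

        if (isset($rule['min']) && strlen($value) < $rule['min']) {
            $errors[$field] = "{$field} must be at least {$rule['min']} characters.";
        } elseif (isset($rule['max']) && strlen($value) > $rule['max']) {
            $errors[$field] = "{$field} must be at most {$rule['max']} characters.";
        } elseif (isset($rule['pattern']) && preg_match($rule['pattern'], $value) !== 1) {
            $errors[$field] = "{$field} contains characters that are not allowed.";
        } elseif (isset($rule['filter']) && filter_var($value, $rule['filter']) === false) {
            $errors[$field] = "{$field} is not valid.";
        }
    }

    return $errors;
}

// Rule table for a registration form; the field names and limits are
// assumptions for this example. The username pattern is the "restricted
// characters" check from the question expressed as an allow-list.
$rules = [
    'username' => ['required' => true, 'min' => 3, 'max' => 32,
                   'pattern'  => '/\A[A-Za-z0-9_.-]+\z/'],
    // Passwords are not trimmed: a leading or trailing space is part of the secret.
    'password' => ['required' => true, 'trim' => false, 'min' => 8, 'max' => 256],
    'email'    => ['required' => true, 'max' => 254, 'filter' => FILTER_VALIDATE_EMAIL],
];

// Constructed sample submission standing in for $_POST.
$post = [
    'username' => '  bob<script>  ',  // whitespace is trimmed, then the pattern rejects < and >
    'password' => '0',                // a real value (empty('0') would have called it missing)
    'email'    => 'not-an-address',
];

$errors = validate($post, $rules);
if ($errors === []) {
    // all checks passed: register / log in the user
} else {
    foreach ($errors as $message) {
        echo $message, PHP_EOL;
    }
}
```

The rule table is the part that grows as the form grows; the loop does not. Checks that need a database, such as whether the username is already taken, belong after `validate()` returns an empty array, so that a request which fails the cheap syntactic checks never reaches the database.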