>> Table of Contents >> Developer's Manual

Check form data

How do I check user input prior to processing it?

To do this, YANA offers a function named untaintInput().

The function has the following parameters:





value mixed n/a data to be cleaned
type string ""

Data type

In addition to the supported native types of PHP the following values are allowed:

  • time: UTC (type integer, length 11)

  • ip: IP-address (type string, length 15)

  • mail: mail address (type string)

  • select: treated as "string"

  • text: treated as "string"

length integer 0 Maximum length of data
escape integer 0 see table

List of parameters for untaintInput

The parameter $escape can be any one of the following constants.

Identifier Description
YANA_ESCAPE_NONE No changes (Default)
YANA_ESCAPE_SLASHED Converts single and double quotation marks to their respective escape sequences in C-notation
YANA_ESCAPE_TOKEN replaces token by their HTML entities
YANA_ESCAPE_CODED replaces HTML symbols, such as Tags, by entities
YANA_ESCAPE_LINEBREAK converts all whitespace characters (particularly line breaks) into spaces
YANA_ESCAPE_USERTEXT for treatment of input from text area fields

Valid values for parameter $escape, function untaintInput

For INPUT fields you should always call untaintInput() with the parameter YANA_ESCAPE_LINEBREAK. This will prevent an attacker from smuggling line breaks into the output, which might be a possible threat. For TEXTAREA fields you should use YANA_ESCAPE_USERTEXT. This prevents many forms of flooding, by constantly repeated texts (Copy'n'Paste Flooding), and will wrap oversized text strings, trim white space and thus will ensure, the layout of your page is not broken.

Author: Thomas Meyer, www.yanaframework.net