Filtering input

Filtering user input is important.

A. Client-side (HTML and Javascript)

Client-side form input can be filtered with the HTML5 pattern attribute or with JavaScript validation. Client-side validation is worth implementing because it gives the user instant feedback that a field is incomplete or contains a typo. This reduces the back-and-forth of form posting and the resulting network traffic, so a server-side validation round (which consumes server CPU time) is not needed for simple mistakes. Client-side validation will not necessarily validate 100% of the user input, because web browsers implement it differently, and JavaScript validation is also unreliable if it is disabled in the user's web browser.

B. Server-side

Server-side validation is important because it is the only place where the user's input is truly validated before it is processed. Implementing client-side validation alone is insufficient, since it assumes that the only users on your website are normal users. Often there are bots or even malicious attackers who can inject code through vulnerable inputs. This is why you should always have server-side validation in your code. All server variables, such as $_GET, $_POST, $_COOKIE, and even $_SERVER, still need to be validated, as the client can change them.

SCHLIX CMS provides the following functions to validate $_GET and $_POST and to filter and convert user input to the desired type: all functions whose names start with fget_ and fpost_.
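The two-layer idea above, as an added example that is not SCHLIX CMS code and does not use its fget_/fpost_ API: one set of typed rules (the constructed RULES table and field names are assumptions) that the browser can enforce for instant feedback and that the server must enforce again, because a client that skips the form can send anything, including values and parameter names the form never offered.

```javascript
// Added example, not SCHLIX code: one set of rules applied twice, once in the
// browser for instant feedback and once on the server, which is the only check
// that actually counts because the client controls every byte it sends.
const RULES = {
  age:   { type: 'int', min: 0, max: 150 },
  page:  { type: 'int', min: 1, max: 100000, fallback: 1 },
  email: { type: 'pattern', re: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
};

// Convert a raw string to an integer in [min, max]; null means "rejected".
// A missing or empty value takes the rule's fallback when one is defined.
function filterInt(raw, rule) {
  if (raw === undefined || raw === '') return rule.fallback ?? null;
  if (!/^-?\d+$/.test(String(raw))) return null;   // digits only, so "42abc" fails
  const n = Number(raw);
  return n >= rule.min && n <= rule.max ? n : null;
}

// Keep a string only if the whole value matches the pattern.
function filterPattern(raw, rule) {
  return typeof raw === 'string' && rule.re.test(raw) ? raw : null;
}

// Apply the rules to a decoded $_GET/$_POST-style object. Only known keys are
// copied into `values`, so extra parameters sent by the client are dropped
// instead of reaching the processing stage.
function filterParams(params, rules = RULES) {
  const values = {}, errors = [];
  for (const [name, rule] of Object.entries(rules)) {
    const v = rule.type === 'int' ? filterInt(params[name], rule)
                                  : filterPattern(params[name], rule);
    if (v === null) errors.push(name); else values[name] = v;
  }
  return { values, errors };
}

// Constructed inputs: what a browser sends once the HTML5 pattern/required
// checks pass, and what a script that never loads the form can send.
const fromBrowser = { age: '42', page: '3', email: 'ann@example.com' };
const bypassed    = { age: '42abc', page: '0', email: 'x', admin: '1' };

console.log(filterParams(fromBrowser)); // all three accepted, typed as int/string
console.log(filterParams(bypassed));    // errors: age, page, email; 'admin' dropped
```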