The proper way to handle data flow through an application

Question

This may get marked as duplicate, but in my defense, I've been searching around for a while, and a lot of the information I find is in relation to mysql or mysqli at best, or is incomplete. I want a thorough, up-to-date answer that factors in using PDO and prepared statements.

What is the proper way to handle data as it moves through an application.

Is the following theoretical flow of data adequate, and if not, what improvements would you recommend?

1. proper form validation client side.
2. Use of $_POST rather than $_GET
3. In PHP, using $variable = htmlentities($_POST['variable']); just before database insertion.
4. using PDO and prepared statements like: bindValue(':variable', $variable);
5. On output, using echo htmlspecialchars($variable); to prevent XSS attacks.

Two related questions:

• Lets say you're using htmlentities() on data before database insertion. How can you also remove all the garbage that is inserted if a user entered say <p>my input value</p>. This writes: <tr><p>my input value</p>&l to the database.
• If your php is returning a JSON array handled by AJAX, how do you handle output in that scenario? This doesn't work in PHP: htmlspecialchars($JSON_Array)

Thanks in advance for your help on this.

Answer 1

Generally speaking your flow will be similar to this:

1. "Validate" data client side - you don't want to trust this validation since you should never trust anything coming from the client, this is done to make the user experience better.

2. Validation on the server - make sure the data given to you is valid. Examples might be: validate type (int, string, etc.), validate value (users can't order a negative amount of an item), etc. If you're using some kind of MVC-ish framework this is done in the Model layer.

3. Store the data in the database - you'll use prepared statements to protect yourself from SQL injection but you don't want to manipulate the data in any way (no htmlentities or the like).

4. Whenever you're taking data out of the database that's when you decide if you need to convert HTML entities or do some other processing based on whether you're outputting HTML, JSON, XML, etc.

If you need to use htmlspecialchars or something like that on data in a JSON array, execute that before you put the data in the JSON array.