20
Secure Development for Mobile Apps
POST Requests
For this example, the $_POST request does indeed contain a string, a user name.
The question then becomes: what is this string for, and where does it go? The string is
to be stored in the database, queried from the database, and sent back to the client as
static HTML, not as a hyperlink. This tells us the steps we need to take in processing
this input variable.
Assuming that both the PHP character set and the PDO connection character set are
UTF-8, we can operate on our string.
The first step is to cut it. Our database column has a limit of 25 characters for
the username.
$userName = mb_substr($_POST['name'], 0, 25); // cut to the column's 25-character limit
The second step is to ensure it is only alpha-numeric.
if (ctype_alnum($userName)) // only ...
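The whole round trip the passage describes (cut to length, accept only alphanumerics, store through PDO, query it back, emit it as static HTML), written out as an added example rather than the book's own code; the table `users`, its `name` column, the DSN and the credentials are assumptions:

```php
<?php
// Added example (not from the book). Assumes a MySQL table `users` with a
// VARCHAR(25) column `name`; DSN, credentials and table name are placeholders.
declare(strict_types=1);
mb_internal_encoding('UTF-8');

// Make the PDO connection use UTF-8 as well, so mb_substr and the column
// agree on what a "character" is.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user', 'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]
);

/**
 * Steps 1 and 2 from the text: cut to the column length, then accept only
 * alphanumerics. Returns null when the value is rejected.
 * Note: ctype_alnum tests bytes against the current locale; in the default
 * "C" locale only ASCII letters and digits pass, so a multibyte name is
 * rejected outright rather than stored in part.
 */
function cleanUserName(string $raw): ?string
{
    $userName = mb_substr($raw, 0, 25);               // make required length
    return ctype_alnum($userName) ? $userName : null; // only alphanumerics
}

// $_POST['name'] may be absent or, via name[]=x, an array: treat both as invalid.
$raw = $_POST['name'] ?? '';
$userName = is_string($raw) ? cleanUserName($raw) : null;
if ($userName === null) {
    http_response_code(400);
    exit('Invalid user name');
}

// Step 3: store it. A prepared statement keeps the value out of the SQL text.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $userName]);

// Step 4: query it back the same way.
$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $userName]);
$stored = (string) $select->fetchColumn();

// Step 5: send it to the client as static HTML. The value already passed
// ctype_alnum, but escaping on output keeps the rule intact if validation
// is ever relaxed.
header('Content-Type: text/html; charset=UTF-8');
echo '<p>Welcome, ' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
```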