16 Secure Client Server Form Validation
PHP UTF-8 Input Validation
Server UTF-8 Validation
Even though the client browser has been told to send valid UTF-8 characters with
header('Content-Type: text/html; charset=utf-8'),
the server still needs to verify the character set to account for any cases where invalid
characters have either accidentally or maliciously been sent.
One way to validate whether incoming strings contain valid UTF-8 is:
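// Strict mode (third argument) is required; without it, strings that
// contain invalid byte sequences can still be reported as UTF-8.
$utf8 = mb_detect_encoding($string, "UTF-8", true);
if ($utf8 !== 'UTF-8')
{
    header("Location: $LOGIN");
    exit(0);
}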
This process only checks the data and stops processing the script if invalid characters
are detected. It does not attempt to correct or remove invalid characters.
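The same check-and-reject approach applied to a whole form submission, as an added example that is not from the original text: it uses mb_check_encoding() and recurses into array-valued fields so that no field or field name escapes validation. The function name all_valid_utf8, the value of $LOGIN and the sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example (not from the original text). The function name, the
// $LOGIN value and the sample data are assumptions for illustration.

$LOGIN = '/login.php'; // assumed redirect target, standing in for the text's $LOGIN

/**
 * Return true only if every string key and every scalar value in $input
 * is well-formed UTF-8. Array fields (e.g. name="tags[]") are checked
 * recursively.
 */
function all_valid_utf8($input): bool
{
    if (is_array($input)) {
        foreach ($input as $key => $value) {
            // Field names come from the client as well, so check them too.
            if (is_string($key) && !mb_check_encoding($key, 'UTF-8')) {
                return false;
            }
            if (!all_valid_utf8($value)) {
                return false;
            }
        }
        return true;
    }
    // Check only: nothing is converted or stripped, matching the text.
    return mb_check_encoding((string) $input, 'UTF-8');
}

// When served by a web server, gate all further processing on the check.
if (PHP_SAPI !== 'cli' && !all_valid_utf8($_POST)) {
    header("Location: $LOGIN");
    exit(0);
}

// Constructed sample submissions standing in for $_POST (command-line demo).
$samples = [
    'valid'     => ['user' => "zo\xC3\xAB", 'tags' => ["\xE2\x82\xAC", 'ok']],
    'truncated' => ['user' => "abc\xE2\x82"],      // cut-off 3-byte sequence
    'overlong'  => ['user' => "\xC0\xAF"],         // overlong encoding of "/"
    'nested'    => ['tags' => ['ok', "\xFF\xFE"]], // bytes that never occur in UTF-8
];

foreach ($samples as $label => $post) {
    echo $label, ': ', all_valid_utf8($post) ? 'accept' : 'reject', PHP_EOL;
}
```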
An alternative but potentially unsafe method is ...