Necessary to check for empty variable after validation and before saving data?

Is it still necessary to check for empty variable after validation a form and before saving a data?

This step is somewhat unnecessary because if a user does not enter any input, the validation rule would definitely trigger an error.

However, I've seen comments from others saying that if user input gets sanitized it might return an empty variable. But how often do we get user who will enter pure XSS sc开发者_高级运维ript that will only return an empty variable?

Anyone has any opinions on this? Thanks in advance.

Having a sanitized return value that is empty and having an empty value sent is not the same thing.

Consider a simpe logon script: User does not input username & password. Would you still validate his input? Obviously, no. You would have a check for $_POST['username'] and $_POST['pw'] to make sure they have a value before passing those off to validation. This is the only way you have control on what is wrong ( and why it is wrong). You can then give the user a message that username & password is needed to log on. Of course, many validation libraries do that step themselves but it is important that the validation library you use tells you why the validation failed so you can act accordingly, ie: To message the user, or log malicious attempts for example.

Hope that helps, happy conding