PHP form validation question?
Is it necessary to validate a name or street address when I have it coded in the following format? And if so, why?
$address = mysqli_real_escape_string($mysqli, htmlentities($_POST['address']));
$name = mysqli_real_escape_string($mysqli, htmlentities($_POST['name']));
- Do not store values filtered by htmlspecialchars/htmlentities/etc in your database - do it directly before display in HTML/XML/etc documents.
- If you're OK with names like blah blah <>DAS#^^2@@vm/.,czc, then this code looks fine.
How many names or addresses do you know of that contain a '$' or '%'? There are simple checks you can perform to check for users being stupid. Usually a name will only contain word characters (and sometimes with a comma and period if they are a Jr, Sr, etc) and an address will only contain alphanumeric characters (unless they abbreviate, in which case a period might be included). It's not necessary, but personally I would put in checks so you don't end up with users just entering random BS just to be funny (that's one of my pet peeves, sorry).
You seem a bit mixed up there because you have 2 means of escaping data and none of filtering, when the rule is FIEO: Filter Input, Escape Output.
Filtering:
If YOU DECIDE that a "name" can only be upper and lower case letters, be between 2 and 50 characters long and can contain dashes and single quotes ('), then you should either:
- remove anything not matching your own definition example above (using regular expressions maybe), OR
- abort the operation,
depending on how kind you want to be to your user/potential cracker.
filter_var() is also very useful in this scenario.
Escaping
You escape the data in readiness for the next environment the data is headed for:
If it's to go into a database then you'd use your mysqli_real_escape_string(); if you are echoing to the screen in HTML then use htmlentities(), and so on.
HTH
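The filter-input, escape-output flow from the answer above, as an added example that is not part of the original posts. The helper names filter_name() and escape_html() and the people table are hypothetical, the sample submissions are constructed, and an in-memory SQLite database with a bound parameter stands in for mysqli_real_escape_string() so the script runs without a MySQL server.

```php
<?php
// Added example (not from the original thread): filter input, escape output.

// Filter: the name rule from the answer above (letters, dashes and
// single quotes only, 2 to 50 characters). Returns null to signal "abort".
function filter_name(string $raw): ?string
{
    $name = trim($raw);
    $ok = filter_var($name, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => "/\\A[A-Za-z'-]{2,50}\\z/"],
    ]);
    return $ok === false ? null : $name;
}

// Escape for the HTML environment only, at the moment of output.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumption: in-memory SQLite via PDO instead of the question's mysqli link.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO people (name) VALUES (:name)');

// Constructed submissions standing in for $_POST['name'].
$samples = ["O'Neil-Smith", 'blah blah <>DAS#^^2@@vm/.,czc', 'x'];

foreach ($samples as $raw) {
    $name = filter_name($raw);
    if ($name === null) {
        // Rejected input is still escaped before it is echoed back.
        echo 'rejected: ', escape_html($raw), PHP_EOL;
        continue;
    }
    // The filter allows a single quote, so the SQL layer must still handle
    // it: the bound parameter does that, and the value is stored raw,
    // without HTML encoding.
    $insert->execute([':name' => $name]);
}

// Output: encode for HTML here, not before storage.
foreach ($db->query('SELECT name FROM people') as $row) {
    echo '<li>', escape_html($row['name']), '</li>', PHP_EOL;
}
```

Because the stored value is the raw name, the same row can later be escaped differently for another output such as JSON or a CSV export.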