Popular posts

As you said yourself your goal is

to prevent malicious input

This is great that you already understand that you ALWAYS have to check user's input back-end. However, you do not write over 9000 validation rules. It nothing does with the language. You just use technique called escape a string.

You escape any input based on what you are going to do next with the input

• Insert into MySQL? -> Use prepared statements.
• Also display in browser to other users? -> Prevent XSS attacks and encode HTML characters when sending string to your template/view/output. You NEVER encode HTML string before saving it in DB, you save it AS IS and later you just escape output from DB.

The only exception is when you intentionally want to remove (strip) specific parts of user input like all HTML tags, emojis, whatever. Well, this depends on your business case and if you really want just to allow a-z, 0-9 and Chinese characters, you may use regex ranges for unicode itself.