Newbie Sanitization and Insert

Posted: Wed Nov 18, 2009 11:49 am
by Shura
I hope this hasn't been asked before, but I'm trying to write an interface to a mysql database. I have a .htaccess file, so I'm not terribly concerned with malicious users, but I figure it's still good to protect against oblivious and dangerous users. My problem is that I don't want to force people to re-enter all their data if they make a mistake the first go-round.

For example:
fields are:
Name (text field)
Type (drop down list)
Month (drop down list)
Day (drop down list)
Year (drop down list)
etc.

All of these fields are required, and when I sanitize the data, I want to also go through and make sure that all values are present, then print a message saying which ones are missing. Ideally I want to return to the form, and leave all the good values in place. Does anyone have any tips to do this? Also I'm not sure I'm doing the sanitization very well. The parsing for all fields looks like this:

<?php
// $parsed: n by 2 array, where index 0 holds an error message (or NULL if
// everything is okay), and index 1 is the sanitized input (or NULL if there is an error)
$parsed = array();
$n = 0; // used to iterate through $parsed

foreach ($_POST as $variable) {
    if ($variable === "") {
        $parsed[$n][0] = "some error message";
        $parsed[$n][1] = NULL;
    } else {
        $parsed[$n][0] = NULL;
        $parsed[$n][1] = filter_var($variable, FILTER_DEFAULT); // use the appropriate PHP filter for the field
    }
    $n++;
}

$hasErrors = false;
foreach ($parsed as $row) {
    if ($row[0] !== NULL) {
        $hasErrors = true;
    }
}

if (!$hasErrors) {
    // insert values in $parsed[][1] into db
} else {
    // print all errors to screen
}

// end algorithm
thanks a ton.

Re: Newbie Sanitization and Insert

Posted: Wed Nov 18, 2009 12:47 pm
by superdezign
You are referring to "sticky values" in forms. Basically, common practice is to submit a form to the same page so that if there are errors, you can print them out. Otherwise, you can handle success however you plan to. For sticky values, you'll need to get the posted data and place it into the form. You could use a function to assist you with that, so as not to look for invalid values, since the $_POST array is empty before the form has been submitted.

Functions:

<?php
// functions.php
// Get post data, or '' when the field was not submitted (so the form can be
// rendered before the first submit without notices)
function getPost($name) {
    if (isset($_POST[$name])) {
        return $_POST[$name];
    }

    return '';
}

Controller:

<?php
// controller.php
include_once 'functions.php';

// Sticky values
$title = getPost('title');
$description = getPost('description');

// Form handling
$errors = array();
$success = false;

if (!empty($_POST)) {
    // Validate title
    if (empty($title)) {
        $errors[] = 'Must fill "title" field.';
    }

    // Validate description
    if (empty($description)) {
        $errors[] = 'Must fill "description" field.';
    }

    // Submit form
    if (empty($errors)) {
        /* Perform business logic here */
        $success = true;
    }
}

include 'view.php';

View:

<?php
// view.php
if ($success) {
    echo '<p>Success!</p>';
} else {
    // Print the validation errors collected by the controller
    foreach ($errors as $error) {
        echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    }

    // Escape the sticky values for an HTML attribute before re-displaying them;
    // a heredoc interpolates {$var}, not <?php ... ?> tags
    $safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    $safeDescription = htmlspecialchars($description, ENT_QUOTES, 'UTF-8');
    echo <<<HTML
<form method="post" action="#">
    <input type="text" name="title" value="{$safeTitle}" />
    <input type="text" name="description" value="{$safeDescription}" />
    <button type="submit">Submit</button>
</form>
HTML;
}
This is a simplified version of controllers and views, but it should make it easier for you to follow what is going on. This is the basic concept of form validation and submission.

Enjoy. :P

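The same controller pattern applied to the Name/Type/Month/Day/Year form from the first post, with the database insert the question asks about, as an added example (not code from either poster). The `entries` table and its columns, the PDO DSN and credentials, and the list of allowed Type options are assumptions.

```php
<?php
// Added example, not from the thread: required-field checks for the
// Name/Type/Month/Day/Year form, then an insert via a prepared statement.
$allowedTypes = array('personal', 'business'); // constructed list of <select> options
// One rule per field. Drop-downs are checked against the options the form
// offers, so a value outside that list is reported, not inserted.
$rules = array(
    'name'  => function ($v) { return strlen($v) <= 100; },
    'type'  => function ($v) use ($allowedTypes) { return in_array($v, $allowedTypes, true); },
    'month' => function ($v) { return ctype_digit($v) && $v >= 1 && $v <= 12; },
    'day'   => function ($v) { return ctype_digit($v) && $v >= 1 && $v <= 31; },
    'year'  => function ($v) { return ctype_digit($v) && $v >= 1900 && $v <= 2100; },
);

// Returns array($errors, $clean): every missing or invalid field is reported
// at once, and only the fields that passed end up in $clean.
function validate(array $post, array $rules) {
    $errors = array(); $clean = array();
    foreach ($rules as $field => $isValid) {
        $value = (isset($post[$field]) && is_string($post[$field])) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[] = "The \"$field\" field is required.";
        } elseif (!$isValid($value)) {
            $errors[] = "The \"$field\" field has an invalid value.";
        } else {
            $clean[$field] = $value;
        }
    }
    return array($errors, $clean);
}

// Bound parameters keep the values out of the SQL text; table/columns assumed.
function insertEntry(PDO $db, array $clean) {
    $sql = 'INSERT INTO entries (name, type, month, day, year)'
         . ' VALUES (:name, :type, :month, :day, :year)';
    return $db->prepare($sql)->execute($clean);
}

if (!empty($_POST)) {
    list($errors, $clean) = validate($_POST, $rules);
    if (empty($errors)) {
        $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'user', 'pass'); // assumed DSN
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        insertEntry($db, $clean);
    } else {
        foreach ($errors as $e) echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```

When errors are present, the form is re-rendered with the posted values passed through htmlspecialchars() as in the view above, so the good values stay in place and the messages list exactly which fields are missing or out of range.
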
Re: Newbie Sanitization and Insert

Posted: Mon Nov 23, 2009 12:33 pm
by Shura
Wow! I get it - thanks!