Malicious Input

Todd_Z
Forum Regular
Posts: 708
Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan

Post by Todd_Z »

I am making a form with about 40 text fields. The question that I have is how to validate those fields so as to eliminate the possibility of malicious content. Anyone have any good functions or tips?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

What I've done with forms is create an extension class to viewtopic.php?t=34883 which interacts with my form processing class.
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

There was a good article in last month's phparch that talked about whitelisting your fields. That's what I'd do. Make an array of your field names as key and the type of validation / name of function as value. Loop through your post with your fields array, validate each field and make an error array, etc.

Check out the ctype series of functions.

http://us2.php.net/manual/en/ref.ctype.php
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

I don't think it's so difficult.

You have to loop over your $_POST array (I am sure you don't use GET for that).

If all the text fields are going to be the same data type, it's as simple as running a custom-made validation function on each value and outputting an error if validation fails.

Otherwise, if they are of different data types,
you can have an array of
fieldname, fieldtype
and then have validation rules for each data type.

So you get the $_POST array,
match the fieldname first by looping; if matched, get the field type,
then run a sub-if block and check for the appropriate data type validation rule.

That's all I could think of.
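The whitelist approach neophyte and raghavan20 describe (field name as key, validation rule as value, loop and collect errors), written out as an added example that is not from the thread or any of its posters. The field names, the rules and the sample submission are all assumed/constructed; it needs PHP 7.4+ for the arrow functions.

```php
<?php
// Constructed sample submission standing in for $_POST (not from the thread).
$input = [
    'username' => 'todd_z',
    'age'      => '2x',              // fails ctype_digit
    'email'    => 'todd@example.com',
    'zip'      => '48109',
    'extra'    => 'not whitelisted', // never read, silently dropped
];

// Whitelist: field name => validator returning true when the value is acceptable.
// Looping over this array (not over $_POST) means unexpected fields are ignored.
$fields = [
    'username' => fn($v) => ctype_alnum(str_replace('_', '', $v)) && strlen($v) <= 32,
    'age'      => fn($v) => ctype_digit($v) && (int)$v <= 150,
    'email'    => fn($v) => filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
    'zip'      => fn($v) => ctype_digit($v) && strlen($v) === 5,
];

/** Returns [clean values, errors keyed by field name]. */
function validate(array $input, array $fields): array
{
    $clean  = [];
    $errors = [];
    foreach ($fields as $name => $check) {
        // A missing or non-string field is an error; the client may omit keys.
        if (!isset($input[$name]) || !is_string($input[$name])) {
            $errors[$name] = 'missing';
            continue;
        }
        $value = trim($input[$name]);
        if (!$check($value)) {
            $errors[$name] = 'invalid';
            continue;
        }
        $clean[$name] = $value;
    }
    return [$clean, $errors];
}

[$clean, $errors] = validate($input, $fields);

// Validation limits what gets stored; escaping on output is still required
// when a value is echoed back into HTML.
foreach ($errors as $name => $why) {
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ": $why\n";
}
```

Because the loop is driven by the whitelist rather than by $_POST, the 'extra' key never reaches $clean, and every listed field is either validated or reported as missing.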