Page 1 of 1

How to check if a textarea is null in $_REQUEST

Posted: Sat Feb 10, 2007 7:05 pm
by mcccy005
I want to be able to test if a textarea field is empty when a user submits the form (I can get it to work fine with text fields, radio fields etc).
The problem is that as soon as a user clicks on the textarea (but enters no data), somehow data registered as being entered into it; so that when the form is submitted and I use if(isset($_REQUEST['field_name'])), it will return true, even though theres actually no actual data in there.
I've also tested to see if the data in the $_REQUEST array is null; blank (ie. " " or "") etc. but can't get it to work.

Worse case scenario, I could just test the string to see if it has any letters (a, A - z, Z) or numbers 0 - 9 or any other characters (eg. /) but this seems a bit long-winded and dodgy and thought there ought to be a better way.

Posted: Sat Feb 10, 2007 10:28 pm
by Ambush Commander
Is there a particular reason why you're using $_REQUEST and not $_GET or $_POST? Not really relevant, but it's bad practice to retrieve data from posted forms via $_REQUEST.

Try !empty($_REQUEST['field_name']); Also, what happens when you var_dump() the field?

Posted: Sun Feb 11, 2007 8:39 am
by feyd
Might need to trim() it first.

Posted: Sun Feb 11, 2007 9:57 am
by RobertGonzalez
I agree with the others. You could try is_null(), but I think a better way would be to use empty(trim($_POST['field'[)).

Posted: Sun Feb 11, 2007 3:25 pm
by jmut
Ambush Commander wrote:Is there a particular reason why you're using $_REQUEST and not $_GET or $_POST? Not really relevant, but it's bad practice to retrieve data from posted forms via $_REQUEST.

Try !empty($_REQUEST['field_name']); Also, what happens when you var_dump() the field?
any particular reason why using $_REQUEST is bad?

Posted: Sun Feb 11, 2007 3:31 pm
by feyd
The data contained in $_REQUEST comes from a variety of sources. Each subsequent source overrides any conflicting elements. The order in which they are read is determined through the variables_order directive.

Posted: Sun Feb 11, 2007 5:30 pm
by mcccy005
The reason I use $_REQUEST is because I created a series of objects to use to easily create an a series of related input forms with various input fields. I probably could change everything to $_POST and not allow the user to specify whether data from the form is sent using $_POST or $_GET, but heard that there was no security loop-holes with it so have left it.

Anyways, I've tried if(null); and if (empty( )) and that doesn't work.

Also, whilst I never use var_dump( ) I'm assuming it will output the same as echo '$_REQUEST['field_name'] which outputs absolutely nothing. If I have text before the echo and after the echo, there isn't even an extra blank space outputted (nor is it in the source code of the outputted html).

I do use stripslashes( ); but I used that AFTER I try to verify the data (but before it enters the database) so perhaps I'll try using trim( ) before-hand tonight and see how that goes.

Thanks.

Posted: Sun Feb 11, 2007 7:10 pm
by RobertGonzalez
is_null() checks to see if a variable is defined as null or is has a null value. empty() tells you whether the string is empty, 0, "0", '', or array().

$_REQUEST is bad because it contains all of the members of the $_GET, $_POST and $_COOKIE arrays. Since PHP treats members of these arrays in certain order, it would be easy for someone to pass a $_GET var into the form action URL of a form and overwrite a $_POST var or even a cookie var. Just on that premise alone, $_REQUEST in an unsafe superglobal to use. The manual even says so.

Posted: Mon Feb 12, 2007 1:29 am
by jmut
but still, I fail to see any security concernes of this? If you check and validate each input it should be no problem. Clearly using $_POST does not make you more secure as any data can be spoofed no matter what.
So bottom line I guess is...you can easily shoot yourself in the foot with the order of GET,POSt etc. if you mixed up your logic in a weird way.

Posted: Mon Feb 12, 2007 9:10 am
by RobertGonzalez
The risk is on the developer. If you want to bear that risk, so be it. Personally, if I know data is coming from POST, I use the POST array. If I know it is coming from GET, I use the GET. I always use the COOKIE array for cookies and the SESSION array for sessions (when I don't build my own session handler). It is not that much harder to do and is less susceptible to user interference.