Whether your validation is enough depends on what you want. If you want to check a field is longer than 1 character after stripping a few bits of HTML then what you have there is enough. I believe it's best to validate every form field based on an expected value. If the user is supposed to enter an email address then I validate the field against an email regular expression, if they're supposed to enter a URL I check the field contains a URL, if it's supposed to be a date then I check it's a valid date, and so on. I find it's best to make sure everything in the form is what it's meant to be simply because it stops clients phoning me up asking why their site looks wrong when they put a telephone number in the email section.
Generic validation, just like generic escaping (à la magic_quotes), is never a good idea; there is always a case where it doesn't work, so avoid doing it. Heed onion2k.
Ha, on second glance, if it isn't $something = strip_tags(...) it just does nothing. Even if it did, dangerous tags and attributes would still pass, leaving vectors for XSS attacks.
If I'm not wrong, the point here is that thiscatis's function is working on the temporary variable $input, not on the original POST variables. So it will not affect $_POST.
It doesn't need to affect $_POST. The function is only validating the data, it's not doing anything with it. Quite frankly I think it's correct: validation functions shouldn't change any data. Leave the data cleansing to another function.
If the point of validation is simply checking, then strip_tags() is not a part of it (not that it affects anything). The only thing doing anything would then be the strlen() check, but where does $error go? If this is the entire function, which as far as has been posted it is, then it goes nowhere and does nothing as well. The only thing that would therefore happen as a result is the function echoing some bits about fields needing corrections because they're less than two characters in length.
<?php
function validateFormInput() {
    foreach ($_POST as $key => $input) {
        // The return value is discarded, so this call has no effect on $input.
        strip_tags($input, '<a><b><i><u><li><div><style><script><br>');
        if (strlen($input) < 2) {
            // Local to this function; nothing outside it can read this flag.
            $error = true;
            echo "<div style=\"form_error\">Please correct the <b>$key</b> field.</div>";
        }
    }
}
?>
It takes the POST array and loops over its keys and values. It looks at a value and, after removing a handful of HTML tags, checks the length of the remaining string. If that is less than 2 chars long, it sets a var that is literally locked in the scope of the function (so it is doing nothing), then echoes out a statement to the browser.
It is just my opinion, but functions should return a value. In this case, you could make this function an is_ function and check its boolean result in your code.
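Pulling the thread's suggestions together (validate each field against the type it is supposed to hold, keep validation free of side effects, and return a boolean instead of echoing), here is an added example written for this page; it is not code from the original thread or from any of its posters. The rules-array layout and the names validateField, validateForm and isValidForm are this example's own invention, and the submission array is constructed sample data standing in for $_POST.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). A rule is ['type' => ..., 'min' => ...];
// this shape and the function names are assumptions for illustration only.

/**
 * Check one value against its expected type. Pure function: it reports a
 * problem (or null when the value is fine) and never modifies the value.
 */
function validateField(string $value, array $rule): ?string
{
    $min = $rule['min'] ?? 2;
    if (strlen($value) < $min) {
        return "must be at least $min characters";
    }

    switch ($rule['type']) {
        case 'text':
            return null;
        case 'email':
            return filter_var($value, FILTER_VALIDATE_EMAIL) === false
                ? 'must be a valid email address' : null;
        case 'url':
            // FILTER_VALIDATE_URL requires a scheme, so a bare host name fails.
            return filter_var($value, FILTER_VALIDATE_URL) === false
                ? 'must be a valid URL' : null;
        case 'date':
            $d = DateTime::createFromFormat('!Y-m-d', $value);
            // createFromFormat rolls 2024-02-30 over to 2024-03-01 instead of
            // failing, so compare the round trip to reject impossible dates.
            return ($d === false || $d->format('Y-m-d') !== $value)
                ? 'must be a date in YYYY-MM-DD form' : null;
        default:
            return 'has no validation rule';
    }
}

/**
 * Validate a whole submission. The input array is a parameter rather than
 * $_POST so the function is testable, and errors are returned, not echoed.
 * Fields the form never defined are reported too: a key that is not in the
 * rules is a sign of a tampered request, not a typo.
 */
function validateForm(array $input, array $rules): array
{
    $errors = [];
    foreach ($rules as $field => $rule) {
        $value = $input[$field] ?? '';
        $msg = validateField((string) $value, $rule);
        if ($msg !== null) {
            $errors[$field] = $msg;
        }
    }
    foreach (array_diff_key($input, $rules) as $field => $_) {
        $errors[$field] = 'is not an expected field';
    }
    return $errors;
}

/** Boolean form, as the thread suggests: true only when nothing failed. */
function isValidForm(array $input, array $rules): bool
{
    return validateForm($input, $rules) === [];
}

// Constructed sample submission standing in for $_POST.
$rules = [
    'name'    => ['type' => 'text', 'min' => 2],
    'email'   => ['type' => 'email'],
    'website' => ['type' => 'url'],
    'dob'     => ['type' => 'date'],
];
$submission = [
    'name'    => 'Jo',
    'email'   => '555 0100',          // a phone number typed into the email field
    'website' => 'https://example.com/',
    'dob'     => '2024-02-30',        // impossible calendar date
];

if (!isValidForm($submission, $rules)) {
    // Escaping belongs to output, not to validation. The field name comes
    // from the request, so it is encoded before being placed in markup.
    foreach (validateForm($submission, $rules) as $field => $msg) {
        $safeField = htmlspecialchars($field, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        echo "<div class=\"form_error\">The <b>$safeField</b> field $msg.</div>\n";
    }
}
```

With this sample input, the phone number in the email field and the 30th of February are both reported, the name and URL pass, and nothing in $submission is changed by the check. Stripping or escaping tags is deliberately left out of the validators: whatever cleaning is wanted happens at the point of output (here htmlspecialchars on the field name), which keeps the validation functions free of side effects as the thread recommends.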