Form Validation
I have decided to create my own form validation functions but I need to know which characters (or combinations of them) i should not accept from users. I'm not talking about 'you cannot enter alphabetic characters in age field' validation, this kind of validation is obvious. What I am looking for could be an article (or your own tips) indicating what kind of malicious user input should be denied. Probably only addslashes isn't enough... or is it? I have seen quite a few articles where they advice 'Filter your data!' but for me this doesn't say enough...
Let's take an example. Say, I have a registration form on my site with a field 'Your Name'. How should I check the $_POST['name'] to be sure nothing malicious is executed in my MySQL db? Should all characters be accepted or not (such as %, (, =, ...)? Would be nice if someone could just tell me how they would check the data of the 'Your Name' field. It would help me to get a better idea on what steps should be taken.
- shiznatix
- DevNet Master
- Posts: 2745
- Joined: Tue Dec 28, 2004 5:57 pm
- Location: Tallinn, Estonia
Easiest idea would be to use mysql_real_escape_string, which will basically escape all the characters.
Best idea would be to write a regular expression for each field and validate against that, but that can be tricky, because if you have a last name field then you would think using only letters would work, but what if their name was O'Riley or something? Then you have to allow ' in it, but then you have to add slashes. But if you think it through enough then you will be able to do it.
There's a number of functions built into PHP that perform these operations anyway. Such as:
mysql_real_escape_string(string): Used to escape a string to be safely used in a MySQL query.
strip_tags(string): Used to strip potentially risky HTML tags from a string.
addslashes(string): The most basic function which merely adds slashes where necessary to a provided string.
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
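An added example of the per-field regular-expression approach suggested above, written for current PHP (not code from anyone in this thread). It assumes a PDO connection and a hypothetical `users` table with a `name` column; the sample inputs are constructed. The mysql_* functions have been removed from PHP, so the insert uses a prepared statement, which sends the apostrophe in O'Riley as data rather than splicing it into the SQL text, so no addslashes() is needed.

```php
<?php
// Validate a "Your Name" field with an allow-list: letters from any script,
// combining marks, spaces, apostrophes and hyphens. Anything else (digits,
// %, (, =, <, control characters, ...) is rejected rather than escaped.
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    // Length bounds reject empty input and absurdly long values.
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // \p{L} = any letter, \p{M} = combining mark; /u makes the pattern UTF-8 aware.
    if (!preg_match("/^[\\p{L}\\p{M}' -]+$/u", $name)) {
        return null;
    }
    return $name;
}

// Store the validated name. Because the value is bound as a parameter,
// O'Riley is handled correctly without any manual escaping.
// (Assumes a hypothetical table `users` with a `name` column.)
function store_name(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Constructed sample inputs: two legitimate names, one SQL-style probe,
// one HTML fragment and one empty string.
$samples = ["O'Riley", "Anna-Maria Müller", "x' OR 1=1 -- ", "<b>bob</b>", ""];
foreach ($samples as $s) {
    $ok = validate_name($s);
    echo var_export($s, true), ' => ', ($ok === null ? 'rejected' : 'accepted'), "\n";
}
```

When the stored name is later printed into a page, it still needs htmlspecialchars() on output; the allow-list above guards the database, not the HTML.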
In which case he could use the built in ctype functions:
The function in bold is of particular value.
Taken from: http://uk.php.net/ctype
ctype_alnum -- Check for alphanumeric character(s)
ctype_alpha -- Check for alphabetic character(s)
ctype_cntrl -- Check for control character(s)
ctype_digit -- Check for numeric character(s)
ctype_graph -- Check for any printable character(s) except space
ctype_lower -- Check for lowercase character(s)
ctype_print -- Check for printable character(s)
ctype_punct -- Check for any printable character which is not whitespace or an alphanumeric character
ctype_space -- Check for whitespace character(s)
ctype_upper -- Check for uppercase character(s)
ctype_xdigit -- Check for character(s) representing a hexadecimal digit
- The Monkey
- Forum Contributor
- Posts: 168
- Joined: Tue Mar 09, 2004 9:05 am
- Location: Arkansas, USA