Form Validation
Posted: Thu Aug 04, 2005 4:30 pm
by Ree
I have decided to create my own form validation functions, but I need to know which characters (or combinations of them) I should not accept from users. I'm not talking about 'you cannot enter alphabetic characters in the age field' validation; this kind of validation is obvious. What I am looking for could be an article (or your own tips) indicating what kind of malicious user input should be denied. Probably only addslashes isn't enough... or is it? I have seen quite a few articles where they advise 'Filter your data!' but for me this doesn't say enough...
Posted: Thu Aug 04, 2005 5:03 pm
by feyd
I don't deny anything, I just convert it to a usable form the server can deal with and convert it back if the user needs to see it..
Posted: Fri Aug 05, 2005 5:30 am
by Ree
Let's take an example. Say, I have a registration form on my site with a field 'Your Name'. How should I check the $_POST['name'] to be sure nothing malicious is executed in my MySQL db? Should all characters be accepted or not (such as %, (, =, ...)? Would be nice if someone could just tell me how they would check the data of the 'Your Name' field. It would help me to get a better idea on what steps should be taken.
Posted: Fri Aug 05, 2005 6:15 am
by shiznatix
Easiest idea would be to use mysql_real_escape_string, which will basically escape all the characters.
Best idea would be to write a regular expression for each field and validate against that, but that can be tricky: if you have a last name field you would think using only letters would work, but what if their name was O'Riley or something? Then you have to allow ' in it, but then you have to add slashes. But if you think it through enough, you will be able to do it.
Posted: Fri Aug 05, 2005 7:20 am
by timvw
Or use prepared statements (adodb can emulate them if your dbms doesn't support them), and don't worry about mysql_real_escape_string...
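The two suggestions above (a per-field whitelist regex that still admits O'Riley, and a prepared statement instead of escaping) fit together. This is an added example, not code from anyone in the thread; it assumes PHP 5.1 or later with PDO and the pdo_mysql driver in place of the adodb emulation timvw mentions, and the DSN, credentials and `users` table are placeholders.

```php
<?php
// Added example (not from the thread): whitelist-validate a 'Your Name' field,
// then store it with a prepared statement so the database driver, not string
// escaping, keeps the value separate from the SQL text.

/**
 * Returns true if $name looks like a person's name: letters, spaces and the
 * apostrophe, hyphen, period and ampersand that real names contain
 * (O'Riley, Anne-Marie, J. R. Ewing). Length is capped so the field cannot
 * be used to stuff arbitrary data into the row.
 */
function is_valid_name($name)
{
    if (!is_string($name)) {
        return false;
    }
    // \A and \z anchor the whole string; without them a newline followed by
    // junk could still match. {0,63} bounds the total length to 64 characters.
    return preg_match("/\\A[A-Za-z][A-Za-z .'&-]{0,63}\\z/", $name) === 1;
}

/**
 * Inserts the name using a bound parameter. The value never becomes part of
 * the SQL string, so the apostrophe in O'Riley needs no escaping here.
 */
function insert_name(PDO $db, $name)
{
    if (!is_valid_name($name)) {
        throw new InvalidArgumentException('Name rejected by validation');
    }
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    return $stmt->execute();
}

// Constructed sample inputs and the verdict the validator should give.
$samples = array(
    "O'Riley"                   => true,   // apostrophe is on the allow list
    "Anne-Marie Smith"          => true,
    "J. R. Ewing"               => true,
    "Bob' OR '1'='1"            => false,  // ' is allowed, but = and digits are not
    "<script>alert(1)</script>" => false,  // < > ( ) / are not allowed
    "%"                         => false,
    ""                          => false,  // at least one leading letter required
);
foreach ($samples as $input => $expected) {
    $verdict = (is_valid_name($input) === $expected) ? 'ok' : 'MISMATCH';
    printf("%-30s %s\n", $input, $verdict);
}

// Usage with a real database (placeholders; not executed by the self-check above):
// $db = new PDO('mysql:host=localhost;dbname=example', 'user', 'password');
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares where the driver supports them
// insert_name($db, "O'Riley");
```

The whitelist is ASCII-only, so it has the same limitation as the `[a-zA-Z ]` suggestion later in the thread: names with accented letters (José, Müller) are rejected and the allowed set has to be widened deliberately if that matters. Separately, the validation does not replace the prepared statement; the regex decides what the application accepts, and the bound parameter is what keeps an accepted value out of the query text.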
Posted: Mon Aug 08, 2005 12:40 pm
by Ashiro
There's a number of functions built into PHP that perform these operations anyway. Such as:
mysql_real_escape_string(string): Used to escape a string to be safely used in a MySQL query.
strip_tags(string): Used to strip potentially risky HTML tags from a string
addslashes(string): The most basic function which merely adds slashes where necessary to a provided string.
Posted: Mon Aug 08, 2005 1:20 pm
by Ambush Commander
Err, I think what Ree's asking about is what exactly should be in a Name field. For example, it's very unlikely that a person has a "%" or a "\" in their name.
Hmm, probably [a-zA-Z ] and maybe extra characters '-' and '.' and '&' and "'".
Posted: Mon Aug 08, 2005 1:56 pm
by Ashiro
In which case he could use the built-in ctype functions:
ctype_alnum -- Check for alphanumeric character(s)
ctype_alpha -- Check for alphabetic character(s)
ctype_cntrl -- Check for control character(s)
ctype_digit -- Check for numeric character(s)
ctype_graph -- Check for any printable character(s) except space
ctype_lower -- Check for lowercase character(s)
ctype_print -- Check for printable character(s)
ctype_punct -- Check for any printable character which is not whitespace or an alphanumeric character
ctype_space -- Check for whitespace character(s)
ctype_upper -- Check for uppercase character(s)
ctype_xdigit -- Check for character(s) representing a hexadecimal digit
Taken from:
http://uk.php.net/ctype
The function in bold is of particular value.
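The ctype functions return true only when every byte of a non-empty string is in the class, so `ctype_alpha("O'Riley")` is false and the punctuation a name may contain has to be handled before the check. The following is an added example, not from the thread; it assumes the default C locale, and the 64-character limit and the list of allowed punctuation are choices taken from the earlier posts, not PHP defaults.

```php
<?php
// Added example (not from the thread): checking a name field with ctype_alpha().
// The allowed punctuation is stripped first; whatever remains must be letters.

function is_valid_name_ctype($name)
{
    // ctype_*() expects a string. An integer argument is treated as an ASCII
    // code point (deprecated in PHP 8.1), so reject non-strings up front.
    // Empty strings are rejected too; ctype_alpha('') is false anyway, but the
    // length check makes the rule explicit.
    if (!is_string($name) || $name === '' || strlen($name) > 64) {
        return false;
    }
    // Remove the characters the thread suggests allowing in names.
    $letters_only = str_replace(array(' ', "'", '-', '.', '&'), '', $name);
    if ($letters_only === '') {
        return false;   // nothing but punctuation, e.g. "--"
    }
    // ctype_alpha() is locale based and works per byte: in the C locale only
    // A-Z and a-z pass, so UTF-8 accented letters fail this check.
    return ctype_alpha($letters_only);
}

// Constructed sample inputs and the verdict the validator should give.
$samples = array(
    "O'Riley"                    => true,
    "Mary Ann"                   => true,
    "O'Riley; DROP TABLE users"  => false,  // ';' survives the strip, so ctype_alpha fails
    "Jos\xC3\xA9"                => false,  // "José" in UTF-8 is rejected in the C locale
    "4ndy"                       => false,  // digits are not alphabetic
    ""                           => false,
    "-"                          => false,
);
foreach ($samples as $input => $expected) {
    $verdict = (is_valid_name_ctype($input) === $expected) ? 'ok' : 'MISMATCH';
    echo str_pad($input, 30), $verdict, "\n";
}
```

The "José" row is the caveat to keep in mind: ctype_alpha() answers a byte-level, locale-dependent question, so for a site that expects non-ASCII names this check is too strict and a Unicode-aware test (for example preg_match with the `u` modifier and `\p{L}`) is the better fit.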
Posted: Mon Aug 08, 2005 6:48 pm
by The Monkey
Wow, I had no idea about the ctype functions! Many thanks.