
Form Data > Validation and Cleaning

Posted: Tue Aug 21, 2007 12:27 am
by kkonline
I am using the following algorithm/flow/pseudocode for
validation and cleaning of data entered by the users
in the form (consisting of fields like name,
main article (text type in the db),
mood for election (should ONLY be 1, 2, 3 ... 6)).

Question> It seems that everywhere I have to use if and else statements,
giving me around 8-10 if/else statements in this check.
Please look at the approach and tell me if there is a better solution
or if I am missing anything, or tell me if there is any important check
that can be performed on a particular field which I have missed.

Basically I just want you to go through the algorithm, discuss its weak points
and suggest some solutions to it.

Initially faultflag=0;

A> Cross-Site Request Forgery check
A1> Token checking -> if incorrect print "invalid source!" and exit;
A2> Timeout detection -> if timeout print "Timeout!" and exit;
A3> If the source is correct (correct domain) Goto B>


B> Check Captcha (prevents spambots)
B1> If wrong print "wrong captcha" $faultflag++;
B2> If correct, Goto C> (till now data from correct source and not a spambot)


C> C1> If (isset($_POST['name']))
C2> If yes (some name was posted) THEN validate maxlength <= 30 and check D>
else print "too long" faultflag++;
C3> else print "you forgot to write name" faultflag++;



D> Similar to C, check for title and its length
If valid goto E>

E> E1> If (isset($_POST['maintext']))
E2> If yes (some article was posted) THEN validate; if valid goto F>
E3> else print "you forgot to write article" faultflag++;


Ques 1> In point E2>, if the article is posted, how should I validate
it? In the db I am using the text type to store the value, as
the article could be very long. Or should I use some other type
for articles in the db? Or should I use text (varchar(2500)), for example?


F> F1> If (isset($_POST['mood']))
F2> If yes (some mood was posted) THEN validate it to be a number from 1 to 6.
else print "wrong mood" faultflag++;
If valid goto G>
F3> else print "you forgot to write mood" faultflag++;


G> G1> If (faultflag > 0) print "there are $faultflag errors, fill
the form again" and link to the form;
G2> else (when no errors) connect to db

H> [Assuming the "clean" data is in name, mood, maintext]
mysql_real_escape() the name, mood, maintext
trim the name, mood, maintext

Store to db

For displaying the data after extracting it from the db, I am
converting it into XML format and use the following protection
on the data which is to be printed:
htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');

Ques 2> Should I ALSO use the class written by Christian Stocker
for prevention of XSS before displaying the data in XML,
http://svn.bitflux.ch/repos/public/popo ... linput.php
(or use htmlentities alone?)

Posted: Tue Aug 21, 2007 1:01 am
by matthijs
A good pattern to use in your form validation routines is the strategy pattern. See http://www.phppatterns.com/docs/design/strategy_pattern. We've talked a couple of times about using this, for example here.
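
The following is an added example, not code from either post above or from the phppatterns article: the A> to H> flow of the first post, with the per-field checks (steps C to F) written as a table of small rule callables in the spirit of the strategy pattern matthijs points to, so that adding a field adds a row rather than another if/else. The CSRF token check (step A) and the captcha check (step B) run before the field rules, and the final store (step H) uses a prepared statement instead of escaping. The 'token' and 'captcha' field names, the title and article length limits, the session layout and the table and column names are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. The A>..H> flow as a table of per-field
// rules rather than a chain of if/else, in the spirit of the strategy pattern
// matthijs points to. Assumed: the 'token' and 'captcha' field names, the
// title/article limits, the session layout and the table/column names.
declare(strict_types=1);

const MAX_NAME    = 30;     // from the post
const MAX_TITLE   = 100;    // assumed; the post gives no number
const MAX_ARTICLE = 20000;  // assumed cap for a TEXT column
const TOKEN_TTL   = 900;    // assumed CSRF token lifetime in seconds

// A rule is fn(?string $value): ?string, returning null when the value passes.
function required(): callable {
    return fn(?string $v): ?string => ($v === null || trim($v) === '') ? 'missing' : null;
}
function maxLength(int $max): callable {
    return fn(?string $v): ?string =>
        ($v !== null && mb_strlen($v, 'UTF-8') > $max) ? "longer than $max characters" : null;
}
function oneOf(array $allowed): callable {
    return fn(?string $v): ?string => ($v !== null && !in_array($v, $allowed, true)) ? 'not allowed' : null;
}

// Steps C..F: one row per field. A new field is a new row, not another if/else.
function rules(): array {
    return [
        'name'     => [required(), maxLength(MAX_NAME)],
        'title'    => [required(), maxLength(MAX_TITLE)],
        'maintext' => [required(), maxLength(MAX_ARTICLE)],
        'mood'     => [required(), oneOf(['1', '2', '3', '4', '5', '6'])],  // exact strings, not a range test
    ];
}

// Step A: the token must be the one issued to this session and must not be stale.
function csrfOk(array $post, array $session, int $now): bool {
    if (!isset($post['token'], $session['token'], $session['token_issued'])) {
        return false;
    }
    if ($now - (int)$session['token_issued'] > TOKEN_TTL) {
        return false;                                   // A2: timeout
    }
    return hash_equals((string)$session['token'], (string)$post['token']);  // A1: constant-time compare
}

// Step B: compare with the answer stored when the image was generated (generation not shown).
function captchaOk(array $post, array $session): bool {
    return isset($post['captcha'], $session['captcha'])
        && hash_equals(strtolower((string)$session['captcha']), strtolower((string)$post['captcha']));
}

// Steps C..G: run every rule and collect all messages; count($errors) is the post's $faultflag.
function validate(array $post, array $session): array {
    $errors = captchaOk($post, $session) ? [] : ['captcha' => 'wrong captcha'];
    foreach (rules() as $field => $fieldRules) {
        $value = isset($post[$field]) ? (string)$post[$field] : null;
        foreach ($fieldRules as $rule) {
            if (($msg = $rule($value)) !== null) {
                $errors[$field] = $msg;
                break;                                  // first failing rule per field
            }
        }
    }
    return $errors;
}

// Step H: a prepared statement replaces mysql_real_escape_string(); trimming is the only "cleaning".
function store(PDO $pdo, array $post): void {
    $stmt = $pdo->prepare(
        'INSERT INTO articles (name, title, maintext, mood) VALUES (:name, :title, :maintext, :mood)'
    );
    $stmt->execute([
        ':name'     => trim($post['name']),
        ':title'    => trim($post['title']),
        ':maintext' => trim($post['maintext']),
        ':mood'     => (int)$post['mood'],
    ]);
}

// Constructed request; in the real handler these are $_POST and $_SESSION.
$session = ['token' => bin2hex(random_bytes(16)), 'token_issued' => time(), 'captcha' => 'x7k2'];
$post    = [
    'token'    => $session['token'],
    'captcha'  => 'X7K2',
    'name'     => 'kk',
    'title'    => 'Hello',
    'maintext' => 'A short article.',
    'mood'     => '7',                                  // outside 1..6, so oneOf() rejects it
];

if (!csrfOk($post, $session, time())) {
    exit('invalid source!');
}
$errors = validate($post, $session);
if ($errors !== []) {
    echo 'there are ', count($errors), " error(s), fill the form again\n";
    foreach ($errors as $field => $msg) {
        echo "  $field: $msg\n";
    }
} else {
    // store(new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass'), $post);
}
```

Two points worth noting against the original flow. The post stops at the first failing field; the table above runs every field so the user gets all messages in one round trip, and the CSRF check exits before any of that because a failed token is not a user error. On Ques 1, the article gets the same treatment as every other field: a length cap checked with mb_strlen() before the query, since a MySQL TEXT column stores up to 65,535 bytes and silently truncating at insert is not validation. The captcha comparison here is case-insensitive on purpose; whether that is right depends on what the captcha image shows.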

Posted: Tue Aug 21, 2007 3:07 am
by Mordred
As I already answered here: viewtopic.php?p=411062#411062, that code is not safe to use. I won't go into details here, as it is used in production code (albeit on a small scale).

htmlspecialchars() with ENT_QUOTES and the proper encoding should be enough (unless you do something stupid with the output, that is).
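
As an added example (not code from the thread), here is what Mordred's ENT_QUOTES advice buys over the htmlentities(..., ENT_NOQUOTES, 'UTF-8') call in the first post, shown per output context: element text, a quoted attribute, and the XML the first post builds from db rows. The attacker string, the surrounding markup and the sample article text are constructed for illustration.

```php
<?php
// Added example, not from the thread: the difference between the post's
// htmlentities(..., ENT_NOQUOTES) and the htmlspecialchars(..., ENT_QUOTES)
// Mordred recommends, shown per output context. The attacker string and the
// surrounding markup are constructed for illustration.
declare(strict_types=1);

// A plausible "name" value. Note that it contains no '<' or '>' at all.
$name = '" onmouseover="alert(1)';

// The post's choice: quotes are left alone.
$noQuotes = htmlentities($name, ENT_NOQUOTES, 'UTF-8');
// Mordred's choice: both quote characters are encoded. ENT_SUBSTITUTE (PHP 5.4+)
// makes invalid UTF-8 come out as U+FFFD instead of turning the result into ''.
$quoted = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// Context 1: element text. Both are safe here; only '<', '>' and '&' matter.
echo "<p>$noQuotes</p>\n";
echo "<p>$quoted</p>\n";

// Context 2: a double-quoted attribute. $noQuotes closes the title attribute and
// the rest of the string becomes a new event-handler attribute; $quoted stays inert.
echo "<a title=\"$noQuotes\">from htmlentities/ENT_NOQUOTES</a>\n";
echo "<a title=\"$quoted\">from htmlspecialchars/ENT_QUOTES</a>\n";

// Context 3: the XML the post generates from db rows. ENT_XML1 restricts the
// output to XML's predefined entities and numeric references; htmlentities()
// would emit HTML-only names such as &eacute; that an XML parser does not know.
function xmlText(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_XML1 | ENT_SUBSTITUTE, 'UTF-8');
}
echo '<article name="', xmlText($name), '">', xmlText("caf\xC3\xA9 & <b>"), "</article>\n";

// The silent-failure case: without ENT_SUBSTITUTE a single bad byte empties the string,
// so the "escaped" value that reaches the page is nothing at all.
function escapeLength(string $s, bool $substitute): int {
    $flags = ENT_QUOTES | ($substitute ? ENT_SUBSTITUTE : 0);
    return strlen(htmlspecialchars($s, $flags, 'UTF-8'));
}
printf("without ENT_SUBSTITUTE: %d bytes, with: %d bytes\n",
    escapeLength("ok\xFF", false), escapeLength("ok\xFF", true));
```

The point of the three contexts is Mordred's parenthetical about "something stupid with the output": the same escaped string is safe as element text and unsafe inside an attribute if quotes were not encoded, and the function that is right for HTML is not automatically right for an XML document. Pick the escaper by where the value lands, and pass the charset explicitly every time.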