Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
What's the best practice for validating form fields before submitting to a database or e-mail? Up until now, I've been checking each field against a validateField function, which makes sure that the field is not empty and doesn't have funky characters. But what if I have 20 form fields? Instinct tells me to forget 20 if statements and use a foreach looping through my $_POST array. But is this practice safe? Thanks.
This method works well...but is it the best for many fields?
Thanks for responding kaisellgren. Actually, I just want to know if the way I'm checking the fields BEFORE I send them to validateFields_pf.php or hybMail.php is the best way. If I had 20 fields, should I create 20 different 'check' variables? Or should I use a foreach loop on my $_POST array?
cbearhoney wrote: Actually, I just want to know if the way I'm checking the fields BEFORE I send them to validateFields_pf.php or hybMail.php is the best way.
What do you mean? You are not checking anything prior to sending them to validateField(), are you? And I doubt your mail function does any data filtering.
cbearhoney wrote: If I had 20 fields, should I create 20 different 'check' variables? Or should I use a foreach loop on my $_POST array?
<?php
// Callback run once per field value; aborts the request as soon as a value fails
// validateField() (the poster's own validation function, assumed to be defined elsewhere).
function callback_func($v)
{
    if (!validateField($v))
        die('...');
}
// array_walk() takes its array by reference, so the values have to sit in a variable;
// passing a literal array() expression directly is a fatal error in PHP.
$fields = array($_POST['ad_name'], $_POST['ad_co'], $_POST['ad_phone']);
array_walk($fields, 'callback_func');
Just a simple demonstration that you could use for validation.
I have a strong feeling that your validation is improper, though.
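As an added example (not code from the thread or from either poster), one way to validate many fields without 20 if statements and without looping over the attacker-controlled keys of $_POST: keep a table of the fields the form is expected to submit and iterate over that table, so unexpected keys are dropped and missing ones are reported. The field names ad_name, ad_co and ad_phone come from the thread; the rules, length limits and patterns are assumptions made for illustration.

```php
<?php
// Validation rules keyed by the field names the form is expected to submit
// (names taken from the thread; the rules themselves are constructed for this example).
$rules = array(
    'ad_name'  => array('required' => true, 'max' => 60,  'pattern' => '/^[\p{L} \'.-]+\z/u'),
    'ad_co'    => array('required' => true, 'max' => 100, 'pattern' => '/^[\p{L}\p{N} &\'.,-]+\z/u'),
    'ad_phone' => array('required' => true, 'max' => 20,  'pattern' => '/^\+?[0-9 ()-]{6,20}\z/'),
);

// Validate a submitted array against $rules. Iterates over the rules, never over the
// submission, so keys the form never defined are ignored. Returns an array of error
// messages (empty when everything is valid) and fills $clean with only the validated values.
function validateFields(array $rules, array $input, array &$clean)
{
    $errors = array();
    $clean  = array();
    foreach ($rules as $name => $rule) {
        $value = isset($input[$name]) ? $input[$name] : '';
        if (!is_string($value)) {              // a name[] input arrives as an array, not a string
            $errors[$name] = 'invalid type';
            continue;
        }
        $value = trim($value);
        if ($value === '') {
            if (!empty($rule['required'])) {
                $errors[$name] = 'required';
            }
            continue;
        }
        if (strlen($value) > $rule['max']) {   // byte length: a hard cap before the regex runs
            $errors[$name] = 'too long';
            continue;
        }
        if (!preg_match($rule['pattern'], $value)) {
            $errors[$name] = 'invalid characters';
            continue;
        }
        $clean[$name] = $value;
    }
    return $errors;
}

$clean  = array();
$errors = validateFields($rules, $_POST, $clean);
if ($errors) {
    // Re-display the form with the messages; only $clean is ever passed on to mail or the database.
}
```

Collecting errors into an array instead of calling die() on the first failure lets the form report every bad field at once while still refusing to pass anything unvalidated downstream.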