Validating textarea -> TEXT mysql column

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

When I validate a form field input for something like a "first name", that is to be put in a "first_name" MySQL database column of VARCHAR(15) type... I usually validate the form field by doing something like this:

Code:

if(isset($_POST['firstName']) && is_string($_POST['firstName']) && strlen($_POST['firstName']) <= 15)
{
     echo 'Validated';
}
But how can I validate the length of a textarea input in a form that is to be put in a TEXT type MySQL column? Should I do this?

Code:

if(strlen($_POST['textArea']) <= 65535) { echo 'Validated'; }
65535 because that is the character max of the TEXT MySQL column-type. Is this advisable to do as far as length checking? Or is this overkill for something like a textarea? Thanks for any advice you can give! Take care.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

MySQL will automatically clip the text if it exceeds the length allowed.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Depends on how many characters you want to allow.

If you want to allow 65,535 or whatever characters then yes, mysql will clip it for you (but that's a lot of characters!)

If you want to limit it, do something like :

Code:

$text = substr($_POST['text'],0,15000);
Technocrat
Forum Contributor
Posts: 127
Joined: Thu Oct 20, 2005 7:01 pm

Post by Technocrat »

Probably better to write a function to validate this, since I am betting you're going to do this more than once.

Something like:

Code:

// Returns true only for a non-empty string of at most $size bytes (strlen counts bytes).
function stringValidate($string, $size=65535) {
    if(isset($string) && is_string($string) && !empty($string) && strlen($string) <= $size) return true;
    return false;
}
stringValidate($_POST['text']);
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

If I may ask: what is the reason to use is_string in this case? Is it an extra measure? Is the POST data (or GET if one uses that) not always a string?
(just curious, as I haven't used that function before)
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I would guess he uses is_string to make sure it is not an array? Just a guess.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Yes, of course. But maybe I should rephrase my question then: what happens if you leave that out? Isn't a POST variable (if you use the function for that) not always a string? What happens if you leave the is_string out and feed the function an array? Aargh, too many questions :) I'll have to do some research myself I guess ;)
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

No reference to empty()...

Should use ctype_* family of functions if it's a string with a specific restraint - alphanumeric/alphabetic/numeric (whole number)/etc.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

matthijs wrote: Isn't a POST variable (if you use the function for that) not always a string?

Element of the POST array could be an array itself.
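The following is an added example that is not part of the thread and not any poster's code; the function names (validateTextField, truncateUtf8Bytes) and the sample inputs are mine. It ties the thread's points together: a $_POST element can be an array (a field named text[] produces one), so is_string() is what stops strlen() from failing; a MySQL TEXT column holds 65535 bytes, not characters, so the comparison must use strlen(), which counts bytes, rather than mb_strlen(); and if you truncate instead of rejecting, cut on a byte boundary with mb_strcut() so a multibyte character is not split the way substr() would. One caveat on the "MySQL will clip it" answer: that only happens when the server is not in strict mode; with STRICT_TRANS_TABLES in sql_mode (the default since MySQL 5.7) an oversized insert fails with error 1406 "Data too long" instead of being truncated, which is one more reason to check the length in PHP first.

```php
<?php
// Added example: validating and safely truncating a textarea value that is
// destined for a MySQL TEXT column. Not code from the original thread.

const MYSQL_TEXT_MAX_BYTES = 65535; // TEXT stores at most 65535 bytes

/**
 * Returns true if $post[$key] exists, is a string (not an array), and is at
 * most $maxBytes bytes long. strlen() counts bytes, which is what MySQL
 * compares against the column limit.
 */
function validateTextField(array $post, string $key, int $maxBytes = MYSQL_TEXT_MAX_BYTES): bool
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        // Missing field, or an array from a form field named text[]
        // (in PHP 8, strlen() on an array throws a TypeError; in PHP 7
        // it returns null with a warning, so the comparison silently passes).
        return false;
    }
    return strlen($post[$key]) <= $maxBytes;
}

/**
 * Truncates a UTF-8 string to at most $maxBytes without splitting a
 * multibyte character. substr() cuts at a raw byte offset and can leave a
 * dangling lead byte, producing invalid UTF-8.
 */
function truncateUtf8Bytes(string $s, int $maxBytes): string
{
    return mb_strcut($s, 0, $maxBytes, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST (assumption: the form
// field is named "text").
$samples = [
    'ascii_short'   => ['text' => str_repeat('a', 1000)],
    'array_value'   => ['text' => ['a', 'b']],              // text[]=a&text[]=b
    'missing'       => [],
    'utf8_too_long' => ['text' => str_repeat('é', 40000)], // 40000 chars but 80000 bytes
];

foreach ($samples as $name => $post) {
    printf("%-14s valid=%s\n", $name, validateTextField($post, 'text') ? 'yes' : 'no');
}

// Truncation that respects both the byte limit and character boundaries.
$long = str_repeat('é', 40000);
$cut  = truncateUtf8Bytes($long, MYSQL_TEXT_MAX_BYTES);
printf(
    "truncated: bytes=%d chars=%d valid_utf8=%s\n",
    strlen($cut),
    mb_strlen($cut, 'UTF-8'),
    mb_check_encoding($cut, 'UTF-8') ? 'yes' : 'no'
);

// For comparison, substr() at the same byte offset can split a character.
$bad = substr($long, 0, MYSQL_TEXT_MAX_BYTES);
printf("substr:    bytes=%d valid_utf8=%s\n", strlen($bad), mb_check_encoding($bad, 'UTF-8') ? 'yes' : 'no');
```

Whether you reject or truncate is a product decision, but do it in PHP before the INSERT rather than relying on the column to clip, and use the same unit (bytes) the column limit is expressed in.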