----- Original Message -----
From: "bruce" <bedouglas@xxxxxxxxxxxxx>
To: <php-general@xxxxxxxxxxxxx>
Sent: Thursday, September 22, 2005 8:05 PM
Subject: basic user/input form questions... more validation!
hi...
forgive me!!!
Ok; -) Why? You're just asking... :-)
continuing the thread from yesterday regarding filtering. (and thanks to all the msgs)
for simplicity. let's deal with a simple user input form, that's going to place the information in a db.
if the app allows the user to enter the input (call it 'foo') and then submits the form via a POST, where the data is then written to the db, what kind of validation should occur? and where should the validation take place?
What kind of validation depends on your application. If the foo variable must be an integer, then you'll have to check if foo is numeric with is_numeric(). If foo is a string and the length matters, then you would have to validate so the length isn't more than expected with the strlen() function.
But in all cases you'll have to check if the foo variable is set with isset().
for my $0.02 worth, there should be validation of the 'foo' var, to determine if the var is legitimate. there should also be validation/filtering of the var when it's placed in the db_sql command...
my question (and it's basic), what validation should be performed on the 'foo' var, and why? i've seen htmlspecialchars/magic_quotes/etc.. in various articles, but i can't find a definitive answer!!
You'll have to quote only the variables inside a sql-string. You must use
mysql_real_escape_string for creating a "safe" db-string..
Example:
$sql = "SELECT ID from Table WHERE Foo=" . safeQuote($foo);
and the function safeQuote is like this...
function safeQuote($value)
{
    // Undo magic_quotes_gpc escaping first, so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape and quote if not integer; integers go into the SQL as-is
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    // Hand back the quoted value so it can be concatenated into the SQL string
    return $value;
}
I hope this helps a little...
/G
http://www.varupiraten.se/
also, when inserting/updating a db item, what is the 'correct' process for data? should all data that gets inserted into a db be quoted? if it should, what's the 'standard' practice?
pseudo examples of this stuff would be really helpful!
thanks for clarifying some of these issues...
-bruce
bedouglas@xxxxxxxxxxxxx
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
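Putting the replies together, here is an added example of the validate-then-quote flow for a posted 'foo' field. It is not code from the thread or from /G's site: the field name, the table and column names, the length limit of 64 and the use of an in-memory SQLite database (so it runs offline) are all assumptions. It shows the isset/is_numeric/strlen checks the reply describes, a safeQuote() that takes the escaper as a parameter, and, as an alternative the thread does not mention, a prepared statement where the value is bound instead of spliced into the SQL text.

```php
<?php
// Added example (not from the thread). Validates a posted 'foo' field, then
// stores it two ways: manual quoting with an escaper (the thread's approach)
// and a prepared statement with a bound value. Names and limits are assumed.

define('FOO_MAX_LEN', 64); // assumed business limit for the string form of foo

// Returns an int, a string, or null when the input must be rejected.
function validateFoo(array $post)
{
    if (!isset($post['foo']) || !is_string($post['foo'])) {
        return null;                                  // field missing or malformed
    }
    $foo = $post['foo'];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $foo = stripslashes($foo);                    // see the real bytes the user sent
    }
    if (preg_match('/^-?[0-9]{1,10}$/', $foo)) {
        return (int) $foo;                            // strict integer, unlike is_numeric()
    }
    if (strlen($foo) > FOO_MAX_LEN || preg_match('/[\x00-\x1F\x7F]/', $foo)) {
        return null;                                  // too long or contains control bytes
    }
    return $foo;
}

// Quote an already validated value for a SQL string. $escape is the escaper
// for the database in use (for MySQL, mysqli_real_escape_string bound to a
// live connection); integers are returned unquoted.
function safeQuote($value, callable $escape)
{
    return is_int($value) ? (string) $value : "'" . $escape($value) . "'";
}

// Constructed request data standing in for $_POST.
$samples = array(
    array('foo' => '42'),
    array('foo' => "O'Reilly"),
    array('foo' => str_repeat('x', 65)),    // rejected: over FOO_MAX_LEN
    array(),                                // rejected: field not set
);

$pdo = new PDO('sqlite::memory:');          // in-memory DB so the example runs offline
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Table1 (ID INTEGER PRIMARY KEY, Foo TEXT)');

// SQLite's string escaping is quote doubling; with MySQL you would pass
// mysqli_real_escape_string here instead of this closure.
$sqliteEscape = function ($s) { return str_replace("'", "''", $s); };

foreach ($samples as $post) {
    $foo = validateFoo($post);
    if ($foo === null) {
        echo "rejected\n";
        continue;
    }
    // 1) Manual quoting, as in the thread's safeQuote().
    $pdo->exec("INSERT INTO Table1 (Foo) VALUES (" . safeQuote($foo, $sqliteEscape) . ")");
    // 2) Prepared statement: the value is bound, never part of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO Table1 (Foo) VALUES (:foo)');
    $stmt->bindValue(':foo', $foo, is_int($foo) ? PDO::PARAM_INT : PDO::PARAM_STR);
    $stmt->execute();
    echo "stored: " . var_export($foo, true) . "\n";
}
echo $pdo->query('SELECT COUNT(*) FROM Table1')->fetchColumn() . " rows\n";
```

The validation step runs before any SQL is built, and the quoting step only ever sees values that passed it; keeping the escaper as a parameter is what lets safeQuote() be exercised against SQLite here and against MySQL in production. Note that is_numeric() also accepts forms such as "1e3" and leading whitespace, which is why the integer check above uses a strict pattern instead.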