RE: basic user/input form questions... more validation!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



bruce <mailto:bedouglas@xxxxxxxxxxxxx>
    on Thursday, September 22, 2005 11:05 AM said:

> if the app allows the user to enter the input (call it 'foo') and then
> submits the form via a POST, where the data is then written to the
> db, what kind of validation should occur?

Depends on what kind of a form field 'foo' is. Is it a name? A zip code?
A phone number?

If it's a zip code you can do a simple regex "\d{5}(-\d{4})?" to make
sure it follows the correct (US) format. If it passes the test you know
it's safe to be put into the database. This kind of data does not need
to be escaped.

On the other hand if it's a name you'll first want to make sure it's the
correct length and contains only the characters you want it to. If the
data passes all the tests you'll definitely want to escape the string
before you insert it into the db because some names might have an
apostrophe in them which will cause an error during insertion. No need
to run htmlspecialchars() in this case since a name that has < or > (or
similar characters) should fail the test anyway.

> and where should the validation take place?

Validation should take place before the value is used.

<?php

  // include files

  // instantiate any objects if necessary

  // define default values for page specific variables if necessary

  // validate incoming data

  // deal with invalid data by displaying error messages or redirecting
  // to another page

  // if data is all clean continue processing like normal

?>

> for my $0.02 worth, there should be be validation of the 'foo' var, to
> determine if the var is legitimate. there should also be
> validation/filterin of the var when it's placed in the db_sql
> command...

No need to validate data twice. As stated above, validation should
happen before the data is used at all and I would do the escaping just
before the data is inserted into the db.

> my question (and it's basic), what validation should be performed on
> the 'foo' var, and why? i've seen htmlspecialchars/magic_quotes/etc..
> in varius articles, but i can't find a definitive answer!!

See above.

> also, when inserting/updating a db item, what is the 'correct'
> process for data? should all data that gets inserted into a db be
> quoted? if it should, what's the 'standard' practice?

Again, if the data requires escaping, escape it. If not, there's no
need.

If the data falls outside the realm of a-zA-Z0-9 it has a high potential
for escaping.

> psuedo examples of this stuff would be really helpful!
> 
> thanks for clarifying some of these issues...


hth,
Chris.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux