here's psuedo of what i envision now, in my psuedo code, i don't use the stripslashes/quotes/etc... so, i'm still trying to understand why these functions are needed/required? thoughts/comments/etc.... thanks -bruce -------------------------------------- index.php if isset($REQUEST['submit']) { if (isset($_REQUEST['foo']) { get the 'foo' var $foo = $_REQUEST['foo'] validate the foo var... $valid_chars = preg_match('valid char vars', $foo) $len = str_len($foo) >max_str_len if(valid_chars && len) { we have a valid 'foo' var!!! go ahead and add to the db... } else { 'foo' is invalid, set err msg and return to login } } else { gen err and redirect to login page } } else { <form php_self post> <input name=foo> <submit> </form> } function add_to_db($var) { assume that 'var' is valid, but it hasn't been quoted.. $test_sql = "insert into TestTBL name values (%s)"; $test_sql = sprintf($test_sql, $var); mysql_query($test_sql); } -----Original Message----- From: Gustav Wiberg [mailto:gustav@xxxxxxxxxxxxxx] Sent: Thursday, September 22, 2005 11:14 AM To: bedouglas@xxxxxxxxxxxxx; php-general@xxxxxxxxxxxxx Subject: Re: basic user/input form questions... more validation! ----- Original Message ----- From: "bruce" <bedouglas@xxxxxxxxxxxxx> To: <php-general@xxxxxxxxxxxxx> Sent: Thursday, September 22, 2005 8:05 PM Subject: basic user/input form questions... more validation! > hi... > > forgive me!!! Ok; -) Why? You're just asking... :-) > > continuing the thread from yesterday regarding filtering. (and thanks to > all > the msgs) > > for simplicity. let's deal wit a simple user input form, that's going to > place the information in a db. > > if the app allows the user to enter the input (call it 'foo') and then > submits the form via a POST, where the data is then written to the db, > what > kind of validation should occur? and where should the validation take > place? What kind of validation depends on your application. If the foo variable must be an integer, then you'll have to check if foo is numeric with is_numberic(). If foo is a string and the length matters, then you would have to validate so the length isn't more than expected with strlen()-function But in all cases you'll have to check if the foo-variable is set with isset. > > for my $0.02 worth, there should be be validation of the 'foo' var, to > determine if the var is legitimate. there should also be > validation/filterin > of the var when it's placed in the db_sql command... > > my question (and it's basic), what validation should be performed on the > 'foo' var, and why? i've seen htmlspecialchars/magic_quotes/etc.. in > varius > articles, but i can't find a definitive answer!! You'll have to quote only the variables inside a sql-string. You must use mysql_real_escape_string for creating a "safe" db-string.. Example: $sql = "SELECT ID from Table WHERE Foo=" . safeQuote($foo); and the function safeQuote is like this... function safeQuote($value) { // Stripslashes if (get_magic_quotes_gpc()) { $foo = stripslashes($foo); } // Quote if not integer if (!is_numeric($value)) { $value = "'" . mysql_real_escape_string($foo) . "'"; } } I hope this helps a little... /G http://www.varupiraten.se/ > > also, when inserting/updating a db item, what is the 'correct' process for > data? should all data that gets inserted into a db be quoted? if it > should, > what's the 'standard' practice? > > psuedo examples of this stuff would be really helpful! > > thanks for clarifying some of these issues... > > -bruce > bedouglas@xxxxxxxxxxxxx > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > > > -- > No virus found in this incoming message. > Checked by AVG Anti-Virus. > Version: 7.0.344 / Virus Database: 267.11.4/109 - Release Date: 2005-09-21 > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php