Re: Sanity check on form validation code

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

This looks good for validation, except for something that i want to mention!

The first thing is not a 'problem' : but

$errorCount = 0;

would have been great! (Instead of initializing it as if it was string)

On your `test_input` function:
The combination of `stripslashes` and `htmlspecialchars` (called in this way) may increase your vulnerability on SQL injection (if you are using this form to do tasks on the database).
Although the `filter_var` does some work, it is advisable to use parameterized queries if you are planning to do some works on the database! 

--
cipher
fb/twitter/github: nootanghimire


On सोमबार 17 मार्च 2014 08:53 पूर्वाह्न, David Mehler wrote:

Hello,

I've got a form with various fields. One is a text input field called
name with a size and a maxlength of 30. I've got the following
validation code for this field. I'd appreciate feedback on it before I
do the others.

Thanks.
Dave.

$contact_page_errors = array();
$errorCount = "";
$name = "";

function test_input($data)
{
   $data = trim($data);
   $data = stripslashes($data);
   $data = htmlspecialchars($data);
   return $data;
  }

// Validate the name field
   if (empty($_POST["name"]))
     {
$contact_page_errors['name'] = "Name is Required";
$errorCount++;
}
   else
     { // trims, strips slashes, and runs through htmlspecialchars
$name = test_input($_POST["name"]);
// Field should be at least two characters maximum of 30 and non-numeric
if (!strlen($name <= 2)) {
       $contact_page_errors['name'] = "Name must have at least two characters\n";
$errorCount++;
}
if (strlen($name > 30)) {
       $contact_page_errors['name'] = "Name can not have more than 30
characters\n";
$errorCount++;
}
if (is_numeric($name)) {
       $contact_page_errors['name'] = "Name can not be numeric\n";
$errorCount++;
}
}
     // check if name only contains letters and whitespace
  if (!preg_match("/^[A-Z][a-zA-Z -]+$/",$name))
   {
       $contact_page_errors['name'] = "Name must be from letters,
dashes, spaces, first letter uppercase, and must not start

with dash.\n";
$errorCount++;
   }
// Use php's filter_var to sanitize what's left
$name = filter_var($name, FILTER_SANITIZE_STRING);
} // end of name checks


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux