Re: Sanity check on form validation code

On 03/16/2014 08:08 PM, David Mehler wrote:
Hello,

I've got a form with various fields. One is a text input field called
name with a size and a maxlength of 30. I've got the following
validation code for this field. I'd appreciate feedback on it before I
do the others.

Thanks.
Dave.

$contact_page_errors = array();
$errorCount = "";
$name = "";

function test_input($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// Validate the name field
if (empty($_POST["name"]))
{
    $contact_page_errors['name'] = "Name is Required";
    $errorCount++;
}
else
{ // trims, strips slashes, and runs through htmlspecialchars
    $name = test_input($_POST["name"]);
    // Field should be at least two characters maximum of 30 and non-numeric
    if (!strlen($name <= 2)) {
        $contact_page_errors['name'] = "Name must have at least two characters\n";
        $errorCount++;
    }
    if (strlen($name > 30)) {
        $contact_page_errors['name'] = "Name can not have more than 30 characters\n";
        $errorCount++;
    }
    if (is_numeric($name)) {
        $contact_page_errors['name'] = "Name can not be numeric\n";
        $errorCount++;
    }
}
// check if name only contains letters and whitespace
if (!preg_match("/^[A-Z][a-zA-Z -]+$/",$name))
{
    $contact_page_errors['name'] = "Name must be from letters, dashes, spaces, first letter uppercase, and must not start with dash.\n";
    $errorCount++;
}
// Use php's filter_var to sanitize what's left
$name = filter_var($name, FILTER_SANITIZE_STRING);
} // end of name checks


After cleaning up the code a little for readability, I found a few errors.

See comments starting with ###

$contact_page_errors = array();
### if you plan to use it as a number, define is as one!
$errorCount = 0;
$name = "";

function test_input($data) {
  $data = trim($data);

  ### Doing this without knowing if get_magic_quotes_gpc() was
  ### enabled, could do unexpected things to your data.
  ### So, do something like this instead...
  if ( get_magic_quotes_gpc() )
    $data = stripslashes($data);

  $data = htmlspecialchars($data);
  return $data;
}

// Validate the name field
if (empty($_POST["name"])) {
  $contact_page_errors['name'] = "Name is Required";
  $errorCount++;
} else {
  // trims, strips slashes, and runs through htmlspecialchars
  $name = test_input($_POST["name"]);

  // Value: between 2 and 30 in length and non-numeric

  ### here you had (strlen($name <= 2))
  ### note: <= 2 would also reject a two-character name
  if (strlen($name) < 2) {
    $contact_page_errors['name'] = "Name must have at least 2 characters";
    $errorCount++;
  }

  ### here you had (strlen($name > 30))
  if (strlen($name) > 30) {
    $contact_page_errors['name'] = "Name can not have more than 30 characters";
    $errorCount++;
  }
  if (is_numeric($name)) {
    $contact_page_errors['name'] = "Name can not be numeric";
    $errorCount++;
  }

  // check if name only contains letters and whitespace
  // (kept inside the else branch so it is not run against an empty $name)
  if ( !preg_match("/^[A-Z][a-zA-Z -]+$/", $name ) ) {
    $contact_page_errors['name'] = "Name must be from letters, dashes, spaces, first letter uppercase, and must not start with dash.";
    $errorCount++;
  }
  // Use php's filter_var to sanitize what's left
  $name = filter_var($name, FILTER_SANITIZE_STRING);
} // end of name checks

### Since you are trying to build an array of error messages,
### you should create them as a sub-array like the following
### example.

$contact_page_errors['name'][] = 'My error message';

### Then when you want to spit them out to the screen, do this

foreach ( $contact_page_errors AS $fname=>$fvalue )
  echo "<div><h3>{$fname}</h3>\n<p>",
       join("</p>\n<p>", $fvalue),
       "</p></div>";



--
Jim Lucas

http://www.cmsws.com/
http://www.cmsws.com/examples/
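Pulling the thread's points together, here is an added example (not code from either poster) that does the name check as one function returning the per-field error list in the sub-array shape Jim suggests. It validates the raw trimmed value and leaves htmlspecialchars() to the output stage, so the length checks count the characters the user actually typed rather than the longer escaped form; the `validate_name()` function and the sample submissions are constructed for this example.

```php
<?php
// Added example: validate the raw value, collect errors per field, escape on output.
function validate_name(array $post): array
{
    $errors = [];

    // Same "required" rule as the thread, but trimmed first so whitespace-only fails too.
    if (!isset($post['name']) || trim($post['name']) === '') {
        $errors[] = 'Name is required';
        return $errors;           // nothing further to check on an empty value
    }

    $name = trim($post['name']);
    $len  = strlen($name);        // the regex below only admits ASCII, so bytes == characters

    if ($len < 2) {
        $errors[] = 'Name must have at least 2 characters';
    }
    if ($len > 30) {
        $errors[] = 'Name can not have more than 30 characters';
    }
    // The thread's regex: letters, dashes, spaces, uppercase first letter,
    // no leading dash. It also rejects purely numeric input, so a separate
    // is_numeric() test adds nothing.
    if (!preg_match('/^[A-Z][a-zA-Z -]+$/', $name)) {
        $errors[] = 'Name must be letters, dashes and spaces, starting with an uppercase letter';
    }
    return $errors;
}

// Constructed sample submissions (hypothetical form posts, not real data).
$samples = [
    ['name' => 'Mary-Ann Smith'],
    ['name' => '<b>x</b>'],
    ['name' => '42'],
    ['name' => '   '],
];

$contact_page_errors = [];
foreach ($samples as $post) {
    $errs = validate_name($post);
    if ($errs) {
        $contact_page_errors['name'] = $errs;   // sub-array per field, as Jim suggests
    }
    // Escaping happens here, at output time, after validation has seen the raw value.
    printf("%s => %s\n",
           htmlspecialchars($post['name'], ENT_QUOTES, 'UTF-8'),
           $errs ? implode('; ', $errs) : 'ok');
}
```

Once the errors are in sub-arrays, Jim's foreach/join output loop at the end of his reply prints them unchanged.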

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php