Re: PHP Security

On June 25, 2020 10:43:20 PM UTC, Kevin Waterson <kevin.waterson@xxxxxxxxx> wrote:
>So, you have a form, and you have a field named fname...
>As you suggest, this will typically be available in $_POST['fname'], which
>you then wish to store in a database.
>
>The minimum checks for any variable, should be for length and type.
>In this case, I will assume you would like fname to be a string, and with a
>minimum length of 2 characters, and a maximum length of 100 characters.
>Even though the database will support 255 in a VARCHAR, sanity tells us
>that any name which is longer than 100 characters is likely to be somebody
>trying something stupid.
>
>So, in code, this check might look something like this..
><?php
>
>$fname = 'Full Name';
>
>// a name is valid only when it is a string AND its length lies within the
>// bounds, so the checks are combined with && and compared with >= / <=;
>// the type is checked first, because strlen() on a non-string is an error
>if( is_string( $fname ) && strlen( $fname ) >= 2 && strlen( $fname ) <= 100 )
>{
>        echo "$fname is a valid name";
>}
>else
>{
>        echo "The variable supplied is invalid";
>}
>
>?>
>
>This sort of minimal validation will work fine and you can have confidence
>that the variable is of the correct type and length.
>However, this code would need to be repeated for _every_ form field which
>is a text or textarea field. That is a lot of code, so we can create a
>re-usable function, which we need to write only once to check.
>
><?php
>
>$fname = 'Full Name';
>
>if( isValidString( $fname, 2, 100 ) )
>{
>        echo "$fname is valid";
>}
>else
>{
>        echo "Full Name is invalid";
>}
>
>/**
> * Validate a string: it must be a string whose length lies within [$min, $max]
> * @param       string  $string
> * @param       int     $min
> * @param       int     $max
> * @return      bool
> */
>function isValidString( $string, $min, $max )
>{
>        // check the type first, then compare the length against the
>        // $min and $max actually passed in
>        if( is_string( $string ) && strlen( $string ) >= $min && strlen( $string ) <= $max )
>        {
>                return true;
>        }
>        return false;
>}
>
>?>
>
>So, this function can now be used on any of your text based fields...
>however, whilst this function tells you if the variable is valid or not,
>there is no way to tell exactly why the variable is invalid. The end user
>would not know what they had done wrong.
>So, rather than returning false, the function could return an error message
>if validation fails.
>The following code adds an array of errors, which can be used to show an
>end user what the error is.
>Also, a check has been put into the function that only alpha characters may
>be used, with spaces.
>You may add whatever you need to the validation function, as your needs
>require.
><?php
>
>$fname = 'Full Name';
>
>$valid = isValidString( $fname, 2, 100 );
>
>if( $valid === true )
>{
>        echo "$fname is valid";
>}
>else
>{
>        foreach( $valid as $error )
>        {
>                echo "$error\n";
>        }
>}
>
>/**
> * Validate a string
> * @param       string  $string
> * @param       int     $min
> * @param       int     $max
> * @return      true on success, array of error messages otherwise
> */
>function isValidString( $string, $min, $max )
>{
>        // errors array
>        $errors = [];
>
>        // type check first, so the length and character checks below
>        // are only ever run on a string
>        if( !is_string( $string ) )
>        {
>                $errors[] = 'Variable must be a string';
>                return $errors;
>        }
>
>        if( strlen( $string ) < $min )
>        {
>                $errors[] = 'String is too short';
>        }
>
>        if( strlen( $string ) > $max )
>        {
>                $errors[] = 'String is too long';
>        }
>
>        // only letters and spaces are accepted
>        if( !ctype_alpha( str_replace( ' ', '', $string ) ) )
>        {
>                $errors[] = 'String must consist of alpha characters';
>        }
>
>        // return true if no errors, or array of errors
>        return sizeof( $errors ) == 0 ? true : $errors;
>}
>?>
>
>Enjoy
>Kev
>
>
>

That would end up blocking literally millions of valid names. Even if you assume that names will all originate from a specific country (so we don't have to deal with CJK, Cyrillic, or less common diacritics) you still have to deal with hyphens, apostrophes, and common diacritics. So names like Zöe, O'Reilly, Jean-Paul, André, would all be considered invalid by your code example. https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/ lists a ton of other things to be careful about blocking.

It's also worth pointing out that you're doing validation rather than sanitisation. These are different and aren't interchangeable. 
Thanks,
Ash
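
An added example that is not code from either message in this thread. It keeps the error-array style of the quoted isValidString(), but honours the $min/$max parameters, counts characters rather than bytes with mb_strlen(), and accepts letters from any script together with the spaces, hyphens and apostrophes that the reply points out real names contain. The separate nameToHtml() step shows that validation and sanitisation (here, escaping for HTML output) are different operations. The function names isValidName() and nameToHtml() and the sample inputs are my own:

```php
<?php
// Added example, not code from either message in this thread. It keeps the
// error-array style of the quoted isValidString(), but honours $min/$max,
// counts characters rather than bytes, and accepts the hyphens, apostrophes
// and accented or non-Latin letters that real names contain. The function
// names isValidName()/nameToHtml() and the sample inputs are constructed.

/**
 * Validate a personal-name field.
 * @param  mixed $value  raw form input, e.g. $_POST['fname']
 * @param  int   $min    minimum length in characters
 * @param  int   $max    maximum length in characters
 * @return true|string[] true on success, otherwise a list of error messages
 */
function isValidName($value, int $min = 2, int $max = 100)
{
    // Type check first: mb_strlen() on a non-string is a TypeError in PHP 8.
    if (!is_string($value)) {
        return ['Variable must be a string'];
    }

    $errors = [];

    // Count characters, not bytes: "Zöe" is 3 characters but 4 bytes in UTF-8.
    $length = mb_strlen($value, 'UTF-8');
    if ($length < $min) {
        $errors[] = "Name must be at least $min characters";
    }
    if ($length > $max) {
        $errors[] = "Name must be at most $max characters";
    }

    // Letters from any script (\p{L}) plus combining marks (\p{M}, so
    // decomposed accents still pass), and the space, hyphen and apostrophe
    // found in names like Jean-Paul and O'Reilly. With the /u modifier
    // preg_match() returns false on invalid UTF-8, which is rejected as well.
    if (!preg_match("/^[\\p{L}\\p{M} '\\-]+$/u", $value)) {
        $errors[] = 'Name may contain only letters, spaces, hyphens and apostrophes';
    }

    return count($errors) === 0 ? true : $errors;
}

/**
 * Sanitisation is the separate step: escape for the context the value goes
 * into. This one is for HTML output; a database insert would instead bind the
 * raw (validated) value as a parameter of a prepared statement.
 */
function nameToHtml(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: the names from the reply plus some failure cases.
$samples = [
    'Full Name',
    'Zöe',
    "O'Reilly",
    'Jean-Paul',
    'André',
    'A',                   // too short
    str_repeat('x', 101),  // too long
    'Ann Smith, Jr.',      // comma and full stop are not accepted
    42,                    // wrong type
];

foreach ($samples as $input) {
    $label  = is_string($input) ? $input : var_export($input, true);
    $result = isValidName($input, 2, 100);
    if ($result === true) {
        echo "$label is valid; as HTML: ", nameToHtml($input), "\n";
    } else {
        echo "$label is invalid: ", implode('; ', $result), "\n";
    }
}
```

Run it with `php validate-name.php`: the five names from the reply all pass, the last four inputs each report the specific reason they failed, and the valid apostrophe in O'Reilly comes out of nameToHtml() as `&#039;`, which is the escaping step doing its own job rather than the validator's.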



