PHP Builder
first script: form + validation

sennevb
02-15-2005, 03:11 AM
I haven't been working with PHP for long, and made a form + validation...
I just wanted to know what you would have done differently...

RossC0
02-15-2005, 05:29 AM
Hi,
It errors on my set! Looking at the code - I would escape PHP for the majority of the HTML elements, and I wouldn't hardcode the styles, I would use CSS. Also there is little validation of the actual posted fields - which could lead to SQL injections if they were to be used with a database.

sennevb
02-15-2005, 05:36 AM
OK, escape to HTML, hadn't thought about that... And what do you mean? I'm going to use SQL to save the form, but that's later; what is the problem then with injection?? Sorry for my bad English...

RossC0
02-15-2005, 05:44 AM
No worries,
Escaping PHP has no cost (in fact it's quicker! albeit marginally.)
It's up to you how you validate the form - it just didn't seem to have much validation! The amount of validation is up to you - you could validate an email address. Ensure that a numeric field contains only numeric information etc.. (you can go over the top though!)
As it's a registration script I assumed you would be using SQL to save the registered user. For security reasons you need to ensure that the user cannot get away with putting SQL statements in your form fields - so that when you run SQL based on the fields nothing bad can happen.
Check out: SQL Injection (http://php.paradoxical.co.uk/manual/en/security.database.sql-injection.php)

sennevb
02-15-2005, 05:50 AM
I just validate that there is something in the required fields, nothing more... I'll have a look into injection...

RossC0
02-15-2005, 05:54 AM
Good stuff! It all depends on how it's going to be used as to the amount of validation required for the job. Always be aware of security! as losing a database I imagine would be a hard lesson!
I look forward to seeing the next revision of the code :)

sennevb
02-15-2005, 06:05 AM
I certainly will, thanks for helping me and looking at my code.

sennevb
02-21-2005, 02:16 PM
Didn't have much time lately, I will post it soon...

chads2k2
02-22-2005, 02:59 AM
Originally posted by RossC0:
    Good stuff! It all depends on how it's going to be used as to the amount of validation required for the job. Always be aware of security! as losing a database I imagine would be a hard lesson! I look forward to seeing the next revision of the code :)

Good stuff? Who uses that? LOL. Yeah, definitely exit out of PHP and let HTML do what it does best: look pretty and not kill server time with it. Yeah, SQL Injection RULZ! Haha. One quick way you can do a little validation:

    <?php
    // REQUIRED FIELD = $superman
    if (strlen(trim($superman)) < 1) {
        // missing, or nothing but whitespace
        $errors = 1;
        $superman_error = 1;
    } else {
        $superman = addslashes($superman);
    }
    ?>

That's one quick little dirty way of doing it. Don't ever use isset because your users can put just a space in it and, well, it technically counts. That is why you throw a trim in it so it will take out all the whitespace, so a space doesn't count as a character. It's late and I am going to bed.
Chad

RossC0
02-22-2005, 10:31 AM
Originally posted by chads2k2:
    That's one quick little dirty way of doing it. Don't ever use isset because your users can put just a space in it and, well, it technically counts. That is why you throw a trim in it so it will take out all the whitespace, so a space doesn't count as a character. It's late and I am going to bed.
    Chad

Surely that will cause a notice error if the variable isn't set - which isn't exactly good practice.
Always remember that form validation / security should be examined on a case by case basis.
    ...users can put just a space...
Now this may cause problems for your script - or it may not. If it would, then cater for it.
JavaScript is a good solution for instant client checking - which might be preferable, in some instances, i.e.
validate the user is providing an email address etc.. However, you must include server side checking also - to ensure the passed information is correct, valid and secure to process.
And Chad - please cut the txt speak - people from all over read and use these forums and it helps readability - even for people who use 'Good Stuff!'

bubblenut
02-22-2005, 11:51 AM
Here's a few things I use for validation; first and foremost I try to encapsulate as much as I can in a function. Here I've called it check():

    <?php
    function check($type, $value)
    {
        switch ($type) {
            case 'unique_id':
                // my unique identifiers are all integers and cannot be empty
                // Amazon for example would have to make this differently as they
                // have more complex identifiers (ASIN)
                if (empty($value) || !is_numeric($value) || intval($value) != $value)
                    return false;
                break;
            case 'email':
                // local part, an @, a domain with at least one dot and a 2-4 letter TLD;
                // gethostbyname() returns the name unchanged when the lookup fails,
                // so a domain that does not resolve fails the address too
                $domain = explode('@', $value);
                if (!preg_match('/^[\w.]+@[\w.]+\.[A-Za-z]{2,4}$/', $value)
                        || gethostbyname($domain[1]) == $domain[1])
                    return false;
                break;
            default:
                // if we don't understand the type we have to fail it
                return false;
        }
        return true;
    }
    ?>

Now you can add all your validation rules in one place and use them all around your site. Then, when you need to modify one of these rules (and you'll always need to), there is only one place you need to make the change.
Take a look at the code below for some very flexible techniques for validation.

    <?php
    // Two arrays, one for required fields and one for allowed fields. The allowed fields is by nature going to be
    // a superset of the required fields, so we can just build the one from the other
    $required_fields = array('requiredfield1', 'requiredfield2', 'requiredfield3');
    $allowed_fields = array_merge($required_fields, array('notrequiredfield1', 'notrequiredfield2'));
    // This array will hold any unknown fields which manage to work their way in (perhaps someone is trying to hack our script!)
    $unknown_fields = array();
    // Iterate through the whole POST array (or GET array or even COOKIE array) to weed out the unknown fields
    // and unset ones which are present but blank
    foreach ($_POST as $key => $value) {
        // Check if it's a known field
        if (!in_array($key, $allowed_fields))
            $unknown_fields[] = "$key [$value]";
        // Remove it if it's empty. This may not be something you want to do; perhaps it would be better to
        // if(in_array($key, $required_fields) && empty($value)) or something else, depends on your system
        if (empty($value))
            unset($_POST[$key]);
    }
    // If nothing is wrong they will pass so we initialize this switch to true
    $pass = true;
    // Determine which required fields are not present
    $missing_fields = array_diff($required_fields, array_keys($_POST));
    // Check the unknown fields (the values are user input, so escape them before echoing)
    if (count($unknown_fields) > 0) {
        echo("The following unknown fields were used: "
            . implode(',', array_map('htmlspecialchars', $unknown_fields)) . "<br />\n");
        $pass = false;
    }
    // Check the missing fields
    if (count($missing_fields) > 0) {
        echo("The following required fields were missing: " . implode(',', $missing_fields) . "<br />\n");
        $pass = false;
    }
    // exit if fail
    if (!$pass) exit();
    ?>

HTH

sennevb
02-22-2005, 12:59 PM
I've already made something (I escaped to HTML), look in the attachment, but didn't do anything else... I'm going to see how to use your validations and include them in my code... (sorry for bad English..) Hope to post the new version soon...

sennevb
02-23-2005, 03:51 PM
So instead of:

    if (!isset($_POST['naam']) or !isset($_POST['achternaam']) or !isset($_POST['straat'])
        or !isset($_POST['nummer']) or !isset($_POST['postcode']) or !isset($_POST['stad'])
        or !isset($_POST['land']) or !isset($_POST['telefoon']) or !isset($_POST['email'])
        or !isset($_POST['login']) or !isset($_POST['pass']) and checkemail()) {

I must use the if(strlen(trim($POSTvalue)) < 1) to be sure...
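A fuller version of what the thread has converged on (bubblenut's whitelist of allowed fields, chads2k2's trim() so that a lone space does not pass, and an isset() check so an absent field raises no notice, as RossC0 asked for), applied to the field names in sennevb's if statement. This is an added example, not code from the thread or from any of the posters: the rules table, the function name validateForm() and the sample submissions are assumptions constructed for it, and it uses filter_var() with FILTER_VALIDATE_EMAIL (PHP 5.2 and later) instead of a hand-written regex.

```php
<?php
// Added example (not code from the thread): server-side validation of the
// registration form discussed above. Field names come from sennevb's post;
// the rules and the sample input below are constructed for the example.

// Per-field rules: required flag plus a type check (assumptions).
$rules = array(
    'naam'       => array('required' => true,  'type' => 'text'),
    'achternaam' => array('required' => true,  'type' => 'text'),
    'straat'     => array('required' => true,  'type' => 'text'),
    'nummer'     => array('required' => true,  'type' => 'int'),
    'postcode'   => array('required' => true,  'type' => 'text'),
    'stad'       => array('required' => true,  'type' => 'text'),
    'land'       => array('required' => true,  'type' => 'text'),
    'telefoon'   => array('required' => false, 'type' => 'text'),
    'email'      => array('required' => true,  'type' => 'email'),
    'login'      => array('required' => true,  'type' => 'text'),
    'pass'       => array('required' => true,  'type' => 'text'),
);

/**
 * Validate a submitted array (normally $_POST) against $rules.
 * Returns array('ok' => bool, 'errors' => array, 'clean' => array).
 *  - unknown keys are reported and never processed (whitelist)
 *  - required fields must be present and non-blank after trim(), checked
 *    with isset() + trim() rather than empty(): a lone space fails, but a
 *    house number of "0" is accepted (empty("0") would reject it)
 *  - type checks: whole number and e-mail address
 */
function validateForm(array $input, array $rules)
{
    $errors = array();
    $clean  = array();

    // 1. Whitelist: anything the form never had is an error.
    foreach (array_keys($input) as $key) {
        if (!isset($rules[$key])) {
            $errors[] = "unknown field: $key";
        }
    }

    // 2. Per-field checks.
    foreach ($rules as $field => $rule) {
        // Arrays (name="x[]") are not expected on this form; treat them as missing.
        $raw   = (isset($input[$field]) && is_string($input[$field])) ? $input[$field] : null;
        $value = ($raw === null) ? '' : trim($raw);

        if ($value === '') {
            if ($rule['required']) {
                $errors[] = "required field missing or blank: $field";
            }
            continue;
        }

        switch ($rule['type']) {
            case 'int':
                // ctype_digit accepts "0" and "12" but not "12abc", "1.5" or "-1"
                if (!ctype_digit($value)) {
                    $errors[] = "not a whole number: $field";
                    continue 2;   // next field
                }
                $value = (int) $value;
                break;
            case 'email':
                if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                    $errors[] = "not a valid e-mail address: $field";
                    continue 2;
                }
                break;
            case 'text':
                // kept as-is; escape with htmlspecialchars() at output and
                // bind it as a parameter when it reaches the database
                break;
        }
        $clean[$field] = $value;
    }

    return array('ok' => count($errors) === 0, 'errors' => $errors, 'clean' => $clean);
}

// Constructed sample submissions (stand-ins for $_POST).
$good = array('naam' => 'Senne', 'achternaam' => 'V', 'straat' => 'Kerkstraat',
    'nummer' => '0', 'postcode' => '9000', 'stad' => 'Gent', 'land' => 'BE',
    'email' => 'senne@example.com', 'login' => 'sennevb', 'pass' => 'secret');
$bad = $good;
$bad['naam']   = '   ';         // only whitespace: chads2k2's trim() case
$bad['nummer'] = '12abc';
$bad['email']  = 'not-an-address';
$bad['admin']  = '1';           // a field the form never had

foreach (array('good' => $good, 'bad' => $bad) as $label => $submission) {
    $result = validateForm($submission, $rules);
    echo $label, ': ', ($result['ok'] ? 'pass' : 'fail'), "\n";
    foreach ($result['errors'] as $e) {
        echo '  - ', htmlspecialchars($e), "\n";
    }
}
```

The 'good' submission passes even though nummer is "0", which is the case that bubblenut's empty()-based removal loop would drop; the 'bad' one reports the blank name, the malformed number and address, and the unexpected admin field in one pass rather than stopping at the first problem.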
bubblenut
02-23-2005, 04:14 PM
No, for each you should use if(!isset($_POST['value']) && empty($_POST['value']))

sennevb
02-23-2005, 04:43 PM
Not and, or, isn't it?

Weedpacket
02-23-2005, 07:50 PM
Originally posted by bubblenut:
    No, for each you should use if(!isset($_POST['value']) && empty($_POST['value']))

But empty() also checks whether a variable isset or not.

sennevb
02-24-2005, 11:04 AM
So I can do away with the if isset?

laserlight
02-24-2005, 11:20 AM
    So I can do away with the if isset?

It depends. isset() is used to test if the variable is set, i.e. if it exists at all and is not null. empty() is used to test if the variable is empty, i.e. if it doesn't exist, is null, blank, or is a zero value. You can (and should) do away with one of them, but which one depends on the exact requirement.

sennevb
02-24-2005, 12:11 PM
This is what I have now... When you guys say this is fine (first want to be sure that this is OK), I'll add mail confirmation + DB insert.

sennevb
02-26-2005, 06:49 AM
No one :(
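sennevb's next step is the DB insert, which is where RossC0's SQL injection point from earlier in the thread applies. The following is an added example, not code from the thread or from any poster: it saves the registered user with PDO prepared statements, so the field values never become part of the SQL text. It assumes PDO with the SQLite driver (an in-memory database, so it runs without a server) and the password_hash()/password_verify() functions of PHP 5.5 and later; the table, the function names saveUser(), findUser() and checkPassword(), and the sample users are constructed for the example.

```php
<?php
// Added example (not code from the thread): storing the registered user with
// prepared statements. PDO + in-memory SQLite; table and sample data are
// constructed for the example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    login     TEXT NOT NULL UNIQUE,
    email     TEXT NOT NULL,
    pass_hash TEXT NOT NULL
)');

/**
 * Insert a user. $user is the already-validated array (login, email, pass).
 * The statement is compiled with placeholders and the values are sent
 * separately, so quotes or SQL keywords inside a field are stored as text
 * and cannot change the query.
 */
function saveUser(PDO $db, array $user)
{
    $stmt = $db->prepare(
        'INSERT INTO users (login, email, pass_hash) VALUES (:login, :email, :hash)'
    );
    $stmt->execute(array(
        ':login' => $user['login'],
        ':email' => $user['email'],
        // never store the password itself; password_hash() salts and hashes it
        ':hash'  => password_hash($user['pass'], PASSWORD_DEFAULT),
    ));
    return (int) $db->lastInsertId();
}

/** Look a user up by login, again through a bound parameter. */
function findUser(PDO $db, $login)
{
    $stmt = $db->prepare('SELECT id, login, email FROM users WHERE login = :login');
    $stmt->execute(array(':login' => $login));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

/** Check a login attempt against the stored hash. */
function checkPassword(PDO $db, $login, $pass)
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE login = :login');
    $stmt->execute(array(':login' => $login));
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// Constructed sample users. The second login contains an apostrophe, which
// would break (or alter) a query built by string concatenation such as
// "... WHERE login = '$login'"; with a bound parameter it is just data.
$samples = array(
    array('login' => 'sennevb', 'email' => 'senne@example.com', 'pass' => 'secret'),
    array('login' => "o'brien", 'email' => 'ob@example.com',    'pass' => 'hunter2'),
);
foreach ($samples as $u) {
    $id  = saveUser($db, $u);
    $row = findUser($db, $u['login']);
    printf("id %d stored login %s\n", $id, $row['login']);
}
echo checkPassword($db, "o'brien", 'hunter2') ? "login ok\n" : "login failed\n";
echo checkPassword($db, "o'brien", 'wrong')   ? "login ok\n" : "login failed\n";
```

Binding parameters is the general fix for the problem RossC0 describes: it works for every field without remembering to escape each one, whereas addslashes(), as in chads2k2's snippet, has to be applied to every value by hand and is not aware of the connection's character set.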