PHPBuilder - Check Data Page 2



RSS Twitter
Articles Application Architecture

Check Data - Page 2

by: Spencer P
|
November 3, 2000

Verify That Your Input Is Correct

Never trust the input you receive from someone else. You want your data to have perfect integrity, within the limits that you establish. If you write a routine that saves someone's address to your database, don't trust your routine to magically fix user error. Only you can make that happen.
Lets write some quick code to save those addresses:

<?php

function saveAddress($dbh,$firstName,$lastName,$streetAddress,$city,$zip) {
    
$stmt=OCIPrepare($dbh,"
        Insert into addressBook
            (firstName,lastName,streetAddress,city,zip)
        values
            ('$firstName','$lastName','$streetAddress','$city','$zip')"
);
    
OCIExecute($stmt);        
}
    
?>
So what happens if someone leaves the ZIP code out? What if they put "pr0nd00d" as their ZIP code? Do not trust your input. Some might argue that these checks should be done before this function. Well, what if your co-worker, Billy Bob, reuses this function? Now he has to do the checks too. And don't trust he'll do it, either. Billy Bob is a lazy man, and not too smart in the first place.
So let's define a function to make sure the ZIP code is right. After all, my zip code is not "I like cheese."

<?php

function validZipCode($zip) { 
    return(
ereg("^[[:digit:]]{5}(-[[:digit:]]{4})?$",$zip)); 
}
    
?>
The validZipCode() function takes a zip code and does a regular expression match against it. If it $zip begins with 5 digits, with an optional dash and 4 digit extension, return 1. Else return 0. Now, l ets integrate it with our current function.

<?php

function saveAddress($dbh,$firstName,$lastName,$streetAddress,$city,$zip) {
    if(!
validZipCode($zip))
        return(
0);
    
$stmt=OCIPrepare($dbh,"
        Insert into addressBook
            (firstName,lastName,streetAddress,city,zip)
        values
            ('$firstName','$lastName','$streetAddress','$city','$zip')"
);
    
OCIExecute($stmt);
    Return(
1);
}

?>
Now our current function requires a valid ZIP code. It won't accept a blank one, nor a non-USA one. (Note that our function doesn't simply require a non-blank string -- that would be A Bad Thing(tm).) If a ZIP isn't passed, our function returns a 0. But wait...we can reword the logic so that when valid ZipCode() returns a 0, an array or string can be returned with a more descriptive error.

<?php

If(!validZipCode($zip))
    
push_array($errors,"Invalid zip code.");
If(!
validStreetAddress($streetAddress))
    
push_array($errors,"Invalid address.");

?>
Etc...
Adding the validation functions is an exercise left to the user. Some things may not be economically or technologically feasible, as you cannot always afford to verify information beyond a certain point. For example, it would be too slow to confirm every bit of the input from the one hundred addresses per second you get. However, a simple check like the one outlined above, makes it MUCH harder to have data that doesn't make sense. After all, we know that valid U.S. ZIP codes are numeric and how long they can be, so why accept data that's obviously wrong?

« Previous Page
1
|
2
|
3
|
4
Next Page »

Comment and Contribute

Your comment has been submitted and is pending approval.

Author:
Spencer P

Comment:



Comment:

(Maximum characters: 1200). You have characters left.