----- Original Message ----- From: "bruce" <[EMAIL PROTECTED]>
To: <php-general@lists.php.net>
Sent: Thursday, September 22, 2005 8:05 PM
Subject: [PHP] basic user/input form questions... more validation!


hi...

forgive me!!!
Ok ;-) Why? You're just asking... :-)


continuing the thread from yesterday regarding filtering. (and thanks to all
the msgs)

for simplicity. let's deal with a simple user input form, that's going to
place the information in a db.

if the app allows the user to enter the input (call it 'foo') and then
submits the form via a POST, where the data is then written to the db, what kind of validation should occur? and where should the validation take place?
What kind of validation depends on your application. If the foo variable must be an integer, then you'll have to check if foo is numeric with is_numeric(). If foo is a string and the length matters, then you would have to validate so the length isn't more than expected with the strlen() function.

But in all cases you'll have to check if the foo variable is set with isset().



for my $0.02 worth, there should be validation of the 'foo' var, to
determine if the var is legitimate. there should also be validation/filtering
of the var when it's placed in the db_sql command...

my question (and it's basic), what validation should be performed on the
'foo' var, and why? i've seen htmlspecialchars/magic_quotes/etc.. in various
articles, but i can't find a definitive answer!!
You'll have to quote only the variables inside an SQL string. You must use mysql_real_escape_string for creating a "safe" db string.

Example:
$sql = "SELECT ID from Table WHERE Foo=" . safeQuote($foo);

and the function safeQuote is like this...

function safeQuote($value)
{
    // Undo magic_quotes_gpc escaping so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape and quote unless the value is numeric
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

I hope this helps a little...

/G
http://www.varupiraten.se/


also, when inserting/updating a db item, what is the 'correct' process for
data? should all data that gets inserted into a db be quoted? if it should,
what's the 'standard' practice?

pseudo examples of this stuff would be really helpful!

thanks for clarifying some of these issues...

-bruce
[EMAIL PROTECTED]
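A worked version of the validate-then-quote flow the reply describes, added here as an example (not code from either poster). It assumes a mysqli connection, and swaps in mysqli_real_escape_string() for the mysql_real_escape_string() named above, since the old mysql extension no longer exists in current PHP.

```php
<?php
// Added example, not code from the thread. Validates the POSTed 'foo' field
// as the reply suggests (isset, numeric check, length check), then quotes it
// for the SQL string. Assumes a mysqli connection $link. magic_quotes_gpc was
// removed in PHP 5.4, so no stripslashes() step is needed on current PHP.

// Returns null when 'foo' is acceptable, otherwise a message for the user.
function validateFoo(array $post, bool $mustBeInt, int $maxLen = 64): ?string
{
    if (!isset($post['foo'])) {                 // field absent or null
        return 'foo is required';
    }
    $foo = $post['foo'];
    if (!is_string($foo)) {                     // "foo[]=x" arrives as an array
        return 'foo must be a single value';
    }
    if ($mustBeInt) {
        // ctype_digit() rejects "1e3" and " 12", which is_numeric() accepts;
        // a value placed unquoted in SQL should be a plain digit string only.
        return ctype_digit($foo) ? null : 'foo must be a non-negative integer';
    }
    if (strlen($foo) > $maxLen) {               // limit is in bytes, not characters
        return "foo must be at most $maxLen bytes";
    }
    return null;
}

// Corrected form of the reply's safeQuote(): takes the connection, works on
// $value throughout, and returns the quoted result.
function safeQuote(mysqli $link, string $value): string
{
    if (ctype_digit($value)) {
        return $value;                          // bare integer literal
    }
    return "'" . mysqli_real_escape_string($link, $value) . "'";
}

// Usage. Connection details are placeholders.
$link = mysqli_connect('localhost', 'dbuser', 'dbpass', 'dbname');
$error = validateFoo($_POST, false, 64);
if ($error !== null) {
    http_response_code(400);
    // htmlspecialchars() protects the HTML page; it is not SQL escaping.
    exit(htmlspecialchars($error, ENT_QUOTES, 'UTF-8'));
}
$sql = "SELECT ID FROM Table WHERE Foo = " . safeQuote($link, $_POST['foo']);
// Prepared statements (mysqli_prepare() or PDO) make this quoting step unnecessary.
```

Both checks answer bruce's last question: every non-numeric value is quoted and escaped, and only a plain digit string goes in unquoted.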

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





