hey chris...

so you're saying that if data is outside of a-zA-Z0-9 "'" then it should
probably fail the regex anyway.. and it should error out.. if i understand
you, you're also saying that if the information has an " ' " in it, then it
should be escaped, but you didn't say how!

also, what's the function of the 'addslashes', and when is it used?!

-bruce



-----Original Message-----
From: Chris W. Parker [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 11:38 AM
To: php-general@lists.php.net
Subject: RE: [PHP] basic user/input form questions... more validation!


bruce <mailto:[EMAIL PROTECTED]>
    on Thursday, September 22, 2005 11:05 AM said:

> if the app allows the user to enter the input (call it 'foo') and then
> submits the form via a POST, where the data is then written to the
> db, what kind of validation should occur?

Depends on what kind of a form field 'foo' is. Is it a name? A zip code?
A phone number?

If it's a zip code you can do a simple regex "\d{5}(-\d{4})?" to make
sure it follows the correct (US) format. If it passes the test you know
it's safe to be put into the database. This kind of data does not need
to be escaped.

On the other hand if it's a name you'll first want to make sure it's the
correct length and contains only the characters you want it to. If the
data passes all the tests you'll definitely want to escape the string
before you insert it into the db because some names might have an
apostrophe in them which will cause an error during insertion. No need
to run htmlspecialchars() in this case since a name that has < or > (or
similar characters) should fail the test anyway.

> and where should the validation take place?

Validation should take place before the value is used.

<?php

  // include files

  // instantiate any objects if necessary

  // define default values for page specific variables if necessary

  // validate incoming data

  // deal with invalid data by displaying error messages or redirecting
  // to another page

  // if data is all clean continue processing like normal

?>

> for my $0.02 worth, there should be validation of the 'foo' var, to
> determine if the var is legitimate. there should also be
> validation/filtering of the var when it's placed in the db_sql
> command...

No need to validate data twice. As stated above, validation should
happen before the data is used at all and I would do the escaping just
before the data is inserted into the db.

> my question (and it's basic), what validation should be performed on
> the 'foo' var, and why? i've seen htmlspecialchars/magic_quotes/etc..
> in various articles, but i can't find a definitive answer!!

See above.

> also, when inserting/updating a db item, what is the 'correct'
> process for data? should all data that gets inserted into a db be
> quoted? if it should, what's the 'standard' practice?

Again, if the data requires escaping, escape it. If not, there's no
need.

If the data falls outside the realm of a-zA-Z0-9 it has a high potential
for escaping.

> pseudo examples of this stuff would be really helpful!
> 
> thanks for clarifying some of these issues...


hth,
Chris.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
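A worked version of the validate-then-escape flow Chris describes, together with what addslashes() actually does in answer to bruce's question. This is an added example and is not code from either message. It assumes a customers table with a single name column and uses an in-memory SQLite database through PDO so it runs without a server. Two choices go beyond the thread: the regexes are anchored with ^ and $ so that a pattern like \d{5}(-\d{4})? cannot match inside a longer string, and the insert passes the name as a bound parameter, which is the current standard practice, instead of splicing a hand-escaped string into the SQL text.

```php
<?php
// Added example, not from the original thread. Table and column names
// (customers, name) are assumptions; the sample POST arrays are constructed.

// Zip code: exactly 12345 or 12345-6789. Without ^ and $ the pattern would
// also accept "abc12345xyz", which is the kind of input that should fail.
function valid_zip(string $zip): bool
{
    return preg_match('/^\d{5}(-\d{4})?$/', $zip) === 1;
}

// Name: 1..60 bytes of letters, spaces, hyphens and apostrophes
// (strlen counts bytes; use mb_strlen for multibyte names).
// An apostrophe passes validation yet still breaks a quoted SQL literal,
// which is why escaping/binding stays a separate step from validation.
function valid_name(string $name): bool
{
    if (strlen($name) < 1 || strlen($name) > 60) {
        return false;
    }
    return preg_match('/^[A-Za-z][A-Za-z\' -]*$/', $name) === 1;
}

// addslashes() prefixes the characters ' " \ and NUL with a backslash and
// does nothing else. It is not aware of the database or its character set,
// so it is not a substitute for the driver's quoting or a bound parameter.
function show_addslashes(string $s): string
{
    return addslashes($s);
}

// Unsafe: the validated name is interpolated into the SQL text.
// "O'Brien" passes valid_name() and still produces a broken statement.
function insert_name_unsafe(PDO $db, string $name): void
{
    $db->exec("INSERT INTO customers (name) VALUES ('$name')");
}

// Safe: the name travels as a parameter and is never parsed as SQL.
function insert_name_safe(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO customers (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

// Validate everything first; only clean data reaches the database.
function handle_post(PDO $db, array $post): array
{
    $errors = [];
    $zip  = $post['zip']  ?? '';
    $name = $post['name'] ?? '';
    if (!valid_zip($zip)) {
        $errors[] = 'zip: expected 12345 or 12345-6789';
    }
    if (!valid_name($name)) {
        $errors[] = 'name: 1-60 letters, spaces, hyphens or apostrophes';
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    return ['ok' => true, 'id' => insert_name_safe($db, $name)];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input standing in for $_POST.
$good = ['zip' => '90210-1234', 'name' => "O'Brien"];
$bad  = ['zip' => '9021',       'name' => 'Bob <script>'];

var_dump(handle_post($db, $good));
var_dump(handle_post($db, $bad));

// The same validated name through the unsafe path: the apostrophe ends the
// SQL literal early and the driver throws.
try {
    insert_name_unsafe($db, "O'Brien");
} catch (PDOException $e) {
    echo "unsafe insert failed: " . $e->getMessage() . "\n";
}

echo show_addslashes("O'Brien") . "\n";
```

Run it with `php example.php` (pdo_sqlite is needed). The point of the unsafe path is that validation and escaping solve different problems: valid_name() accepts O'Brien because that is a legitimate name, and the quoting step, whether driver escaping or, as here, a bound parameter, is what keeps that apostrophe from changing the statement.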

