Hello,
On 10/30/2004 07:35 PM, Rjc wrote:
I have a form, that takes user input, and was wondering what are your thoughts of redisplaying user input back on the page after validation has failed.
Eg. they have to enter a date in format: 'yyyy-mm-dd' and they enter: <script>.....</script> etc. or anything for that matter. Although that would prob be too long for the field, but you get the idea.
How do other people out there tend to handle this? As it only affects the user that post the data if anything is malicious.
Some options that I have come up with are:
1. Displaying previous data (or empty field) for example if user is editing something.
2. Just displaying exactly what they entered again on the screen.
3. Stripping out certain undesirable characters before displaying.
I think you should always display exactly what the user entered but also never avoid doing server side validation before accepting a form with invalid values.
The only situation that I recommend discarding invalid values is when you pass context values (like for instance the id of a database field being edited) through an hidden field. If the field was hidden, it would not make much sense to tell the user that the value in the hidden field is invalid. An attacker already knows that the spoofed value is not valid. There is no point in bringing that up.
Anyway, if you expect a date, always use common methods like regular expressions to validate the accepted formats.
You may want to take a look at this forms generation and validation class that comes with several examples of how to validate all sorts of fields types and only accept the form until all that is submittted is valid.
It even comes with a plug-in that implements a custom date field made of several real fields that validates dates for you, including delimiting time ranges.
http://www.phpclasses.org/formsgeneration
--
Regards, Manuel Lemos
PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/
PHP Reviews - Reviews of PHP books and other products http://www.phpclasses.org/reviews/
Metastorage - Data object relational mapping layer generator http://www.meta-language.net/metastorage.html
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
