Safely Collect Form Data, how to?

Hi, Newbie here with a question.
It's true, right, that when collecting form data you have to 'sanitize' it or make sure it's not bad data, i.e. someone hacking or messing up your site or DB?

I'm looking at tuts but can't find how to do this. I think there are some predefined functions that do this? Can someone recommend or tell me how to do this? Thanks!

PHP

3 Comment(s)

@hastx Apr 10, 2011 — You definitely have to validate the data... I like to do this in stages: first using JavaScript, to reduce server load and make a richer experience, then using PHP for those with JS disabled... the PHP side needs to be tight. There are many functions available for free; you can even search this site for 'validate zip code' etc.

But the basic idea is to ensure that someone entered a zip in the zip code field, an email in the email field, etc. The way to do this is to harvest the data from the form:
[code=php]
$email = $_POST['email'];
[/code]


Then run that through a function to test that it at least conforms to a valid email format (again this uses a function of your own finding... we will call it 'testEmail'):

[code=php]
// testEmail() is a stand-in for whatever validator you pick; this one just
// wraps PHP's built-in filter_var() so the snippet runs as-is.
function testEmail($email) {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

if (testEmail($email)) {
    // function returns true if criteria are met, so do something with it
} else {
    // bounce back to the form page.
}
[/code]


You also always want to control and be aware of whether the data is being gathered via GET, POST, or REQUEST.

This is just a basic example; you can get much more in depth with validation, like checking that a zip code not only conforms to a zip format but also comparing it to a database of valid zips to make sure it is real.
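As an added example (not code from the thread), here is the server-side stage of the approach described above, written as one function so it can be exercised from the command line as well as from a real form. It uses PHP's built-in filter_var() for the email check and preg_match() for the zip check; the field names "email" and "zip" and the rules applied to them are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Validates the two fields hastx
// mentions (email, zip); names and rules are assumptions for illustration.

/**
 * Validate a form submission. Returns an array of error messages keyed by
 * field name; an empty array means every field passed.
 */
function validateForm(array $input): array
{
    $errors = [];

    // Read from the array you expect (here the POST body). $_REQUEST merges
    // GET, POST and cookies, so it hides where a value actually came from.
    $email = trim($input['email'] ?? '');
    $zip   = trim($input['zip'] ?? '');

    // filter_var() checks the syntactic form of an address only; it does not
    // prove the mailbox exists, which would need a confirmation mail.
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Enter a valid e-mail address.';
    }

    // US ZIP: five digits, optionally followed by "-NNNN". \A and \z anchor
    // the whole string; a bare $ would still accept a trailing newline.
    if (!preg_match('/\A\d{5}(-\d{4})?\z/', $zip)) {
        $errors['zip'] = 'Enter a ZIP code such as 12345 or 12345-6789.';
    }

    return $errors;
}

// Only process the form when the request really is a POST to this script.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $errors = validateForm($_POST);
    if ($errors === []) {
        // All fields passed: safe to hand the values to the next step.
    } else {
        // Re-display the form with $errors next to the offending fields.
    }
}

// Constructed sample input so the function can be tried from the CLI.
$good = ['email' => 'user@example.com', 'zip' => '12345-6789'];
$bad  = ['email' => 'not an address',  'zip' => "12345\n"];
var_dump(validateForm($good));
var_dump(validateForm($bad));
```

The JavaScript stage the post mentions is a convenience for the user; the PHP function above is the one a submitted request cannot skip, so it is the one that decides whether the data is accepted.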
@eval_BadCode_ Apr 11, 2011 — Since you mention a DB but didn't mention which flavor of SQL, I'll just assume MySQL =/

[code=php]
// NOTE: the mysql_* extension used below was deprecated in PHP 5.5 and removed
// in PHP 7; the same pattern works with mysqli or PDO.
mysql_query("

CREATE TABLE IF NOT EXISTS validate (
validate_ID INT UNSIGNED NOT NULL AUTO_INCREMENT,
int1 INT UNSIGNED ZEROFILL NOT NULL ,
int2 INT UNSIGNED ZEROFILL NOT NULL ,
double1 DOUBLE UNSIGNED ZEROFILL NOT NULL ,
double2 DOUBLE UNSIGNED ZEROFILL NOT NULL ,
string1 VARCHAR(45) BINARY NOT NULL ,
PRIMARY KEY (validate_ID) )
ENGINE = InnoDB
DEFAULT CHARACTER SET = utf8
COLLATE = utf8_general_ci
PACK_KEYS = 1;

");

if ( isset($_POST['int']) && isset($_POST['double']) && isset($_POST['string']) ) {
    // numeric fields: forcing the type means only a number reaches the query
    $int1 = sprintf('%d', $_POST['int']);
    $int2 = (int) $_POST['int'];
    $double1 = sprintf('%.2f', $_POST['double']);
    $double2 = (double) $_POST['double'];
    // string field: escape quotes and backslashes for the open connection's charset
    $string1 = mysql_real_escape_string($_POST['string']);

    mysql_query("
    INSERT INTO validate (int1,int2,double1,double2,string1)
    VALUES
    ($int1,$int2,$double1,$double2,'$string1');
    ");

} else {
    die('lol ur doing it wrong, press back in your browser and try again');
}

//done -- close your established mysqld connection, make your server admin happy
mysql_close();
[/code]


You can also do much more advanced validation using regex, trim(), preg_replace(), preg_match(), etc.

There are also built-in data validation classes if you prefer an OOP approach: PDO is the only one I have heard of, but you can likely find which ones you have on your SQL version using phpinfo() or from bash: sh@host> php -i

It's dangerous out there: not only are there people trying to break in, there are end users who are "still learning". Best of luck.
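The post above casts the numeric fields and escapes the string field before building the INSERT by hand, and mentions PDO as the OOP alternative. As an added example (not eval_BadCode_'s code), here is that same insert done the PDO way: the values are validated first, then bound to placeholders so the driver, not string escaping, keeps user input separate from the SQL text. It uses an in-memory SQLite database so it runs offline; the table and column names follow the post, and the MySQL DSN mentioned in the comment is an assumed placeholder.

```php
<?php
// Added example, not from the original post. Same INSERT as above, using PDO
// prepared statements. Runs against in-memory SQLite; for MySQL you would use
// a DSN such as 'mysql:host=HOST;dbname=DBNAME' (placeholder values).

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS validate (
        validate_ID INTEGER PRIMARY KEY AUTOINCREMENT,
        int1    INTEGER NOT NULL,
        double1 REAL    NOT NULL,
        string1 TEXT    NOT NULL
    )');
    return $db;
}

/**
 * Validate the three fields, then insert them with bound parameters.
 * Returns the new row id, or null when validation fails.
 */
function storeSubmission(PDO $db, array $input): ?int
{
    // filter_var() returns false when the value is not a whole number or a
    // float, instead of silently coercing it the way (int)/(double) casts do.
    $int    = filter_var($input['int'] ?? null, FILTER_VALIDATE_INT);
    $double = filter_var($input['double'] ?? null, FILTER_VALIDATE_FLOAT);
    $string = $input['string'] ?? null;

    if ($int === false || $double === false
        || !is_string($string) || strlen($string) > 45) {   // VARCHAR(45) in the post
        return null;
    }

    // The SQL text never contains user data: placeholders are sent to the
    // driver separately, so quotes, backslashes or "; DROP TABLE" in $string
    // are stored as plain characters.
    $stmt = $db->prepare(
        'INSERT INTO validate (int1, double1, string1) VALUES (:i, :d, :s)'
    );
    $stmt->bindValue(':i', $int, PDO::PARAM_INT);
    $stmt->bindValue(':d', $double);              // no float type in PDO; bound as string, stored as REAL
    $stmt->bindValue(':s', $string, PDO::PARAM_STR);
    $stmt->execute();

    return (int) $db->lastInsertId();
}

// Constructed sample input standing in for $_POST.
$db = openDb();
$id = storeSubmission($db, [
    'int'    => '42',
    'double' => '3.14159',
    'string' => "O'Brien; DROP TABLE validate; --",
]);
// The awkward string is stored exactly as submitted and the table still exists.
$row = $db->query('SELECT string1 FROM validate')->fetch(PDO::FETCH_ASSOC);

// "42abc" is rejected outright; (int) '42abc' would have silently produced 42.
$rejected = storeSubmission($db, ['int' => '42abc', 'double' => '1.0', 'string' => 'x']);
```

Casting and mysql_real_escape_string(), as in the post, do work when applied consistently, but a prepared statement removes the step that is easiest to forget: with placeholders there is no hand-built query string in which an unescaped value could end up.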
@toptomato (author) Apr 11, 2011 — thanks guys, I'll try. Not yet familiar with some of those functions.

Man, I love PHP; was a CSS'er for years.