Hi, I am trying to write a PHP validation script that enables a user to input data that has the following limitations... a) Can ONLY start with any letter or number... (I know this one: ^[azAZ]|^[0-9]) b) and can only have ANY (or none) of the following three characters in it: -(minus) /(forward slash) and .(full stop). I am trying to stop malicious input attacks. Any suggestions as to whether this is an adequate precaution? This is a part number that will be used directly by the server to look up a MySQL database running on Apache. Thanking you in advance.
```php
<?php
// Version 1 of the check: the first character must be a letter or digit,
// and '.', '/' and '-' may each appear at most once. This version only
// counts those three symbols; it does not reject other characters
// (spaces, quotes, etc.) on its own.
function validate_user( $data ) {
    if( !preg_match( "/^[a-zA-Z0-9]/", $data ) ):
        printf( "rule: first character has to be a number or letter : %s<br />\n", $data );
        return false;
    elseif( preg_match_all( "#[\.]#", $data, $match ) > 1 ):
        printf( "rule: no more than one fullstop allowed : %s<br />\n", $data );
        return false;
    elseif( preg_match_all( "#[/]#", $data, $match ) > 1 ):
        printf( "rule: no more than one forward slash allowed : %s<br />\n", $data );
        return false;
    elseif( preg_match_all( "#[\-]#", $data, $match ) > 1 ):
        printf( "rule: no more than one minus sign allowed : %s<br />\n", $data );
        return false;
    endif;
    return true;
}

if( validate_user( "asse/.-" ) ):
    echo "Validation success\n";
else:
    echo "Validation failure\n";
endif;
```

It's pretty hard to guess; it's easier to see what you want when you post the code you have....
Hi, thanks for your post. It looks fine, just one small correction. They can have any number of / (forward slash), . (full stop) or - (minus), or nothing at all (they are not limited to just one). Those are the only other characters allowed in the input. Hope that makes sense. Thanks
```php
<?php
// Version 2: the first character must be a letter or digit, and every
// character must be a letter, digit, '.', '/' or '-' (any number of each).
function validate_user( $data ) {
    if( !preg_match( "/^[a-zA-Z0-9]/", $data ) ):
        printf( "rule: first character has to be a number or letter : %s<br />\n", $data );
        return false;
    // Negated character class: the match succeeds (and the input is
    // rejected) as soon as one character outside the allowed set is found.
    elseif( preg_match( '#[^a-zA-Z0-9./-]#', $data ) ):
        printf( "rule: only numbers letters . / and - are allowed : %s<br />\n", $data );
        return false;
    endif;
    return true;
}

if( validate_user( "asse/.-" ) ):
    echo "Validation success\n";
else:
    echo "Validation failure\n";
endif;
```
Also check these built-in functions: ctype_alnum php.net/ctype_alnum, ctype_alpha php.net/manual/en/function.ctype-alpha.php, ctype_digit php.net/manual/en/function.ctype-digit.php
Hi, thanks for your replies. Can you please tell me why this isn't working then?...

```php
<?php
function validate_user( $data ) {
    if( !preg_match( "/^[a-zA-Z0-9]/", $data ) ):
        printf( "rule: first character has to be a number or letter : %s<br />\n", $data );
        return false;
    // Reject any character outside letters, digits, '.', '/' and '-'
    elseif( preg_match( '#[^a-zA-Z0-9./-]#', $data ) ):
        printf( "rule: only numbers letters . / and - are allowed : %s<br />\n", $data );
        return false;
    endif;
    return true;
}
?>
<?php include("db.php"); ?>
<html>
<head>
<title> Product List </title>
<style type="text/css">
.style11 { color: #E1012F; font-weight: bold; font-style: italic; font-size: 50px; }
pns { background-image: url(images/topbanner.jpg); }
.style15 { font-style: italic; color: #E1012F; font-family: Georgia, "Times New Roman", Times, serif; font-size: 55px; }
.style16 { color: #002675; font-style: italic; font-weight: bold; font-size: 50px; }
.style5 { font-style: italic; font-weight: bold; font-size: 15px; font-family: Georgia, "Times New Roman", Times, serif; color: #002675; }
.header form { text-indent: 20px; }
body { margin-left: 20px; }
.style17 { color: #255699 }
.style18 { color: #255699; font-weight: bold; }
.style20 { color: #FFFFFF; font-weight: bold; }
.style19 { BACKGROUND-COLOR: #255699 }
</style>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#ffffff">
<table width="566" height="105" border="0" cellpadding="0" cellspacing="0" background="../../images/topbanner.jpg">
<tr>
<th width="469" height="57" valign="top" scope="col"><div align="left"><span class="style15"><span class="style11">HPC</span><span class="style16"> my Gears </span></span></div></th>
<th width="96" rowspan="3" scope="col"><img src="../../images/logo_hpc4.gif" alt="my gears logo" width="80" height="79" /></th>
</tr>
<tr>
<td align="center"><img src="../../images/neverbl.gif" alt="Never Knowlingly Outpriced" width="246" height="23" /></td>
</tr>
<tr>
<td><span class="style5">my gears</span></td>
</tr>
</table>
<h1 class="style17">Products</h1>
<table width="566" border="0" cellpadding="0" cellspacing="0" bgcolor="#255699">
<tr>
<td>
<form name="order" method="post" class="style19">
<input class="style18" name="pn" value="" size="16">
<input class="style19" type="submit" name="submit" value="search">
<?php
// Defaults so the echo statements further down never read an undefined $row
$row = array( 'part_number' => '', 'price_each' => '', 'itemId' => '' );

if ( !isset( $_POST['pn'] ) || trim( $_POST['pn'] ) == '' ) {
    die( '<span style="color: #FFFFFF;">Please enter a valid my Gears part number!</span>' );
} elseif ( !( validate_user( "pn" ) ) ) {
    // NB: this validates the literal string "pn", not the submitted value
    echo "Validation failure\n";
} else {
    global $dbServer, $dbUser, $dbPass, $dbName;
    $cxn = @ConnectToDb( $dbServer, $dbUser, $dbPass, $dbName );
    // Read the value from the same source that was checked above ($_POST, not $_REQUEST,
    // which also merges GET and cookie values)
    $pn = $_POST['pn'];
    // $pn is interpolated straight into the SQL string here
    $result = mysql_query( "SELECT * FROM mynumberscart WHERE part_number = '$pn'" ) or die( mysql_error() );
    $row = mysql_fetch_array( $result );
}
?>
<br>
<input class="style18" name="partn" value="<?php echo $row['part_number']; ?>">
<input class="style18" name="pricee" value="<?php echo $row['price_each']; ?>">
<br>
<a href="cart.php" class="style20">Your Shopping Cart >></a>
<a href="cart.php?action=add_item&id=<?php echo $row['itemId']; ?>&qty=1" class="style20"> Add Item</a>
</form>
</td></tr>
</table>
</body>
</html>
```

thanks
I am a starter at using PHP, so can you please give me a clue as to what's wrong with the above code? elseif (!(validate_user("pn"))) Thanks. jacka
elseif (!(validate_user("pn"))) should be elseif (!(validate_user($_POST["pn"]))) assuming pn is the form field for the username or data you want to validate.
Hi, yes, pn is the actual part number the user inputs. Many thanks, you have been a great help. It works just fine now. Do you think this will be enough to stop malicious attacks getting into the server, now that you know how the data is going to be used? Once again, thanks a million. Jacka
No, I don't; you should also use functions such as trim(), stripslashes() and mysql_real_escape_string() before using that code in a production environment. All those functions are documented on php.net.
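As an added example (my code, not any poster's), here are the two pieces the thread keeps circling back to, put together: a whitelist that checks the whole string against the part-number grammar from the replies above, and a lookup that hands the value to MySQL as a bound parameter rather than splicing it into the query text. The mysql_* functions used in the posted page were removed in PHP 7, so this uses PDO; the table and column names are taken from the posted page, while the 64-character length cap, the `$pdo` connection and the sample inputs are assumptions.

```php
<?php
// Added example, not from the thread: whitelist validation of a part number
// plus a parameterized MySQL lookup (PDO) instead of string interpolation.

declare(strict_types=1);

/**
 * Accept only the part-number grammar discussed in the thread:
 *   - first character must be a letter or digit
 *   - every following character must be a letter, digit, '.', '/' or '-'
 * Anchored with \A and \z so the whole string is checked, not just a prefix,
 * and so a trailing newline cannot slip past a '$' anchor.
 */
function validate_part_number(string $pn): bool
{
    // Length cap is an assumption: tune it to the real part_number column width.
    if ($pn === '' || strlen($pn) > 64) {
        return false;
    }
    return preg_match('#\A[A-Za-z0-9][A-Za-z0-9./-]*\z#', $pn) === 1;
}

/**
 * Look up a part by number. $pdo is assumed to be a PDO connection to the
 * database from the thread; table and column names come from the posted page.
 * The value is bound as a parameter, so it never becomes part of the SQL text.
 */
function lookup_part(PDO $pdo, string $pn): ?array
{
    if (!validate_part_number($pn)) {
        return null; // reject before touching the database
    }
    $stmt = $pdo->prepare(
        'SELECT itemId, part_number, price_each FROM mynumberscart WHERE part_number = ?'
    );
    $stmt->execute([$pn]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs (not from the thread) showing what the whitelist does.
$samples = [
    'ABC-123/4.5'      => true,  // letters, digits and all three allowed symbols
    'a'                => true,  // a single letter is fine
    '-ABC'             => false, // must not start with a symbol
    'ABC 123'          => false, // space rejected
    "ABC\n"            => false, // trailing newline rejected (\z, not $)
    "' OR '1'='1"      => false, // classic injection payload never reaches SQL
    'ABC\\123'         => false, // backslash rejected, so stripslashes() has nothing to do
    'ABC;DROP TABLE x' => false,
];

foreach ($samples as $input => $expected) {
    $ok = validate_part_number($input);
    printf("%-22s %s\n", json_encode($input), $ok === $expected ? 'ok' : 'UNEXPECTED');
    assert($ok === $expected);
}

// Usage against a real database (connection details are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//                 PDO::ATTR_EMULATE_PREPARES => false]);
// $row = lookup_part($pdo, $_POST['pn'] ?? '');
```

Because the whitelist rejects whitespace and backslashes outright, trim() and stripslashes() cannot change a value that has already been accepted. What the whitelist does not do on its own is make the query safe if the value is ever interpolated into SQL text, which is why the lookup binds it as a parameter instead.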
Hi, sorry to go on about it, but doesn't our code (well, your code) stop anyone entering a string that has any spaces and backslashes? Why do I need the stripslashes() and strip() functions then? thanks jacka
Yeah, it does. As a matter of course, when you receive data from a form you should prepare it first, and for me that's normally one or all of the three (or more) mentioned functions......
So, I don't need any of the above mentioned functions because no data apart from alphanumeric, -, / and . can be typed in. Or do I still need them? I understand that in the normal course of action I would need those functions for security purposes, but since I do not allow any input characters apart from the above, then I shouldn't need them. Please advise. jacka