PHP Form validation

how would i go about vaildating my forms with is_numeric, or regex, and protecting against from sql injection using mysql_real_escape_string(), htmlspecialchars(). there are 3 things i would like to validate for/protect. each in a different form,

one for one or two words, 0-30 characters
one for a number, 1-3 digits
one for a text block (paragraph)

could someone explain how i would validate/protect each type of form.

thanks =]

 

is_numeric for a number

and what for letters can a text block contain (all or just only letters and no symbols?)

 

whatever would allow english to be spoken with no problems. Periods, quotes, commas, etc no slashes tho.

 

Here is a basic one
On recieving PHP end:

<?
if(isset($_POST['1']) == true && strlen($_POST['1'])<31) {
mysql_real_escape_string(strip_tags($_POST['1']));
// 30 chars or less and is sanitized.
}

if(is_numeric($_POST['2']) == true && strlen($_POST['2'])<4) {
//Is a number and is 3 chars or less
}

if(isset($_POST['3']) == true && strlen($_POST['3'])<1000) {
mysql_real_escape_string(strip_tags($_POST['3']));
//is less than 1000 chars and is sanitized;
}
?>

PHP:

 

.. i dont use an array to handle post.. i dont understand what this script is doing (im a complete noob to mysql_real_escape_string, strip_tags, htmlspecialchars and all that protection stuff) this is my first time using this type of form on a web page. Can you explain the code?

 

$_POST is a global array of all variables sent by a post form.
and mysql_real_escape_string adds backslashes to characters such as quotes and backslashes.
and strip_tags removes most tags that can be used in html and php.

 

could i use htmlspecialchars() as well, so that & and stuff will be correctly stored?

and could i get my $_POST like normal like $_POST['name'] instead of $_POST['1']?

thanks.

 

I dont think strip_tags strips & it only strips html such as "<". But yes you can use htmlspecialchars() instead of that.

and yes. the example was only if your input was say:

<input name="1" value="pie">

Code (markup):

 

okay, thanks, im pretty sure i understand how i would use this now. Thanks =] +rep'd

 

okay, this adds \ before all the excaped characters, but it also shows when it is echoed. is there any way i can strip the clashes (will strip_slashes work?)

 

FYI: Make sure your script filters metacharacters from user input so that your site would be 100% RFI (remote file inclusion) safe.

 

huh? metacharacters? im new to this php sanitization thing, can you explain this thing you call metacharacters?

 

Some metacharacters are:
^ $ \ / ( ) | ? + * [ ] { } < > , .

Can be used to inject malicious coding into a site.

 

would htmlspecialchars() strip that? and return it as &amp; or whatever?

because im using mysql_real_escape_string(htmlspecialchars());

would this filter those?, also, it puts slashes before " and other excaped characters, would strip_slashes(); get rid of these?

 

Yeah it might, give me a link to your site, Will see whether its RFI vulnerable. ( I'll cause no harm, just a simple test )

 

well all my forms are in my admin panel, (except login) and i dont exactly know how to sanitise that one, but i think phpbb3 may do that automatically (thats how the login script is handled). I will make a page that is accessibly to anyone.

EDIT: the site has been PM'd to you. (dont want 'hackers' to see this and exploit possibly loopholes i missed.)