That's a fairly open-ended question. Are you putting the user-supplied "address" in the DB? If so, sanitize it.
Are you trying to make sure that the user is a legitimate contact? Decide how far you want to go with checking. The extreme case would be something like sending an email to that address and requiring a click ... something similar to the registration process for a half-billion web sites.
Are you going to ignore the input? No validation necessary.
/!!\ mysql_ is deprecated --- don't use it! Tell your hosting company you will switch if they don't upgrade!
/!!!\ ereg() is deprecated --- don't use it!
dalecosp "God doesn't play dice." --- Einstein "Perl is hardly a paragon of beautiful syntax." --- Weedpacket
There's no guarantee posted data will even be sent using your form. A user can send that any way they see fit, assuming they have the skills to make an HTTP POST or GET request, which isn't complicated at all.
Personally, I always start out by making all my input fields type="text", then I validate and sanitize it with PHP, then I'll do the same with jQuery/Javascript, then finally I will change the input type to the correct version and tag a required tag on it (if it is required of course).
Is it really necessary? Probably not, but I would rather over-validate user input than under-validate it. Users are tricky, and some of them are still surfing on way old browsers that don't recognize the input type="email" fields.
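The server-side half of the approach described above, as an added example that is not part of the original posts: it checks the posted value without assuming the request came from the form. The field name `email`, the 254-character limit, the rejection reasons and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: server-side check of a posted "email" field.
// Returns [true, $address] when usable, or [false, $reason] otherwise.
function check_posted_email(array $post, string $field = 'email'): array
{
    // A hand-built request can omit the field or send it as an array (email[]=x),
    // whatever type="email" or "required" says in the HTML.
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return [false, 'missing or not a string'];
    }
    $value = trim($post[$field]);
    if ($value === '') {
        return [false, 'empty'];
    }
    // Assumed limit: 254 characters is the usual upper bound for an address.
    if (strlen($value) > 254) {
        return [false, 'too long'];
    }
    // The value is going to be used to send mail, so accept exactly one
    // address on one line: no separators and no line breaks.
    if (preg_match('/[\r\n,;]/', $value)) {
        return [false, 'more than one address or a line break'];
    }
    // Syntax check only: it says nothing about whether the mailbox exists
    // or belongs to the person who typed it.
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return [false, 'not a valid address'];
    }
    return [true, $value];
}

// Constructed inputs: what a browser form would send, and what a
// request made without the form could send instead.
$samples = [
    ['email' => 'user@example.com'],
    ['email' => '  user@example.com  '],
    ['email' => 'not-an-address'],
    ['email' => 'billy@example.com, joey@example.com'],
    ['email' => ['a@example.com', 'b@example.com']],
    ['email' => "a@example.com\nb@example.com"],
    [],
];
foreach ($samples as $post) {
    [$ok, $info] = check_posted_email($post);
    echo json_encode($post), ' => ', $ok ? 'accepted: ' : 'rejected: ', $info, PHP_EOL;
}
```

Only the first two samples are accepted. Passing this check means the value is well-formed, not that the address is deliverable or belongs to the sender.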
I validate and sanitize it with PHP, then I'll do the same with jQuery/Javascript
Did I hear that right? JS first, then PHP ... or am I missing something fundamental about the way browsers and servers communicate?
I believe he means he adds validation to PHP, and then when that's functional goes and adds it to JavaScript.
Sadly, nobody codes for anyone on this forum. People taste your dishes and tell you what is missing, but they don't cook for you. ~anoopmail I'd rather be a comma, than a full stop. User Authentication in PHP with MySQLi - Don't forget to mark threads resolved - MySQL(i) warning
Yeah, I build the PHP validation first, because if I am doing it in JS first, then it wouldn't likely hit the PHP validation layer, until I get a user who has JavaScript disabled, and they would be the ones who screw up my world lol.
Yeah, I build the PHP validation first, because if I am doing it in JS first, then it wouldn't likely hit the PHP validation layer, until I get a user who has JavaScript disabled, and they would be the ones who screw up my world lol.
You can always disable JavaScript in your browser to test it.
I believe he means he adds validation to PHP, and then when that's functional goes and adds it to JavaScript.
Ah, indeed. One of the reasons that, most days, I like PHP better than English.
As it turns out, I do it in the same order; I don't know why I was thinking like a computer instead of like a programmer. Or, perhaps, I do.
Well, it's going to be used to email the form somewhere? Not stored.
So now you need to ask yourself (or your business analysts, etc.):
(1) What bad things happen if the user accidentally enters an invalid address (one that for any reason cannot reach an actual e-mailbox)?
(2) What bad things happen if the user intentionally (or accidentally, for that matter) enters someone else's email address? *
The answers to these and any other similar questions you might think of will help you decide how you want to go about validating it.
__________
* As a pretty bad case: imagine if this is a porn-related site, and you periodically send out explicit ads to the registered email addresses, and the user intentionally or accidentally enters a real address for someone else, who happens to be under-age.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be." ~ from Nation, by Terry Pratchett
"But the main reason that any programmer learning any new language thinks the new language is SO much better than the old one is because he’s a better programmer now!" ~ http://www.oreillynet.com/ruby/blog/...ck_to_p_1.html
* As a pretty bad case: imagine if this is a porn-related site, and you periodically send out explicit ads to the registered email addresses, and the user intentionally or accidentally enters a real address for someone else, who happens to be under-age.
As an even worse case, imagine they entered billy@email.com, joey@email.com, sally@email..., etc., etc.
or "email-server-list@fbi.gov", "members@house.gov", etc...