Making sure data is in the right format

Anon

Hi,

I'm taking user data from a web form and writing it to a MySQL database via a PHP application. I've two issues, tolerance and security. By tolerance, I mean that the application with deal with the fact that you can't write textual data to a numerical field, and so on.

I'm using ints, floats and year type in various places. I'm also using varchar(n) and need to report back to a user if their input has been truncated for writing as is the behaviour of MySQL. I assume this can be done best with regular expressions in which case I'd be grateful to see any 'standard' expressions for the inbuild MySQL datatypes if such standards exist.

My second issue - security. I'm already str_replace'ing less-than and greater-than to disable HTML code. I'm also delimiting quotes in textual fields. Is there anything else I should be doing?

Thanks

Ian

Anon

Tolerance:

For ints and float, you can use PHP's functions: is_int() an is_float(). PHP has more is_something() functions; check them out in the documentation.
For varchars, check the string with strlen() to see if the user exceeded the allowed length.

Security:

Check out: http://www.php.net/release_4_1_0.php . If you're still using the old mechanism, you might want to consider upgrading.

Diego