How does one validate input from HTML forms using PHP ?

bluwulf

How does one validate input from HTML forms using PHP ? I would need to input the data in a MySQL DB

Taking into consideration that the form contains input and textarea feilds and drop down-down menus. Well I'm really concerned with the input and textarea (as the user is forced to select the option from the drop-down menu)....how does one validate what the user enters in the input and textarea feilds...afterall my form is setup so that whatever the user enters as an input it would be a valid
input.It's just like the form that I filled out to make the very same post :?

Is there anything I need to even verify ? Also In my DB I use the data type TINYTEXT for my Subject and for my Message body (I call it somthing else though) I use the data type TEXT

If I'm not mistaken the data types can hold up to the following :

For TINYTEXT, 255 characters which would be same as VARCHAR(255)

AND for TEXT it is 65535 characters. (65535 chracters is appropriate for what I'm doing)

(The most I see that I can do is make sure that what the user enters falls within these limits...right ? Are there more appropriate data types)

I have also made sure that I have set the wrap attribute in the textarea tag to wrap="soft"...trying to follow W3C officila HTML 4.0 standard (this ensure that the lines will appear to wrap in the textarea however they are submitted as a single line to the DB for INSERTION)

I also read the following at PHPNexus

In some configurations, magic_quotes_gpc (the feature that automatically adds slashes to all input) is actually set to OFF. You can use the function get_magic_quotes_gpc() to see if it's on or not (it returns true or false). If it returns false, simply use addslashes() to add slashes to all of the input (it is easiest if you use $POST, $GET, and $_COOKIE or $HTTP_POST_VARS, $HTTP_GET_VARS, and $HTTP_COOKIE_VARS, instead of globals because you could step through those arrays using a foreach() loop and add slashes to each one).

So I turned on magic_quotes_gpc.....

I's there anything else I can do ? I would be very much appreciative of any suggestion ?

TheDefender

:queasy: Whew, there's a lot to this question... A lot of it depends on what you plan to do with the input... Sounds like you are trying to email it later... That being the case, you probably want to make sure any potentially harmful code is stripped out (JavaScript for example).

As far as "how to validate", you could do it client side, via JavaScript, before the form is passed on to the PHP page (after the submit button is pressed), or you could validate on the PHP page, and report any validation errors received to the user with an option to go back, or an option to redisplay the form with the errors listed...

Which part are you looking for advice on?

bluwulf

Originally posted by TheDefender

As far as "how to validate", you could do it client side, via JavaScript, before the form is passed on to the PHP page (after the submit button is pressed), or you could validate on the PHP page, and report any validation errors received to the user with an option to go back, or an option to redisplay the form with the errors listed...

Which part are you looking for advice on? [/B]

No....I don't intend to email this info (well....that wasn't part of the specifications given to me for the design....but may be I could take that into consideration.....but then that means more work for me.....what am I thinking...anyway)

I intend to have the user (at the click of a link on a page) simply be able to pull the data (previously submitted to the D😎 and re-display it on a webpage....thats all. (as you can expext whatever precautions I can take to ensure the security of the DB I intend to take....)

I note that you suggested client-side....however I prefer to stay server side If I can (really am pretty new to PHP....and don't kno any sever side scripting)

bluwulf

Originally posted by bluwulf
...I have also made sure that I have set the wrap attribute in the textarea tag to wrap="soft"...trying to follow W3C officila HTML 4.0 standard (this ensure that the lines will appear to wrap in the textarea however they are submitted as a single line to the DB for INSERTION)...

Ok this really didn't work....my tables got new lines in the rows....now this is a headache...I will have to go and drop the tables and the recreate them (luckily I got the scripts to do this and also this is a jus a test D😎

Is there some other solution to this ?

LordShryku

Just [man]str_replace[/man] out the newline characters...

bluwulf

Originally posted by LordShryku
Just [man]str_replace[/man] out the newline characters...

Ok I also went and folowed your advise and to my suprise it didn't work...this is what I tried:

<?php
$detail_submitted_no_newlines = str_replace("\n"," ", $details_submitted);

$sqlquery_details = "INSERT INTO details (submit_date,submit_time,subject_submitted,detail_submitted) VALUES ('$submit_date','$submit_time','$subject_submitted','$detail_submitted_no_newlines')";

mysql_query($sqlquery_details) or die("SELECT Error: " . mysql_error() . " in Query: $sqlquery_details");
?>

And I checked the variables names and they are all right. Would the fact that I have on magic_quotes_gpc