Checking Values

kathy7012

I am trying to stop someone from entering a character other than 0-9 in a text box and am not sure if I have it correct. I used the following syntax:

if($usecredits > 0)
{
     if($usecredits) 
{
         if (preg_match("/^([0-9]+)$/", $usecredits))
	echo 'Error: You may only enter a value 0 through 9';
}
         else{

            return $usecredits;
}

Just not sure if this is fullproof and it is important that it is since they are purchasing dollar amounts. Am I doing this correctly? Or am I not understanding it properly.
I appreciate your response.

devinemke

if (!ereg('^[0-9]*$', $usecredits)) {echo 'Error: You may only enter a value 0 through 9';}

kathy7012

Thank you so very much! You are wonderful.

jazz_snob

This will evaluate to true only if $num is single digit:

ereg( '^[0-9]{1}$', $num )

This will evaluate to true for 0 or more digits, including an empty string, eg "", because the * modifier matches 0 or more occurences:

ereg( '^[0-9]*$', $num )

Use curly braces to specify the number of digits you want.

LordShryku

Also, for these easy matches, there's the ctype functions, like [man]ctype_digit[/man].

kathy7012

I used the following code you suggested:

if (!ereg('^[0-9]*$', $usecredits)) {echo 'Error: You may only enter a value 0 through 9';}

But I am still having an issue with people trying to stump the system. They are entering +4000+ in the text box and it is allowing them to receive that many credits even when it gives a negative 4000 in the database. I don't know how to stop it. I have tried many combinations and am not getting the right syntax. Do you have any ideas? Or something I could research more?

I appreciate you taking the time.

Roger_Ramjet

Validate the input with javascript before you submit the page. If they enter illegal values then your page issues an alert message prompting the user for valid input, clears the input box, cancels the post and nothing is passed to your site.

LordShryku

If they don't have javascript turned off, that is.

Roger_Ramjet

You mean Java Machine don't you. Sure, plenty of people like to surf-safe and turn that off, but how do you turn off javascripts in IE? It's up to you, if they want to use your site then they will have to trust your scripts, just like I have to allow cookies if I want to use some sites.

LordShryku

Are you assuming everyone uses IE? You're certainly assuming everyone has javascript on. I'm not saying it's a bad idea. I even use it myself. But any validation you do in javascript you should also do in php. Javascript can be turned off, but php can't.

Roger_Ramjet

And I'm saying all input validation should be done client-side before submittion. Just basic good database design and practice regardless of platform.

No, I don't assume that everyone uses IE, only about 80% of the PCs in the world is all. I was just using it as a for-instance. Now I don't know what your site is for, where it is hosted, or who your target audience is.
I do know that it involves the issuing of credits, which I assume have some real monetary or material value. So I deduce that you have a commercial site of some sort. And I know that your stated problem that it was open to abuse, so I assume you are liable for some sort of monetary loss.
Now you have been having trouble validating this input in PHP, and the experienced and knowledgeable respondants have not been able to come up with an easy solution to what is, in javascript, a trivial problem. Every site that I have been involved with that used user input, used javascript to validate that input. Never a problem, and to my knowledge, no user has ever complained, or even noticed. The rare few (about 1-2% of surfers) who know enough to use a browser other than NS or IE generally also know enough to recognise a standard validation script from a nasty destructive one.
But it is your site. Can the javascript and use PHP by all means. I was only trying to help.

PS I don't even bother to write javascripts from scratch anymore, there are so many good ones on the java forums and resources.

kathy7012

Thank you all so much for your advice. I did end up using javascript to check at the client level. So far it is working. And yes, the site loses monetary value if they receive credits from entering false values. I just thought their was a way in php to stop it entirely. I used all the eregi methods (I hope correctly) preg_match methods and stuff but it was still allowing them to enter values on either side of the numbers, so I just limited characters (simple fix), well at least until they try to hack a new way. Just gave it a maxlength. So far it is working. Again thank you for all your input, I keep learning more every day.

Roger_Ramjet

Well, yes. A 'hacker' can always re-write your page on his client and bypass the javascript validation, very simple thing to do. My recommendation for using javascript is to stop the honest error and help and advise the user on the correct input before submitting the page. When there is money involved then overkill is the only answer. I would use at least 2 more levels of validation: in the script that receives and processes that input, and with rules implemented at the database itself.

In VB I would use the character matching LIKE [0-9] operator to validate 0-9 only, not sure what the corresponding PHP operator is. That way you bypass the +99 which numeric checking will accept as a valid integer, etc. Same with sql in Access, but don't know if it exists in mysql.

Take the user's input, write it to a temporary table. Validate every way you can think of and only then accept and update you db.

laserlight

In VB I would use the character matching LIKE [0-9] operator to validate 0-9 only, not sure what the corresponding PHP operator is.

ctype_digit(), as was suggested by LordShryku

kathy7012

Thank you all for such good advice. I am going to implement your suggestions. I appreciate you all taking time to help.