first script: form + validation

sennevb

i'm not so long busy with php, and made a form + validation...
i just wanted to know what you had done otherwise...

RossC0

Hi,

It errors on my set!

Looking at the code - I would escape php for the majority of the html elements and I wouldn't hardcode the styles I would use css.

Also there is little validation of the actual posted fields - which could lead to sql injections if they were to be used with a database.

sennevb

ok , escape to html, havent tought about that...
and what do you mean, i'm gonna use sql to save the form, but thats later, what is the problem then with injection??

sorry for my bad english...

RossC0

No worries,

Escaping php has no cost (infact its quicker! albeit marginally.)

It up to you how you validate the form - it just didnt seem to have much validation!

The amount of validation is up to you - you could validate an email address. Ensure that a numeric field contains only numeric information etc.. (you can go over the top thou!)

As its a registration script I assumed you would be using sql to save the registered user. For security reasons you need to ensure that the user cannot get away with putting sql statements in your form fields - so that when you run sql based on the fields nothing bad can happen.

Check out:

SQL Injection

sennevb

i just validate that there is something in the required fields, nothing more...

i'll have a look into injection...

RossC0

Good stuff!

It all depends on how its going to be used as to the amount of validation required for the job.

Always be aware of security! as losing a database I imagine would be a hard lesson!

I look forward to seeing the next revision of the code 🙂

sennevb

i certainly will, thx for helping me and looking to my code

sennevb

didnt had much time lately, i will post is soon...

chads2k2

Originally posted by RossC0
Good stuff!

It all depends on how its going to be used as to the amount of validation required for the job.

Always be aware of security! as losing a database I imagine would be a hard lesson!

I look forward to seeing the next revision of the code 🙂

Good stuff? Who uses that? LOL.

Yeah defintly exit out of PHP and let HTML do what it does best. Look pretty and not kill server time with it. Yeah SQL Injection RULZ! Haha.

One quick way you can do a little validation:

<?php
// REQUIRED FIELD = $superman
if(str_len(trim($superman)) < 1)
{
    $errors = 1;
    $superman_error = 1;
}else{
    $superman = addslashes($superman);
}
?>

That's one quick little dirty way of doing it. Don't ever use isset because yoru users can put just a space in it and well it technically counts. That is why you throw a trim in it so it will take out all the whitespace so a space doesn't count as a character.

It's late and I am going to bed.
Chad

RossC0

Originally posted by chads2k2

That's one quick little dirty way of doing it. Don't ever use isset because yoru users can put just a space in it and well it technically counts. That is why you throw a trim in it so it will take out all the whitespace so a space doesn't count as a character.

It's late and I am going to bed.
Chad [/B]

Surely that will cause a notice error if the variable isn't set - which isnt exactly good practise.

Always remember that form validation / security should be examined on a case by case basis.

...users can put just a space...

Now this may cause problems for your script - or it may not. If it would then cater for it.

Javascript is a good solution for instant client checking - which might be preferable, in some instances. i.e. validate the user is providing an email address etc..

However, you must include server side checking also - to ensure the passed information is correct, valid and secure to process.

And Chad - please cut the txt speak - people from all over read and use these forums and it helps readability - even for people you use 'Good Stuff!'

bubblenut

Here's a few things I use for validation, first and foremost I try to encapsulate as much as I can in a function. Here I've called it check()

<?php
function check($type, $value) {
    switch($type) {
        case 'unique_id':
            //my unique identifiers are all integers and cannot be empty
            //Amazon for example would have to make this differently as they
            //have more complex identifiers (ASIN)
            if(empty($value) || !is_numeric($value) || intval($value) != $value)
                return false;
            break;
        case 'email':
            $domain=explode('@', $_POST['email']);
            if(!preg_match('/^[\d\w\.]+@[\d\w\.]\.{2,4}$/', $email) || gethostbyname($domain[1]) == $domain[1])
                return false;
            break;
        default: //if we don't understand the type we have to fail it
            return false;
    }
    return true;
}
?>

Now you can add all your validation rules in one place and use them all around your site. Then, when you need to modify one of these rules (and you'll always need to), there is only one place you need to make the change.

Take a look at the code below for some very flexible techniques for validation.

<?php
//Two arrays, one for required fields and one for allowed fields. The allowed fields is by nature going to be a superset of the required fields
//so we can just build the one from the other
$required_fields=array('requiredfield1', 'requiredfield2', 'requiredfield3');
$allowed_fields=array_merge($required_fields, array('notrequiredfield1', 'notrequiredfield2'));
//This array will hold any unknown fields which manage to work their way in (prehapse someone is trying to hack our script!)
$unknown_fields=array();

//Iterate through the whole POST array (or GET array or even COOKIE array) to weed out the unknown fields and unset ones which
//are present but blank
foreach($_POST as $key => $value) {
    //Check if it's a known field
    if(!in_array($key, $allowed_fields))
        $unknown_fields[]="$key [$value]";
    //Remove it if it's empty. This may not be something you want to do prehapse it would be better to
    //if(in_array($key, $required_fields) && empty($value)) or something else, depends on your system
    if(empty($value))
        unset($_POST[$key]);
}
//If nothing is wrong they will pass so we initialize this switch to true
$pass=true;
//Determine which required fields are not present
$missing_fields=array_diff($required_fields, array_keys($_POST));
//Check the unknown fields
if(count($unknown_fields)>0) {
    echo("The following unknown fields were used: ".implode(',', $unknown_fields)."<br />\n");
    $pass=false;
}
//Check the missing fields
if(count($missing_fields)>0) {
    echo("The following required fields were missing: ".implode(',', $missing_fields)."<br />\n");
    $pass=false;
}
//exit if fail
if(!$pass) exit();
?>

HTH

sennevb

i've allready have made something( i escaped to html), look in attachment, but didnt do anything else...

i'm gonna see how to use your validations of you guys and include it in my code...

(sorry for bad english..)

hope to post new version soon...

sennevb

so instead of:

if((!isset($_POST['naam']) or (!isset($_POST['achternaam']) or 
											(!isset($_POST['straat']) or (!isset($_POST['nummer'])) or
											(!isset($_POST['postcode']) or (!isset($_POST['stad']) or
											(!isset($_POST['land']) or (!isset($_POST['telefoon']) or
											(!isset($_POST['email']) or (!isset($_POST['login']) or
											(!isset($_POST['pass']) and checkemail() ) {

i must use the if(str_len(trim($POSTvalue)) < 1) to be sure...

bubblenut

No, for each you should use

if(!isset($_POST['value']) && empty($_POST['value']))

sennevb

not and, or, isnt it?

Weedpacket

Originally posted by bubblenut
No, for each you should use
if(!isset($_POST['value']) && empty($_POST['value']))
[/B]

But empty() also checks whether a variable isset or not.

sennevb

so i can do the if isset away

laserlight

so i can do the if isset away

It depends.
isset() is used to test if the variable is set, i.e. if it exists at all and is not null.
empty() is used to test if the variable is empty, i.e. if it doesnt exist, is null, blank, or is a zero value.

You can (and should) do away with one of them, but which one depends on the exact requirement.

sennevb

this is what i have now...

when you guys say this is fine (first wanna be sure that this is ok), i'll add mail confirmation + db insert

sennevb

no one 🙁