Ive been reading some articles on "whitelist validating" your information before you use it in a script ... Secure PHP Development.
In this example , A user is Rating an Image Gallery (1 - 10) for the rating scale (integers) and Submitting it to the database using a form.
Once the user has submitted his rating .. Here's the code i wrote to validate the information , make sure the user is submitting only a number , and not allowing the data to be marked clean , if it this is not true.
Please tell me , if this is acceptable to be marked as " Secure PHP " , So to Speak.
I realize Their is pretty much always a way to manipulate data , so maybe my question should be , is this Safer php code? What else could i do / change .. Are their any holes in this?
Thanks for your feedback as i seek myself to be a more secure developer.
<?
include("./admin/config.php");
include("$include_path/common.php");
// include("$include_path/$table_file");
// CHECK TO MAKE SURE USER IS LOGGED IN
check_user_login();
// IF LOGGED IN , THEN INCLUDE THE CUSTOM FILE
include("$include_path/custom.php");
// CHECK TO MAKE SURE THIS PAGE IS BEING ACCESSED BY A POST
if(!isset($_POST['rating'])) {
header('Location: ' . getenv('HTTP_REFERER'));
exit();
}
// SET DATALOCK
$datalock = true;
$cleandata = '';
// IF THE FORM IS SUBMITTED USING POST AND THE RATING IS SET
if($_POST['rating']) {
$gallery_rating = $_POST['rating'];
if(is_allnumbers($gallery_rating)) {
// IF THE DATA RETURNED AS ALL NUMBERS , UNLOCK DATALOCK AND MARK DATA AS CLEAN
$cleandata = $gallery_rating;
$datalock = false;
// IF ANYTHING ELSE
} else {
$datalock = true;
$cleandata = '';
}
if($datalock = "false") {
// script to carry out if the lock is disabled
} else {
// bad data , execute header location to return user to previous page
// header would go here
exit();
}
?>
