jammaster82

Okay, it was brought up that I might want to do a tad bit more error checking and validation; besides the preg_match that perkiset mentioned, what are some favorites?

perkiset

Gonna need a bit more context than that, man... you mean for security? Simple form field validation? What r u after?

jammaster82

Okay, let's say for example you have a textarea and you wanna make sure they haven't put quotes in it, because when you go to insert the text it will double-quote fault you or whatever... Okay, I'll get an example and come back...

perkiset

Some of that is doable client side as well.

There are really two issues here: a normal user that screws up and a bonehead trying to hack you.

Hacking is relatively easy because certain characters in any combination are simply a no-no (quotes and backslashes come to mind). Just get rid of those SERVER side, because if it's a hacker he will be posting outside of your code in any case.

For the normal user you want to check, then use JS to simply watch their input before they send it. For example, you want to verify that an email is correctly formed before you post: you'll put a function call in INSTEAD of a normal submit button and see if everything is ok, and if it is, then throw the post. Consider:


<html>
<head>

<script>
// Called from the button instead of a normal submit; the form is only
// submitted programmatically, after the email field passes the check.
function validateAndPost()
{
var emailValue = document.getElementById('email').value;
// Dot before the TLD is escaped, and the pattern is anchored so the whole
// field has to be an address rather than merely contain one.
if (!emailValue.match(/^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i))
{
alert("You're pissing me off!");
return false;
}
document.main.submit();
return true;
}
</script>

</head>
<body>

<form name="main" method="POST">
Give me your email or I will come breaka you kneecaps, mook.<br>
<input type="text" name="email" id="email">
<input type="button" value="Post Form" onClick="validateAndPost()">
</form>

</body>
</html>


This little page will only let you POST an email that is correctly formed. Note that the only way it is submitted is programmatically. Is that what you're looking for?

DangerMouse

I mentioned that with regards to $_REQUEST variables in the other thread, jammaster, as you seemed to be inserting them almost directly into a database?

I'm no expert on exactly how to go about this, but I'd treat any external data with extreme caution, almost assuming it is poisoned in some way. This post gives some good tips on how to go about the process of validation: http://www.0x000000.com/?i=424. Generally speaking it's about checking that the data passed contains what is expected, and nothing malicious.

DM

nutballs

Search the tubes for "SQL injection".
If you take ANY user input and store it to a database, you must be aware of how to cleanse the data. Unfortunately, just cleaning quotes is not quite enough, but it is a good start.

In addition if you are ever going to display user input to the page, lookup "HTML injection".
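As an added example (not code from anyone in this thread), here is the server-side half of what perkiset and nutballs describe, written in Python with sqlite3 rather than PHP so it runs stand-alone: the email pattern checked on the server, the user's text handed to the database as a bound parameter instead of being pasted into the SQL string (which is exactly the "double quote fault" jammaster ran into), and the stored text escaped before it is put back into a page. The comments table, its columns and the sample comment are constructed for the example.

```python
import html
import re
import sqlite3

# Server-side copy of the email check; the client-side one is only a convenience
# for honest users, since anyone can POST to the script without the page.
EMAIL_RE = re.compile(r"^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$", re.IGNORECASE)


def is_valid_email(value: str) -> bool:
    return bool(EMAIL_RE.match(value))


def open_db() -> sqlite3.Connection:
    # Constructed schema for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, email TEXT NOT NULL, body TEXT NOT NULL)"
    )
    return conn


def insert_comment_naive(conn: sqlite3.Connection, email: str, body: str) -> None:
    # The broken way: the text is pasted into the statement, so an apostrophe
    # in the body ends the string early and the query fails (or worse).
    sql = "INSERT INTO comments (email, body) VALUES ('%s', '%s')" % (email, body)
    conn.execute(sql)


def insert_comment(conn: sqlite3.Connection, email: str, body: str) -> int:
    # The right way: validate what you can, then bind the rest as parameters.
    # Nothing is stripped; quotes and backslashes are stored exactly as typed.
    if not is_valid_email(email):
        raise ValueError("malformed email")
    conn.execute("INSERT INTO comments (email, body) VALUES (?, ?)", (email, body))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


def render_comment_html(conn: sqlite3.Connection, comment_id: int) -> str:
    # Escaping happens at output time, so stored text cannot inject markup.
    email, body = conn.execute(
        "SELECT email, body FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    return "<p><b>%s</b>: %s</p>" % (html.escape(email), html.escape(body))


def demo():
    conn = open_db()
    # Constructed comment containing the characters perkiset and nutballs worry about.
    body = "It's \"fine\" <b>bold</b> \\ backslash"
    try:
        insert_comment_naive(conn, "user@example.com", body)
        naive_ok = True
    except sqlite3.Error:
        naive_ok = False  # the apostrophe in "It's" broke the statement
    count = insert_comment(conn, "user@example.com", body)
    stored = conn.execute("SELECT body FROM comments WHERE id = 1").fetchone()[0]
    return naive_ok, count, stored, render_comment_html(conn, 1)


if __name__ == "__main__":
    naive_ok, count, stored, rendered = demo()
    print("naive insert succeeded:", naive_ok)
    print("rows after bound insert:", count)
    print("stored verbatim:", stored == "It's \"fine\" <b>bold</b> \\ backslash")
    print(rendered)
```

The PHP equivalents of the two safe functions are a PDO prepared statement for the insert and htmlspecialchars() on the way out; the point nutballs makes holds either way, since binding parameters means there is nothing to "clean" and the user's text survives intact, while escaping at display time is what stops the HTML injection.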

