The Cache: Technology Expert's Forum
 
Author Topic: Error Checking and Validation
jammaster82
« on: January 11, 2008, 03:26:12 PM »

Okay, it was brought up that I might want to do a tad bit more error checking and validation. Besides the preg_match that perkiset mentioned, what are some favorites?

The watched pot, never boils... But if you walk away from it , the soup burns.  What gives?
perkiset
« Reply #1 on: January 11, 2008, 03:34:59 PM »

Gonna need a bit more context than that, man... You mean for security? Simple form field validation? What r u after?

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
jammaster82
« Reply #2 on: January 11, 2008, 03:41:49 PM »

Okay, let's say for example you have a textarea and you wanna make sure they haven't put quotes in it, cause when you go to insert the text it will double-quote fault you or whatever.... Okay, I'll get an example and come back...
perkiset
« Reply #3 on: January 11, 2008, 04:18:32 PM »

Some of that is doable client side as well.

There are really two issues here: a normal user that screws up and a bonehead trying to hack you.

Hacking is relatively easy because certain characters in any combination are simply a no-no (quotes and backslashes come to mind). Just get rid of those SERVER side, because if it's a hacker he will be posting outside of your code in any case.

For the normal user you want to check, then use JS to simply watch their input before they send it. For example, you want to verify that an email is correctly formed before you post: you'll put a function call in INSTEAD of a normal submit button and see if everything is ok, and if it is, then throw the post. Consider:

Code:
<html>
<head>

<script>
// Only ever called from the button below; the form itself is never
// submitted directly, so nothing gets POSTed without passing this check.
function validateAndPost()
{
var emailValue = document.getElementById('email').value;
// Anchored with ^ and $ so the whole field must be an address, not just
// contain one somewhere inside other text.
if (!emailValue.match(/^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i))
{
// Apostrophe escaped so it doesn't terminate the string literal.
alert('You\'re pissing me off!');
return false;
}
// Named-form access: the form below is name="main".
document.main.submit();
return true;
}
</script>

</head>
<body>

<form name="main" method="POST">
Give me your email or I will come breaka you kneecaps, mook.<br>
<input type="text" name="email" id="email">
<input type="button" value="Post Form" onClick="validateAndPost()">
</form>

</body>
</html>

This little page will only let you POST an email that is correctly formed. Note that the only way that it is submitted is programmatically. That what you're looking for?
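Added example (not from perkiset's post or anyone else in this thread): the same client-side idea, client-side validation written as plain functions so it can be unit-tested under Node and also wired to a form's button in the browser. The field names (email, message), the length limit and the e-mail pattern (TLD of two or more letters) are assumptions chosen to fit the form discussed above; the browser wiring at the bottom is only called from a button, never from the form's own submit.

```javascript
// Added example, not code from the thread. Field names, limits and the
// regex are assumptions matching the email + textarea form being discussed.

// Anchored with ^ and $ so the ENTIRE value must be an address; without the
// anchors an address buried inside other text would also pass.
const EMAIL_RE = /^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,}$/i;

function validateEmail(value) {
  return typeof value === 'string' && EMAIL_RE.test(value.trim());
}

// Textarea check for the case raised in the thread: the user must actually
// say something, and it must fit what the database column can hold.
function validateMessage(value, maxLen = 2000) {
  if (typeof value !== 'string') return false;
  const trimmed = value.trim();
  return trimmed.length > 0 && trimmed.length <= maxLen;
}

// Returns a list of human-readable problems; an empty list means "ok to send".
function validateForm(fields) {
  const errors = [];
  if (!validateEmail(fields.email)) errors.push('email: not a well-formed address');
  if (!validateMessage(fields.message)) errors.push('message: empty or too long');
  return errors;
}

// Browser wiring, same shape as the thread's validateAndPost(): the form is
// only submitted programmatically, and only when validation passes. Assumes
// <form id="main"> with inputs named "email" and "message".
function validateAndPost() {
  const form = document.getElementById('main');
  const errors = validateForm({
    email: form.elements.email.value,
    message: form.elements.message.value,
  });
  if (errors.length) {
    alert(errors.join('\n'));
    return false;
  }
  form.submit();
  return true;
}
```

This only improves the experience for the honest user; a browser check is trivially skipped by anyone posting to the URL directly, so the same rules have to be enforced again on the server before anything touches the database.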
DangerMouse
« Reply #4 on: January 11, 2008, 04:29:39 PM »

I mentioned that with regards to $_REQUEST variables in the other thread, jammaster, as you seemed to be inserting them almost directly into a database?

I'm no expert on exactly how to go about this, but I'd treat any external data with extreme caution, almost assuming it is poisoned in some way. This post gives some good tips on how to go about the process of validation: http://www.0x000000.com/?i=424. Generally speaking, it's about checking that the data passed contains what is expected, and nothing malicious.

DM
« Last Edit: January 11, 2008, 06:01:37 PM by DangerMouse »
nutballs
« Reply #5 on: January 11, 2008, 05:06:24 PM »

Search the tubes for "SQL injection".
If you take ANY user input and store it to a database, you must be aware of how to cleanse the data. Unfortunately, just cleaning quotes is not quite enough, but it is a good start.

In addition, if you are ever going to display user input on the page, look up "HTML injection".

I could eat a bowl of Alphabet Soup and shit a better argument than that.
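Added example (not from nutballs, DangerMouse or anyone in this thread): the server-side half of the picture, covering DangerMouse's "check that the data contains what is expected" and nutballs' two points. It shows an allow-list validator, an HTML escaper for the "HTML injection" case, and a parameterised INSERT in which the user's text never becomes part of the SQL string, next to the "just strip the quotes" approach for comparison. The field rules, the table name `posts` and the sample request body are constructed assumptions; executing the statement is left to whatever driver you use.

```javascript
// Added example, not code from the thread. Field rules, the table name and
// the sample input are constructed for illustration.

// Escape the five characters that matter when user text lands in HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The "just clean the quotes" approach from the thread, kept for comparison:
// it touches nothing that does not use a quote or backslash.
function stripQuotes(s) {
  return String(s).replace(/['"\\]/g, '');
}

// Allow-list validation: each field may only contain what it is expected to
// contain, within a length the database column can hold (assumed limits).
const RULES = {
  email: { re: /^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,}$/i, max: 254 },
  message: { re: /^[\s\S]+$/, max: 2000 },
};

// Returns only the fields that passed, plus the names of those that did not.
function validateInput(input) {
  const clean = {};
  const errors = [];
  for (const [name, rule] of Object.entries(RULES)) {
    const v = typeof input[name] === 'string' ? input[name].trim() : '';
    if (v.length === 0 || v.length > rule.max || !rule.re.test(v)) {
      errors.push(name);
    } else {
      clean[name] = v;
    }
  }
  return { clean, errors };
}

// Parameterised statement: the SQL text is a constant and the values travel
// separately (e.g. conn.execute(sql, params) in a typical driver), so quote
// handling inside the value is the driver's job, not string surgery.
function buildInsert(clean) {
  return {
    sql: 'INSERT INTO posts (email, message) VALUES (?, ?)',
    params: [clean.email, clean.message],
  };
}

// Render stored text back into a page: escape on OUTPUT, not on the way in,
// so the database keeps the user's actual text.
function renderMessage(message) {
  return '<p>' + escapeHtml(message) + '</p>';
}

// Constructed sample request body with quotes, a backslash and some markup.
const SAMPLE = { email: 'bob@example.com', message: `it's <b>bold</b> \\ "ok"` };
```

Note what the comparison shows: stripQuotes leaves `<b>` markup untouched, so it does nothing for the HTML-injection case, while the parameterised INSERT keeps the message out of the SQL text entirely, which is what actually closes the quote problem nutballs describes.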