The Cache: Technology Expert's Forum
 
Author Topic: Validate a price field?  (Read 9247 times)
DangerMouse
« on: May 08, 2008, 08:15:50 AM »

Hi all,

Newbie question time, and not up to the usual question caliber on these boards, but how would you go about validating a price field?

Maybe a simple text field with some kind of regular expression that limits number of digits after a decimal point, and precludes any characters apart from digits before the decimal point? Equally, I guess there is no requirement that the price be decimalised... hmm suggestions anyone?

DM
perkiset
« Reply #1 on: May 08, 2008, 08:56:41 AM »

Don't have a submit button, have an input button that fires a JavaScript function: onClick="doSubmit()"

in your doSubmit() function do something like this:

function doSubmit()
{
   // read the field's text; the element itself has no match() method
   var target = document.getElementById('thePricingFieldID').value;
   // note: this pattern has no ^ and $ anchors, so it only needs NNN.NN somewhere in the string
   if (!target.match(/[0-9]+\.[0-9]{2}/))
   {
      alert('Please fill in the price field like this: NNN.NN');
      return false;
   }

   document.mainForm.submit();
   return true;
}

(assumes your form's name is "mainForm")

You can put all the tests you want in there and don't submit until you're satisfied. If you try to do a key-by-key check (like with the onChange event) you'll run into all kinds of ickiness, so I'd stay away from that.

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
jammaster82
« Reply #2 on: May 08, 2008, 09:06:24 AM »

Thanks for that post, I was wondering how to do that myself.
Makes sure it's validated before it ever gets back from the client.

nice.

The watched pot, never boils... But if you walk away from it , the soup burns.  What gives?
DangerMouse
« Reply #3 on: May 08, 2008, 09:13:19 AM »

Yeah, great idea; providing instant feedback sounds good, will definitely be implementing that, thanks Perk.

I'm going to validate server side too, just in case - I'm a bit paranoid about what sneaky people can do by bypassing JavaScript routines. Just tested out the same regex as above '/[0-9]+\.[0-9]{2}/' and found that I could get a string like '111111.11111.1111' past; do I need a different pattern for the PHP server side? (Am totally useless at regex, sorry.)

Cheers,

DM

nutballs
« Reply #4 on: May 08, 2008, 09:16:40 AM »

Just a friendly note of evil reminders...
If it's critical though, do not completely rely upon client side validation, such as if you are inserting that value into a database. Assume all users are hackers, and they have completely stripped all the client side stuff out of your webpage.

I could eat a bowl of Alphabet Soup and shit a better argument than that.
DangerMouse
« Reply #5 on: May 08, 2008, 09:17:44 AM »

Just found '/^[0-9]+(\.[0-9]{2})?$/' which is pretty close; any ideas how to adjust that to disallow or ignore 0's at the beginning? Currently 045.45 validates.

DM

EDIT:

Assume all users are hackers, and they have completely stripped all the client side stuff out of your webpage.

Very true. I tend to think if I know how to submit forms programmatically there must be millions of other far more talented people who can do the same.
« Last Edit: May 08, 2008, 09:22:57 AM by DangerMouse »
perkiset
« Reply #6 on: May 08, 2008, 09:32:39 AM »

Didn't know you were so regex-useless.

OK, something like this then:

/^[1-9]{1}[0-9]*\.[0-9]{2}$/
perkiset
« Reply #7 on: May 08, 2008, 09:36:00 AM »

BTW, tagging onto NB's and your comments, validating client and server side with the exact same regex is excellent practice: the client side to help a surfer, the server side to protect you.
DangerMouse
« Reply #8 on: May 08, 2008, 09:43:16 AM »

Didn't know you were so regex-useless.

OK, something like this then:

/^[1-9]{1}[0-9]*\.[0-9]{2}$/

That did the trick, thanks!

To my shame I've never really bothered to learn regex - I blame Google; it's nearly always provided the solution whenever I've needed to pattern match before!

Cheers,

DM
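As an added example that is not part of the thread, here are the three patterns from replies #1, #5 and #6 run side by side in JavaScript against the inputs mentioned above. It goes one step beyond the thread with a fourth pattern of my own (STRICT_WITH_ZERO): the final pattern `/^[1-9]{1}[0-9]*\.[0-9]{2}$/` rejects a price like 0.99 as well as anything without cents such as 100, so the variant allows a lone "0" before the point while still refusing 045.45. The pattern names, the `priceToCents` helper and the sample inputs are mine, not the posters'.

```javascript
// Added example, not code from the thread. Pattern names, helper names and
// sample inputs below are my own constructions.

// Reply #1's pattern: unanchored, so it only needs NNN.NN somewhere in the string.
const ORIGINAL = /[0-9]+\.[0-9]{2}/;
// Reply #5's pattern: anchored, cents optional, but leading zeros still pass.
const OPTIONAL_CENTS = /^[0-9]+(\.[0-9]{2})?$/;
// Reply #6's pattern: anchored, no leading zero, cents required (rejects "0.99" and "100").
const STRICT = /^[1-9]{1}[0-9]*\.[0-9]{2}$/;
// My variant: a single "0" is allowed before the point, "045.45" is still refused.
const STRICT_WITH_ZERO = /^(0|[1-9][0-9]*)\.[0-9]{2}$/;

const PATTERNS = {
  original: ORIGINAL,
  optionalCents: OPTIONAL_CENTS,
  strict: STRICT,
  strictWithZero: STRICT_WITH_ZERO,
};

// Report which of the patterns accept a given string.
function checkPrice(input) {
  const result = {};
  for (const [name, re] of Object.entries(PATTERNS)) {
    result[name] = re.test(input);
  }
  return result;
}

// Turn a validated price into an integer number of cents, or null if the input
// does not match STRICT_WITH_ZERO. Integer cents avoid the rounding surprises of
// parseFloat("0.10") * 100 style arithmetic when the value is stored or compared.
function priceToCents(input) {
  if (typeof input !== 'string' || !STRICT_WITH_ZERO.test(input)) return null;
  const [whole, cents] = input.split('.');
  const total = Number(whole) * 100 + Number(cents);
  return Number.isSafeInteger(total) ? total : null;
}

// Constructed sample inputs: the thread's cases plus a few edge cases.
const SAMPLES = [
  '123.45',             // the well-formed case
  '111111.11111.1111',  // reply #3: slips past the unanchored pattern
  '045.45',             // reply #5: leading zero
  '0.99',               // rejected by the thread's final pattern
  '100',                // no cents
  '12.5',               // one digit after the point
  ' 9.99',              // leading whitespace
  "1.00' OR 1=1--",     // hostile input; only the unanchored pattern lets it through
];

// One row per sample showing each pattern's verdict.
function report() {
  const rows = {};
  for (const s of SAMPLES) rows[s] = checkPrice(s);
  return rows;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(report());
  console.log(priceToCents('123.45')); // 12345
}
```

Run it with node to get a table of verdicts; the rows for '111111.11111.1111' and the hostile string show why the `^` and `$` anchors are the whole difference between a cosmetic check and a real one.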
jammaster82
« Reply #9 on: May 08, 2008, 09:47:40 AM »

Very true. I tend to think if I know how to submit forms programmatically there must be millions of other far more talented people who can do the same.

What exactly is the danger involved if someone posts phony data to your form? How can data infect your LAMP server? (Aside from just having false info in there.)

perkiset
« Reply #10 on: May 08, 2008, 09:52:02 AM »

http://www.regular-expressions.info/tutorial.html

You will only benefit from every moment you invest in learning them. This site, and the book it promotes, are all you'll need.

Put the book by the toilet and read it several times, then use them as often as possible until they really set in. Once you really get it, it may be one of the best tools in your toolbox - particularly given the work that y'all do.
nutballs
« Reply #11 on: May 08, 2008, 10:11:06 AM »

Very true. I tend to think if I know how to submit forms programmatically there must be millions of other far more talented people who can do the same.
What exactly is the danger involved if someone posts phony data to your form? How can data infect your LAMP server? (Aside from just having false info in there.)

Can I have all your website URLs please?

http://en.wikipedia.org/wiki/SQL_injection
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/Csrf
DangerMouse
« Reply #12 on: May 08, 2008, 10:16:05 AM »

What exactly is the danger involved if someone posts phony data to your form? How can data infect your LAMP server? (Aside from just having false info in there.)

I'm no web app security expert, but I've read enough to be fearful lol. Basically the theory goes that anything that comes from outside of your application, whether from $_POST, $_GET, cookies, headers etc., should be treated with suspicion. I try to filter and validate any piece of data that comes into the application so that when I come to work with it later it can't cause any problems.

Specific security risks include SQL injection when inserting into a database, cross site scripting attacks, request forgery, and even more simple things like causing buffer overflows in PHP functions. Even though I like the fact that PHP is loosely typed, sometimes it can cause unforeseen problems.

DM
perkiset
« Reply #13 on: May 08, 2008, 10:54:41 AM »

What exactly is the danger involved if someone posts phony data to your form? How can data infect your LAMP server? (Aside from just having false info in there.)

If you go directly from form fields on a website to the database, then people can VERY VERY easily use SQL injection vectors to make you wish you were dead.

The Right Way To Do Things: Do not EVER pass an uncleaned/pruned string into a database and make sure that it looks EXACTLY the way that you expect it to. Unless there is absolutely no way to avoid it, you should never allow anything like #'"=/?><\|}{[] and such... look up SQL Injection and be afraid... be very afraid.
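To make the point of the last two replies concrete, here is an added example (not code from the thread, and not anyone's production code) of what the server side should do with a posted price once the client-side check has been stripped away: the raw value is spliced into SQL text in the unsafe version, while the safe version first requires the field to match the anchored pattern exactly, converts it to integer cents, and hands that integer to the database driver as a bound parameter so it never becomes part of the query string. The table and column names, the `HOSTILE` payload and the query-builder shape are constructed for the example.

```javascript
// Added example, not code from the thread. Table/column names, the hostile
// payload and the {sql, params} shape are my own constructions.

// Same rule the client enforces, anchored at both ends; a lone "0" is allowed before the point.
const PRICE = /^(0|[1-9][0-9]*)\.[0-9]{2}$/;

// What reply #13 warns against: the raw field value is concatenated into the SQL text,
// so a single quote in the input ends the string literal and the rest is parsed as SQL.
function unsafeInsertSql(rawPrice) {
  return "INSERT INTO prices (amount) VALUES ('" + rawPrice + "')";
}

// Safe path: reject anything that is not exactly NNN.NN, normalise to integer cents,
// and return the query with a placeholder plus the parameter list a driver would bind.
// The input never touches the SQL text, so its characters cannot change the statement.
function safeInsert(rawPrice) {
  if (typeof rawPrice !== 'string' || !PRICE.test(rawPrice)) {
    throw new Error('price must look like NNN.NN');
  }
  const [whole, cents] = rawPrice.split('.');
  const amountCents = Number(whole) * 100 + Number(cents);
  if (!Number.isSafeInteger(amountCents)) {
    throw new Error('price out of range');
  }
  return { sql: 'INSERT INTO prices (amount_cents) VALUES (?)', params: [amountCents] };
}

// Constructed hostile submission: closes the quoted literal and appends a second statement.
const HOSTILE = "1.00'); DROP TABLE prices; --";

// Run the same submission through both paths and report what each would send to the database.
function demo(rawPrice) {
  const out = { unsafe: unsafeInsertSql(rawPrice), safe: null, safeError: null };
  try {
    out.safe = safeInsert(rawPrice);
  } catch (e) {
    out.safeError = e.message;
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo(HOSTILE));   // unsafe carries "DROP TABLE"; safe is null with an error
  console.log(demo('19.99'));   // unsafe and safe both fine; safe binds 1999
}
```

The PHP equivalent of the check is `preg_match('/^(0|[1-9][0-9]*)\.[0-9]{2}$/D', $raw)`; the `D` modifier matters there because in PCRE a bare `$` also matches just before a trailing newline, so without it "9.99\n" would pass. After that, pass the integer to a PDO `prepare()`/`execute()` pair instead of building the string yourself.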
nutballs
« Reply #14 on: May 08, 2008, 11:01:52 AM »

The worst field to have to store is a free-form text field, such as a "what is your problem?"

Limited fields like price and such are easy to deal with, but free-form text... bleh. Can't everything be broken down into radio buttons and checkboxes? Sheesh.