Validate before submit?

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

egami
php-forum GURU
Posts: 2192
Joined: Wed Oct 06, 2010 11:19 am
Location: Happy Valley, UT

Mon May 16, 2011 7:04 am

There are two ways to do form validation, and only one of them is a sure way of cleansing.

The first is by using JavaScript. But if the browser has JS disabled, then there isn't any validation.
So, using PHP to validate takes up server-side resources, but it's the only way to really validate the input.

The first thing I would do is create an array of the items you want to validate.

1. Remember that variables are CaSe sensitive.
2. Create an array of all of the inputs you want to validate.
- i.e. $array = array('fdbk_name','fdbk_company','fdbk_email');

3. Then iterate through the array and do a general check to remove nonsense from the input,
i.e.:

```php
// Requires an open mysql_* connection; mysql_real_escape_string() fails without one.
// (The mysql_* extension itself was removed in PHP 7.)
foreach ($array as $k => $v) {
    // $v is the field name; $k is only the numeric index into $array.
    if (!isset($_POST[$v])) {
        continue;
    }
    $_POST[$v] = trim(strip_tags(mysql_real_escape_string($_POST[$v])));
}
```
 
This is a basic cleansing to remove any kind of HTML/PHP/SQL injections.

4. If you want to take it a step further:

```php
$fdbk_name = preg_replace('/[^a-zA-Z\-\']/', '', $_POST['fdbk_name']);
// this removes numbers, HTML special chars and tags, and only leaves the alphabet, a dash and an apostrophe.
```

Check www.php.net/preg_replace for more information on cleaning your other variables.
The email checking/validation will be the trickiest.

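The four steps above (allow-list the fields, trim, check each one, reject what doesn't fit, then hand the data to the database) as an added, complete example. This is not egami's code: it keeps the field names from the post (fdbk_name, fdbk_company, fdbk_email), validates the email with filter_var() since the post calls that the trickiest part, and swaps mysql_real_escape_string() for a PDO prepared statement so nothing has to be escaped on input. An in-memory SQLite database and the sample $_POST array are constructed here so the script runs offline; with MySQL you would only change the PDO DSN.

```php
<?php
// Added example, not the original poster's code. Assumes the feedback form
// fields from the post and uses SQLite in memory in place of MySQL.
declare(strict_types=1);

// Allow-list of expected fields, each with a validator. Keys are case
// sensitive: 'fdbk_name' and 'FDBK_NAME' are different POST entries.
// Anything not listed here is ignored and never reaches the query.
$rules = [
    // Letters, dash, apostrophe and space, 1 to 60 chars. The post's regex is
    // used as a check that rejects bad input instead of silently deleting chars.
    'fdbk_name'    => fn(string $v): bool => (bool) preg_match('/^[A-Za-z\' -]{1,60}\z/', $v),
    // Free text, but bounded in length and free of control characters.
    'fdbk_company' => fn(string $v): bool => strlen($v) >= 1 && strlen($v) <= 100
                                            && !preg_match('/[\x00-\x1F\x7F]/', $v),
    'fdbk_email'   => fn(string $v): bool => filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
];

/**
 * Validate $input against $rules. Returns [clean, errors].
 * Values are only trimmed; no escaping happens here, because escaping
 * belongs to the output layer (prepared statements for SQL, htmlspecialchars
 * for HTML), not to validation.
 */
function validateFeedback(array $input, array $rules): array
{
    $clean  = [];
    $errors = [];
    foreach ($rules as $field => $check) {
        $raw = $input[$field] ?? null;
        if (!is_string($raw)) {            // missing, or an array from fdbk_name[]
            $errors[$field] = 'missing';
            continue;
        }
        $value = trim($raw);
        if (!$check($value)) {
            $errors[$field] = 'invalid';
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

// Constructed sample submission: an apostrophe in the name, an SQL injection
// attempt in the company field, a trailing newline on the email, and an
// extra field that is not in the allow-list.
$_POST = [
    'fdbk_name'    => "  O'Brien-Smith ",
    'fdbk_company' => "Acme'); DROP TABLE feedback;--",
    'fdbk_email'   => "bob@example.com\n",
    'is_admin'     => '1',
];

[$clean, $errors] = validateFeedback($_POST, $rules);
if ($errors) {
    foreach ($errors as $field => $why) {
        echo "$field: $why\n";
    }
    exit(1);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feedback (name TEXT, company TEXT, email TEXT)');

// Placeholders keep the data out of the SQL text entirely, so the company
// string above is stored verbatim and never executed.
$stmt = $db->prepare(
    'INSERT INTO feedback (name, company, email) VALUES (:name, :company, :email)'
);
$stmt->execute([
    ':name'    => $clean['fdbk_name'],
    ':company' => $clean['fdbk_company'],
    ':email'   => $clean['fdbk_email'],
]);

// Escape on the way out, for the context the data is going into (HTML here).
foreach ($db->query('SELECT name, company, email FROM feedback', PDO::FETCH_NUM) as $row) {
    echo htmlspecialchars(implode(' | ', $row), ENT_QUOTES, 'UTF-8'), "\n";
}
```

Run it with `php feedback.php`. The injection string in fdbk_company is inserted as an ordinary value and printed back with its quote encoded as `&#039;`; changing the name to `"Bob <b>1</b>"` makes validateFeedback() report `fdbk_name: invalid` and the script exits before any SQL runs.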