Reply to RE: [PHP] basic user/input form questions... more validation!

Your name:

Reply:


Posted by "bruce" on 10/21/97 11:27

further investigation seems to imply that 'strings' that are to be inserted
into the mysql db should be 'backslashed' for the chars > \x00, \n, \r,
\,'," and \x1a. this implies that i can have a simple function to accomplish
this. the mysql_real_escape_string function requires a db connection and the
app might not have opened up a connection to the db at this point in the
code.. (or i could rewrite the code!!)

the other issue is with 'quoting' items to be inserted in the db. articles
that i've seen indicate that the following should be used:

numeric data:
-doesn't need quoting, but it shouldn't hurt to quote anyway..
(quote all numeric values inserted in the db...)
-but wouldn't this require the app to detect numeric vals in
the db, and to convert the 'type'!!)
-how does this affect date/float vars...

string/char data:
-backslash all data that's going to be added in the db


extracting data from the db:

numeric data
-get the data/val from the db
-check the type/convert the db to int/float/date/etc...

string data
-get the vals from the db,
-strip any slashes that were added to the data/vars
-process/use accordingly...


have i left anything out..??

thoughts/comments/etc.

-bruce








-----Original Message-----
From: bruce [mailto:bedouglas@earthlink.net]
Sent: Thursday, September 22, 2005 11:52 AM
To: 'Gustav Wiberg'; php-general@lists.php.net
Subject: RE: [PHP] basic user/input form questions... more validation!


here's psuedo of what i envision

now, in my psuedo code, i don't use the stripslashes/quotes/etc... so, i'm
still trying to understand why these functions are needed/required?

thoughts/comments/etc....

thanks

-bruce


--------------------------------------
index.php

if isset($REQUEST['submit'])
{
if (isset($_REQUEST['foo'])
{
get the 'foo' var
$foo = $_REQUEST['foo']

validate the foo var...
$valid_chars = preg_match('valid char vars', $foo)
$len = str_len($foo) >max_str_len
if(valid_chars && len)
{
we have a valid 'foo' var!!!
go ahead and add to the db...
}
else
{
'foo' is invalid, set err msg and return to login
}
}
else
{
gen err and redirect to login page
}

}
else
{
<form php_self post>

<input name=foo>
<submit>
</form>
}

function add_to_db($var)
{
assume that 'var' is valid, but it hasn't been quoted..

$test_sql = "insert into TestTBL name values (%s)";
$test_sql = sprintf($test_sql, $var);
mysql_query($test_sql);
}


-----Original Message-----
From: Gustav Wiberg [mailto:gustav@varupiraten.se]
Sent: Thursday, September 22, 2005 11:14 AM
To: bedouglas@earthlink.net; php-general@lists.php.net
Subject: Re: [PHP] basic user/input form questions... more validation!


----- Original Message -----
From: "bruce" <bedouglas@earthlink.net>
To: <php-general@lists.php.net>
Sent: Thursday, September 22, 2005 8:05 PM
Subject: [PHP] basic user/input form questions... more validation!


> hi...
>
> forgive me!!!
Ok; -) Why? You're just asking... :-)

>
> continuing the thread from yesterday regarding filtering. (and thanks to
> all
> the msgs)
>
> for simplicity. let's deal wit a simple user input form, that's going to
> place the information in a db.
>
> if the app allows the user to enter the input (call it 'foo') and then
> submits the form via a POST, where the data is then written to the db,
> what
> kind of validation should occur? and where should the validation take
> place?
What kind of validation depends on your application. If the foo variable
must be an integer, then you'll have to check if foo is numeric with
is_numberic(). If foo is a string and the length matters, then you would
have to validate so the length isn't more than expected with
strlen()-function

But in all cases you'll have to check if the foo-variable is set with isset.


>
> for my $0.02 worth, there should be be validation of the 'foo' var, to
> determine if the var is legitimate. there should also be
> validation/filterin
> of the var when it's placed in the db_sql command...
>
> my question (and it's basic), what validation should be performed on the
> 'foo' var, and why? i've seen htmlspecialchars/magic_quotes/etc.. in
> varius
> articles, but i can't find a definitive answer!!
You'll have to quote only the variables inside a sql-string. You must use
mysql_real_escape_string for creating a "safe" db-string..

Example:
$sql = "SELECT ID from Table WHERE Foo=" . safeQuote($foo);

and the function safeQuote is like this...

function safeQuote($value)
{

// Stripslashes
if (get_magic_quotes_gpc()) {
$foo = stripslashes($foo);
}
// Quote if not integer
if (!is_numeric($value)) {
$value = "'" . mysql_real_escape_string($foo) . "'";
}

}

I hope this helps a little...

/G
http://www.varupiraten.se/

>
> also, when inserting/updating a db item, what is the 'correct' process for
> data? should all data that gets inserted into a db be quoted? if it
> should,
> what's the 'standard' practice?
>
> psuedo examples of this stuff would be really helpful!
>
> thanks for clarifying some of these issues...
>
> -bruce
> bedouglas@earthlink.net
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
>
> --
> No virus found in this incoming message.
> Checked by AVG Anti-Virus.
> Version: 7.0.344 / Virus Database: 267.11.4/109 - Release Date: 2005-09-21
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация