validation

on 10.09.2007 17:11:54 by John

>>> I would do some validation of the POST data before sending possibly
>>> malicious data to myself.



Can you write out how I would do validation in the code?


Thanks for all of the help so far.

Re: validation

on 10.09.2007 19:29:29 by John Murtari

John writes:

>>>> I would do some validation of the POST data before sending possibly
>>>> malicious data to myself.
>
Below is a function I wrote a while back to screen
all input data for scripts. Part of it came out of a book
and part was home brewed. It assumes magic quotes are OFF
and register globals is OFF.
Frankly, I look at it now and I'm not sure all of it makes
sense -- although I must have had a reason at the time!

If you have a user form being submitted that contains a text
field called "NAME", the usage would be

$name = script_param("NAME");

FEEDBACK is welcome.
John

--------------------------
// This function takes a parameter name and checks both GET
// and POST arrays to find the parameter value.
// Assumes magic_quotes_gpc is OFF, so there are no slashes to strip
// (the stripcslashes() call that used to be here is the C-escape
// variant and is not needed). $HTTP_GET_VARS/$HTTP_POST_VARS are
// aliases of $_GET/$_POST and were removed in PHP 5.4, so they are
// not checked separately.
function script_param ($name) {

    $val = null;
    if (isset ($_GET[$name])) {
        $val = $_GET[$name];
    } else if (isset ($_POST[$name])) {
        $val = $_POST[$name];
    }

    // A request can send name[]=x to make the value an array;
    // only accept strings, and return '' for a missing parameter so
    // the caller never sees an "undefined variable" warning.
    if (!is_string($val)) {
        return '';
    }

    // Escape for HTML output only. SQL escaping (mysql_real_escape_string)
    // belongs next to the query, not in a generic input reader: escaping
    // for two contexts at once double-encodes the data, it was only applied
    // to POST and not GET here, and the mysql_* functions were removed in
    // PHP 7. ENT_QUOTES also encodes single quotes for attribute contexts.
    $value = trim($val);
    $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');

    return $value;
}

--
John
___________________________________________________________________
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/

Re: validation

on 11.09.2007 13:32:52 by Lammi

you're not really into php, right?

For basic validation you may use strip_tags, stripslashes and
htmlentities on all your data fields, e.g.

$name = strip_tags($_POST['name']);      // drop any HTML/PHP tags
$name = stripslashes($name);             // undo magic_quotes_gpc escaping (with magic quotes OFF this strips the user's own backslashes)
$name = htmlentities($name, ENT_QUOTES); // encode the rest for HTML output, single quotes included

That's usually smart enough to prevent malicious code in the email
you'll get. If you want to store the data in a database, a little more
work must be done. But as far as I remember, you're only looking for an
email solution.

lorenz
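Both replies above escape the input the moment it arrives, which conflates validation (deciding whether the value is acceptable) with output encoding (making it safe for one specific context). The following is an added example, written here and not code from either poster, showing the other approach for the mail-form case the thread is about: each field is checked against a whitelist and rejected if it fails, user data never reaches a mail header (so a CR/LF in the email field cannot add a Bcc:), and HTML escaping is applied only at the point where the value is printed into HTML. The field names, length limits, the recipient and sender addresses, and the sample input are assumptions; it uses only filter_var, preg_* and mb_strlen from standard PHP.

```php
<?php
// Added example (not from either poster): whitelist validation of a contact
// form before mailing it, with escaping deferred to the output context.
// Field names, limits and the addresses below are assumptions.

declare(strict_types=1);

const MAX_NAME_LEN    = 80;
const MAX_MESSAGE_LEN = 4000;

/**
 * Validate raw POST data. Returns ['ok' => bool, 'data' => array, 'errors' => array].
 * Nothing is escaped here: the clean values are plain text, and the caller
 * escapes them for whichever context (email body, HTML page, SQL) it uses.
 */
function validate_contact_form(array $post): array
{
    $errors = [];
    $clean  = [];

    // Only strings are acceptable; a request can send name[]=x to get an array.
    $get = static function (string $key) use ($post): string {
        return isset($post[$key]) && is_string($post[$key]) ? trim($post[$key]) : '';
    };

    $name = $get('name');
    // Whitelist: letters (any script), combining marks, spaces, apostrophes, hyphens, dots.
    if ($name === '' || mb_strlen($name) > MAX_NAME_LEN) {
        $errors['name'] = 'Name is required and must be at most ' . MAX_NAME_LEN . ' characters.';
    } elseif (!preg_match('/^[\p{L}\p{M} \'.\-]+$/u', $name)) {
        $errors['name'] = 'Name contains characters that are not allowed.';
    } else {
        $clean['name'] = $name;
    }

    $email = $get('email');
    // filter_var rejects CR/LF and similar header-injection payloads; the explicit
    // check is belt-and-braces in case this value is ever placed in a Reply-To header.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || preg_match('/[\r\n\0]/', $email)) {
        $errors['email'] = 'A valid email address is required.';
    } else {
        $clean['email'] = $email;
    }

    $message = $get('message');
    // Keep printable text plus newline and tab; drop every other control character.
    $message = preg_replace('/[^\P{C}\n\t]/u', '', $message) ?? '';
    if ($message === '' || mb_strlen($message) > MAX_MESSAGE_LEN) {
        $errors['message'] = 'Message is required and must be at most ' . MAX_MESSAGE_LEN . ' characters.';
    } else {
        $clean['message'] = $message;
    }

    return ['ok' => $errors === [], 'data' => $clean, 'errors' => $errors];
}

/**
 * Build the mail to send to yourself. User data goes into the body only;
 * the headers are fixed strings, so a newline in a field cannot add a Bcc:.
 */
function build_notification(array $clean, string $to): array
{
    $subject = 'Contact form submission';
    $body = "Name:    {$clean['name']}\n"
          . "Email:   {$clean['email']}\n\n"
          . $clean['message'] . "\n";
    $headers = "From: webform@example.com\r\n"   // assumed sender address
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    // On a configured host this is what you pass to mail($to, $subject, $body, $headers).
    return ['to' => $to, 'subject' => $subject, 'body' => $body, 'headers' => $headers];
}

// Constructed sample input: a header-injection attempt in the email field.
$sample = [
    'name'    => "O'Brien",
    'email'   => "victim@example.com\r\nBcc: spam-target@example.net",
    'message' => "Hello,\nplease call me.",
];
$result = validate_contact_form($sample);
print_r($result['errors']);   // lists the rejected field(s); here it is the email

// The same form with a valid address passes and is mailed as plain text.
$sample['email'] = 'victim@example.com';
$result = validate_contact_form($sample);
if ($result['ok']) {
    $mail = build_notification($result['data'], 'me@example.com');
    echo $mail['body'];
    // If the data is also shown on an HTML page, escape at that point, not before:
    echo htmlspecialchars($result['data']['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
}
```

Because validate_contact_form() returns plain text rather than pre-escaped strings, the same clean values can later be bound as parameters to a prepared statement if the form is extended to store into a database, which is the "little more work" Lammi mentions; no stripslashes or mysql_real_escape_string step is needed at input time.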