Form Validation filter - Regex Q

on 10.11.2009 18:34:52 by Haig Davis

Morning All,

I've been fighting with this little problem for two days now, so far no luck
with google and am beginning to question my own sanity.

I have an application that has over one hundred forms some quite lengthy so
what I'm trying to achieve rather than writing a bunch of individual
sanitize statements then form validation statements that I could run $_POST
through a foreach loop and filter the values by form class i.e. is it an
email address or simply a text block with letters and numbers. The regex's
alone work fine as does the foreach loop the only issue I have is the IF
statement comparing $key to expected variable names.

Here's the bit of code involved.

if(isset($_POST['submit'])){
foreach($_POST as $keyTemp => $valueTemp){
$key = mysqlclean($keyTemp);
$value = mysqlclean($valueTemp);
$$key = $key;
$$key = $value;

if($key != ("$customerServiceEmail") || ("$billingEmail") ||
("$website")){
if(preg_match("/[^a-zA-Z0-9\s]/", $value)){
$style = "yellow";
$formMsg = "Invalid Characters";
$bad = $key;

}
}
if($key = ("$customerServiceEmail") || ("$billingEmail")){

if(preg_match("/^([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4})*$/",
$value)){
$style = "yellow";
$formMsg = "Invalid Characters";
$bad = $key;
}
}

}
}

Thanks for taking a peek.

Haig

Re: Form Validation filter - Regex Q

on 10.11.2009 18:49:43 by Al

Haig Davis wrote:
> Morning All,
>
> I've been fighting with this little problem for two days now, so far no luck
> with google and am beginning to question my own sanity.
>
> I have an application that has over one hundred forms some quite lengthy so
> what I'm trying to achieve rather than writing a bunch of individual
> sanitize statements then form validation statements that I could run $_POST
> through a foreach loop and filter the values by form class i.e. is it an
> email address or simply a text block with letters and numbers. The regex's
> alone work fine as does the foreach loop the only issue I have is the IF
> statement comparing $key to expected variable names.
>
> Here's the bit of code involved.
>
> if(isset($_POST['submit'])){
> foreach($_POST as $keyTemp => $valueTemp){
> $key = mysqlclean($keyTemp);
> $value = mysqlclean($valueTemp);
> $$key = $key;
> $$key = $value;
>
> if($key != ("$customerServiceEmail") || ("$billingEmail") ||
> ("$website")){
> if(preg_match("/[^a-zA-Z0-9\s]/", $value)){
> $style = "yellow";
> $formMsg = "Invalid Characters";
> $bad = $key;
>
> }
> }
> if($key = ("$customerServiceEmail") || ("$billingEmail")){
>
> if(preg_match("/^([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4})*$/",
> $value)){
> $style = "yellow";
> $formMsg = "Invalid Characters";
> $bad = $key;
> }
> }
>
> }
> }
>
> Thanks for taking a peek.
>
> Haig
>

1] Pear has several classes that will help you from reinventing the wheel.

2] I always, when possible, restrict what users are allowed to enter. Then, I
simply delete or warn them about anything that is not permissible. e.g., they
can enter any of the plain html tags. Any tags not in this list are removed.

//region******** Usable XHTML elements for user admin prepared user instructions [Only these XHTML tags can be used] ********/

$inlineHtmlTagsArray = array('a', 'b', 'img', 'em', 'object', 'option', 'select', 'span', 'strong',); //Note img is both empty and inline
$blockHtmlTagsArray = array('div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'pre',);
$emptyHtmlTagsArray = array('br', 'hr', 'img',);
$listHtmlTagsArray = array('li', 'ol', 'ul');
$tableHtmlTagsArray = array('col', 'table', 'tbody', 'td', 'th', 'thead', 'tr',);

I also do syntax and reverse DNS tests for all links and email addresses.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Form Validation filter - Regex Q

on 10.11.2009 19:03:27 by Nathan Rixham

Haig Davis wrote:
> alone work fine as does the foreach loop the only issue I have is the IF
> statement comparing $key to expected variable names.
>
> if($key != ("$customerServiceEmail") || ("$billingEmail") ||

multiple points here..

1: is the key name held in a php variable called $customerServiceEmail?

if you have then use:
if( $key != 'customerServiceEmail' )

if you have then use:
if( $key != '$customerServiceEmail' )


2: if you need to compare multiples then you need to use either..

if( !in_array( $key , array('customerServiceEmail' , 'billingEmail' , 'website') ) ) {

if( $key != 'customerServiceEmail' && $key != 'billingEmail' && $key != 'website' )

note in the above I've *ass*umed some mistyped logic, in that only
proceed if not ('customerServiceEmail' || 'billingEmail' || 'website') -
which is incorrect because string || string || string *always* equals 1
- hence you need the 3 comparisons achieved by using and(&&) or in_array.


3: these two lines override each other, and variable variables aren't
needed here
$$key = $key;
$$key = $value;


here's a full version for you that should work as you expect:

if( isset($_POST['submit']) ) {
    foreach($_POST as $keyTemp => $valueTemp){
        $key = mysqlclean($keyTemp);
        $value = mysqlclean($valueTemp);
        if( in_array( $key , array( 'customerServiceEmail' , 'billingEmail' ) ) ) {
            // only email validate if it's an email field;
            // flag the field when the value does NOT match the pattern
            if( !preg_match("/^([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4})*$/", $value) ) {
                $style = "yellow";
                $formMsg = "Invalid Characters";
                $bad = $key;
            }
        } else if( $key == 'website' ) {
            // placeholder in case you want URL validation
        } else {
            // only gets here if not an email field, and not a website address
            if(preg_match("/[^a-zA-Z0-9\s]/", $value)){
                $style = "yellow";
                $formMsg = "Invalid Characters";
                $bad = $key;
            }
        }
    }
}

regards;


Re: Form Validation filter - Regex Q

on 12.11.2009 06:02:28 by Manuel Lemos

Hello,

on 11/10/2009 03:34 PM Haig Davis said the following:
> I've been fighting with this little problem for two days now, so far no luck
> with google and am beginning to question my own sanity.
>
> I have an application that has over one hundred forms some quite lengthy so
> what I'm trying to achieve rather than writing a bunch of individual
> sanitize statements then form validation statements that I could run $_POST
> through a foreach loop and filter the values by form class i.e. is it an
> email address or simply a text block with letters and numbers. The regex's
> alone work fine as does the foreach loop the only issue I have is the IF
> statement comparing $key to expected variable names.

I am not a big fan of filtering. If the form has invalid data, do not
accept it, just show the form again to the user and make him fix it. He
may have made a mistake and if you fix his mistakes, you may be doing it
incorrectly.

What I suggest is to present the form again to the user denoting invalid
fields.

You may want to watch this tutorial video on this subject:

http://www.phpclasses.org/browse/video/1/package/1/section/usage.html

Other than that, doing all validation by hand is painful. You may want
to try this forms generation and validation package that performs all
the necessary types of validation on the server side in PHP and on
browser side using Javascript generated by the class within your form
template.

http://www.phpclasses.org/formsgeneration

Take a look here for a live example:

http://www.meta-language.net/forms-examples.html?example=test_form

If you have many forms for CRUD (Create, Retrieve, Update and Delete)
operations, you may want to also use this plug-in that automates the
generation of these types of forms so you can do it in a fraction of your
time.

http://www.meta-language.net/forms-examples.html?example=test_scaffolding_input


--

Regards,
Manuel Lemos

Find and post PHP jobs
http://www.phpclasses.org/jobs/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/


Re: Form Validation filter - Regex Q

on 12.11.2009 10:06:32 by news.NOSPAM.0ixbtqKe

On Tue, 10 Nov 2009 09:34:52 -0800, Haig Davis wrote:

> foreach($_POST as $keyTemp => $valueTemp){
> $key = mysqlclean($keyTemp);
> $value = mysqlclean($valueTemp);

Mysql and form validation are totally unrelated.
In my mind, this seems spectacularly misguided.

> if($key = ("$customerServiceEmail") || ("$billingEmail")){
>
> if(preg_match("/^([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4})*$/",
> $value)){

Just as almost every other email validation regexp
I have seen, this has a few imperfections:

* It does not allow some valid email addresses (mail!box@example.com)
* It does not allow some valid domains (*.museum)
* It allows invalid email addresses (.@example.com)
* It allows invalid domains (example..com)

> $style = "yellow";
> $formMsg = "Invalid Characters";
> $bad = $key;

Personally, I'd put the invalid keys in an array and
mark all the problematic fields at once.


/Nisse
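
An added example, not code from any poster in this thread: it combines the suggestions above (an allowlist lookup instead of chained `||` comparisons, one array of all rejected fields) and prints the thread's email pattern next to `filter_var` for the four kinds of address listed in this post. `validateForm()`, `FIELD_TYPES`, the `companyName` and `unexpectedField` names and all sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not from the thread. validateForm(), FIELD_TYPES and the
// sample data are constructed; 'companyName' is a hypothetical text field.
const THREAD_EMAIL_RE = '/^([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4})*$/';

// Allowlist of expected fields and the check each one gets.
const FIELD_TYPES = [
    'customerServiceEmail' => 'email',
    'billingEmail'         => 'email',
    'website'              => 'url',
    'companyName'          => 'text',
];

function validateField(string $type, string $value): bool
{
    switch ($type) {
        case 'email': return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
        case 'url':   return filter_var($value, FILTER_VALIDATE_URL) !== false;
        default:      return preg_match('/[^a-zA-Z0-9\s]/', $value) === 0;
    }
}

// Returns field => message for every rejected field, so all can be marked at once.
function validateForm(array $post): array
{
    $errors = [];
    foreach ($post as $key => $value) {
        if ($key === 'submit') { continue; }
        if (!is_string($key) || !array_key_exists($key, FIELD_TYPES)) {
            $errors[(string) $key] = 'Unexpected field';
        } elseif (!is_string($value) || !validateField(FIELD_TYPES[$key], $value)) {
            $errors[$key] = 'Invalid ' . FIELD_TYPES[$key];
        }
    }
    return $errors;
}

// Constructed sample submission.
print_r(validateForm([
    'submit' => 'Save', 'companyName' => 'Acme 42', 'website' => 'not a url',
    'customerServiceEmail' => 'help@example.com', 'billingEmail' => '.@example.com',
    'unexpectedField' => '1',
]));

// The thread's pattern next to filter_var on the four kinds of address listed above.
foreach (['mail!box@example.com', 'curator@example.museum', '.@example.com', 'user@example..com'] as $addr) {
    printf("%-24s regex=%d filter_var=%d\n", $addr, preg_match(THREAD_EMAIL_RE, $addr),
        (int) (filter_var($addr, FILTER_VALIDATE_EMAIL) !== false));
}
```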


Re: Form Validation filter - Regex Q

on 12.11.2009 16:03:21 by Al

Haig Davis wrote:
> Morning All,
>
> I've been fighting with this little problem for two days now, so far no luck
> with google and am beginning to question my own sanity.
>
> I have an application that has over one hundred forms some quite lengthy so
> what I'm trying to achieve rather than writing a bunch of individual
> sanitize statements then form validation statements that I could run $_POST
> through a foreach loop and filter the values by form class i.e. is it an
> email address or simply a text block with letters and numbers. The regex's
> alone work fine as does the foreach loop the only issue I have is the IF
> statement comparing $key to expected variable names.
>
> Here's the bit of code involved.
>
> if(isset($_POST['submit'])){
> foreach($_POST as $keyTemp => $valueTemp){
> $key = mysqlclean($keyTemp);
> $value = mysqlclean($valueTemp);
> $$key = $key;
> $$key = $value;
>
> if($key != ("$customerServiceEmail") || ("$billingEmail") ||
> ("$website")){
> if(preg_match("/[^a-zA-Z0-9\s]/", $value)){
> $style = "yellow";
> $formMsg = "Invalid Characters";
> $bad = $key;
>
> }
> }
> if($key = ("$customerServiceEmail") || ("$billingEmail")){
>
> if(preg_match("/^([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4})*$/",
> $value)){
> $style = "yellow";
> $formMsg = "Invalid Characters";
> $bad = $key;
> }
> }
>
> }
> }
>
> Thanks for taking a peek.
>
> Haig
>

Sorry about misreading your request earlier.

Here is a function that I use.

function checkEmailAddr($emailAddr)
{
    if(empty($emailAddr))
    {
        throw new Exception("No email address provided");
    }

    if(!preg_match("%\w+@%", $emailAddr))
    {
        throw new Exception("Email address missing mailbox name, or syntax is wrong. ");
    }

    if(!filter_var($emailAddr, FILTER_VALIDATE_EMAIL))
    {
        throw new Exception("Email address error. Syntax is wrong. ");
    }
    $domain = substr(strchr($emailAddr, '@'), 1);
    if(!checkdnsrr($domain))
    {
        throw new Exception("Email address warning. Specified domain \"$domain\" appears to be invalid. Check carefully.");
    }
    return true;
}

Use the function like this

try
{
    checkEmailAddr($userSubmitedDataArray[EMAIL_ADDR_FIELD]);
}
catch (Exception $e)
{
    $userErrorMsg = $e->getMessage(); //Message text in check function
}

