Validation isn't that difficult: you just need to question the integrity of every string that is submitted to you. The most common use of validation is alongside forms, and that is what I am going to discuss today.
Let's start with a simple form with name, age, e-mail and comments fields.
<form method="post">
<input type="text" name="name">
<input type="text" name="age">
<input type="text" name="email">
<textarea name="comments"> </textarea>
<input type="submit" name="submit">
</form>
Now, usually when a form is posted all the values are passed straight through, and if we are using an e-mail script to send an e-mail then that script is vulnerable to a technique called "e-mail injection". This means that people can submit more information than you want them to (for example extra mail headers hidden in a field).
Let's start with the name field. It is a required field, so we need to validate that the name field has a value. To do this I am going to test the value submitted using the function empty (http://learnhub.com/redirect?u=http%3A%2F%2Fuk3.php.net%2Fempty). This is how I would check whether the name field is empty.
<?php
$errors = array(); // collects every validation message; checked at the end
if (empty($_POST['name']))
{
$errors[] = 'Please enter a name';
}
?>
As you can see from the above example I initialised an array called $errors and added the value "Please enter a name"; this array will be used later.
The next field is the age field. Because the value of this field should be a number, we also check that the value submitted is numeric, using the is_numeric (http://learnhub.com/redirect?u=http%3A%2F%2Fuk3.php.net%2Fis_numeric) function like so.
<?php
if (empty($_POST['age']))
{
$errors[] = 'Please enter an age';
}
else if (!is_numeric($_POST['age']))
{
$errors[] = 'Please enter a valid age with a numeric value';
}
?>
Next we need to validate the e-mail address. I have seen this done many ways, but the best way in my opinion is with a regular expression, so something like this should be sufficient to stop people trying to submit multiple e-mail addresses in one field.
<?php
if (empty($_POST['email']))
{
$errors[] = 'Please enter an e-mail';
}
// eregi() was removed in PHP 7, so preg_match() is used instead: /i keeps the match
// case-insensitive and /D stops $ from matching just before a trailing newline.
else if (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/iD', $_POST['email']))
{
$errors[] = 'Please enter a valid e-mail address';
}
?>
Finally, comments. This is identical to the name field, but because the comments field is a textarea we have no control over the length of the value, so if you think it is necessary you can add a length check like this.
<?php
if (empty($_POST['comments']))
{
$errors[] = 'Please enter some comments';
}
else if (strlen($_POST['comments']) > 255)
{
$errors[] = 'Your comment is too long, please do not submit more than 255 characters';
}
?>
Then, once all the validation checks have run, you can make use of the error messages (if any exist) like so.
if (count($errors) == 0)
{
// Process form
}
else
{
echo $errors[0];
}
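To show the checks above working end to end, here is an added example (not code from the original post) that collects them into one function the e-mail script can call, and adds the check the e-mail injection point calls for: rejecting CR or LF in any field that will be placed in a mail header. The function name validate_form, the upper bound of 150 on the age and the two sample submissions are my own assumptions.

```php
<?php
// Added example: applies the post's checks to a submitted array and returns
// the error messages (an empty array means the submission is valid).
// validate_form, the age upper bound and the sample inputs are assumptions.
function validate_form(array $post): array
{
    $errors = array();

    // Anything that ends up in a mail header (From, Reply-To, Subject) must not
    // contain CR or LF, or extra headers can be smuggled in (e-mail injection).
    foreach (array('name', 'email') as $field) {
        if (isset($post[$field]) && preg_match('/[\r\n]/', $post[$field])) {
            $errors[] = 'Line breaks are not allowed in the ' . $field . ' field';
        }
    }
    if (empty($post['name'])) {
        $errors[] = 'Please enter a name';
    }
    if (empty($post['age'])) {
        $errors[] = 'Please enter an age';
    } elseif (!ctype_digit((string) $post['age']) || (int) $post['age'] > 150) {
        // ctype_digit rejects "1e3", " 42" and "-5", all of which is_numeric accepts
        $errors[] = 'Please enter a valid age with a numeric value';
    }
    if (empty($post['email'])) {
        $errors[] = 'Please enter an e-mail';
    } elseif (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        // FILTER_VALIDATE_EMAIL accepts exactly one address, so a comma-separated
        // list or an address with an embedded newline is rejected here as well
        $errors[] = 'Please enter a valid e-mail address';
    }
    if (empty($post['comments'])) {
        $errors[] = 'Please enter some comments';
    } elseif (strlen($post['comments']) > 255) {
        $errors[] = 'Your comment is too long, please do not submit more than 255 characters';
    }
    return $errors;
}

// Constructed sample submissions: one clean, one carrying a CR/LF in the e-mail field.
$samples = array(
    'clean'  => array('name' => 'Alice', 'age' => '34', 'email' => 'alice@example.com', 'comments' => 'Hello'),
    'attack' => array('name' => 'Alice', 'age' => '34', 'email' => "alice@example.com\r\nX-Extra: header", 'comments' => 'Hello'),
);
foreach ($samples as $label => $post) {
    $found = validate_form($post);
    echo $label, ': ', ($found ? implode('; ', $found) : 'OK'), "\n";
}
```

The clean submission produces no messages; the second one is rejected twice, once by the CR/LF check and once by filter_var, so a mail script that only sends when the array is empty never sees the injected header.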
That's basically the round trip of validation. These checks are a very important part of maintaining secure forms. Just to make things easier, here is the code in full; I have added an HTML table with labels for each field.
<?php
$errors = array(); // collects every validation message
// Only validate once the form has actually been submitted
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
    if (empty($_POST['name']))
    {
        $errors[] = 'Please enter a name';
    }
    if (empty($_POST['age']))
    {
        $errors[] = 'Please enter an age';
    }
    else if (!is_numeric($_POST['age']))
    {
        $errors[] = 'Please enter a valid age with a numeric value';
    }
    if (empty($_POST['email']))
    {
        $errors[] = 'Please enter an e-mail';
    }
    // preg_match() replaces the removed eregi(); /i = case-insensitive, /D = $ only at the very end
    else if (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/iD', $_POST['email']))
    {
        $errors[] = 'Please enter a valid e-mail address';
    }
    if (empty($_POST['comments']))
    {
        $errors[] = 'Please enter some comments';
    }
    else if (strlen($_POST['comments']) > 255)
    {
        $errors[] = 'Your comment is too long, please do not submit more than 255 characters';
    }
    if (count($errors) == 0)
    {
        // Process form
    }
    else
    {
        echo $errors[0];
    }
}
?>
<form method="post">
<table>
<tr>
<td>Name:</td>
<td><input type="text" name="name"></td>
</tr>
<tr>
<td>Age:</td>
<td><input type="text" name="age"></td>
</tr>
<tr>
<td>E-mail:</td>
<td><input type="text" name="email"></td>
</tr>
<tr>
<td>Comments:</td>
<td><textarea name="comments"></textarea></td>
</tr>
<tr>
<td colspan="2"><input type="submit" name="submit" value="Submit"></td>
</tr>
</table>
</form>