| SitePoint Sponsor |
Hi, im coding a form mailer.
A common validation problem of a user input data, like name, adress, etc.
A user submits a string outside the textbox max length, huuuge string.
I want to put a filter or validator for this case, and i'd like to hear some comments how do u handle this.
Validator is a query ("does it look ok?"), filter is an action ("make it look ok"). Which one to use is your decision.
They can accomplish the same goals or different ones. In other words you need not bother the user if an input has leading and trailing spaces, you would if the data they entered in an email field was not a valid email.
If a spammer hits your form, and tries to inject mail headers via your form fields, proper validation would reject that submission and not send mail. There is no reason to filter the data and send it, because what they want to send is garbage.
If you are inserting data into a database, what you validate and what you filter depends on the ability of the script to actually do something with the data to keep it in the desired format.
Once a dataset gets to be a few hundred records, it becomes valuable enough, that protecting the integrity of the data is important. All dates and phone numbers (ssn, etc.) should be the same format, emails should be valid and so on. If there is no way to filter a particular type of input to ensure the proper data format, then validate it and insist that it be entered correctly.
validate code from a user
filter code before inserting into a db
You shouldn't really accept code from a user in a non-valid way, and filter it to say "o I guess you meant this?". Its just not a good practice. Validate everything from the user to make sure its in the format you're expecting. Data filtering should be limited to make sure that its escaped correctly and safe for storing.
my utility belt tells me its to the bar batman
read the manual then google it then do a search THEN post....
Lets say you had a telephone no input box, and you set the html to MAXLENGTH that at 15 chars....and i'd like to hear some comments how do u handle this.
As you say, that could be 2GB of data they sent you, whether they send 16 chars or 16 million - someone's messsing about.PHP Code:if ( strlen( $_GET['tel']) > 15 ){
// abort everything, and redirect
}
OK. so you stipulate that they can only send numbers and spaces in the Tel input box.
Run a simple regex over it, right?
But what I would do before the regex is to replace and letter 'o' with a number '0' because that's the kind of mistake my mom would make.
Hence I don't wholeheartedly agree with this statement:
So THEN I'd verify there was only numbers and spaces and for good measure I'd *_real_escape_string() it as it goes in the db, because even I make mistakes.You shouldn't really accept code from a user in a non-valid way, and filter it to say "o I guess you meant this?". Its just not a good practice. Validate everything from the user to make sure its in the format you're expecting. Data filtering should be limited to make sure that its escaped correctly and safe for storing.
Now which is termed as filtering and what is validating I am not sure.
filtering implies a passive step, something which does not have a fail condition. Validating implies an agressive step which does have a fail condition. Anything where the data can fail and be refused to be used is counted as validating, anything where the data is vetted and then used without reporting an error is counted as filtering.
my utility belt tells me its to the bar batman
read the manual then google it then do a search THEN post....
Right, thanks for that explanation, santouras.
That strikes me as a bad idea. You should filter as close to input, as possible. What you're talking about, is probably escaping, which is something, you do, when embedding strings into an SQL query. That would happen close to the query being executed.Originally Posted by santouras
I like the doctrine, "Be liberal in what you accept, but conservative in what you output." Usually, filtering and validation are done in conjunction, although in your case, a form mailer, most of the fields will only need validation.
HTML Purifier - Standards-Compliant HTML filtering
Let me get this right then, validate as soon as you can do the easiest things first - then escape and store.
Stay away from describing that process as a "filter" ( I must admit that filter sounds like "send a to b or c depending on condition x", I mean I have done that, but not from a security POV )
Posting Permissions
Bookmarks