  1. #1
    SitePoint Addict

    Reasonable Method Of Validating Data?

    Hi Guys,
    I'm new to php and have come up with what I think is how you're supposed to check for valid data.
    Can you please tell me if I'm on the right track, and if I'm missing anything from this example:

    formfield1 id='name'
    formfield2 id='pass'

    $name = getElementByID('name')
    $pass = getElementByID('pass')

    $cleaner-name = stripslashes($name)
    $cleanest-name = mysql_real_escape_string($name)


    $cleaner-pass = stripslashes($pass)
    $cleanest-pass = mysql_real_escape_string($pass)

    $some-pattern = test

    if(!eregi($some-pattern,$cleanest-name))
    give error message
    else
    enter into database


    In other words, there are 2 form fields, both with their own ids ("name" and "pass"). I assign them to variables "$name" and "$pass". I know I've kind of mixed in PHP and JavaScript, so if someone can tell me how to get a CSS id with PHP I'd really appreciate it.

    I pass both variables through stripslashes() and mysql_real_escape_string() to ensure that any malicious code won't hurt the website.

    Then I compare the resulting values against my pattern to ensure that they're valid.
    If it's valid, it gets put into the database; if it's not, the user gets an error.

    Is there anything I've missed?

  2. #2
    Dan Grossman
    You can't get a CSS ID from PHP; there is no webpage, only an HTTP request containing the form post data. You can access the form fields by their name in the $_POST array.

    You should not need stripslashes() unless you have magic_quotes_gpc turned on, which is pretty rare. Calling stripslashes when extra slashes haven't been added could change the input which you don't want.

    You should check your pattern before calling mysql_real_escape_string
    Last edited by Dan Grossman; May 17, 2009 at 14:16.

  3. #3
    SitePoint Wizard
    You should also add validation to check if the strings are empty.

  4. #4
    SitePoint Addict
    Ah okay.
    So I should (Or rather CAN) only check for ids with javascript, and it's perfectly acceptable to simply grab the form fields with php and THEN assign them variables?

    In my case, magic quotes is turned on, don't know why.

    Why should I match the pattern before mysql_real_escape_string?

  5. #5
    SitePoint Wizard
    Quote Originally Posted by stevex33
    Why should I match the pattern before mysql_real_escape_string?
    If the match fails will the data be inserted into the database? – no. Therefore, the application is doing unnecessary work.

  6. #6
    Dan Grossman
    More importantly, mysql_real_escape_string() changes the input. Your pattern is written to test the user input is in some form, and it may be, but once you run it through mysql_real_escape_string(), it might no longer be in that form only because of added escape characters. You could reject valid input.

    For example, let's say one of your inputs is supposed to contain a URL. A valid URL may contain single quotes, but not backslashes. After calling mysql_real_escape_string(), the URL would have a backslash added before any single quote character. This URL would not match a pattern that tests for valid URLs, even though it is a valid URL. It would have matched if you tested before escaping.
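    The URL case from this post, as an added example that is not code from the thread; it assumes a deliberately simple URL pattern of my own, and uses addslashes() as a stand-in for mysql_real_escape_string() because the latter needs a live MySQL connection (both put a backslash before a single quote, which is all the demonstration relies on):

```php
<?php
// Added example; not code from the thread. It shows Dan Grossman's point in post #6:
// escaping before matching can reject valid input. addslashes() stands in for
// mysql_real_escape_string() only because the latter needs a live MySQL connection;
// both put a backslash before a single quote, which is all this demonstration uses.

// Constructed sample: a URL that legitimately contains a single quote.
$url = "http://example.com/it's-here";

// Deliberately simple URL pattern: a scheme, then a run of characters that are
// neither whitespace nor backslash. Single quotes pass, backslashes do not.
$url_pattern = '/^https?:\/\/[^\s\\\\]+$/';

function looks_like_url(string $value, string $pattern): bool
{
    return preg_match($pattern, $value) === 1;
}

// Correct order: test the raw input, then escape only the copy that goes into the query.
$valid         = looks_like_url($url, $url_pattern);   // true
$for_query     = addslashes($url);                     // http://example.com/it\'s-here

// Wrong order: escape first, then test. The added backslash fails the pattern.
$valid_escaped = looks_like_url($for_query, $url_pattern); // false

printf("raw:     %s  valid=%s\n", $url, var_export($valid, true));
printf("escaped: %s  valid=%s\n", $for_query, var_export($valid_escaped, true));
```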

  7. #7
    SitePoint Wizard wheeler
    you would access <input type="text" name="firstname"> as follows:
    $firstname = $_POST['firstname'];

    Another point is that you cannot use dashes in a variable name - use underscores instead. Dash is taken to mean minus.

  8. #8
    SitePoint Addict
    Thank you that was very helpful.
    So, how can I strip out nasty characters, but intend on displaying them again?
    In your example of attempting to store a URL with single quotations, how can I remove them sensibly when I want to retrieve the data from the database in its original format?
    Last edited by stevex33; May 18, 2009 at 13:08.

  9. #9
    Dan Grossman
    mysql_real_escape_string() will escape the single quotes so they don't mess up the query, but the escape marks won't be there when you retrieve the URL back out of the database; it'll be exactly as the user typed it.

  10. #10
    SitePoint Addict
    Here's my attempt at a cleansing function, what do you think, and will it work as I expect it to?

    Code:
    <?php
    
    function cleanse($input){
    $one= escapeshellarg($input);
    $two = escapeshellcmd($one);
    $three = htmlentities($two);
    $four = strip_tags($three);
    $five = mysql_real_escape_string($four);
    $six = stripslashes($five);
    return $six;
    };
    
    $username=$_POST['username'];
    $password=$_POST['password'];
    
    echo cleanse($username);
    echo "<br />";
    echo cleanse($password);
    ?>
    Haven't got a database/connection up and running yet, so mysql_real_escape_string($four) is crashing on me.

  11. #11
    Dan Grossman
    What you do to "clean" input depends on what you're going to do with that input.

    If it's a rich text editor for a CMS, then calling strip_tags() destroys the valid input.

    If it's bound for insertion into a database, then you have no reason to call htmlentities() and convert text into HTML.

    escapeshellarg/escapeshellcmd should only be used if you're about to use the input in an exec()/shell_exec() call, otherwise you're destroying the data by adding unnecessary escape characters.

    And calling stripslashes() after several functions that add slashes is like undoing the work you just did.

    If the data is destined for insertion into a database, then calling stripslashes() after mysql_real_escape_string() makes it unsuitable for putting into a query again.

    Hopefully you get the idea that looking up as many "cleaning" functions as you can and stringing them together arbitrarily gives you back gibberish; it's not what you want to be doing.

  12. #12
    SitePoint Addict
    Thanks for that, I was hoping to create a super cleaner, but I understand your point, just because I CAN use all the security features available to me, it doesn't mean that it makes sense to.

    Gimmie a break I'm learning :P

    At the moment it's just for usernames and password entries to go into a database, be compared to later, and (In the case of the username) displayed on several pages throughout the website.

    In this situation, is mysql_real_escape_string() enough?
    Is it completely safe?

    The one thing I want to learn before anything else is security and learn what type of security is appropriate in certain scenarios.

  13. #13
    Dan Grossman
    There would be three things I'd do before storing the POSTed username and password:

    1) Check that they are not empty

    2) Check that they only contain characters you want to allow. You can skip that if you are OK with "hi^#@][::" as a username. And that's alright if you are.

    3) Lastly, and order counts, use mysql_real_escape_string()

    Separately, when you retrieve the username from the database and want to display it on a webpage, use htmlentities() to avoid someone injecting HTML or JavaScript into your page by making it part of the username.
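    The three steps above plus the separate display step, as an added example that is not code from the thread. It assumes an open mysqli connection named $db, a username whitelist of my own choosing, and a table called users; mysqli_real_escape_string() takes the place of the thread's mysql_real_escape_string(), and hashing the password with password_hash() goes beyond what the thread discusses:

```php
<?php
// Added example; not code from the thread. It applies the three steps from post #13 to the
// thread's username/password fields, then the separate htmlentities() step for display.
// Assumes $db is an open mysqli connection; mysqli_real_escape_string() replaces the thread's
// mysql_real_escape_string() (the mysql_* extension was removed in PHP 7). Hashing the
// password with password_hash() is an addition beyond what the thread discusses.

function validate_username(string $raw): ?string
{
    if ($raw === '') {                                  // 1) not empty
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw)) {  // 2) only characters you chose to allow
        return null;
    }
    return $raw;                                        // unchanged: exactly what was typed
}

function validate_password(string $raw): ?string
{
    // No character whitelist for passwords; require non-empty and a sane length.
    return ($raw !== '' && strlen($raw) <= 200) ? $raw : null;
}

function store_user(mysqli $db, string $username, string $password): bool
{
    // 3) last, and only on values that already passed validation: escape for the query.
    $u = mysqli_real_escape_string($db, $username);
    $p = mysqli_real_escape_string($db, password_hash($password, PASSWORD_DEFAULT));
    $sql = "INSERT INTO users (username, password_hash) VALUES ('$u', '$p')";
    return mysqli_query($db, $sql) === true;
}

// Separately: the database returns exactly what was typed, so encode at display time only.
function display_username(string $from_db): string
{
    return htmlentities($from_db, ENT_QUOTES, 'UTF-8');
}

$username = validate_username($_POST['username'] ?? '');
$password = validate_password($_POST['password'] ?? '');
if ($username !== null && $password !== null) {
    store_user($db, $username, $password);          // the "enter into database" branch of post #1
} else {
    echo "Invalid username or password\n";          // the "give error message" branch of post #1
}

// Had the whitelist allowed markup in names (post #13 leaves that choice to you), this
// is what stops "<b>bob</b>" from rendering as HTML when the name is shown on a page.
echo display_username('<b>bob</b>'); // &lt;b&gt;bob&lt;/b&gt;
```

Note that validate_username() and validate_password() return the input untouched: validation decides whether to accept the value, and only store_user() changes it, for the query alone.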

  14. #14
    SitePoint Addict
    Okay, so do all my checks and pattern matching first, then mysql_real_escape_string(), then it's perfectly safe to store in a database.

    I don't quite understand how someone could inject html into my page. Do you mean, if someone includes some html as part of their name, and then I store it, it will pass through mysql_real_escape_string() without any troubles, but when I go to display it, it will actually display as html?

    So when getting anything from a database (to display on a webpage), it's standard practice to run it through htmlentities() first?

    I haven't quite got to the retrieval part just yet, but would it be something like:

    Store query as a variable, store result as a variable, $new_result = htmlentities(result), then do whatever I want with $new_result ?

