Reasonable Method Of Validating Data?

**stevex33** · May 17, 2009 13:18

Hi Guys,
I'm new to php and have come up with what I think is how you're supposed to check for valid data.
Can you please tell me if I'm on the right track, and if I'm missing anything from this example:

formfield1 id='name'
formfield2 id='pass'

$name = getElementByID('name')
$pass = getElementByID('pass')

$cleaner-name = stripslashes($name)
$cleanest-name = mysql_real_escape_string($name)

$cleaner-pass = stripslashes($pass)
$cleanest-pass = mysql_real_escape_string($pass)

$some-pattern = test

if(!eregi($some-pattern,$cleanest-name))
give error message
else
enter into database

In other words, there are 2 form fields, both with their own id's, ("name" and "pass"). I assign them to variables "$name" and "$pass". I know I've kind of mixed in php and javascript, so if someone can tell me how to get a css id with php I'd really appreciate it.

I pass both variables through stripslashes(), and mysql_real_escape_string() to ensure that any malicious code wont hurt the website.

Then I compare the resulting values against my pattern to ensure that they're valid.
If it's valid, it gets put into the database, if it's not, the user get's an error.

Is there anything I've missed?

**Dan Grossman** · May 17, 2009 13:27

You can't get a CSS ID from PHP; there is no webpage, only an HTTP request containing the form post data. You can access the form fields by their name in the $_POST array.

You should not need stripslashes() unless you have magic_quotes_gpc turned on, which is pretty rare. Calling stripslashes when extra slashes haven't been added could change the input which you don't want.

You should check your pattern before calling mysql_real_escape_string

**oddz** · May 17, 2009 14:07

You should also add validation to check if the strings are empty.

**stevex33** · May 17, 2009 15:10

Ah okay.
So I should (Or rather CAN) only check for ids with javascript, and it's perfectly acceptable to simply grab the form fields with php and THEN assign them variables?

In my case, magic quotes is turned on, don't know why.

Why should I match the pattern before mysql_real_escape_string?

**oddz** · May 17, 2009 15:21

Originally Posted by stevex33

Why should I match the pattern before mysql_real_escape_string?

If the match fails will the data be inserted into the database? – no. Therefore, the application is doing unnecessary work.

**Dan Grossman** · May 17, 2009 15:27

More importantly, mysql_real_escape_string() changes the input. Your pattern is written to test the user input is in some form, and it may be, but once you run it through mysql_real_escape_string(), it might no longer be in that form only because of added escape characters. You could reject valid input.

For example, let's say one of your inputs is supposed to contain a URL. A valid URL may contain single quotes, but not backslashes. After calling mysql_real_escape_string(), the URL would have a backslash added before any single quote character. This URL would not match a pattern that tests for valid URLs, even though it is a valid URL. It would have matched if you tested before escaping.

**wheeler** · May 17, 2009 17:50

you would access <input type="text" name="firstname"> as follows:
$firstname = $_POST['firstname'];

Another point is that you cannot use dashes in a variable name - use underscores instead. Dash is taken to mean minus.

**stevex33** · May 18, 2009 11:08

Thank you that was very helpful.
So, how can I strip out nasty characters, but intend on displaying them again?
In your example of attempting to store a url with single quotations, how can I remove them sensibly when I want to retrieve the data from the database in it's original format?

**Dan Grossman** · May 18, 2009 13:41

mysql_real_escape_string() will escape the single quotes so they don't mess up the query, but the escape marks won't be there when you retrieve the URL back out of the database, it'll be exactly as the user typed it

**stevex33** · May 18, 2009 14:27

Here's my attempt at a cleansing function, what do you think, and will it work as I expect it to?

Code:

<?php

function cleanse($input){
$one= escapeshellarg($input);
$two = escapeshellcmd($one);
$three = htmlentities($two);
$four = strip_tags($three);
$five = mysql_real_escape_string($four);
$six = stripslashes($five);
return $six;
};

$username=$_POST['username'];
$password=$_POST['password'];

echo cleanse($username);
echo "<br />";
echo cleanse($password);
?>

Haven't got a database/connection up and running yet, so mysql_real_escape_string($four) is crashing on me.

**Dan Grossman** · May 18, 2009 15:09

What you do to "clean" input depends on what you're going to do with that input.

If it's a rich text editor for a CMS, then calling strip_tags() destroys the valid input.

If it's bound for insertion into a database, then you have no reason to call htmlentities() and convert text into HTML.

escapeshellarg/escapeshellcmd should only be used if you're about to use the input in an exec()/shell_exec() call, otherwise you're destroying the data by adding unnecessary escape characters.

And calling stripslashes() after several function that add slashes is like undoing the work you just did.

If the data is destined for insertion into a database, then calling stripslashes() after mysql_real_escape_string() makes it unsuitable for putting into a query again.

Hopefully you get the idea that looking up as many "cleaning" function as you can and stringing them together arbitrarily gives you back gibberish, it's not what you want to be doing.

**stevex33** · May 18, 2009 16:08

Thanks for that, I was hoping to create a super cleaner, but I understand your point, just because I CAN use all the security features available to me, it doesn't mean that it makes sense to.

Gimmie a break I'm learning :P

At the moment it's just for usernames and password entries to go into a database, be compared to later, and (In the case of the username) displayed on several pages throughout the website.

In this situation, is mysql_real_escape_string() enough?
Is it completely safe?

The one thing I want to learn before anything else is security and learn what type of security is appropriate in certain scenarios.

**Dan Grossman** · May 18, 2009 16:29

There would be three things I'd do before storing the POSTed username and password:

1) Check that they are not empty

2) Check that they only contain characters you want to allow. You can skip that if you are OK with "hi^#@][::" as a username. And that's alright if you are.

3) Lastly, and order counts, use mysql_real_escape_string()

Separately, when you retrieve the username from the database and want to display it on a webpage, use htmlentities() to avoid someone injecting HTML or JavaScript into your page by making it part of the username.

**stevex33** · May 19, 2009 10:43

Okay, so do all my checks and pattern matching first, then mysql_real_escape_string(), then it's perfectly safe to store in a database.

I don't quite understand how someone could inject html into my page. Do you mean, if someone includes some html as part of their name, and then I store it, it will pass through mysql_real_escape_string() without any troubles, but when I go to display it, it will actually display as html?

So when getting anything from a database (To display on a webpage), it's standard practie to run it through htmlentities() first?

I haven't quite got to the retrieval part just yet, but would it be something like:

Store query as a variable, store result as a variable, $new_result = htmlentities(result), then do whatever I want with $new_result ?

User Tag List

Thread: Reasonable Method Of Validating Data?

Thread Tools

Display

Reasonable Method Of Validating Data?

Bookmarks

Bookmarks

Posting Permissions