sonal Posted July 16, 2012

Is the following form validation done in the right order? Do I need all of it? Or are these just extra lines of code?

    if (isset($_POST['quote']) && is_string($_POST['quote'])) { // to check data is filled.
        // sanitize incoming quote:
        if (preg_match('/^[A-Z \'.-]{20,800}$/i', $_POST['quote'])) { // reg exp will check only allowed characters are present.
            $_POST['quote'] = filter_var($_POST['quote'], FILTER_SANITIZE_STRING); // same as reg exp??
            $_POST['quote'] = filter_var($_POST['quote'], FILTER_SANITIZE_SPECIAL_CHARS); // reg exp won't let it come here..??
            $_POST['quote'] = mysqli_real_escape_string($dbc, trim($_POST['quote']));
        } // if (preg_match ...)
    } // if (isset ...)
Antonio Conte Posted July 16, 2012

You need to tell us more about what 'Quote' is before we can tell you whether the validation is good enough.
sonal (Author) Posted July 17, 2012

Oh, ok. Here 'Quote' is a simple string (a quotable-quotes kind of thing). (I have kept its length from 20 to 800 alphabetic characters.)
HartleySan Posted July 17, 2012

sonal, that is way too much overkill. I recommend checking out each of the functions and arguments you mentioned on PHP.net for details about exactly which characters they strip. It seems to me that the only thing you need to be careful of is HTML and JavaScript being injected into your quote. To that end, the htmlspecialchars function should work fine.
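An added example (not code from any poster in this thread) showing the three steps the thread is circling around for a plain string like the quote: validate once against an allow-list, store it with a prepared statement instead of mysqli_real_escape_string, and call htmlspecialchars only at output time, as HartleySan suggests. It assumes an open mysqli connection in $dbc and a table named quotes with a TEXT column named quote; both names are assumptions, not something from the original post.

```php
<?php
// Added example, not from the original thread. Assumes an open mysqli
// connection $dbc and a table `quotes` with a TEXT column `quote`.
declare(strict_types=1);

// Step 1: validate. One allow-list regex on the raw input does the work of
// the FILTER_SANITIZE_STRING / FILTER_SANITIZE_SPECIAL_CHARS pair: if the
// input contains only letters, spaces, apostrophes, periods and hyphens,
// there is nothing left for those filters to strip, so they are redundant.
function validate_quote($raw): ?string
{
    if (!is_string($raw)) {
        return null;             // field missing, or sent as an array via quote[]=...
    }
    $quote = trim($raw);
    // \A and \z instead of ^ and $: in PCRE, $ also matches before a trailing
    // newline, so "...text\n" would otherwise pass the check.
    if (!preg_match('/\A[A-Za-z \'.-]{20,800}\z/', $quote)) {
        return null;
    }
    return $quote;
}

// Step 2: store. A prepared statement keeps the data separate from the SQL
// text, so mysqli_real_escape_string() is not needed. Applying it as well
// would store literal backslashes in the table.
function store_quote(mysqli $dbc, string $quote): bool
{
    $stmt = $dbc->prepare('INSERT INTO quotes (quote) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $quote);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Step 3: render. Escape for the output context, at output time. The database
// holds the plain string, so the same row can later be emitted as JSON or
// plain text without double-escaping.
function render_quote(string $quote): string
{
    return '<blockquote>'
        . htmlspecialchars($quote, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</blockquote>';
}

$quote = validate_quote($_POST['quote'] ?? null);
if ($quote === null) {
    http_response_code(400);
    echo 'Quote must be 20 to 800 characters: letters, spaces, apostrophes, periods or hyphens.';
    exit;
}
if (!store_quote($dbc, $quote)) {   // $dbc: assumed mysqli connection opened elsewhere
    http_response_code(500);
    exit;
}
echo render_quote($quote);
```

With this allow-list in place htmlspecialchars has almost nothing to change (only the apostrophe, when ENT_QUOTES is set), which is the point HartleySan is making: the regex already keeps HTML and script out, and the remaining escaping is there for the day the allow-list is widened. Note that rejecting input that fails validation is simpler and safer than trying to repair it with sanitizing filters, which can silently turn one string into a different one.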
Antonio Conte Posted July 17, 2012

I agree with Jon here. Just make sure data is not harmful. You can't really guard against anyone monkeying around and using weird data. All you can do is make sure it'll not break your application. That won't be a problem here. It's much easier validating data like numbers, dates or emails. A normal string you just filter out the bad data.