Larry Ullman's Book Forums


Is the following form validation done in the right order? Do I need all of it? Or are these just extra lines of code?

```php
if (isset($_POST['quote']) && is_string($_POST['quote'])) { // check that data was submitted

    // sanitize incoming quote:
    if (preg_match('/^[A-Z \'.-]{20,800}$/i', $_POST['quote'])) { // regex allows only letters, spaces, apostrophes, dots and hyphens, 20 to 800 characters

        $_POST['quote'] = filter_var($_POST['quote'], FILTER_SANITIZE_STRING); // same as the regex??

        $_POST['quote'] = filter_var($_POST['quote'], FILTER_SANITIZE_SPECIAL_CHARS); // the regex won't let anything through to here..??

        $_POST['quote'] = mysqli_real_escape_string($dbc, trim($_POST['quote'])); // $dbc is the open mysqli connection

    } // end of if (preg_match ...)

} // end of if (isset ...)
```


sonal, that is way too much overkill.

I recommend checking out each of the functions and arguments you mentioned on PHP.net for details about exactly which characters they strip.


It seems to me that the only thing you need to be careful of is HTML and JavaScript being injected into your quote. To that end, the htmlspecialchars function should work fine.


I agree with Jon here. Just make sure data is not harmful. You can't really guard against anyone monkeying around and using weird data. All you can do is make sure it'll not break your application. That won't be a problem here.


It's much easier to validate data like numbers, dates or emails. With a normal string, you just filter out the bad data.

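An added example, not code from the thread, that puts Jon's advice and the last reply's point into working PHP: validate the quote once with the original poster's pattern, keep the validated text unchanged, escape it with htmlspecialchars only when it is rendered, hand it to a prepared statement for the database, and use PHP's built-in validators for structured values such as emails and integers. It also shows why the chain in the question is overkill: FILTER_SANITIZE_SPECIAL_CHARS before storage plus htmlspecialchars at output double-encodes the apostrophe the pattern allows through (FILTER_SANITIZE_STRING itself is deprecated as of PHP 8.1). The function names, the sample inputs and the `quotes` table and column are my assumptions; `$dbc` is the mysqli connection from the question.

```php
<?php
// Added example, not code from the thread. Validate the quote once, keep the
// validated text unchanged, and escape it only for the context it is used in.
// Function names, sample inputs and the table/column names are assumptions.
declare(strict_types=1);

// Validation: the original poster's rule (letters, spaces, apostrophes, dots
// and hyphens, 20 to 800 characters) applied to the trimmed input. Returns the
// clean string or null; it never rewrites the value.
function validate_quote($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $quote = trim($raw);
    return preg_match('/^[A-Z \'.-]{20,800}$/i', $quote) === 1 ? $quote : null;
}

// Output escaping for HTML: the one step Jon recommends. ENT_QUOTES also
// encodes the single quote that the validation rule lets through.
function quote_to_html(string $quote): string
{
    return htmlspecialchars($quote, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The chain from the question, kept only to show its effect: encoding the
// apostrophe before storage and escaping the stored "&" again at output
// leaves a double-encoded entity in the page.
function overkill_then_output(string $quote): string
{
    $stored = filter_var($quote, FILTER_SANITIZE_SPECIAL_CHARS); // encodes ' " < > &
    return quote_to_html($stored);                               // encodes the & again
}

// Database: hand the validated text to a prepared statement instead of
// mysqli_real_escape_string. $dbc is the mysqli connection from the question;
// the quotes table and its quote column are placeholders.
function store_quote(mysqli $dbc, string $quote): bool
{
    $stmt = $dbc->prepare('INSERT INTO quotes (quote) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $quote);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Structured values (the last reply's point): PHP ships validators for
// these, so no pattern or sanitizer is needed.
function validate_email(string $raw): ?string
{
    $v = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

function validate_year(string $raw): ?int
{
    $opts = ['options' => ['min_range' => 1000, 'max_range' => 2999]];
    $v = filter_var(trim($raw), FILTER_VALIDATE_INT, $opts);
    return $v === false ? null : $v;
}

// Constructed sample inputs; the value is what the rule should decide.
$samples = [
    "Don't count your chickens before they hatch."    => 'accepted',
    "Too short."                                       => 'rejected', // under 20 characters
    "<script>alert(1)</script> is not a quote at all" => 'rejected', // < > ( ) and digits
    "Numbers like 1984 are not allowed by this rule"  => 'rejected', // digits
];
foreach ($samples as $input => $expected) {
    $got = validate_quote($input) === null ? 'rejected' : 'accepted';
    printf("%-50s %s (expected %s)\n", $input, $got, $expected);
}

// Render the same validated quote both ways to see the double encoding.
$quote = validate_quote("Don't count your chickens before they hatch.");
echo quote_to_html($quote), "\n";
echo overkill_then_output($quote), "\n";

// Structured values need no regex at all.
var_dump(validate_email('reader@example.com'));
var_dump(validate_email('not an address'));
var_dump(validate_year('1984'));
var_dump(validate_year('84'));
```

Run it with `php example.php` (no database needed; `store_quote` is only called when you have a `$dbc` connection). The point to take from the output is that the validated text is stored exactly as typed and each consumer escapes it for its own context: htmlspecialchars for the page, the prepared statement for MySQL. Applying a sanitizer on the way in as well changes the data and shows up as `&amp;#39;` in the rendered quote.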
