Larry Ullman's Book Forums

Is the following form validation done in the right order? Do I need all of it? Or are these just extra lines of code?


if (isset($_POST['quote']) && is_string($_POST['quote'])) { // check that the field was submitted as a string.

    // sanitize incoming quote:
    if (preg_match('/^[A-Z \'.-]{20,800}$/i', $_POST['quote'])) { // reg exp checks that only allowed characters are present.
        $_POST['quote'] = filter_var($_POST['quote'], FILTER_SANITIZE_STRING); // same as reg exp?? (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.)
        $_POST['quote'] = filter_var($_POST['quote'], FILTER_SANITIZE_SPECIAL_CHARS); // reg exp won't let anything get here..??
        $_POST['quote'] = mysqli_real_escape_string($dbc, trim($_POST['quote'])); // $dbc is assumed to be an open mysqli connection.
    } // if (preg_match) 'quote'.

} // if (isset) 'quote' -- this closing brace was missing in the original snippet.


sonal, that is way too much overkill.

I recommend checking out each of the functions and arguments you mentioned on PHP.net for details about exactly which characters they strip.


It seems to me that the only thing you need to be careful of is HTML and JavaScript being injected into your quote. To that end, the htmlspecialchars function should work fine.


I agree with Jon here. Just make sure data is not harmful. You can't really guard against anyone monkeying around and using weird data. All you can do is make sure it'll not break your application. That won't be a problem here.


It's much easier validating data like numbers, dates or emails. With a normal string, you just filter out the bad data.

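Putting the two answers together, here is an added example (not code from the thread or from the book) of how the original snippet can be reduced: validate the quote once with the same regular expression, store it with a prepared statement instead of mysqli_real_escape_string, and apply htmlspecialchars only when printing. It assumes $mysqli is an open mysqli connection and a table named quotes with a text column named quote; both names are made up for the example.

```php
<?php
// Added example: validate once, then escape per output context.
// Assumed: $mysqli is an open mysqli connection; table `quotes` (quote TEXT).

declare(strict_types=1);

/**
 * Validate the raw quote. Returns the trimmed quote, or null if it is rejected.
 * Validation only accepts or rejects; it never rewrites the value.
 */
function validateQuote($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $quote = trim($raw);
    // Same character whitelist and length bounds as the original post.
    if (!preg_match('/^[A-Z \'.-]{20,800}$/i', $quote)) {
        return null;
    }
    return $quote;
}

/** Store the validated quote with a bound parameter; no manual SQL escaping. */
function storeQuote(mysqli $db, string $quote): bool
{
    $stmt = $db->prepare('INSERT INTO quotes (quote) VALUES (?)');
    $stmt->bind_param('s', $quote);
    return $stmt->execute();
}

/** Escape for HTML only at the point where the quote is printed. */
function renderQuote(string $quote): string
{
    return '<blockquote>'
        . htmlspecialchars($quote, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</blockquote>';
}

$quote = validateQuote($_POST['quote'] ?? null);
if ($quote === null) {
    echo 'Please enter 20 to 800 letters, spaces, apostrophes, periods or hyphens.';
} else {
    storeQuote($mysqli, $quote);
    echo renderQuote($quote);
}
```

Because the stored value is the user's original text rather than an escaped copy, it can later be emitted safely in other contexts (JSON, plain-text email) by escaping for that context instead of undoing HTML entities.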
