Tuesday, July 7, 2009

Re: [PHP_MySQL] Form validation - Absolute newbie question...



While using JavaScript makes for a better user experience and prohibits
casual form submissions with empty or malformed fields, it is not a
replacement for server-side validation.

By simply turning off JavaScript in the browser, a mischievous user can
circumvent the validation and submit any data they please. There are
several (read: dozens of) free Firefox extensions that will allow you to
submit any POST or GET data to a script and manipulate cookie data, etc.,
regardless of HTML or JavaScript limitations on the page.

Server-side validation is the only acceptable method for checking user
input.

I consider the following to be development canon: Never trust the user.

Now, the following is my basic view of form minimums:

Forms should be 'sticky'. By this I mean, if you 'fail' validation, your
input should remain populated in the form field. This is achieved simply:

<input type="text" id="foo" name="foo" value="<?php echo $foo; ?>" />

A short, 'template' tag allows:

<input type="text" id="foo" name="foo" value="<?= $foo; ?>" />

To do this you need to accomplish a few things:

1. Initialize $foo.

This step can be circumvented by:

<input type="text" id="foo" name="foo" value="<?= isset($foo) ? $foo : ''; ?>" />

but that really does us no good, as we can still end up with garbage. So,
instead we can just assign $foo to '', thereby casting it as a string while
making it exist. So, before the form we can just set $foo = '', and leave
our value echoing $foo. I know it will not populate yet, just keep reading.

2. Make $foo show the submitted form data.

So, our user has submitted a form with errors. Now we are redisplaying the
form, and need to redisplay the data (presumably displaying errors as
well). So, we need to set $foo to $_POST['foo'], assuming we used the POST
method:

if (isset($_POST['foo']))
{
$foo = $_POST['foo'];
}
else
{
$foo = '';
}

would replace our $foo = ''; or we can make it a bit easier on the eyes:

$foo = isset($_POST['foo']) ? $_POST['foo'] : '';

3. Make $foo "safe"

If you don't filter user input, your form can break, even with casual users
who make a mistake. And it can happen extremely simply.
Using what we have now, if a user submitted a " or ">, the form would break.
Something like:
"/><!--
would "comment out" the rest of your page.

If this was emailed to someone, or displayed as HTML output for the
recipient of the data, it could have gotten better. Think iframes and
JavaScript with a side of email and reporting pages. This could be a
security nightmare.

So, we need to fix our users input to encode all the 'bad characters' to
html entities. Thankfully for php, this is easy using htmlspecialchars():

$foo = isset($_POST['foo']) ? htmlspecialchars($_POST['foo']) : '';

Now, we have no worries with HTML breaking with our user's input, and our
form field is sticky.

You can use foreach() to iterate through your $_POST array and set the key
of each to a safe version of the user input for forms longer than one or two
entries:

foreach ($_POST as $k => $v)
{
$$k = htmlspecialchars($v);
}

If you have never seen the $$ before, you can find more about it here:
php.net/variables.variable

Now all your form fields can be sticky, with the 'name' of each field having
a value of '$name'.

If you are going to be inserting your input into a database, you will
certainly want to prevent SQL injection.

If you don't know what SQL injection is, Google it. This is must know
information for all web developers, especially when using native php.

Essentially, your user could input:
OR 1=1 Blah Blah Blah
And have your 'value' become part of the SQL query. This is the ruin of
many databases, and an opportunity for data theft.

To prevent this, just run ALL post data that is going into a SQL query
through mysql_real_escape_string(), or the appropriate function for your
database if it is not MySQL.

foreach ($_POST as $k => $v)
{
$_POST[$k] = mysql_real_escape_string($v);
}

THEN process your POST data into your SQL statement.

Although this just touches the absolute basics for safe forms, you will want
to check your users input and return errors, messages, etc. And adding some
javascript to make it easier on the user is always a nice touch.

WOW. That was a long rant. I should make it a blog post.

Hope that helps,

~Jason Straughan
http://www.tutlist.com

On Tue, Jul 7, 2009 at 7:21 PM, azamin zainol abidin
<azamin7@pd.jaring.my> wrote:

>
>
> use javascript submitting the form to check if there is empty
> fields... if there is empty field, users have to fill in the field.
> After there is no empty field.. then the form can be submitted to....
>
> google this for the javascript...
>
> http://www.google.com.my/search?hl=en&q=javascript+form+validation&btnG=Google+Search&meta=&aq=f&oq=
>
>
> Chris Parnell wrote:
>
> >Hi All,
> >
> >Apologies if this seems a silly question but I am struggling to find a
> >decent answer.
> >I have forms that I use that enter information into a MySQL database
> >and I want some form of validation to ensure that there are no empty
> >fields... that's all.
> >
> >Any help would really be appreciated.
> >
> >Thanks
> >Chris
> >
> >Come to the monthly meetings at UTD in Richardson, TX.
> >Second Tuesday of every month.

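The three steps above (initialize, repopulate, make safe) plus the SQL-escaping step, pulled together into one runnable script. This is an added example, not code from the original post or from the list. It assumes PHP 7.1 or later with PDO and the pdo_sqlite driver, and uses an in-memory SQLite table in place of the MySQL table from the question; the field names, the table name `contacts`, and the two sample submissions are constructed for illustration. It differs from the post in two deliberate ways: values are escaped with htmlspecialchars() at the point of output rather than at input, so the raw string goes to the database, and the insert uses a PDO prepared statement (the mysql_* functions, including mysql_real_escape_string(), were removed in PHP 7).

```php
<?php
// Added example (not from the original post): sticky, server-side-validated
// form that escapes on output and inserts with a prepared statement.
// Assumptions: PHP 7.1+, PDO with the pdo_sqlite driver; an in-memory SQLite
// database stands in for the MySQL table from the question.
declare(strict_types=1);

// A fixed field list drives everything. No variable variables ($$k), so a
// POST key such as "db" or "errors" cannot overwrite script state.
const FIELDS = ['name', 'email', 'message'];

// Step 1 + 2: every field exists (initialized to '') and carries the submitted
// value; step "check": empty fields and a malformed address become errors.
function validate(array $post): array
{
    $values = [];
    $errors = [];
    foreach (FIELDS as $f) {
        // Accept strings only; name="foo[]" would hand us an array.
        $v = isset($post[$f]) && is_string($post[$f]) ? trim($post[$f]) : '';
        $values[$f] = $v;
        if ($v === '') {
            $errors[$f] = 'This field is required.';
        }
    }
    if (!isset($errors['email'])
        && filter_var($values['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Not a valid e-mail address.';
    }
    return [$values, $errors];
}

// Step 3: escape when the value lands in HTML. ENT_QUOTES also encodes the
// single quote, so the value is safe inside either kind of attribute quote.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render(array $values, array $errors): string
{
    $out = '<form method="post">' . "\n";
    foreach (FIELDS as $f) {
        $out .= sprintf('<label>%s <input type="text" name="%s" value="%s" /></label>',
            h($f), h($f), h($values[$f]));
        if (isset($errors[$f])) {
            $out .= ' <span class="error">' . h($errors[$f]) . '</span>';
        }
        $out .= "\n";
    }
    return $out . '<input type="submit" value="Send" />' . "\n</form>\n";
}

// Placeholders keep the value out of the SQL text, so "' OR 1=1 --" is
// stored as a string instead of becoming part of the query.
function save(PDO $db, array $values): int
{
    $stmt = $db->prepare(
        'INSERT INTO contacts (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->execute($values);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT)');

// Constructed sample submissions standing in for $_POST (run from the CLI).
$submissions = [
    ['name' => '"/><!--',      'email' => 'not-an-address',    'message' => ''],
    ['name' => "' OR 1=1 --",  'email' => 'alice@example.com', 'message' => 'Hello'],
];
foreach ($submissions as $post) {
    [$values, $errors] = validate($post);
    if ($errors) {
        echo render($values, $errors);   // redisplay: sticky and escaped
    } else {
        $id = save($db, $values);
        $check = $db->prepare('SELECT name FROM contacts WHERE id = ?');
        $check->execute([$id]);
        echo "stored row $id with name " . var_export($check->fetchColumn(), true) . "\n";
    }
}
```

Running it from the command line prints the redisplayed form for the first submission, with `"/><!--` rendered as `&quot;/&gt;&lt;!--` inside the value attribute, and for the second reports the stored name as the literal string `' OR 1=1 --`, confirming that neither the HTML nor the query was altered by the input.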