
PHP Form Validation (Discussion)



ClubCosmic
07-09-2005, 06:56 PM
Hi everyone,

Although I use methods for form validations, I was wondering how you go about validating textareas? Is it possible to prevent SQL injection attacks when your form contains textareas for user comments?

Hope this makes a good thread, perhaps we can all learn something. :D

c.c.

delinear
07-09-2005, 07:24 PM
I don't see how textareas are any different to other form elements that allow for user input. Generally I find addslashes() is fine for my requirements :)

ClubCosmic
07-09-2005, 07:43 PM
How does using addslashes() benefit you when you're validating text in your forms?

delinear
07-09-2005, 10:43 PM
I meant regarding sql injection attacks. As for validation... well, it depends what the data is that I'm validating and what criteria that data has to meet.

ClubCosmic
07-09-2005, 11:10 PM
I'm just using it to echo user comments.

Do you think validating this sort of info is necessary?

delinear
07-09-2005, 11:14 PM
Well in that case you probably don't need any validation more advanced than checking that some text was entered? I just use trim() (to make sure they didn't enter just whitespaces) and empty() to do that:

$_POST['textarea'] = (isset($_POST['textarea']) ? trim($_POST['textarea']) : '');
// this will set $_POST['textarea'] to empty if it's unset or if only whitespaces were entered by the user

if(empty($_POST['textarea'])) {
// this tests if the value is empty, if it is, I return the user to the form and flag the textarea as requiring text
}

ClubCosmic
07-09-2005, 11:20 PM
Thank you. Even though user comments are optional, I wanted to make sure I wasn't presenting a loophole for some sort of SQL attack.

So when I add user comments I should use addslashes() to prevent SQL injection attacks.

a little paranoia is healthy sometimes. :D

delinear
07-10-2005, 12:24 AM
If you're saving them in a database, then yes, addslashes() will escape any dangerous characters for you, and when you come to display it back in the browser, just use stripslashes() so that users don't see ugly escape characters.

If you have magic quotes enabled in PHP then the server will automatically addslashes to all $_POST, $_GET and $_COOKIE data for you though, so it's worth checking if this is enabled first because escaping data twice will just give you headaches.

Paranoia is definitely a good trait where this stuff is concerned :D
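One way to validate and store a comment textarea, as an added example that is not delinear's or ClubCosmic's code: it keeps the trim()/empty() idea from above and, instead of addslashes(), binds the text as a query parameter with PDO, so nothing is escaped on the way in and there is nothing to stripslashes() on the way out. The in-memory SQLite database, the comments table and the sample inputs are constructed here for the demo.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// and a constructed "comments" table so it runs stand-alone.

function validateComment(?string $raw, int $maxLen = 2000): array
{
    // Same idea as the thread: unset or whitespace-only input counts as empty.
    $text = trim((string) $raw);
    $errors = [];
    if ($text === '') {
        $errors[] = 'Comment is required.';
    } elseif (strlen($text) > $maxLen) {
        $errors[] = "Comment must be at most $maxLen bytes.";
    }
    return ['value' => $text, 'errors' => $errors];
}

function storeComment(PDO $db, string $text): int
{
    // Binding the text as a parameter keeps it out of the SQL grammar, so
    // quotes, backslashes and semicolons in the comment are just data.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
    return (int) $db->lastInsertId();
}

function renderComment(string $text): string
{
    // Escape for the HTML context on output; nothing was altered on input,
    // so there is nothing to stripslashes() and no double-escaping to undo.
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
// Constructed inputs: one that is only whitespace, one with quotes and markup.
$samples = ["   \n ", "It's a \"quoted\" comment; with <b>tags</b>\nand a line break"];
foreach ($samples as $raw) {
    $result = validateComment($raw);
    if ($result['errors']) {
        echo "Rejected: {$result['errors'][0]}\n";
        continue;
    }
    $id = storeComment($db, $result['value']);
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = ?');
    $stmt->execute([$id]);
    $intact = $stmt->fetchColumn() === $result['value'];
    echo "Stored #$id intact: " . var_export($intact, true) . "\n" . renderComment($result['value']) . "\n";
}
```

Because the stored text is byte-for-byte what the user typed, the magic-quotes double-escaping problem mentioned above does not arise; any escaping happens only at the point of output.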
