PHP Form Validation (Discussion)

ClubCosmic · 07-09-2005, 06:56 PM

Hi everyone,

Although I use methods for form validations, I was wondering how do you go about validating textareas? Is it possible to prevent sql injection attacks when your form contains textareas for user comments?

Hope this makes a good thread, perhaps we can all learn something.

c.c.

delinear · 07-09-2005, 07:24 PM

I don't see how textareas are any different to other form elements that allow for user input. Generally I find addslashes() is fine for my requirements

ClubCosmic · 07-09-2005, 07:43 PM

How does using addslashes() benefit you when you're validating text in your forms?

delinear · 07-09-2005, 10:43 PM

I meant regarding sql injection attacks. As for validation... well, it depends what the data is that I'm validating and what criteria that data has to meet.

ClubCosmic · 07-09-2005, 11:10 PM

I'm just using it to echo user comments

do you think validating this sort of info nessecary?

delinear · 07-09-2005, 11:14 PM

Well in that case you probably don't need any validation more advanced than checking that some text was entered? I just use trim() (to make sure they didn't enter just whitespaces) and empty() to do that:

PHP Code:


			
$_POST['textarea'] = (isset($_POST['textarea']) ? trim($_POST['textarea']) : '');

// this will set $_POST['textarea'] to empty if it's unset or if only whitespaces were entered by the user



if(empty($_POST['textarea'])) {

    // this tests if the value is empty, if it is, I return the user to the form and flag the textarea as requiring text

}

ClubCosmic · 07-09-2005, 11:20 PM

thank you, even though user comments are optional i wanted to make sure i wasnt presenting a loophole for some sort os sql attack.

so when i add user commments i should use addslashes() to prevent sql injection attacks.

a little paranoia is healthy sometimes.

delinear · 07-10-2005, 12:24 AM

If you're saving them in a database, then yes, addslashes() will escape any dangerous characters for you and when you come to display it back in the browser just use stripslashes() so that users don't see ugly escape characters.

If you have magic quotes enabled in PHP then the server will automatically addslashes to all $_POST, $_GET and $_COOKIE data for you though, so it's worth checking if this is enabled first because escaping data twice will just give you headaches.

Paranoia is definitely a good trait where this stuff is concerned