Comments on: Smart web form validation with PHP http://briancray.com/2009/09/18/web-form-validation-php/ User Experience Design, Web Development, and Internet Marketing Fri, 30 Jul 2010 19:34:04 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Brian Cray http://briancray.com/2009/09/18/web-form-validation-php/#comment-29216 Brian Cray Mon, 21 Sep 2009 17:42:14 +0000 http://briancray.com/?p=1288#comment-29216 Tutorial City: Very cool, I didn't realize those existed on top of filter_var. Tutorial City: Very cool, I didn’t realize those existed on top of filter_var.

]]> By: Tutorial City http://briancray.com/2009/09/18/web-form-validation-php/#comment-29214 Tutorial City Mon, 21 Sep 2009 16:05:42 +0000 http://briancray.com/?p=1288#comment-29214 <strong>Just a note:</strong> <em>filter_var_array</em> and <em>filter_input_array</em> were created to handle arrays, sou you do not need to use <em>array_map</em> Just a note: filter_var_array and filter_input_array were created to handle arrays, sou you do not need to use array_map

]]> By: Brian Cray http://briancray.com/2009/09/18/web-form-validation-php/#comment-29132 Brian Cray Sat, 19 Sep 2009 17:30:53 +0000 http://briancray.com/?p=1288#comment-29132 Brian: cool use of the array_map function for sure, and good point about the XSS attack. I wanted to emphasize the methodology and extra filtering should always occur on user input, such as htmlspecialchars or strip_tags, depending on how the input data will be displayed. Thanks so much for your insight! Brian: cool use of the array_map function for sure, and good point about the XSS attack. I wanted to emphasize the methodology and extra filtering should always occur on user input, such as htmlspecialchars or strip_tags, depending on how the input data will be displayed. Thanks so much for your insight!

]]> By: Brian Reavis http://briancray.com/2009/09/18/web-form-validation-php/#comment-29131 Brian Reavis Sat, 19 Sep 2009 17:16:33 +0000 http://briancray.com/?p=1288#comment-29131 As Michael said, control of data validation should never be put in the hands of the user. It'd be super easy for me to open Firebug and adjust the 'name' attribute on your form fields to insert whatever I like in your database. That's not hacking session vars. If you use this with the assumption that the data going into your database is solid (like most app developers would, for basic fields like email addresses at least), XSS holes will pop up all over the place. I could change "email_required_emailaddress" to "email" and send: <code>"><script type="text/javascript">/*send cookie data to remote source here*/</script></code> ...to steal users' passwords. If people have accounts and data on your CMS, security really should be a concern---no matter how difficult you perceive hacking to be. Data validation isn't something that just affects the person sending the form. If data isn't validated/sanitized properly, it becomes everyone's problem and concern. Also, a bit of a side note: The <em>array_map</em> function is a really handy one to use. Your sanitation step could be a lot faster and smaller: <code>$postVars = array_map('trim', get_magic_quotes_gpc() ? array_map('stripslashes', $_POST) : $_POST);</code> Anyways, just my two cents. All the best. As Michael said, control of data validation should never be put in the hands of the user.

It’d be super easy for me to open Firebug and adjust the ‘name’ attribute on your form fields to insert whatever I like in your database. That’s not hacking session vars. If you use this with the assumption that the data going into your database is solid (like most app developers would, for basic fields like email addresses at least), XSS holes will pop up all over the place. I could change “email_required_emailaddress” to “email” and send:

"><script type="text/javascript">/*send cookie data to remote source here*/</script>

…to steal users’ passwords. If people have accounts and data on your CMS, security really should be a concern—no matter how difficult you perceive hacking to be. Data validation isn’t something that just affects the person sending the form. If data isn’t validated/sanitized properly, it becomes everyone’s problem and concern.

Also, a bit of a side note: The array_map function is a really handy one to use. Your sanitation step could be a lot faster and smaller:

$postVars = array_map('trim', get_magic_quotes_gpc() ? array_map('stripslashes', $_POST) : $_POST);

Anyways, just my two cents. All the best.

]]> By: Brian Cray http://briancray.com/2009/09/18/web-form-validation-php/#comment-29129 Brian Cray Sat, 19 Sep 2009 16:38:13 +0000 http://briancray.com/?p=1288#comment-29129 David: You're right, the idea here is to separate back-end and front-end development in cases where it's handled by two different people. Great suggestions! Baba Nutboltoo: filter_var is definitely the way to go, as I outlined in "Things to consider about this method." However, many people are not running PHP 5.2.0 or above, which is required to use filter_var. I do like the idea to stay with KISS =) David: You’re right, the idea here is to separate back-end and front-end development in cases where it’s handled by two different people. Great suggestions!

Baba Nutboltoo: filter_var is definitely the way to go, as I outlined in “Things to consider about this method.” However, many people are not running PHP 5.2.0 or above, which is required to use filter_var. I do like the idea to stay with KISS =)

]]> By: AntonioCS http://briancray.com/2009/09/18/web-form-validation-php/#comment-29126 AntonioCS Sat, 19 Sep 2009 15:44:57 +0000 http://briancray.com/?p=1288#comment-29126 This method is great for client side validation, if you also have server side validation. I thinks there is a jQuery plugin that does something like this (looks at the fields name to know how to validate it). Good article :) This method is great for client side validation, if you also have server side validation.

I thinks there is a jQuery plugin that does something like this (looks at the fields name to know how to validate it).

Good article :)

]]> By: Smart Web Form Validation With PHP | Design Newz http://briancray.com/2009/09/18/web-form-validation-php/#comment-29125 Smart Web Form Validation With PHP | Design Newz Sat, 19 Sep 2009 15:32:26 +0000 http://briancray.com/?p=1288#comment-29125 [...] Smart Web Form Validation With PHP [...] [...] Smart Web Form Validation With PHP [...]

]]> By: Tutorial City http://briancray.com/2009/09/18/web-form-validation-php/#comment-29116 Tutorial City Sat, 19 Sep 2009 11:13:33 +0000 http://briancray.com/?p=1288#comment-29116 I think it's a good decision to use <em>filter_var</em>. this library has almost anything you would want to, and even an option to use your own regular expressions. The best idea(my opinion) is to create a class to hold all validation, and use it across all the projects(maybe almost all). ;) I think it’s a good decision to use filter_var. this library has almost anything you would want to, and even an option to use your own regular expressions. The best idea(my opinion) is to create a class to hold all validation, and use it across all the projects(maybe almost all). ;)

]]> By: Baba Nutboltoo http://briancray.com/2009/09/18/web-form-validation-php/#comment-29114 Baba Nutboltoo Sat, 19 Sep 2009 09:38:46 +0000 http://briancray.com/?p=1288#comment-29114 Your clients won't pay you more for web services if you make them in this way!! "This actually isn’t what I’m using in my CMS, but I thought about it while I was writing my CMS, and I thought it was unique enough to share." - Please don't share things which you didn't use. First use it, test it, check if there is any error or hole then fix them and after then share it. PHP has a good set of functions to check these validations : filter_var, ctype_alnum, ctype_alpha etc.. Then why take the heck to write those regular expressions? Just learn how to KISS and effective :D Your clients won’t pay you more for web services if you make them in this way!!

“This actually isn’t what I’m using in my CMS, but I thought about it while I was writing my CMS, and I thought it was unique enough to share.”

- Please don’t share things which you didn’t use. First use it, test it, check if there is any error or hole then fix them and after then share it. PHP has a good set of functions to check these validations : filter_var, ctype_alnum, ctype_alpha etc.. Then why take the heck to write those regular expressions? Just learn how to KISS and effective :D

]]> By: david http://briancray.com/2009/09/18/web-form-validation-php/#comment-29108 david Sat, 19 Sep 2009 08:07:32 +0000 http://briancray.com/?p=1288#comment-29108 If your method is only used to set php validation it's a bad process. And why can't you use a fieldname that is also a rulename? The fieldname gets split off before the the rules are checked. I think the use of the underscore to split the fieldname and the rules is very limiting. It's better to use more metacharacters, for example fieldname.rule1-rule2:param A way to improve security is to process the html to extract the rules from the fields and only leave the name of the field when the form gets displayed. It's not a bad idea if you think about giving CMS mods the rights to create forms without messing with code but it's too basic to call it smart. If your method is only used to set php validation it’s a bad process. And why can’t you use a fieldname that is also a rulename? The fieldname gets split off before the the rules are checked.

I think the use of the underscore to split the fieldname and the rules is very limiting. It’s better to use more metacharacters, for example fieldname.rule1-rule2:param

A way to improve security is to process the html to extract the rules from the fields and only leave the name of the field when the form gets displayed.

It’s not a bad idea if you think about giving CMS mods the rights to create forms without messing with code but it’s too basic to call it smart.

]]>