Best way to validate a HTML form?


bigboss


I am designing a registration script for a small business, and I was wondering what method I should use to validate the information.

Should I use a foreach loop to loop through the $_POST and check for blank fields and erroneous data, or should I use a series of if statements on their own or in a validate function?

Any views are very much appreciated.


I recommend using a loop for all of the basic stuff, like trim(), htmlspecialchars() and/or htmlentities(), depending on the data. But then as the data becomes more specific you will need to further break down the validation and scrutinization of the variables, and you will have to begin breaking them into smaller groups and eventually single entities.


A series of if statements on their own with a validate function is what I would use:

if (check_if_null($_POST['somedata'] ?? null))
{
    $nameerrormessage = 'You can not leave Name Blank';
}
// check length same way etc

function check_if_null($string)
{
    // true when the field is missing or blank, so the caller's if branch runs
    if ($string === null || trim($string) === '')
    {
        return true;
    }
    return false;
}


As for the whole security side of it use this function at the top of your page.

if ($_POST)
{
    foreach ($_POST as $k => $v)
    {
        // normalise the raw value first, then apply the length rules to it
        $v = trim(stripslashes($v));
        if (strlen($v) > 20)
        {
            $v = "";
        }
        if (is_numeric($v))
        {
            if (strlen($v) > 11)
            {
                $v = "";
            }
            $v = intval($v);
        }
        // mysql_real_escape_string() needs an open mysql_connect() link and belongs
        // to the legacy mysql extension, which was removed in PHP 7
        $_POST[$k] = mysql_real_escape_string(RemoveXSS($v));
    }
}

function RemoveXSS($val)
{
    // strip control characters, keeping tab (\x09), newline (\x0a), carriage return (\x0d) and space
    $val = preg_replace('/[\x00-\x08\x0b-\x0c\x0e-\x1f]/', '', $val);

    // decode numeric HTML entities for printable ASCII so an entity-encoded keyword is still caught below
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++)
    {
        $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val);
        $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val);
    }

    $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    // keep rewriting until a full pass over the word list changes nothing
    $found = true;
    while ($found == true) {
        $val_before = $val;
        for ($i = 0; $i < sizeof($ra); $i++) {
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    // allow entity-encoded tab/newline/CR between the letters of the keyword
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}([9ab]);?)';
                    $pattern .= '|';
                    $pattern .= '(&#0{0,8}(9|10|13);?)';
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            // insert a harmless <x> tag so the keyword no longer parses as one token
            $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2);
            $val = preg_replace($pattern, $replacement, $val);
        }
        if ($val_before == $val) {
            $found = false;
        }
    }
    return $val;
}


I have written a series of if statements that work; however, I have also written a foreach loop that does work for blank fields.

I have also changed from using one register page to two pages, and using GET to pass the errors back to the register page. I know this seems stupid, but this is the only way that I can use a header function.

I have got confused on how I would use a loop to insert values into my database. Any ideas?

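As an added example (not code from anyone in this thread), here is one way to tie the advice together: per-field rules in one table, a loop over that table rather than over $_POST, escaping only when the error text is printed, and a prepared statement for the insert, which also answers the last post's question about inserting with a loop. The $rules table, validate(), a `users` table with columns name/email/age, an open PDO connection in $pdo and the mbstring extension are all assumptions of this example.

```php
<?php
// Added example (not from the thread): validate each field against its own rule,
// then INSERT the validated fields with a prepared statement. Assumes a `users`
// table with columns name, email, age and an open PDO connection in $pdo.
$rules = [
    'name'  => ['required' => true, 'max' => 50],
    'email' => ['required' => true, 'max' => 254, 'filter' => FILTER_VALIDATE_EMAIL],
    'age'   => ['required' => false, 'filter' => FILTER_VALIDATE_INT,
                'options' => ['options' => ['min_range' => 13, 'max_range' => 120]]],
];
function validate(array $input, array $rules): array
{
    $errors = [];
    $clean  = [];
    foreach ($rules as $field => $rule) {   // whitelist: keys not in $rules are ignored
        $raw   = $input[$field] ?? '';
        $value = is_string($raw) ? trim($raw) : '';   // arrays (name[]) count as blank
        if ($value === '') {
            if ($rule['required']) {
                $errors[$field] = "$field cannot be blank";
            }
            continue;                       // optional field left empty: not stored
        }
        if (isset($rule['max']) && mb_strlen($value) > $rule['max']) {
            $errors[$field] = "$field is too long";
            continue;
        }
        if (isset($rule['filter'])) {
            $value = filter_var($value, $rule['filter'], $rule['options'] ?? []);
            if ($value === false) {
                $errors[$field] = "$field is not valid";
                continue;
            }
        }
        $clean[$field] = $value;
    }
    return [$errors, $clean];
}
[$errors, $clean] = validate($_POST, $rules);
if ($errors) {
    foreach ($errors as $msg) {
        echo '<p>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>'; // escape on output
    }
    exit;
}
// Column names come from the validated keys, never from $_POST; values are bound,
// so no mysql_real_escape_string() style escaping of the data is needed.
$cols = array_keys($clean);
$sql  = 'INSERT INTO users (' . implode(', ', $cols) . ') VALUES (:' . implode(', :', $cols) . ')';
$pdo->prepare($sql)->execute($clean);
```

Because the errors live in an array returned by validate(), the form and its messages can be rendered on the same page and the GET round-trip from the last post is not needed.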
