bigboss Posted March 11, 2009

I am designing a registration script for a small business, and I was wondering what method I should use to validate the information. Should I use a foreach loop to loop through the $_POST and check for blank fields and erroneous data, or should I use a series of if statements on their own or in a validate function? Any views are very much appreciated.
WolfRage Posted March 11, 2009

I recommend using a loop for all of the basic stuff, like trim(), htmlspecialchars() and/or htmlentities(), depending on the data. But then as the data becomes more specific you will need to further break down the validation and scrutiny of the variables, and you will have to begin breaking them into smaller groups and eventually single entities.
MiCR0 Posted March 11, 2009

A series of if statements on their own with a validate function is what I would use:

```php
if (check_if_null($_POST['somedata'] ?? null)) {
    $nameerrormessage = 'You can not leave Name Blank';
}
// check length the same way, etc.

// Returns true when the field is missing or blank, so that the
// if (check_if_null(...)) above actually fires.
function check_if_null($string) {
    return $string === null || trim($string) === '';
}
```

As for the whole security side of it, use this function at the top of your page:

```php
if ($_POST) {
    foreach ($_POST as $k => $v) {
        $v = trim(stripslashes($v));
        // Blank anything over 20 characters; numeric values over 11 digits are
        // blanked too, shorter ones are cast to int.
        if (strlen($v) > 20) {
            $v = "";
        }
        if (is_numeric($v)) {
            $v = strlen($v) > 11 ? "" : intval($v);
        }
        // mysql_real_escape_string() needs an open mysql_connect() link and was
        // removed in PHP 7; it is kept here as posted.
        $_POST[$k] = mysql_real_escape_string(RemoveXSS((string) $v));
    }
}

function RemoveXSS($val) {
    // Remove non-printable characters so that <java\0script> cannot be used to
    // re-space a tag. TAB (09), LF (0a) and CR (0d) are kept and handled below.
    $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

    // Decode numeric entities for ordinary characters, e.g. &#x6A; or &#0106; for 'j',
    // so that the keyword matching further down sees plain text.
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // 0{0,8} allows zero padding, ;? makes the terminating semicolon optional
        $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val);
        $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val);
    }

    // Tag names and event handlers to neutralise
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'xml', 'blink', 'link',
        'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer',
        'layer', 'bgsound', 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate',
        'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste',
        'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange',
        'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut',
        'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate',
        'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop',
        'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin',
        'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload',
        'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout',
        'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste',
        'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend',
        'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll',
        'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    // Keep going until a full pass makes no change, so that nested words such as
    // "javajavascriptscript" are caught too.
    do {
        $val_before = $val;
        foreach ($ra as $word) {
            // Allow encoded TAB/LF/CR entities between the letters of the word
            $pattern = '/';
            for ($j = 0; $j < strlen($word); $j++) {
                if ($j > 0) {
                    $pattern .= '((&#[xX]0{0,8}([9ab]);)|(&#0{0,8}(9|10|13);))*';
                }
                $pattern .= $word[$j];
            }
            $pattern .= '/i';
            // Break the word with <x> so it no longer parses as a tag or handler
            $replacement = substr($word, 0, 2).'<x>'.substr($word, 2);
            $val = preg_replace($pattern, $replacement, $val);
        }
    } while ($val_before !== $val);

    return $val;
}
```
bigboss Posted March 11, 2009

I have written a series of if statements that work; however, I have also written a foreach loop that does work for blank fields. I have also changed from using one register page to two pages, and I am using GET to pass the errors back to the register page. I know this seems stupid, but this is the only way that I can use a header function. I have got confused about how I would use a loop to insert values into my database. Any ideas?
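The thread asks two things: whether to validate with one foreach over $_POST or with per-field checks, and how a loop can then drive the database insert. The following is an added example (not code from any poster) that does both from one declared field list: the loop runs over the fields the form is expected to have, not over whatever the client sent, each field gets its own rule, and the same list builds a parameterised INSERT. The field names, the `users` table and the in-memory SQLite database are assumptions for illustration; pdo_sqlite is assumed to be installed.

```php
<?php
// Added example, not code from the thread. Field names, the `users` table and
// the SQLite stand-in for the real database are assumptions for illustration.

// Declared whitelist of expected fields with per-field rules. Keys that are not
// listed here are ignored, so a client cannot smuggle extra columns into the insert.
$fields = [
    'username' => ['required' => true,  'max' => 32,  'pattern' => '/^[A-Za-z0-9_]+$/'],
    'email'    => ['required' => true,  'max' => 254, 'filter'  => FILTER_VALIDATE_EMAIL],
    'company'  => ['required' => false, 'max' => 100],
];

/**
 * Loop over the declared fields (not over $_POST) and apply each field's rules.
 * Returns [clean, errors]. Values are trimmed but otherwise left intact: HTML
 * escaping is done at output time and SQL quoting by the prepared statement.
 */
function validate_registration(array $input, array $fields): array
{
    $clean  = [];
    $errors = [];
    foreach ($fields as $name => $rule) {
        // A client can send field[]=..., which arrives as an array; treat that
        // as blank rather than handing an array to trim()/strlen().
        $raw   = $input[$name] ?? '';
        $value = is_string($raw) ? trim($raw) : '';

        if ($value === '') {
            if ($rule['required']) {
                $errors[$name] = "You cannot leave $name blank";
            }
            $clean[$name] = null;
            continue;
        }
        if (strlen($value) > $rule['max']) {
            $errors[$name] = "$name must be at most {$rule['max']} characters";
        } elseif (isset($rule['pattern']) && !preg_match($rule['pattern'], $value)) {
            $errors[$name] = "$name contains characters that are not allowed";
        } elseif (isset($rule['filter']) && filter_var($value, $rule['filter']) === false) {
            $errors[$name] = "$name is not valid";
        } else {
            $clean[$name] = $value;
        }
    }
    return [$clean, $errors];
}

/**
 * Insert the validated values in one loop driven by the same field list. Column
 * names come from our own whitelist, never from the request, so they may be
 * interpolated; the values go through bound parameters.
 */
function insert_registration(PDO $db, string $table, array $fields, array $clean): void
{
    $cols = array_keys($fields);
    $sql  = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $cols),
        implode(', ', array_map(function ($c) { return ":$c"; }, $cols))
    );
    $stmt = $db->prepare($sql);
    foreach ($cols as $c) {
        $stmt->bindValue(":$c", $clean[$c], $clean[$c] === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    }
    $stmt->execute();
}

// Constructed sample requests standing in for $_POST. The first is rejected
// (malformed e-mail, over-long company); the second is inserted.
$bad = [
    'username' => ' alice_01 ',
    'email'    => 'not-an-address',
    'company'  => str_repeat('x', 120),
    'is_admin' => '1',                  // not in $fields: silently dropped
];
$good = ['username' => 'alice_01', 'email' => 'alice@example.com'];

// In-memory SQLite stands in for the business's MySQL server; only the DSN differs.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT, email TEXT, company TEXT)');

foreach ([$bad, $good] as $request) {
    [$clean, $errors] = validate_registration($request, $fields);
    if ($errors) {
        // Re-render the form with the messages; escape on output.
        foreach ($errors as $field => $msg) {
            echo htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8'), "\n";
        }
        continue;
    }
    insert_registration($db, 'users', $fields, $clean);
    echo "inserted {$clean['username']}\n";
}
```

Because the loop iterates over `$fields` rather than over `$_POST`, an unexpected key such as `is_admin` never reaches the query, and a missing optional field becomes a bound NULL instead of an undefined-index notice. Swapping the DSN for a `mysql:` one leaves the rest unchanged.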