Drongo_III Posted May 16, 2011

Hi Guys

Can anyone tell me why this doesn't work?

    <?php
    $form = "<form action='test.php' method='POST'><input type='text' name='test' /> <input type='submit'>";
    echo $form;
    $name = $_POST['test'];

    class validate {
        function check_input($data) {
            $data = trim($data);
            $data = stripslashes($data);
            $data = htmlspecialchars($data);
            return $data;
        }
    }

    $z = new validate();
    echo $z->check_input($name);
    ?>

Also, when it comes to validating POST data that's input via a form and retrieving it, is it secure to set a variable for the POST value, i.e. $name = $_POST['test'];, or is it more secure to pass $_POST['test'] straight into the validation? It just occurs to me that if you pull the POST value into a variable then you're inviting insecure code into your script. Though I am a complete noob at this so might be talking rubbish!

Any light you can shed on why my little script isn't working would be appreciated, and any tips on the best method for validating data securely would also be welcome.

Thank you

Drongo
kenrbnsn Posted May 16, 2011

You never terminate the <form> with a </form>, so your form may not work in all browsers.

Also, the $_POST array is only set once the form is submitted, so you need some logic in your code to only do the validation if the form was submitted.

Ken
Drongo_III Posted May 16, 2011

Hi Ken

Thanks for the reply. Oops, didn't spot the closing form tag. Been staring at the screen too long. This is just a test page at the moment.

The thing is this function just refuses to work and I can't figure out why. Even when I use just a variable it doesn't seem to be getting passed into the function.

    <?php
    $form = "<form action='test2.php' method='POST'><input type='text' name='test' /> <input type='submit'></form>";
    echo $form;
    $name = $_POST['test'];
    $name2 = '<?php echo "hello";';

    class validate {
        function check_input($data) {
            $data = trim($data);
            $data = stripslashes($data);
            $data = htmlspecialchars($data);
            return $data;
        }
    }

    $z = new validate();
    echo $z->check_input($name2);
    ?>

Very confused as I can't see what is wrong :/
Drongo_III Posted May 16, 2011

By the way, the variable above, "$name2", was just to test the clean-up process. No joy though.
fugix Posted May 16, 2011

Try to keep your function var consistent with your post var. So if your post var is $name, then your function var will be $name:

    class validate {
        function check_input($name) {
            $data = trim($name);
            $data = stripslashes($name);
            $data = htmlspecialchars($name);
            return $name;
        }
    }
Drongo_III Posted May 16, 2011

Thanks Fugix

I tried that but still no luck :/ I think I am cursed as nothing I seem to try works at the moment!

Also, is that a rule about param names? I thought just $data would represent whatever param I supplied, i.e. so I could reuse the function on multiple types of form input. Or am I wrong?
fugix Posted May 16, 2011

Try to make name equal to a simple string...

    $name = 'test';
kenrbnsn Posted May 17, 2011

What makes you think it's not working?

Ken
jcbones Posted May 17, 2011

How is it NOT working? How are you determining that it is NOT working? Not working can mean many things!

I bet if you would look at "page source" you would find that your string is indeed translated to HTML chars.
waubain Posted May 17, 2011

I tried using the same example I found for validation and it also did not work. The function works if you leave the form blank and returns the error message, but the other parts did work. I tested mine by redirecting to a different page and echoing the $_SESSION variable. If I typed in <123456>, this is what echoed on the second page. It did not strip the markup characters.

Here is what I tried.

    <?php
    session_start();
    if (isset($_POST['submit'])) {
        $patient_id = check_input($_POST['patient_num'], "Enter Patient ID");
        $_SESSION['patientid'] = $patient_id;
        header('Location: pt_found.php');
        exit();
    }
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Patient Call Form</title>
        <link rel="stylesheet" type="text/css" href="main.css" />
    </head>
    <body>
        <form name="patientfindform" action="#" method="post">
            <div>
                <label>Patient ID:</label>
                <input type="text" name="patient_num" /><br />
            </div>
            <div>
                <label> </label>
                <input type="submit" name="submit" value="Find Patient" /><br />
            </div>
        </form>
        <script type="text/javascript">
            document.patientfindform.patient_num.focus();
        </script>
    </body>
    </html>
    <?php
    // Trim, undo magic-quote slashes, then encode for HTML; die() with the
    // supplied message if a required field came back empty.
    function check_input($data, $problem = '') {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        if ($problem && strlen($data) == 0) {
            die($problem);
        }
        return $data;
    }
    ?>
jcbones Posted May 17, 2011

Are you looking at your browser window, or at the page source file, for the "It did not strip the markup characters"? You do know that the browser will display the markup chars by their given entities?
kenrbnsn Posted May 17, 2011

Do a "show source"; there you will see that the characters are replaced. If they hadn't been, you would have seen nothing, since the browser would have eaten anything that looks like an HTML tag.

Ken
waubain Posted May 17, 2011

JCBones,

In all honesty, I did not know that, nor much about all of this. I am an old ICU pharmacist trying to create a better hospital pharmacy simulation for my pharmacy students. Six months ago I had no clue what HTML, CSS, and PHP even stood for, and I am slowly plugging away, but it is hard to teach an old dog a new trick. The last time I took a computer class, I had to carry stacks of punch cards to the computer room!

Thanks for everyone's suggestions.
anupamsaha Posted May 17, 2011

If you are using PHP5, please try the following:

    class validate {
        function __construct() {}

        function check_input($name) {
            $data = trim($name);
            $data = stripslashes($name);
            $data = htmlspecialchars($name);
            return $name;
        }
    }

Thanks!
Drongo_III Posted May 17, 2011

Ahh yes, you were right chaps. It was just the output to the browser. The source shows them encoded. I didn't realise it would do that; noob mistake.

So that just leaves two questions:

1) Does that function do the necessaries in the correct order?

2) Is it secure to pass the POST values to a variable and then clean them, or should you clean straight from accessing the POST array?

Thanks,

Drongo
jcbones Posted May 17, 2011

Not a n00b mistake at all, it catches all of us from time to time. Sometimes staring at the monitor for too long just gets to ya.

1.) Yes, the function is fine, but I would add mysql_real_escape_string() to the variable if I was inserting to a MySQL database.

2.) Yes, perfectly secure. Although it is less coding to run it straight through.
Drongo_III Posted May 17, 2011

Thanks JC! That helps a lot.

Well, I think the case of the phantom validator is solved. I shall have Watson chronicle this in my memoirs.

Right, onwards and upwards. Thanks chaps!
DavidAM Posted May 18, 2011

Drongo_III - At some point someone suggested changing your method to this:

    function check_input($name) {
        $data = trim($name);
        $data = stripslashes($name);
        $data = htmlspecialchars($name);
        return $name;
    }

If you take a close look at it, that method DOES NOTHING. It returns EXACTLY WHAT WAS PASSED IN. All of the operations in it are performed against $name and assigned to $data, but $name is returned UNMODIFIED. Make sure you fix this method.

Your original method was fine. I don't know why it was suggested to change the parameter name from $data to $name, but you either need to change all of the $name variables to $data or change all of the $data variables to $name.
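An added example, not code from the thread, that puts DavidAM's point and the browser-versus-source point from Ken and jcbones side by side: the thread's method with the parameter bug fixed, the broken variant for comparison, and the isset() check Ken asked for. The class name Validate, the function brokenCheckInput and the sample input are my own.

```php
<?php
// Added example (not from the thread): the thread's validator with the
// $name/$data bug fixed, plus a comparison that shows why the browser view
// looked "unchanged" while the page source was in fact encoded.
declare(strict_types=1);

class Validate
{
    // Cleans one form value for safe echoing into HTML.
    // Order matters: trim whitespace, undo magic-quote slashes, then encode.
    public function checkInput(string $data): string
    {
        $data = trim($data);
        $data = stripslashes($data);
        // ENT_QUOTES also encodes single quotes; the thread's call used defaults.
        return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
    }
}

// The broken variant DavidAM describes: every result is written to $data,
// but $name (the untouched input) is what gets returned.
function brokenCheckInput(string $name): string
{
    $data = trim($name);
    $data = stripslashes($name);
    $data = htmlspecialchars($name);
    return $name;
}

$v = new Validate();
$sample = "  <123456>  ";            // constructed input, like waubain's test

$fixed  = $v->checkInput($sample);   // "&lt;123456&gt;"
$broken = brokenCheckInput($sample); // "  <123456>  " (unchanged)

echo "fixed : $fixed\n";   // entities; a browser renders them as <123456>
echo "broken: $broken\n";  // a raw tag would reach the browser

// Only validate once the form has actually been submitted; before that
// $_POST['test'] does not exist and reading it raises a notice.
if (isset($_POST['test'])) {
    $clean = $v->checkInput($_POST['test']);
    // The browser shows "<123456>" but "view source" shows "&lt;123456&gt;",
    // which is the behaviour Ken and jcbones describe.
    echo "<p>You entered: $clean</p>";
}
```

For the database step jcbones mentions, prepared statements (PDO or mysqli) are the current approach; mysql_real_escape_string() belongs to the mysql extension that was removed in PHP 7, and HTML-encoding is an output step, not something to apply before storing a value.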
Drongo_III Posted May 18, 2011

Thanks David

I changed it back to the original, as when I checked the source I realised nothing was happening with $name as the parameter, and now you've pointed out the logic I can see why.

Wrapping your head around the logical way the system deals with input is starting to click into place, slowly!

Thanks for the help!