PHP MySQL Forms - Only allow numbers in a textfield

[Stalingrad]

Hey again guys! I'm back already today. XD Okay, so... I'm building a script, right. I have a form that is a simple text field. I do NOT want to use javascript. I want to be able to use PHP to be able to do this. Here is the form exactly as it is now:

 

<form action="<?php echo "$PHP_SELF"; ?>" method="POST">
<input type="text" name="price">

 

How would I only allow a number, and up to 5 digits long, like, for example, a zip code. I know I can always limit the char space, but they might be able to "inject" it?

 

On another note for forms, what would I have to do to get rid of people being able to run a script through a form; is it the strip_tags(); function?

Thanks for your help in advance guys!

[scootstah]

You could use is_int() to see if it is a number. And you could use strlen() to see if it is a certain amount of characters.

$price = $_POST['price'];

if (is_int($price) && strlen($price) == 5) {
     // good to go
}

 

What do you mean by "run a script"? strip_tags() will remove HTML tags, which could prevent XSS attacks.

[Stalingrad]

Thanks! I'll check and see if that works. The other thing, um.. A while back I let this guy try out my site. He made his name in his profile scroll. XD I want to avoid attacks AND also stop people from running scripts and stuff in places they shouldn't. thanks again!

[requinix]

is_int() will never work on $_GET or $_POST values. They are always strings and is_int() only accepts actual integers.

 

Use ctype_digit.

[Stalingrad]

thanks!

[ialsoagree]

Alternatively, you could use is_numeric(), which is meant to determine if a variable is an integer, or if it is a string variable with only a number (which can include a sign, decimal, exponential, or can be in hex form without sign, decimal, or exponential).