
Form Validation


phreak3r


Form processing code should:

  1. Detect that a POST method form was submitted.
  2. Trim all input data (this can be done with one statement), so that you can detect if all whitespace characters were entered. This is the only 'modification' of the form data that should be done.
  3. If there can be more than one form, you need some control logic (a switch/case statement is one way) to detect a unique value (hidden field) to control which form processing code gets executed.
  4. The validation logic needs to store the validation errors in an array, with the array's main index being the field name (this index is used for 'dependent' validation steps to let you test if there is or is not already an error for a field, and if you are outputting the error near the form field it applies to). This array is also an error flag: if the array is empty, there are no errors; if the array is not empty, there are errors.
  5. If there are more than about 2-3 form fields, you should dynamically validate and process the form data, by defining a data structure (array or database table) that contains elements for each field that control what general purpose code does, such as defining 'required' fields, what type of validation rules to apply, and which type of processing code the field is used in.
  6. After the validation logic, if there are no errors, use the submitted data for whatever purpose it is intended for.
  7. After the data has been used, if there are no errors, perform a redirect to the exact same URL of the form processing code to cause a GET request for the page.
  8. If there are errors, the code continues and re-displays the form, with any error messages (either all at once or with each one near the field it applies to), and repopulates the (appropriate) fields with the previously submitted data values (applying htmlentities() to help prevent cross site scripting), so that the user doesn't need to keep reentering the same data.
Edited by mac_gyver

Never sanitize input data?  Why on earth would you NOT do that?  Hackers can put anything into an input field and your script has to be prepared to handle it or face the consequences.  The rule might be 'never alter input'.  But for sure you have to sanitize it to avoid damage to your database or whatever your script is doing with the data.


On 7/29/2019 at 1:41 PM, ginerjm said:

Never sanitize input data?  Why on earth would you NOT do that?  Hackers can put anything into an input field and your script has to be prepared to handle it or face the consequences.  The rule might be 'never alter input'.  But for sure you have to sanitize it to avoid damage to your database or whatever your script is doing with the data.

How would you sanitize input without changing or mangling it?

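Added example, not code from the thread or from any of the posters: a single PHP script that follows the eight steps in mac_gyver's list above and also illustrates the answer to the sanitizing question, by leaving the submitted values unaltered (apart from the initial trim) and instead protecting the two points of use: prepared-statement placeholders when a value reaches the database, and htmlentities() when it reaches the page. The form id 'contact', its three fields, the contacts table and the saveContact() function are assumptions made for the example.

```php
<?php
// Added example (not from the thread). Form processing that validates without
// altering the input: trim once, dispatch on a hidden form id, collect errors
// in an array keyed by field name, drive validation from a definition array,
// use the data via a prepared statement, redirect on success, otherwise
// re-display the form with errors and htmlentities()-escaped values.
declare(strict_types=1);

// Step 5: per-field rules that control the general-purpose validation code.
// (The 'contact' form and its fields are hypothetical.)
$forms = [
    'contact' => [
        'name'  => ['required' => true,  'type' => 'text',  'max' => 100],
        'email' => ['required' => true,  'type' => 'email'],
        'age'   => ['required' => false, 'type' => 'int', 'min' => 0, 'max' => 150],
    ],
];

// Step 2: trim every submitted value in one statement, including array fields.
function trimAll($value)
{
    return is_array($value) ? array_map('trimAll', $value) : trim($value);
}

// Step 4: returns errors keyed by field name; an empty array means "valid".
// The raw value is only inspected here, never rewritten.
function validateForm(array $rules, array $post): array
{
    $errors = [];
    foreach ($rules as $field => $rule) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            $errors[$field] = "$field has an unexpected format.";
            continue;
        }
        if ($value === '') {                       // empty after trim
            if ($rule['required']) {
                $errors[$field] = "$field is required.";
            }
            continue;                              // optional and empty: done
        }
        switch ($rule['type']) {
            case 'email':
                if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                    $errors[$field] = "$field must be a valid email address.";
                }
                break;
            case 'int':
                $opts = ['options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']]];
                if (filter_var($value, FILTER_VALIDATE_INT, $opts) === false) {
                    $errors[$field] = "$field must be a whole number from {$rule['min']} to {$rule['max']}.";
                }
                break;
            case 'text':
                if (mb_strlen($value) > $rule['max']) {
                    $errors[$field] = "$field must be at most {$rule['max']} characters.";
                }
                break;
        }
    }
    return $errors;
}

// Step 6 (hypothetical use of the data): a prepared statement carries the
// unmodified value to the database; no escaping or "sanitizing" is needed.
function saveContact(PDO $pdo, array $data): void
{
    $stmt = $pdo->prepare('INSERT INTO contacts (name, email, age) VALUES (:name, :email, :age)');
    $stmt->execute([
        ':name'  => $data['name'],
        ':email' => $data['email'],
        ':age'   => $data['age'] === '' ? null : (int) $data['age'],
    ]);
}

$errors = [];
$post   = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {                 // step 1
    $post = trimAll($_POST);                                 // step 2
    switch ($post['form_id'] ?? '') {                        // step 3
        case 'contact':
            $errors = validateForm($forms['contact'], $post);
            if (!$errors) {
                // saveContact($pdo, $post);  // $pdo: your PDO connection (assumed)
                header('Location: ' . $_SERVER['REQUEST_URI']);  // step 7: POST -> GET
                exit;
            }
            break;
        default:
            $errors['form_id'] = 'Unknown form submitted.';
    }
}

// Step 8: re-display with each error next to its field and values repopulated.
// htmlentities() is applied at output time, so the stored/submitted data stays raw.
function fieldHtml(string $name, array $post, array $errors): string
{
    $value = htmlentities((string) ($post[$name] ?? ''), ENT_QUOTES, 'UTF-8');
    $error = isset($errors[$name])
        ? ' <span class="error">' . htmlentities($errors[$name], ENT_QUOTES, 'UTF-8') . '</span>'
        : '';
    return "<label>$name <input type=\"text\" name=\"$name\" value=\"$value\"></label>$error<br>\n";
}
?>
<form method="post">
<input type="hidden" name="form_id" value="contact">
<?php foreach (array_keys($forms['contact']) as $name) { echo fieldHtml($name, $post, $errors); } ?>
<button type="submit">Send</button>
</form>
```

The `$errors` array doubles as the error flag from step 4: `if (!$errors)` decides between "use the data and redirect" and "fall through to re-display", and a dependent check (for example, only comparing two password fields when neither already has an error) would test `isset($errors['password'])` before running. Nothing in the pipeline rewrites a submitted value, which is the answer to the "how would you sanitize without mangling" question: the database and the HTML page each get the raw value through an interface that treats it strictly as data.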
