adam291086, posted October 31, 2007 (thread: https://forums.phpfreaks.com/topic/75505-form-validation/)

Hello, I have a form that inserts data into a db via mysql. I want to validate the form to check people aren't inputting code to destroy my database and website. How can I go about this? Any good tutorials? Thanks
Orio, posted October 31, 2007

Best tutorial... The manual: http://www.php.net/manual/en/security.database.php

Orio.
adam291086 (author), posted October 31, 2007

Thanks, that's helped a little, but what about validating form input to check for code? I have heard stories about whole databases being dumped through a form being submitted.
aschk, posted October 31, 2007

Determine what fields you are passing through (from the user). Put each field through a rigorous test based on what type you expect it to be, i.e. if you're expecting an integer, use the is_int() function. If you're also expecting it to be in a range, then `if x>0 and x<50` will do. Or you could write a range($lower,$upper) function to do that for you. If you want to avoid characters in strings then perform a regular expression. It's all basic really. ANY input from a user (whether $_POST or $_GET) is insecure and should be verified before delivering.
revraz, posted October 31, 2007

Check for empty values.
Make sure you use mysql_real_escape_string on variables.
Make sure you stripslashes.
aschk, posted October 31, 2007

mysql_real_escape_string will only work if you are utilising a MySQL connection at the time, which might not be the case, and thus will throw a warning (perhaps causing erratic behaviour dependent upon your setup). Of course you could mention just mysql_escape_string() instead, however again I would say that unless you are utilising MySQL this function might not give you expected results. Are the quote parameters not different for different databases?
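The advice in the replies above, worked into one runnable PHP script as an added example (not code from the thread or from any of its posters): each field is checked against the type you expect, empty values are rejected, and the INSERT sends the values as bound parameters so the database driver does the quoting for whichever connection is actually in use, which sidesteps the connection- and database-specific escaping problem raised in the last reply. The `members` table, the rule set and the sample submissions are constructed for the example; it assumes PHP 7.1 or later with the pdo_sqlite extension so the demo runs offline.

```php
<?php
// Added example, not code from the thread. Whitelist validation of form
// fields by expected type, then a parameterised INSERT via PDO so the
// database never sees user input as SQL. Table and column names, the rules
// and the sample submissions are constructed for this example.

declare(strict_types=1);

// One rule per field. Anything not listed here is ignored (whitelist).
const FORM_RULES = [
    'username' => ['type' => 'regex', 'pattern' => '/^[A-Za-z0-9_]{3,20}$/'],
    'age'      => ['type' => 'int',   'min' => 1, 'max' => 120],
    'email'    => ['type' => 'email'],
];

// Returns the cleaned value, or null when the raw string fails the rule.
// $_POST values are always strings, so is_int('42') is false;
// FILTER_VALIDATE_INT is the string-aware check and enforces the range too.
function validate_field(string $raw, array $rule)
{
    switch ($rule['type']) {
        case 'int':
            $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => [
                'min_range' => $rule['min'], 'max_range' => $rule['max'],
            ]]);
            return $v === false ? null : $v;
        case 'regex':
            return preg_match($rule['pattern'], $raw) === 1 ? $raw : null;
        case 'email':
            $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
            return $v === false ? null : $v;
        default:
            throw new InvalidArgumentException("unknown rule type: {$rule['type']}");
    }
}

// Validates a whole submission ($_POST or $_GET). Returns [cleanValues, errors].
function validate_form(array $input, array $rules): array
{
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        $raw = $input[$field] ?? '';
        // A field[] in the request arrives as an array; treat it as missing.
        if (!is_string($raw) || trim($raw) === '') {
            $errors[$field] = 'required';
            continue;
        }
        $v = validate_field(trim($raw), $rule);
        if ($v === null) {
            $errors[$field] = 'invalid ' . $rule['type'];
            continue;
        }
        $clean[$field] = $v;
    }
    return [$clean, $errors];
}

// The INSERT never concatenates user data into SQL: values travel as bound
// parameters, so a quote or comment marker is stored as plain text.
function insert_member(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO members (username, age, email) VALUES (:username, :age, :email)'
    );
    $stmt->execute([
        ':username' => $clean['username'],
        ':age'      => $clean['age'],
        ':email'    => $clean['email'],
    ]);
    return (int) $db->lastInsertId();
}

// Demo with constructed submissions (in production these come from $_POST).
// In-memory SQLite stands in for MySQL so the script runs without a server.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, age INTEGER, email TEXT)');

$submissions = [
    ['username' => 'alice_07',    'age' => '34',  'email' => 'alice@example.com'],
    ['username' => "o'brien; --", 'age' => '34',  'email' => 'ob@example.com'],  // quote and comment marker
    ['username' => 'bob',         'age' => '999', 'email' => 'not-an-email'],    // out of range, bad email
    ['username' => '',            'age' => '20',  'email' => 'c@example.com'],   // empty field
];
foreach ($submissions as $post) {
    [$clean, $errors] = validate_form($post, FORM_RULES);
    if ($errors !== []) {
        echo 'rejected: ' . json_encode($errors) . "\n";
        continue;
    }
    echo 'inserted row ' . insert_member($db, $clean) . "\n";
}
```

Run it with `php validate_demo.php`: the first submission is inserted, the second is rejected by the username pattern, the third fails both the age range and the e-mail check, and the fourth is rejected as empty. Two points the script makes concrete: every `$_POST` value arrives as a string, so `is_int()` on request data is always false and a string-aware check such as `FILTER_VALIDATE_INT` or `ctype_digit()` is needed; and with bound parameters the validation is a data-quality layer rather than the only thing standing between the form and the database, since even a username containing a quote would be stored literally instead of altering the query.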