Form Field Check

  • ratlhead

    Form Field Check

    Hey all,

    I've provided a form for a client of the company I work for that
    basically emails the form data to an email address. Only a couple of
    the many fields are required...nothing too fancy.

    However, the sys admin has made the following request:

    "All fields, not just the required fields, need validation for syntax,
    shell escape characters and string length. This is a security issue."

    On no site have I ever had to deal with this being a "security
    issue"... I mean, is having escape characters in a form field really
    a big deal? Or having an empty form field? At most, they get put
    into a variable that's then sent in an email.

    If I need to check for escape characters, what's the best way to
    approach doing so? Thanks y'all!

    -Mike
  • Richard Hockey

    #2
    Re: Form Field Check


    "ratlhead" <ratlhead@ratlhead.com> wrote in message
    news:fd9c5ab3.0307102311.7e4dd6be@posting.google.com...
    > Hey all,
    >
    > I've provided a form for a client of the company I work for that
    > basically emails the form data to an email address. Only a couple of
    > the many fields are required...nothing too fancy.
    >
    > However, the sys admin has made the following request:
    >
    > "All fields, not just the required fields, need validation for syntax,
    > shell escape characters and string length. This is a security issue."

    It might become an issue when you build a DB driven site and someone uses a
    text field to insert SQL to delete the entire database, for example.
    >
    > On no site have I ever had to deal with this being a "security
    > issue"... I mean, is having escape characters in a form field really
    > a big deal? Or having an empty form field? At most, they get put
    > into a variable that's then sent in an email.

    Forms don't just send e-mails. Look on almost any e-commerce site and you
    will find examples of database searches driven by HTML forms. An empty form
    field might cause an SQL command to fail. SQL error messages displayed on
    the client's browser don't look very professional.
    >
    > If I need to check for escape characters, what's the best way to
    > approach doing so? Thanks y'all!

    One way to validate form entries is to use regular expression patterns to
    check the form entries fit a specific template, i.e. numbers only, text, text
    and spaces.

    // check to see if a forename field entry is composed only of letters
    // (?? "" treats a missing field as empty, so it fails the check instead
    // of raising an undefined-index notice)
    if (!preg_match("/^[a-zA-Z]+$/", $_POST["Nforename"] ?? "")) {
        // invalid form entry. go back to form
    }

    /^[0-9]+$/ - only digits 0 - 9 allowed

    /^[a-zA-Z\s]+$/ - letters and spaces

    /^[a-zA-Z0-9\.]+$/ - letters, numbers and periods
    >
    > -Mike

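A fuller version of the pattern approach above, as an added example that is not part of the thread: every field, required or not, gets a whitelist pattern, a maximum length and a ban on control characters, which covers the three points in the sysadmin's request. The field names, limits and the sample submission are assumptions for illustration.

```php
<?php
// Added example, not code from the original thread: whitelist validation of
// every form field (syntax, length, control characters) before any mail is
// built. Field names and limits are assumptions for illustration.
$rules = [
    'Nforename' => ['pattern' => '/^[a-zA-Z]+$/',       'max' => 40,  'required' => true],
    'Nsurname'  => ['pattern' => '/^[a-zA-Z\'\- ]+$/',   'max' => 60,  'required' => true],
    'Nemail'    => ['pattern' => '/^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$/',
                    'max' => 254, 'required' => true],
    'Nphone'    => ['pattern' => '/^[0-9 +()\-]+$/',     'max' => 20,  'required' => false],
    'Ncomment'  => ['pattern' => '/^[a-zA-Z0-9 .,!?\'\-]*$/', 'max' => 500, 'required' => false],
];

// Returns an array of field => reason; empty means the submission is clean.
function validate_fields(array $rules, array $input): array
{
    $errors = [];
    foreach ($rules as $name => $rule) {
        // A missing field is treated like an empty one.
        $value = isset($input[$name]) ? (string) $input[$name] : '';
        if ($value === '') {
            if ($rule['required']) {
                $errors[$name] = 'required';
            }
            continue; // an empty optional field is fine
        }
        // Length first, so an oversized value never reaches the regex.
        if (strlen($value) > $rule['max']) {
            $errors[$name] = 'too long';
            continue;
        }
        // Reject every control character (CR, LF, ESC, NUL, ...) outright.
        // Note: a bare $ in PCRE also matches before a trailing newline,
        // so this check is not redundant with the pattern below.
        if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
            $errors[$name] = 'control characters';
            continue;
        }
        // Syntax: the whole value must fit the whitelist pattern.
        if (!preg_match($rule['pattern'], $value)) {
            $errors[$name] = 'invalid characters';
        }
    }
    return $errors;
}

// Constructed sample standing in for $_POST; the comment carries a newline.
$sample = ['Nforename' => 'Mike', 'Nsurname' => "O'Brien",
           'Nemail' => 'mike@example.com', 'Ncomment' => "Hello\nthere"];
print_r(validate_fields($rules, $sample)); // Ncomment => control characters
```

Only when the returned array is empty should the values be copied into the e-mail; anything else sends the user back to the form.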
