PHP user input validation



4fit?
09-17-2008, 12:13 PM
I am writing a modification package for the forum software that my site uses. In it, I have a form where the user enters data and then clicks the save button. This fires a PHP validation check before saving the settings. However, I have a couple of problems.

#1 - For some reason, the code below is not working. I simply want to set these fields equal to 0 if they are empty when Save is clicked. Any ideas why this isn't working?


if (empty($_POST['countdown_hour']))
$_POST['countdown_hour'] = 0;
if (empty($_POST['countdown_minute']))
$_POST['countdown_minute'] = 0;
if (empty($_POST['countdown_second']))
$_POST['countdown_second'] = 0;


#2 - I have been asked by the modification team to ensure that no HTML, Javascript, etc. languages can be submitted in the fields that accept text values. How can I do this?

Currently, this is the entire save portion of my script. Any and all help anyone can provide is tremendously appreciated! Thanks in advance!



$countdown_err = '';
// Saving?
if (isset($_GET['save']))
{
	if (!empty($_POST['enable_countdown']))
	{
		// Required text and a four-character year.
		if (empty($_POST['countdown_title']))
			$countdown_err .= $txt['countdown_title_error'];
		if ($func['strlen']($_POST['countdown_year']) != 4)
			$countdown_err .= $txt['countdown_year_error'];

		// Range checks. Note that empty('0') is true, so a month or day of 0
		// trips both the "< 1" test and the empty() test.
		if (($_POST['countdown_month'] < 1) || ($_POST['countdown_month'] > 12) || (empty($_POST['countdown_month'])))
			$countdown_err .= $txt['countdown_month_error'];
		if (($_POST['countdown_day'] < 1) || ($_POST['countdown_day'] > 31) || (empty($_POST['countdown_day'])))
			$countdown_err .= $txt['countdown_day_error'];
		if ((!empty($_POST['countdown_hour'])) && (($_POST['countdown_hour'] < 0) || ($_POST['countdown_hour'] > 23)))
			$countdown_err .= $txt['countdown_hour_error'];
		if ((!empty($_POST['countdown_minute'])) && (($_POST['countdown_minute'] < 0) || ($_POST['countdown_minute'] > 59)))
			$countdown_err .= $txt['countdown_minute_error'];
		if ((!empty($_POST['countdown_second'])) && (($_POST['countdown_second'] < 0) || ($_POST['countdown_second'] > 59)))
			$countdown_err .= $txt['countdown_second_error'];

		// Numeric checks. ereg() is deprecated since PHP 5.3 and removed in PHP 7,
		// so preg_match() is used here with the same pattern. The pattern still
		// admits a leading minus and a decimal part; the range checks above reject
		// negatives, but a value such as 11.5 would pass for the month.
		$numeric = '/^-?[0-9]+(\.[0-9]+)?$/';
		if (!preg_match($numeric, $_POST['countdown_year']))
			$countdown_err .= $txt['countdown_year_nan'];
		if (!preg_match($numeric, $_POST['countdown_month']))
			$countdown_err .= $txt['countdown_month_nan'];
		if (!preg_match($numeric, $_POST['countdown_day']))
			$countdown_err .= $txt['countdown_day_nan'];
		if (!empty($_POST['countdown_hour']) && !preg_match($numeric, $_POST['countdown_hour']))
			$countdown_err .= $txt['countdown_hour_nan'];
		if (!empty($_POST['countdown_minute']) && !preg_match($numeric, $_POST['countdown_minute']))
			$countdown_err .= $txt['countdown_minute_nan'];
		if (!empty($_POST['countdown_second']) && !preg_match($numeric, $_POST['countdown_second']))
			$countdown_err .= $txt['countdown_second_nan'];
		if (empty($_POST['countdown_reached_message']))
			$countdown_err .= $txt['countdown_reached_message_error'];

		// Optional time fields default to 0 when left blank.
		if (empty($_POST['countdown_hour']))
			$_POST['countdown_hour'] = 0;
		if (empty($_POST['countdown_minute']))
			$_POST['countdown_minute'] = 0;
		if (empty($_POST['countdown_second']))
			$_POST['countdown_second'] = 0;

		if (!empty($countdown_err))
			fatal_error($countdown_err, false);
	}

	saveDBSettings($config_vars);
	writeLog();

	redirectexit('action=featuresettings;sa=countdown');
}
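One way to do both things asked for in the post, as an added example that is not code from the original post or from the forum software: every integer field is accepted only if it consists of digits and falls in its range, the three date parts are checked together with checkdate(), and the two text fields are refused if strip_tags() would change them. validate_countdown() and countdown_escape() are hypothetical helper names; the $txt keys it returns are assumed to exist in the mod's language file (the `_html` ones would be new), and $sample_post is a constructed request, not real traffic.

```php
<?php
// Added example for the question above; not code from the original post or
// from the forum software. validate_countdown() is a hypothetical helper and
// the language keys it returns are assumed to exist in the mod's $txt array.

function validate_countdown(array $post)
{
    $errors = array();   // $txt keys, in the order the problems were found
    $clean  = array();   // validated values, safe to hand to the settings writer

    // Integer fields: name => array(min, max, required). The optional time
    // fields become 0 when blank, which is what the empty() block in the post intends.
    $int_fields = array(
        'countdown_year'   => array(1000, 9999, true),   // four digits
        'countdown_month'  => array(1, 12, true),
        'countdown_day'    => array(1, 31, true),
        'countdown_hour'   => array(0, 23, false),
        'countdown_minute' => array(0, 59, false),
        'countdown_second' => array(0, 59, false),
    );
    foreach ($int_fields as $name => $spec) {
        list($min, $max, $required) = $spec;
        // A field posted as an array (name[]=...) is treated as blank rather than cast.
        $raw = (isset($post[$name]) && is_string($post[$name])) ? trim($post[$name]) : '';
        if ($raw === '') {
            if ($required)
                $errors[] = $name . '_error';
            else
                $clean[$name] = 0;
            continue;
        }
        // ctype_digit() accepts only 0-9, so "-5", "12.5", "1e3" and "0x1f" are
        // rejected before any numeric comparison is made on the string.
        // (filter_var() with FILTER_VALIDATE_INT would also reject "08", which
        // users do type for months and days, so it is not used here.)
        if (!ctype_digit($raw)) {
            $errors[] = $name . '_nan';
            continue;
        }
        $value = (int) $raw;
        if ($value < $min || $value > $max)
            $errors[] = $name . '_error';
        else
            $clean[$name] = $value;
    }

    // Per-field ranges still allow 31 February; checkdate() catches that.
    if (isset($clean['countdown_year'], $clean['countdown_month'], $clean['countdown_day'])
        && !checkdate($clean['countdown_month'], $clean['countdown_day'], $clean['countdown_year']))
        $errors[] = 'countdown_day_error';

    // Text fields: required, and refused if they contain markup. strip_tags()
    // is used as a detector only: if it would change the string, the save is
    // rejected instead of silently altered, so the user sees what went wrong.
    foreach (array('countdown_title', 'countdown_reached_message') as $name) {
        $raw = (isset($post[$name]) && is_string($post[$name])) ? trim($post[$name]) : '';
        if ($raw === '')
            $errors[] = $name . '_error';
        elseif ($raw !== strip_tags($raw))
            $errors[] = $name . '_html';   // assumed new language string
        else
            $clean[$name] = $raw;
    }

    return array($errors, $clean);
}

// Whatever was accepted must still be escaped when echoed into a page;
// validation on the way in does not replace encoding on the way out.
function countdown_escape($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request (not real traffic): an injection attempt in the
// title, a leading-zero month, an impossible day, and blank time fields.
$sample_post = array(
    'countdown_title'           => 'Launch <script>alert(1)</script>',
    'countdown_year'            => '2008',
    'countdown_month'           => '02',
    'countdown_day'             => '31',
    'countdown_hour'            => '',
    'countdown_minute'          => '',
    'countdown_second'          => '',
    'countdown_reached_message' => 'We have lift-off!',
);
list($errors, $clean) = validate_countdown($sample_post);
if (!empty($errors)) {
    // In the save handler the keys would be mapped through $txt and passed to
    // fatal_error(), as the post does; here they are simply listed.
    echo 'Rejected: ' . implode(', ', $errors) . "\n";
}
echo countdown_escape($clean['countdown_reached_message']) . "\n";
```

Two caveats. The strip_tags() comparison enforces a "no markup at all" policy, which is what the modification team asked for; it is not the XSS control. The control is countdown_escape() (or the forum's own output escaping) applied wherever the stored title or message is printed, and that must still happen even though the input was checked, because the same settings could be written by another path later. Second, a handler that changes settings on a POST should also verify that the request carries the forum's own session or form token before it reaches the validation at all, since none of the checks above tell a user's click apart from a request forged from another site.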

Nile
09-18-2008, 01:37 AM
First of all, try this:


if ((empty($_POST['countdown_hour']))) {
$_POST['countdown_hour'] = 0;
}
if ((empty($_POST['countdown_minute']))) {
$_POST['countdown_minute'] = 0;
}
if ((empty($_POST['countdown_second']))) {
$_POST['countdown_second'] = 0;
}

Also, if that doesn't work, try using false and true.

jim123
09-20-2008, 12:14 PM
You can use this function to check the numeric values.

<?php
// check number is greater than 0 and $length digits long
// returns TRUE on success, FALSE otherwise (the original fell through and
// returned NULL on failure, which is == FALSE but not === FALSE)
function checkNumber($num, $length){
	if($num > 0 && strlen((string) $num) == $length)
	{
		return TRUE;
	}
	return FALSE;
}
?>



With this function we can also check our numbers are correct for our use.

<?php
// checkSet() and sanityCheck() are called below but were not included in the
// post; the two definitions here are assumed implementations that match the
// way they are used.

// all form fields are present in the POST (an HTML form submits every field,
// possibly empty, so isset() holds for optional fields too)
function checkSet(){
	return isset($_POST['userName'], $_POST['userAddress'], $_POST['userCity'], $_POST['userZip']);
}

// the value is of the given type ('string' or 'numeric', tested with
// is_string()/is_numeric()), is not blank, and is at most $length characters
function sanityCheck($string, $type, $length){
	$type = 'is_'.$type;
	if(!$type($string)) return FALSE;
	if(trim($string) === '') return FALSE;
	if(strlen($string) > $length) return FALSE;
	return TRUE;
}

// check all our variables are set
if(checkSet() != FALSE)
{
	// check the POST variable userName is sane, and is not empty
	if(empty($_POST['userName'])==FALSE && sanityCheck($_POST['userName'], 'string', 25) != FALSE)
	{
		$userName = $_POST['userName'];
	}
	else
	{
		echo 'Username is not set';
		exit();
	}
	// here we test for the sanity of userAddress, we don't need to stop the
	// script if it is empty as it is not a required field.
	if(sanityCheck($_POST['userAddress'], 'string', 100) != FALSE)
	{
		$userAddress = $_POST['userAddress'];
	}
	else
	{
		$userAddress = '';
	}
	// here we test for the sanity of userCity, we don't need to stop the
	// script if it is empty as it is not a required field.
	if(sanityCheck($_POST['userCity'], 'string', 25) != FALSE)
	{
		$userCity = $_POST['userCity'];
	}
	else
	{
		$userCity = '';
	}
	// check the sanity of the number and that it is greater than zero and 5 digits long
	if(sanityCheck($_POST['userZip'], 'numeric', 5) != FALSE && checkNumber($_POST['userZip'], 5) == TRUE)
	{
		$userZip = $_POST['userZip'];
	}
	else
	{
		$userZip='';
	}
}
else
{
	// this will be the default message if the form is accessed without POSTing
	echo '<p>Please fill in the form above</p>';
}
?>

