
Thread: PHP user input validation

  1. #1

    PHP user input validation

    I am writing a modification package for the forum software that my site uses. In it, I have a form where the user enters data and then clicks the save button. This fires a PHP validation check before saving the settings. However, I have a couple of problems.

    #1 - For some reason, the code below is not working. I simply want to set these fields equal to 0 if they are empty when Save is clicked. Any ideas why this isn't working?
    PHP Code:
    if (empty($_POST['countdown_hour']))
        $_POST['countdown_hour'] = 0;
    if (empty($_POST['countdown_minute']))
        $_POST['countdown_minute'] = 0;
    if (empty($_POST['countdown_second']))
        $_POST['countdown_second'] = 0;

    #2 - I have been asked by the modification team to ensure that no HTML, Javascript, etc. languages can be submitted in the fields that accept text values. How can I do this?

    Currently, this is the entire save portion of my script. Any and all help anyone can provide is tremendously appreciated! Thanks in advance!

    PHP Code:
    $countdown_err = '';

    // Saving?
    if (isset($_GET['save']))
    {
        if (!empty($_POST['enable_countdown']))
        {
            // ereg() was removed in PHP 7; preg_match() with the same pattern
            // (optionally signed integer or decimal, e.g. "2009" or "-1.5").
            $numeric = '/^-?[0-9]+(\.[0-9]+)?$/';

            if (empty($_POST['countdown_title']))
                $countdown_err .= $txt['countdown_title_error'];
            if ($func['strlen']($_POST['countdown_year']) != 4)
                $countdown_err .= $txt['countdown_year_error'];
            if (($_POST['countdown_month'] < 1) || ($_POST['countdown_month'] > 12) || empty($_POST['countdown_month']))
                $countdown_err .= $txt['countdown_month_error'];
            if (($_POST['countdown_day'] < 1) || ($_POST['countdown_day'] > 31) || empty($_POST['countdown_day']))
                $countdown_err .= $txt['countdown_day_error'];
            if (!empty($_POST['countdown_hour']) && (($_POST['countdown_hour'] < 0) || ($_POST['countdown_hour'] > 23)))
                $countdown_err .= $txt['countdown_hour_error'];
            if (!empty($_POST['countdown_minute']) && (($_POST['countdown_minute'] < 0) || ($_POST['countdown_minute'] > 59)))
                $countdown_err .= $txt['countdown_minute_error'];
            if (!empty($_POST['countdown_second']) && (($_POST['countdown_second'] < 0) || ($_POST['countdown_second'] > 59)))
                $countdown_err .= $txt['countdown_second_error'];

            // Not-a-number checks
            if (!preg_match($numeric, $_POST['countdown_year']))
                $countdown_err .= $txt['countdown_year_nan'];
            if (!preg_match($numeric, $_POST['countdown_month']))
                $countdown_err .= $txt['countdown_month_nan'];
            if (!preg_match($numeric, $_POST['countdown_day']))
                $countdown_err .= $txt['countdown_day_nan'];
            if (!empty($_POST['countdown_hour']) && !preg_match($numeric, $_POST['countdown_hour']))
                $countdown_err .= $txt['countdown_hour_nan'];
            if (!empty($_POST['countdown_minute']) && !preg_match($numeric, $_POST['countdown_minute']))
                $countdown_err .= $txt['countdown_minute_nan'];
            if (!empty($_POST['countdown_second']) && !preg_match($numeric, $_POST['countdown_second']))
                $countdown_err .= $txt['countdown_second_nan'];
            if (empty($_POST['countdown_reached_message']))
                $countdown_err .= $txt['countdown_reached_message_error'];

            // Default the optional time fields to 0 when left blank
            if (empty($_POST['countdown_hour']))
                $_POST['countdown_hour'] = 0;
            if (empty($_POST['countdown_minute']))
                $_POST['countdown_minute'] = 0;
            if (empty($_POST['countdown_second']))
                $_POST['countdown_second'] = 0;

            if (!empty($countdown_err))
                fatal_error($countdown_err, false);
        }

        saveDBSettings($config_vars);
        writeLog();

        redirectexit('action=featuresettings;sa=countdown');
    }
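The following is an added example, not code from the post above or from the forum software it modifies. It validates the same countdown form with one explicit validator per field type: whole-number fields are checked as digit strings and then range-checked, optional time fields default to 0 without relying on empty() (empty("0") is true in PHP, which makes a real hour of 0 look like "not set"), the date is checked with checkdate(), and the free-text fields are rejected outright if they contain characters that can open HTML markup. The field names are the question's; the helper names (intField, textField, validateCountdown), the plain-string error messages standing in for $txt[...] keys, and the sample submissions are assumptions made for this example.

```php
<?php
// Added example, not code from the original post or the forum software.
declare(strict_types=1);

/**
 * Integer field restricted to [$min, $max]. A blank field becomes $default,
 * or an error when $default is null (required field).
 *
 * trim() === '' is used instead of empty(): empty("0") is true in PHP, so a
 * legitimate hour/minute/second of 0 would otherwise be treated as missing.
 */
function intField(array $post, string $name, int $min, int $max, ?int $default, array &$errors): ?int
{
    $raw = trim((string) ($post[$name] ?? ''));
    if ($raw === '') {
        if ($default === null) {
            $errors[] = "$name is required";
            return null;
        }
        return $default;
    }
    // Digits only: no sign, decimal point, exponent or embedded whitespace.
    // "02" is accepted here; FILTER_VALIDATE_INT would reject the leading zero.
    if (!preg_match('/^[0-9]{1,6}$/', $raw)) {
        $errors[] = "$name is not a whole number";
        return null;
    }
    $val = (int) $raw;
    if ($val < $min || $val > $max) {
        $errors[] = "$name must be between $min and $max";
        return null;
    }
    return $val;
}

/**
 * Plain-text field. Rather than trying to strip HTML/JavaScript, reject any
 * value containing the characters that can open a tag. The stored value must
 * still be escaped with htmlspecialchars() wherever it is rendered.
 */
function textField(array $post, string $name, int $maxBytes, bool $required, array &$errors): ?string
{
    $val = trim((string) ($post[$name] ?? ''));
    if ($val === '') {
        if ($required) {
            $errors[] = "$name is required";
            return null;
        }
        return '';
    }
    if (strlen($val) > $maxBytes) {
        $errors[] = "$name is longer than $maxBytes bytes";
        return null;
    }
    // '<' or '>' can start markup; C0 control characters are never wanted in a title.
    if (preg_match('/[<>\x00-\x08\x0B\x0C\x0E-\x1F]/', $val)) {
        $errors[] = "$name may not contain HTML or control characters";
        return null;
    }
    return $val;
}

/** Returns ['errors' => [...], 'values' => [...]]; save only when errors is empty. */
function validateCountdown(array $post): array
{
    $errors = [];
    $v = [];
    $v['countdown_title']           = textField($post, 'countdown_title', 100, true, $errors);
    $v['countdown_reached_message'] = textField($post, 'countdown_reached_message', 500, true, $errors);
    $v['countdown_year']   = intField($post, 'countdown_year',   1970, 9999, null, $errors);
    $v['countdown_month']  = intField($post, 'countdown_month',  1, 12, null, $errors);
    $v['countdown_day']    = intField($post, 'countdown_day',    1, 31, null, $errors);
    $v['countdown_hour']   = intField($post, 'countdown_hour',   0, 23, 0, $errors);
    $v['countdown_minute'] = intField($post, 'countdown_minute', 0, 59, 0, $errors);
    $v['countdown_second'] = intField($post, 'countdown_second', 0, 59, 0, $errors);

    // Per-field range checks alone accept 31 February; checkdate() catches that.
    if ($v['countdown_year'] !== null && $v['countdown_month'] !== null && $v['countdown_day'] !== null
        && !checkdate($v['countdown_month'], $v['countdown_day'], $v['countdown_year'])) {
        $errors[] = 'countdown date does not exist';
    }
    return ['errors' => $errors, 'values' => $v];
}

// Constructed sample submissions (not real traffic).
$ok = [
    'countdown_title' => 'Site launch', 'countdown_reached_message' => 'We are live!',
    'countdown_year' => '2025', 'countdown_month' => '02', 'countdown_day' => '28',
    'countdown_hour' => '0', 'countdown_minute' => '', 'countdown_second' => '',
];
$bad = $ok;
$bad['countdown_title'] = '<script>alert(1)</script>';
$bad['countdown_day']   = '30';   // 30 February
$bad['countdown_hour']  = '-1';

foreach (['ok' => $ok, 'bad' => $bad] as $label => $form) {
    $r = validateCountdown($form);
    echo "$label: ", $r['errors'] ? implode('; ', $r['errors']) : 'valid', "\n";
}
```

Rejecting markup at input time is what the modification team asked for, but it is not a substitute for escaping at output: anything read back from the settings table and echoed into a page should still go through htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), so that a value stored by some other path cannot become script.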

  2. #2

    First of all, try this:
    PHP Code:
    if (empty($_POST['countdown_hour'])) {
        $_POST['countdown_hour'] = 0;
    }
    if (empty($_POST['countdown_minute'])) {
        $_POST['countdown_minute'] = 0;
    }
    if (empty($_POST['countdown_second'])) {
        $_POST['countdown_second'] = 0;
    }
    Also, if that doesn't work, try using false and true.
    Jeremy | jfein.net

  3. #3

    You can use this function to check the numeric values.

    <?php
    // check number is greater than 0 and $length digits long
    // returns TRUE on success, FALSE otherwise
    function checkNumber($num, $length)
    {
        if ($num > 0 && strlen($num) == $length)
        {
            return TRUE;
        }
        return FALSE;
    }
    ?>



    With this function we can also check our numbers are correct for our use.

    <?php
    // checkSet() and sanityCheck() are used below but were not defined in the
    // post; minimal definitions matching that usage are assumed here.
    // checkNumber() is the function from the block above.

    // TRUE when the form was actually POSTed
    function checkSet()
    {
        return $_SERVER['REQUEST_METHOD'] === 'POST';
    }

    // TRUE when $value is a string no longer than $maxLength;
    // for 'numeric' it must also consist of digits only
    function sanityCheck($value, $type, $maxLength)
    {
        if (!is_string($value) || strlen($value) > $maxLength)
        {
            return FALSE;
        }
        if ($type == 'numeric')
        {
            return ctype_digit($value);
        }
        return TRUE;
    }

    // check all our variables are set
    if (checkSet() != FALSE)
    {
        // check the POST variable userName is sane, and is not empty
        if (empty($_POST['userName']) == FALSE && sanityCheck($_POST['userName'], 'string', 25) != FALSE)
        {
            $userName = $_POST['userName'];
        }
        else
        {
            echo 'Username is not set';
            exit();
        }
        // here we test for the sanity of userAddress; we don't need to stop
        // the script if it is empty as it is not a required field.
        if (sanityCheck($_POST['userAddress'] ?? '', 'string', 100) != FALSE)
        {
            $userAddress = $_POST['userAddress'] ?? '';
        }
        else
        {
            $userAddress = '';
        }
        // here we test for the sanity of userCity; we don't need to stop
        // the script if it is empty as it is not a required field.
        if (sanityCheck($_POST['userCity'] ?? '', 'string', 25) != FALSE)
        {
            $userCity = $_POST['userCity'] ?? '';
        }
        else
        {
            $userCity = '';
        }
        // check the sanity of the number and that it is greater than zero and 5 digits long
        if (sanityCheck($_POST['userZip'] ?? '', 'numeric', 5) != FALSE && checkNumber($_POST['userZip'], 5) == TRUE)
        {
            $userZip = $_POST['userZip'];
        }
        else
        {
            $userZip = '';
        }
    }
    else
    {
        // this will be the default message if the form is accessed without POSTing
        echo '<p>Please fill in the form above</p>';
    }
    ?>


    http://www.infysolutions.com

    --------------------------------------------------------------------------
    Outsourcing software development
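An added example, not from the post above, on the checkNumber() test it proposes. "$num > 0 && strlen($num) == $length" looks like "an N-digit number" but is not: PHP compares a numeric string with an integer numerically, so strings containing a sign, a decimal point, an exponent or leading whitespace all pass the "> 0" half, and strlen() only counts characters. checkNumberLoose() below reproduces the posted logic for comparison; checkDigits() and the sample inputs are this example's own.

```php
<?php
// Added example (not from the post above): the posted numeric check beside a
// strict one, run over constructed inputs for a 5-character ZIP field.

// Reproduces the posted logic. A numeric string compared with an int is
// compared numerically, so "12.34" > 0, "+1234" > 0, "1e999" > 0 and
// " 1234" > 0 are all true, and each is 5 characters long.
function checkNumberLoose($num, int $length): bool
{
    return $num > 0 && strlen($num) == $length;
}

// Exactly $length ASCII digits and nothing else. ctype_digit($num) with a
// strlen() check does the same job if the ctype extension is available.
function checkDigits(string $num, int $length): bool
{
    return preg_match('/^[0-9]{' . $length . '}$/', $num) === 1;
}

// Constructed inputs (not real data): one genuine 5-digit value and
// several that only look like one.
$inputs = ['90210', '12.34', '+1234', '1e999', ' 1234', '123456'];
foreach ($inputs as $in) {
    printf("%-9s loose=%-5s strict=%s\n",
        var_export($in, true),
        checkNumberLoose($in, 5) ? 'true' : 'false',
        checkDigits($in, 5) ? 'true' : 'false');
}
```

The practical point is to validate the representation, not the converted value: decide what characters the field may contain and check that, then convert. A value that passes the loose check can still reach the database as "12.34" or "1e999" and be stored or cast into something the application never expected.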
