  1. #1
    Regular Coder
    Join Date
    May 2004
    Posts
    144
    Thanks
    0
    Thanked 0 Times in 0 Posts

    PHP Form Validation (Discussion)

    Hi everyone,

    Although I use methods for form validations, I was wondering how do you go about validating textareas? Is it possible to prevent sql injection attacks when your form contains textareas for user comments?

    Hope this makes a good thread, perhaps we can all learn something.

    c.c.

  • #2
    Regular Coder
    Join Date
    Feb 2005
    Location
    West Midlands, UK
    Posts
    623
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I don't see how textareas are any different to other form elements that allow for user input. Generally I find addslashes() is fine for my requirements.

  • #3
    Regular Coder
    Join Date
    May 2004
    Posts
    144
    Thanks
    0
    Thanked 0 Times in 0 Posts
    How does using addslashes() benefit you when you're validating text in your forms?
    Last edited by ClubCosmic; 07-09-2005 at 09:39 PM.

  • #4
    Regular Coder
    Join Date
    Feb 2005
    Location
    West Midlands, UK
    Posts
    623
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I meant regarding sql injection attacks. As for validation... well, it depends what the data is that I'm validating and what criteria that data has to meet.

  • #5
    Regular Coder
    Join Date
    May 2004
    Posts
    144
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I'm just using it to echo user comments.

    Do you think validating this sort of info is necessary?
    Last edited by ClubCosmic; 07-10-2005 at 12:14 AM.

  • #6
    Regular Coder
    Join Date
    Feb 2005
    Location
    West Midlands, UK
    Posts
    623
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Well in that case you probably don't need any validation more advanced than checking that some text was entered? I just use trim() (to make sure they didn't enter just whitespaces) and empty() to do that:
    PHP Code:
    $_POST['textarea'] = (isset($_POST['textarea']) ? trim($_POST['textarea']) : '');
    // this will set $_POST['textarea'] to empty if it's unset or if only whitespaces were entered by the user

    if (empty($_POST['textarea'])) {
        // this tests if the value is empty, if it is, I return the user to the form and flag the textarea as requiring text
    }

  • #7
    Regular Coder
    Join Date
    May 2004
    Posts
    144
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you, even though user comments are optional I wanted to make sure I wasn't presenting a loophole for some sort of SQL attack.

    So when I add user comments I should use addslashes() to prevent SQL injection attacks.

    A little paranoia is healthy sometimes.
    Last edited by ClubCosmic; 07-10-2005 at 12:23 AM.

  • #8
    Regular Coder
    Join Date
    Feb 2005
    Location
    West Midlands, UK
    Posts
    623
    Thanks
    0
    Thanked 0 Times in 0 Posts
    If you're saving them in a database, then yes, addslashes() will escape any dangerous characters for you and when you come to display it back in the browser just use stripslashes() so that users don't see ugly escape characters.

    If you have magic quotes enabled in PHP then the server will automatically addslashes to all $_POST, $_GET and $_COOKIE data for you though, so it's worth checking if this is enabled first because escaping data twice will just give you headaches.

    Paranoia is definitely a good trait where this stuff is concerned
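
As an added example (not code from any poster in this thread): one way to handle an optional textarea comment in current PHP, binding the value through a PDO prepared statement instead of escaping it with addslashes(), and HTML-encoding it when it is echoed. The `comments` table, the function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Table and function names are
// hypothetical; an in-memory SQLite database stands in for the real one.
declare(strict_types=1);

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Validation: comments are optional, so only trim and detect "nothing entered".
function clean_comment(?string $raw): ?string
{
    $text = trim((string) $raw);
    return $text === '' ? null : $text;   // unlike empty(), this keeps a comment of "0"
}

// Storage: the value is bound as a parameter, so it is never parsed as SQL
// and needs no addslashes() on the way in or stripslashes() on the way out.
function save_comment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Display: encode for HTML at output time; the stored text stays unmodified.
function render_comment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = (string) $stmt->fetchColumn();
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample input: quotes, an SQL comment marker, markup, a newline.
$_POST['textarea'] = "  O'Brien said \"nice site\"; -- <b>thanks</b>\nsecond line  ";

$pdo  = open_db();
$body = clean_comment($_POST['textarea'] ?? null);
if ($body !== null) {
    $id = save_comment($pdo, $body);
    echo render_comment($pdo, $id), PHP_EOL;
}
```

Magic quotes, mentioned in post #8, were removed in PHP 5.4, so current versions apply no automatic escaping to $_POST, $_GET or $_COOKIE data.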

