[nycphp-talk] PHP Form Validation

Jonathan hendler at simmons.edu
Thu Sep 1 13:02:49 EDT 2005


Without looking at the PHP builder article - I think there are many 
things wrong with embedding $_POST in form html:

   1. if you display warning messages in your PHP ini it will display a
      warning on the first pass
   2. you can't run filters before display like htmlentities - the user
      can input javascript, html, or other ickiness like even a double
      quote can break the form
   3. what if you have a form with 10 steps and you want the user to be
      able to go back to stage 3 and modify the data they had entered?
   4. html should probably be in a template file

What's trying to be accomplished is in a sense "state preservation" as 
well as cleaning/checking of the data. Just embedding $_REQUEST, $_POST, 
or $_GET is insufficient for any larger application.

Aaron Fischer wrote:

>If the $_POST['var'] doesn't have a value or hasn't been created, 
>nothing is outputted, so the form just has value="" in the html form.  
>Nothing wrong with that as far as I know.  I use something similar in my 
>forms, haven't run into any problems.
>
>-Aaron
>
>
>Cliff Hirsch wrote:
>
>  
>
>>PHPBuilder just posted this article: PHP Form Validation System: An 
>>Object-Oriented Approach
>>See: http://www.phpbuilder.com/columns/weiner20050831.php3 
>> 
>>Beside the primary validation content, the article uses the following 
>>example, which I often see:
>><input type="text" name="email" value="<?=$_POST['email']?>" /> 
>> 
>>I often wonder (but not when I'm with my wife) what the pros and cons 
>>are of using value= $_POST['something'] versus value = $fresh_variable.
>> 
>>First, can't $_POST['email'] create an error, since on first pass, the 
>>'email' key would not exist?
>> 
>>Second, how do you set default values? You would be setting the Post 
>>array, which changes the source of the value from a form post to a 
>>program. Doesn't seem right to me.
>> 
>>Third, if you do want to "scrub" the input, that implies modifying 
>>$_POST['something'], which is in direct conflict with Chris 
>>Shiflett's $clean_array approach. Ok, so what's the harm in letting a 
>>user send him/herself a potential <nastystuff> script -- still seems 
>>wrong to me.
>> 
>>Comments?
>> 
>>Cliff Hirsch
>>    
>>
>
>
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
>  
>
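The points raised in this thread (undefined-index warnings on the first request, a double quote or script in the submitted value breaking the attribute, defaults that should not be written into $_POST, and a separate clean array instead of scrubbing $_POST in place) can be covered with a small re-population helper. The code below is an added illustration written for this archive page; it is not code from the thread, from the PHPBuilder article, or from Chris Shiflett, and the class, function and variable names (FormValues, raw(), attr(), validateEmail(), $defaults, $clean, $errors) are assumptions. The sample input is constructed.

```php
<?php
// Added example, not from the thread: re-populate a form field without
// embedding $_POST directly in the HTML. Names below are assumptions.

class FormValues
{
    private $defaults;   // program-supplied defaults, kept apart from $_POST
    private $submitted;  // raw user input, never modified in place

    public function __construct(array $defaults, array $submitted)
    {
        $this->defaults  = $defaults;
        $this->submitted = $submitted;
    }

    // Raw value for re-display: the submitted value wins, then the default,
    // then ''. isset() means a first request with no POST emits no warning,
    // and is_string() rejects array input (name="email[]") that would
    // otherwise reach htmlspecialchars().
    public function raw($name)
    {
        if (isset($this->submitted[$name]) && is_string($this->submitted[$name])) {
            return $this->submitted[$name];
        }
        return isset($this->defaults[$name]) ? $this->defaults[$name] : '';
    }

    // Attribute-safe value: ENT_QUOTES so a stray " or ' cannot close the
    // value="" attribute and inject markup or script into the page.
    public function attr($name)
    {
        return htmlspecialchars($this->raw($name), ENT_QUOTES, 'UTF-8');
    }
}

// Validation writes accepted values into a separate $clean array rather
// than rewriting $_POST, so the raw input stays available for re-display
// and the application only ever reads trusted data from $clean.
function validateEmail(array $submitted, array &$clean, array &$errors)
{
    $value = isset($submitted['email']) && is_string($submitted['email'])
        ? trim($submitted['email']) : '';
    if (filter_var($value, FILTER_VALIDATE_EMAIL) !== false) {
        $clean['email'] = $value;
    } else {
        $errors['email'] = 'Please enter a valid e-mail address.';
    }
}

$defaults = array('email' => 'user@example.com');
$clean    = array();
$errors   = array();

// Constructed sample standing in for a real $_POST when run from the CLI:
// a value carrying a double quote and a script tag, the case the thread
// worries about. A real POST request is used when one is present.
$submitted = !empty($_POST) ? $_POST : array('email' => '"><script>alert(1)</script>');

$form = new FormValues($defaults, $submitted);
validateEmail($submitted, $clean, $errors);

// The template only ever sees escaped values; this block could live in a
// separate template file just as well.
?>
<form method="post">
  <input type="text" name="email" value="<?php echo $form->attr('email'); ?>" />
  <?php if (isset($errors['email'])): ?>
    <span class="error"><?php echo htmlspecialchars($errors['email'], ENT_QUOTES, 'UTF-8'); ?></span>
  <?php endif; ?>
  <input type="submit" value="Send" />
</form>
```

With the constructed input the rendered attribute is `value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"`, so the quote no longer terminates the attribute and the tag is shown as text; on a first request with no POST the default is rendered and no undefined-index warning is raised. For the multi-step case in point 3, the $clean array for each step is what you would store in the session, so returning to an earlier step re-populates from validated data rather than from whatever was last posted.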
