NYCPHP Meetup

NYPHP.org

[nycphp-talk] PHP Form Validation

Billy Reisinger mail at billyreisinger.com
Thu Sep 1 13:06:28 EDT 2005 

Cliff Hirsch wrote:

It would seem to me that, whether you plan on using a 
$_REQUEST['variable'] or a $fresh_variable directly in your form, you 
will still need to do the same sort of validation and security checking 
on it. 

> PHPBuilder just posted this article: PHP Form Validation System: An 
> Object-Oriented Approach
> See: http://www.phpbuilder.com/columns/weiner20050831.php3 
>  
> Beside the primary validation content, the article uses the following 
> example, which I often see:
> <input type="text" name="email" value="<?=$_POST['email']?>" /> 
>  
> I often wonder (but not when I'm with my wife) what the pros and cons 
> are of using value= $_POST['something'] versus value = $fresh_variable.
>  
> First, can't $_POST['email'] create an error, since on first pass, the 
> 'email' key would not exist.

Yeah, using an unset variable will throw a warning; you wouldn't see it 
unless your error reporting is set to see warnings.  You can use a few 
lines of code to set a bunch of variables that are used in your forms.  
I think it is good practice to set all variables before using them - 
many other programming languages require this.

$array_of_variable_names = array("email", "name", "blah");
foreach($array_of_variable_names as $variable_name) {
    if (!isset($_REQUEST[$variable_name])) {
       $_REQUEST[$variable_name] = "";
    }
}

>  
> Second, how do you set default values? You would be setting the Post 
> array, which changes the source of the value from a form post to a 
> program. Doesn't seem right to me.

use the isset() function to detect whether the variable has been set by 
the user ... if it hasn't, create a default value.  You can even do this 
one quickly, too.

//load an array with names of variables and default values
$variables_and_defaults = array("variable1"=>"value1", 
"variable2"=>"value2");

//cycle through the array
foreach($variables_and_defaults as $variable_name => $variable_value) {
   
    //if this variable is not set,
    if (!isset($$variable_name)) {

       //assign it the default value you associated with it above.
       $$variable_name = $variable_value;
    }
}
That's the general idea; I haven't checked it for errors, but it should 
work.

>  
> Third, if you do want to "scrub" the input, that implies modifying 
> $_POST['something'], which is in direct conflict with Chris 
> Shiftlett's $clean_array approach. Ok, so what's the harm in letting a 
> user send him/herself a potential <nastystuff> script -- still seems 
> wrong to me.
>
A number of reasons! The mail() script can be hijacked in any number of 
ways; it is always a good idea to thoroughly clean any variables that 
are used in that function.  mysql queries are vulnerable to attack, too, 
so be sure never to trust any variable that passes from page to page.
Cheers,
Billy Reisinger

More information about the talk mailing list