
I've used html, css, javascript, and jQuery validation and I think I'm ready to load variables in php. My webpage has about 300 elements (20 text(area)s, 40 radio, and 250 check-boxes with only a few that are required.

I found this code for php validation and have 3 newbie questions:

<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";

if ($_SERVER["REQUEST_METHOD"] === "POST") {
  // A field that is absent from the request (for example an unchecked
  // checkbox) is not present in $_POST at all, so fall back to "" instead
  // of raising an "undefined index" notice.
  $name = test_input($_POST["name"] ?? "");
  $email = test_input($_POST["email"] ?? "");
  $website = test_input($_POST["website"] ?? "");
  $comment = test_input($_POST["comment"] ?? "");
  $gender = test_input($_POST["gender"] ?? "");
}

// Trim surrounding whitespace, remove backslashes (historically added by
// magic quotes) and encode HTML metacharacters.
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}
?>

1- Have I left out any important steps?

2- Do only text(area)s need this kind of server validation or do I need to do this for the radio and checkboxes?

3- Can null elements go through this cleaning process or do I have to test for and exclude null elements first?

Thanks, Dan

Darren
tiredeyes

2 Answers

Score: 1

I'll start by stating this: You can never trust any user input. Never trust any user input. You should program with the view that each user accessing your form is doing so with malicious intent (i.e. they want to hack your site).

1. Yes, you're leaving out important steps. You aren't preventing SQL Injection (if you're saving the details to a database). If you are saving it to a database, you're best to use libraries that are designed to protect you through proper use, like PDO or MySQLi Prepared Statements. It's actually rather simple to do:

// $user and $pass are placeholders for your own database credentials.
$user = 'dbuser';
$pass = 'secret';

try {
    $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Named placeholders: the values never become part of the SQL text.
    $statement = $dbh->prepare("INSERT INTO testtable(`name`, `lastname`, `age`)
        VALUES(:fname, :sname, :age)");
    $statement->execute(array(
        "fname" => "Bob",
        "sname" => "Desaunois",
        "age" => "18"
    ));
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}

Source

2. Yes, you should make sure all, and I mean all, user input is validated.

[Image: "Inspect element" in the browser developer tools, editing a checkbox value]

As you can see in the image above, it's not hard at all to change the checkbox values to what you want.

3. Why would you want to do it for null elements? Do you mean empty elements? It's always good to clean any and all user input, but if it's null theoretically you aren't going to use it, right?

Darren
  • Almost all of the checkboxes will be used whether they are checked or unchecked. A group of checkboxes A-F will eventually be used to make a sentence like: They have A, C, E, and F, but not B or D. I haven't figured out whether I want to do the concatenation on the web server, office server, or my desktop client. Does that make any difference? – tiredeyes Jun 24 '15 at 01:01
  • Doesn't make a difference at all, you'll just have to store each of these inputs somewhere for later reference! – Darren Jun 24 '15 at 01:03
  • One thing about that other link is that they didn't think about `name` https://dev.mysql.com/doc/refman/5.5/en/keywords.html – Funk Forty Niner Jun 24 '15 at 01:15
  • @Fred-ii- Good spot! Didn't think of that at all. Always watching what I do sir, you're like a cool batman ;-) – Darren Jun 24 '15 at 01:18
  • Funny though, how that column name comes up in questions lately. 99% of them ignore my comment about it. But you didn't ;-) – Funk Forty Niner Jun 24 '15 at 01:19
  • It's always until the issues come, isn't it! – Darren Jun 24 '15 at 01:20
Score: -2

I have made some changes based on some assumptions to address your concerns and questions. I am assuming that the "name" field is required so we will do a check to see if it is set. Also I am assuming you will be storing this data into a database. If so I have included some MYSQL to help with cleaning for storage into a MYSQL database.

<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";

if (isset($_POST["name"])) {
  $name = test_input($_POST["name"]);
  // The other fields may be absent from the request, so fall back to "".
  $email = test_input($_POST["email"] ?? "");
  $website = test_input($_POST["website"] ?? "");
  $comment = test_input($_POST["comment"] ?? "");
  $gender = test_input($_POST["gender"] ?? "");
}
else
{
   // tell the user they missed something.
}

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  // mysql_real_escape_string() belongs to the old ext/mysql extension and
  // needs an open connection from mysql_connect(); the extension was
  // removed in PHP 7, so this line fails on current PHP versions.
  $data = mysql_real_escape_string($data);
  return $data;
}
?>

To address your other questions, no you don't need to validate fields like check boxes and radio buttons, however, be aware that the user can post their own values to your form with Javascript turned off and thereby circumvent your Javascript checks for form validation. So anything you think the user might supply information for like a selection menu should be cleaned before storing into the database. You don't need to check for NULL values.

V_RocKs
  • you do need to validate anything that comes from the user - checkboxes, radios, etc. – Royal Bg Jun 24 '15 at 00:48
  • Thank you for the code! So an unchecked checkbox A (I don't know whether that is empty or null yet) can go through the "cleaning" and produce an empty/null $A variable without throwing an error? Thanks – tiredeyes Jun 24 '15 at 01:05
  • Yes, you don't have to worry about a NULL value variable producing an error; and as stated in Darren's answer, you should check all user input including check boxes. I overlooked this because I don't actually use their input when I code something like this. I only check to see if they checked the box (Boolean value). – V_RocKs Jun 24 '15 at 01:56
  • **Warning** This function will unnecessarily damage your data. Do not use it if you do not know what you are doing. – Dharman Jul 29 '19 at 19:52
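To show concretely what the warning comment above refers to, here is an added example (not code from the answer or its commenters) that runs the answer's cleaning steps over a few constructed inputs and contrasts them with the approach the first answer's comments point to: validate on input, store the value as typed, and encode once at output. The removed `mysql_real_escape_string()` call is left out because it cannot run without ext/mysql; `test_input_legacy()` and `clean_text()` are names chosen for this example.

```php
<?php
// Added example: how escaping-before-storage alters data, versus validating
// on input and encoding at output. All sample inputs are constructed.

declare(strict_types=1);

// The answer's cleaning steps, minus the ext/mysql call that no longer exists.
function test_input_legacy(string $data): string
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// Input handling that keeps the data intact: trim, reject control
// characters, enforce a length limit. Nothing is encoded here.
function clean_text(string $data, int $max = 1000): ?string
{
    $data = trim($data);
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $data) === 1) {
        return null;                       // reject rather than silently "fix"
    }
    return mb_strlen($data) <= $max ? $data : null;
}

// HTML output encoding, applied exactly once, at the point of output.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs a real user could plausibly type.
$samples = [
    "O'Brien & Sons",                  // apostrophe and ampersand in a name
    'C:\\temp\\report.txt',             // backslashes stripslashes() will remove
    "  <script>alert(1)</script>  ",   // markup that must not render
];

foreach ($samples as $raw) {
    $legacy = test_input_legacy($raw);
    $kept   = clean_text($raw) ?? '(rejected)';

    echo "raw:            $raw\n";
    echo "legacy stored:  $legacy\n";             // already altered before storage
    echo "legacy output:  " . e($legacy) . "\n";  // encoded a second time on output
    echo "kept stored:    $kept\n";               // stored as typed
    echo "kept output:    " . e($kept) . "\n\n";  // encoded once, renders as text
}
```

Running it shows the two kinds of damage: `stripslashes()` turns the Windows path into `C:tempreport.txt`, and the `&` (and, depending on PHP version, the apostrophe) in the name is stored already HTML-encoded, so a normal output layer encodes it again and the user sees `&amp;amp;`. The `<script>` sample is harmless either way once output is encoded, which is the reason encoding belongs at output and not in storage.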