Re: Simpler way to validate form fields? [message #179796 is a reply to message #179795]
Wed, 05 December 2012 10:52
M. Strobel
Messages: 386 Registered: December 2011
On 05.12.2012 11:36, Gilles wrote:
> On Wed, 05 Dec 2012 10:56:24 +0100, "M. Strobel"
> <sorry_no_mail_here(at)nowhere(dot)dee> wrote:
>> Too basic. My user input reader is
>>
>> // Central reader for string form fields: returns $val when the field is
>> // missing or not a plain string (e.g. ?key[]=x), otherwise the value cut
>> // to $l characters and run through the sanitizing filter.
>> function getStringFromForm($key, $l=255, $val=null) {
>>     return (isset($_REQUEST[$key]) && is_string($_REQUEST[$key])) ?
>>         filter_var(substr($_REQUEST[$key], 0, $l), FILTER_SANITIZE_STRING) :
>>         $val;
>> }
>>
> [...]
>> I read $_REQUEST, because the first thing my dispatcher does is a check for GET/POST,
>> and POST form values can be as easily manipulated as get values. So EVERY string
>> input uses this function.
>
> Thanks much for the code. I'm not sure I understand what you mean
> about checking for GET/POST. Do you mean this?
>
> ============
> if ($_SERVER['REQUEST_METHOD'] === 'POST') {
> //Call getStringFromForm, getEmailFromForm, and getIntFromForm
> //for each form field
> }
> ============
> ?
Yes. The idea is to read only expected data.
Then the idea is to have your input filter adjusted in one place if it fails somehow.
This must be coupled with prepared statements for the database insert (against SQL
injection), and an output filter that converts special chars to entities (against XSS).
That's about it.
/Str.
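The pattern Strobel outlines above (check the method, read only the expected fields through one central filter, insert with a prepared statement, entity-encode on output), as an added example that is not part of the original post. The field names, the users table and the in-memory SQLite database are my assumptions, and the request array is constructed here rather than taken from $_REQUEST. One deliberate change from the posted helper: the input reader only caps length and strips control characters instead of using FILTER_SANITIZE_STRING, which is deprecated since PHP 8.1 and rewrites quotes and angle brackets on the way in; the encoding that actually defends against XSS is done once, at output time, so the stored data stays intact.

```php
<?php
// Added example, not code from the original thread. Requires the pdo_sqlite
// extension for the demo at the bottom. Field names and table are assumptions.
declare(strict_types=1);

// Central input reader: null for a missing or non-string field, otherwise the
// value cut to $maxLen characters with C0 control characters removed.
function readString(array $request, string $key, int $maxLen = 255): ?string
{
    if (!isset($request[$key]) || !is_string($request[$key])) {
        return null;   // arrays (?key[]=x) and missing keys are rejected, not coerced
    }
    $value = substr($request[$key], 0, $maxLen);
    // Drop control characters except tab, LF and CR; keep all printable input verbatim.
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
}

// Typed readers built on the same entry point, so a fix lands in one place.
function readEmail(array $request, string $key): ?string
{
    $raw = readString($request, $key, 254);
    if ($raw === null) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function readInt(array $request, string $key, int $min, int $max): ?int
{
    $raw = readString($request, $key, 20);
    if ($raw === null) {
        return null;
    }
    $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
    $n = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    return $n === false ? null : $n;
}

// Output filter for HTML body and attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Dispatcher: only POST may write, and only the three expected fields are read.
// Anything else in the request (e.g. an injected "admin" field) is never looked at.
function handleSignup(string $method, array $request, PDO $db): array
{
    if ($method !== 'POST') {
        return ['status' => 405, 'body' => 'Method Not Allowed'];
    }
    $name  = readString($request, 'name', 80);
    $email = readEmail($request, 'email');
    $age   = readInt($request, 'age', 0, 150);
    if ($name === null || $name === '' || $email === null || $age === null) {
        return ['status' => 400, 'body' => 'Bad Request'];
    }
    // Prepared statement: the values are bound, they never become part of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (name, email, age) VALUES (:name, :email, :age)');
    $stmt->execute([':name' => $name, ':email' => $email, ':age' => $age]);

    // Entity-encode at the point of output, not on input.
    return ['status' => 200, 'body' => '<p>Welcome, ' . h($name) . '!</p>'];
}

// --- Demo with constructed input; no real request is involved ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER)');

$hostile = [
    'name'  => "Bob'); DROP TABLE users; --<script>alert(1)</script>",
    'email' => 'bob@example.com',
    'age'   => '42',
    'admin' => '1',   // unexpected field: the dispatcher never reads it
];

$r = handleSignup('POST', $hostile, $db);
echo $r['status'], ' ', $r['body'], "\n";
// The table still exists and the name was stored verbatim; only the HTML was encoded.
echo $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), " row(s)\n";
echo $db->query('SELECT name FROM users')->fetchColumn(), "\n";

$r = handleSignup('GET', $hostile, $db);
echo $r['status'], ' ', $r['body'], "\n";   // a GET is refused before any field is read
```

Run it with `php signup.php`. The three defences are independent and each one is needed: the prepared statement keeps the `DROP TABLE` payload from ever being parsed as SQL, `h()` keeps the `<script>` tag from being rendered when the name is echoed back, and the whitelist of field names means a stray `admin=1` parameter has nothing to attach to. The reader helpers are the one place to adjust if the filtering turns out to be wrong, which is the point Strobel makes about keeping the input filter central.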