Re: Validate Radio Buttons? [message #182375 is a reply to message #182372]
Thu, 01 August 2013 20:47
bill
On 2013-07-31 5:37 PM, Denis McMahon wrote:
> On Wed, 31 Jul 2013 15:07:17 -0400, Jerry Stuckle wrote:
>
>> On 7/31/2013 2:20 PM, Twayne wrote:
>
>>> Should one Validate Radio Buttons for an online website contact form?
>
>> Good practice means you ALWAYS validate ALL information from the user.
>> You may have a radio button on your form - but there is no guarantee the
>> request comes on from your form.
>
> As a follow up to Jerry, radio buttons and select lists are probably the
> easiest elements to validate in the server side code because, by
> definition, you expect them to be one of a discrete set of values, and if
> they're not a member of that set of values, then someone is playing silly
> buggers.
Well ... that's why I thought it wasn't really necessary, other than to see
that they were in the range I wanted and weren't empty. They're all
single-character results, 0 thru 9, and 0 thru 3 in one case, and I
thought all I needed to do was validate them to be within the ranges I
specified, or throw an error otherwise.
I wondered, though, if errant data came in, would it be possible for it to
hurt me before I did the checks on it?
Today I wrote a couple of functions to check things with; one for
nearly all data and a slightly less stringent one to allow a URL to
appear within a textarea.
The main, commonly used function consists of:
--------------
function checkIt_1($data)
{
    $data = trim($data);             // drop leading/trailing whitespace
    $data = stripslashes($data);     // undo backslash escaping
    $data = strip_tags($data);       // remove HTML and PHP tags
    $data = htmlspecialchars($data); // encode & < > " for HTML output
    return $data;
}
-------------
With that I'm still able to read any text munged by the function,
although if the visitor saw it, it might be pretty confusing to him. It's
not an issue to me, though. I even run the functions on my SESSION data
when I read it back in, just in case it was somehow tainted.
So ... if I applied that function or one similar to it, would you
say I've made a step in the right direction or have I wasted my time?
Is the stripslashes worth the machine cycles or does it just waste
time?
I've also thought about using htmlentities but it seems a little
redundant. Yes?
I'm still pretty ignorant of just how XSS and the various injection
methods work, although I now have a couple of what I think are good sites
to read through. It's taken me a long time to find easy-to-read
tutorials or instructions on those subjects for absolute beginners like
me; there's SO much junk around that it's sometimes pretty difficult to
tell whether an author knows what he's talking about or not.
>
> You could use in_array to check that the value received is in an array of
> expected values, and then use the value directly; or you could switch on
> the value received, with a case for each of the expected values. In both
> cases, you can detect and respond as you feel appropriate for unexpected
> values.
>
Arrays are probably a good idea, but for me, if they're not straight-up
1-dimensional arrays, I get easily mixed up keeping track of their
contents. Last time I tried, I ended up leaving some holes that even I
knew better than to do <grin>.
Thanks for all the food for thought, and allowing me to explain a bit
about what's up.
Anything further anyone has to add here is most welcome. I also respond
promptly to any & all questions/clarifications anyone may want.
Best regards,
Twayne
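Denis's in_array suggestion, worked out as an added example in PHP. This is not code from the thread; the field names (rating, reason) and the sample requests are constructed for illustration, and the 0-9 / 0-3 sets come from Twayne's description of his form. The point it demonstrates is the difference between validating a discrete field (accept it only if it is exactly one of the expected strings, otherwise treat the request as bad) and running it through a sanitising chain like checkIt_1, which would quietly turn a value such as "7<b>" into "7" and let it through:

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Field names and the sample
// requests below are constructed for illustration.

/**
 * Allow-list per discrete field: a radio group or select can only ever be
 * one of these exact strings. Twayne's fields are single digits 0-9, and
 * 0-3 in one case; the field names are assumptions.
 */
const DISCRETE_FIELDS = [
    'rating' => ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'],
    'reason' => ['0', '1', '2', '3'],
];

/**
 * Validate the discrete fields of a request. Returns name => int on success
 * and throws on anything outside the expected set, rather than trying to
 * clean the value: an out-of-set radio value means the request did not come
 * from the form as served, and that signal should not be laundered away.
 */
function validateDiscrete(array $post, array $spec): array
{
    $out = [];
    foreach ($spec as $name => $allowed) {
        // An unchecked radio group is simply absent from the request.
        if (!array_key_exists($name, $post)) {
            throw new InvalidArgumentException("$name: missing");
        }
        $value = $post[$name];
        // A client can send "rating[]=1" and make $_POST['rating'] an array.
        // trim()/strip_tags() on an array throws a TypeError in PHP 8, so the
        // type check has to come before any string function touches the value.
        if (!is_string($value)) {
            throw new InvalidArgumentException("$name: not a string");
        }
        // Third argument true forces ===. Loose in_array() compares numeric
        // strings numerically, so '0e1', ' 1' or '1.0' would match '0' or '1'.
        if (!in_array($value, $allowed, true)) {
            throw new InvalidArgumentException("$name: unexpected value");
        }
        $out[$name] = (int) $value;
    }
    return $out;
}

/**
 * Run a few constructed requests through the validator and report which
 * were accepted and which were rejected, and why.
 */
function runSamples(): array
{
    $samples = [
        'normal'        => ['rating' => '7',     'reason' => '2'],
        'out of range'  => ['rating' => '7',     'reason' => '9'],
        'markup'        => ['rating' => '7<b>',  'reason' => '2'],
        'array trick'   => ['rating' => ['1'],   'reason' => '2'],
        'numeric alias' => ['rating' => '0e1',   'reason' => '2'],
        'missing'       => ['reason' => '2'],
    ];
    $report = [];
    foreach ($samples as $label => $post) {
        try {
            $report[$label] = 'accepted ' . json_encode(validateDiscrete($post, DISCRETE_FIELDS));
        } catch (InvalidArgumentException $e) {
            $report[$label] = 'rejected (' . $e->getMessage() . ')';
        }
    }
    return $report;
}

foreach (runSamples() as $label => $result) {
    printf("%-14s %s\n", $label, $result);
}
```

Only the first sample is accepted; the other five are rejected before any string function runs on them. The is_string check is what answers the "could it hurt me before I did the checks" worry for this kind of field: the only way a plain form value can misbehave before validation is by not being a string at all, and that is caught first. Escaping for HTML is a separate step that belongs where a value is printed into a page, not in the validation path; for a value that has passed this allow-list there is nothing left to escape.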