
Is more validation necessary?


Zilflic (Programmer, US), Feb 23, 2005
I am assigned to adding validation to our project. It is a web application for internal use in small companies and we are selling the package requiring javascript. Our forms include customer entry, inventory entry, invoice entry, and several number collecting screens. In this stage, we are not sending out e-mails from our system.

That being said, I have several validation patterns for our data collection in javascript:
zip code, e-mail, not empty, only numbers, only numbers and not 0, correct decimal places, password, currency, date, and time.

In PHP I check for uniqueness and if it successfully saved. My question is what else should I be checking for in PHP. What do you normally include when you are adding your validation functions?

I have checked the PHP FAQs and not found any more ideas.

Thanks,

Ann
 
Ann-

It depends on where you're storing the information. I would assume that you are storing the data in a MySQL database or similar. If this is the case then watch out for special characters that might mean something to the database. For example, if someone typed "f'); DROP * WHERE (1);--" into one of your fields and you send that to the database thinking it's someone's name, then you could have a problem.

The normal characters I check for are asterisk, single quote, newline, and semi-colon (* ' ; \n).

However, before you go off and write all these massive amounts of code to encode and decode these characters, check this function out:

PHP library to the rescue! ;-)

Robert Carpenter
"You and I have need of the strongest spell that can be found to wake us from the evil enchantment of worldliness." - C.S. Lewis (The Weight of Glory)

 
Zilflic:
To my way of thinking, all input validation should be performed server-side, not client-side.

A hostile entity can easily get access to your JavaScript code and tweak it to suit his purposes because the code is transmitted to the client every time. Tweaking server-side code for hostile purposes requires a lot more work and greater skill.

Want the best answers? Ask the best questions!

TANSTAAFL!!
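Pulling the two replies together, here is an added example (not code posted in this thread) of doing the checks in PHP: a few of the validators Ann lists, done server-side where the second reply says they belong, followed by a parameterized insert so the value Robert quotes reaches the database as data rather than as SQL. The `customers` table, its columns and the form field names are assumptions.

```php
<?php
// Added example, not from the thread. Server-side versions of a few of the
// validators Ann lists, plus a parameterized insert so a value such as
// "f'); DROP * WHERE (1);--" reaches MySQL as data, not as SQL.
// Table and column names ("customers", etc.) are assumptions.
function validateCustomer(array $in): array
{
    $errors = [];
    $clean  = [];

    // not empty
    $name = trim($in['name'] ?? '');
    if ($name === '') {
        $errors['name'] = 'Name is required';
    } else {
        $clean['name'] = $name; // no escaping here; the query below is parameterized
    }

    // e-mail
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Invalid e-mail address';
    } else {
        $clean['email'] = $email;
    }

    // zip code: 5 digits, optionally ZIP+4
    if (!preg_match('/^\d{5}(-\d{4})?$/', $in['zip'] ?? '')) {
        $errors['zip'] = 'Invalid ZIP code';
    } else {
        $clean['zip'] = $in['zip'];
    }

    // currency: digits with at most two decimal places (kept as a string for a DECIMAL column)
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $in['credit_limit'] ?? '')) {
        $errors['credit_limit'] = 'Amount must have at most two decimal places';
    } else {
        $clean['credit_limit'] = $in['credit_limit'];
    }

    return [$errors, $clean];
}

function insertCustomer(PDO $db, array $clean): void
{
    $sql = 'INSERT INTO customers (name, email, zip, credit_limit)
            VALUES (:name, :email, :zip, :credit_limit)';
    $db->prepare($sql)->execute($clean); // values are bound, never spliced into the SQL text
}
```

Call `[$errors, $clean] = validateCustomer($_POST);` and only call `insertCustomer()` when `$errors` is empty. The uniqueness check Ann already does in PHP is best backed by a UNIQUE index on the column, so two requests arriving at the same time cannot both slip through.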
 