 |
 |
 |
 |
|
|
|
Checking Data
Verify That Your Input Is Correct
Never trust the input you receive from someone else. You want your data to
have perfect integrity, within the limits that you establish. If you
write a routine that saves someone's address to your
database, don't trust your routine to magically fix user error. Only you can make that happen.
Lets write some quick code to save those addresses:
<?php
function saveAddress($dbh,$firstName,$lastName,$streetAddress,$city,$zip) {
$stmt=OCIPrepare($dbh,"
Insert into addressBook
(firstName,lastName,streetAddress,city,zip)
values
('$firstName','$lastName','$streetAddress','$city','$zip')");
OCIExecute($stmt);
}
?>
So what happens if someone leaves the ZIP code out?
What if they put "pr0nd00d" as their ZIP code? Do not trust your input.
Some might argue that these checks should be done before this function.
Well, what if your co-worker, Billy Bob, reuses this function? Now he
has to do the checks too. And don't trust he'll do it, either. Billy
Bob is a lazy man, and not too smart in the first place.
So let's define a function to make sure the ZIP code is right. After
all, my zip code is not "I like cheese."
<?php
function validZipCode($zip) {
return(ereg("^[[:digit:]]{5}(-[[:digit:]]{4})?$",$zip));
}
?>
The validZipCode() function takes a zip code and does a regular
expression match against it. If it $zip begins with 5 digits, with an optional
dash and 4 digit extension, return 1. Else return 0. Now, l
ets integrate
it with our current function.
<?php
function saveAddress($dbh,$firstName,$lastName,$streetAddress,$city,$zip) {
if(!validZipCode($zip))
return(0);
$stmt=OCIPrepare($dbh,"
Insert into addressBook
(firstName,lastName,streetAddress,city,zip)
values
('$firstName','$lastName','$streetAddress','$city','$zip')");
OCIExecute($stmt);
Return(1);
}
?>
Now our current function requires a valid ZIP code. It won't accept a
blank one, nor a non-USA one. (Note that our function doesn't simply
require a non-blank string -- that would be A Bad Thing(tm).) If
a ZIP isn't passed, our function returns a 0. But wait...we can reword
the logic so that when valid ZipCode() returns a 0, an array or string
can be returned with a more descriptive error.
<?php
If(!validZipCode($zip))
push_array($errors,"Invalid zip code.");
If(!validStreetAddress($streetAddress))
push_array($errors,"Invalid address.");
?>
Etc...
Adding the validation functions is an exercise left to the user. Some things may not be
economically or technologically feasible,
as you cannot always afford to verify information beyond a certain point.
For example, it would be too slow to confirm every bit of the input from the
one hundred addresses per second you get. However, a simple check like the one
outlined above, makes it MUCH harder to have data that
doesn't make sense. After all, we know that valid U.S. ZIP
codes are numeric and how long they can be, so why accept data that's
obviously wrong?
[ Next Page ]
| Comments: | ||
| Do you wanna buy Credit Card ? | Migawa | 12/29/04 01:54 |
| how do i hack credit cards | tosin | 11/18/04 13:43 |
| RE: Credit card hack -- will that work?? | john smith | 02/07/04 20:29 |
| A generic validation script for web forms? | Kelvin Poon | 09/19/03 11:22 |
| RE: Where to check? | Jester | 04/05/03 12:03 |
| Where to check? | Ian | 10/09/02 02:11 |
| Real Time Data | John | 10/06/02 10:27 |
| RE: What about this ? | Chris | 09/23/02 17:02 |
| What about this ? | Staffan Söderström | 09/13/02 06:37 |
| RE: Credit card hack -- will that work?? | Andy Christianson | 09/06/02 01:50 |
| RE: Credit card hack -- will that work?? | Andy Christianson | 09/03/02 16:51 |
| RE: Javascript form validation workaround | Mark Bembnowski | 08/20/02 11:54 |
| Security of $_POST[] | Jeremy Brown | 07/28/02 15:55 |
| RE: Very dangerous sql code possible | Daniel Tsadok | 07/16/02 06:24 |
| Javascript form validation workaround | Daniel Tsadok | 07/16/02 05:56 |
| Somebody has hacked my credit card | Parul Asha Singh | 07/14/02 11:11 |
| RE: When is it too much | Hari Usmayadi | 07/07/02 22:29 |
| check input | Wolfgang Hamann | 04/14/02 03:28 |
| unknown extension | Peter van Rooijen | 04/03/02 02:13 |
| excellent !! | mika | 02/02/02 09:15 |
| Un Normalised Table Into Un Normalised Data | Mehmood Ahmed Chadhar | 09/26/01 03:00 |
| RE: Credit card hack -- will that work?? | Grasso | 08/06/01 00:23 |
| RE: ...basic problem.. | Frans-Jan Wind | 07/24/01 02:38 |
| Page Caching | Unknown | 07/19/01 02:16 |
| ...basic problem.. | Van Tri | 05/04/01 08:49 |
| RE: Very dangerous sql code possible | Chris Boget | 04/04/01 13:16 |
| good solution | igor | 03/22/01 13:24 |
| RE: Credit card hack -- will that work?? | Michael McGinley | 03/13/01 11:44 |
| RE: http_refferer | Josh | 03/11/01 02:19 |
| Credit card hack -- will that work?? | Chuck Clayton | 02/15/01 11:13 |
| RE: Very dangerous sql code possible | Wojtek | 12/24/00 07:18 |
| RE: http_refferer | Michael Rowe | 11/26/00 00:46 |
| Very dangerous sql code possible | Greg MacLellan | 11/22/00 12:18 |
| Checking for bad SQL | Martijn | 11/14/00 11:05 |
| http_refferer | Adam Zochowski | 11/13/00 12:51 |
| It's array_push not push_array | John Miller | 11/10/00 15:34 |
| RE: Also need to strip HTML tags from input | spencer p | 11/10/00 11:53 |
| Also need to strip HTML tags from input | John Lim | 11/09/00 10:03 |
| RE: When is it too much | spencer p | 11/04/00 16:59 |
| RE: When is it too much | Tim Frank | 11/03/00 23:38 |
| When is it too much | CCBCREG | 11/03/00 13:35 |
| Article | Marc | 11/03/00 03:14 |
| Excellent ! | Bjorn Sodergren | 11/03/00 01:23 |
|
If you are looking for help, please post on the appropriate forum here. Your questions will be answered much more quickly. | ||
