[PHP] Re: Form Validation filter - Regex Q
Haig Davis wrote:
> Morning All,
>
> I've been fighting with this little problem for two days now, so far no luck
> with google and am beginning to question my own sanity.
>
> I have an application that has over one hundred forms, some quite lengthy, so
> what I'm trying to achieve, rather than writing a bunch of individual
> sanitize statements then form validation statements, is that I could run $_POST
> through a foreach loop and filter the values by form class, i.e. is it an
> email address or simply a text block with letters and numbers. The regexes
> alone work fine, as does the foreach loop; the only issue I have is the IF
> statement comparing $key to expected variable names.
>
> Here's the bit of code involved.
>
> if(isset($_POST['submit'])){
>     foreach($_POST as $keyTemp => $valueTemp){
>         $key = mysqlclean($keyTemp);
>         $value = mysqlclean($valueTemp);
>         $$key = $key;
>         $$key = $value;
>
>         if($key != ("$customerServiceEmail") || ("$billingEmail") || ("$website")){
>             if(preg_match("/[^a-zA-Z0-9\s]/", $value)){
>                 $style = "yellow";
>                 $formMsg = "Invalid Characters";
>                 $bad = $key;
>             }
>         }
>         if($key = ("$customerServiceEmail") || ("$billingEmail")){
>             if(preg_match("/^([a-za-z0-9._%...@[a-za-z0-9.-]+\.[a-za-z]{2,4})*$/", $value)){
>                 $style = "yellow";
>                 $formMsg = "Invalid Characters";
>                 $bad = $key;
>             }
>         }
>     }
> }
>
> Thanks for taking a peek.
>
> Haig

Sorry about misreading your request earlier.

Here is a function that I use.

    function checkEmailAddr($emailAddr)
    {
        if(empty($emailAddr)) {
            throw new Exception("No email address provided");
        }

        if(!preg_match("%...@%", $emailAddr)) {
            throw new Exception("Email address missing mailbox name, or syntax is wrong. ");
        }

        if(!filter_var($emailAddr, FILTER_VALIDATE_EMAIL)) {
            throw new Exception("Email address error. Syntax is wrong. ");
        }

        $domain = substr(strchr($emailAddr, '@'), 1);
        if(!checkdnsrr($domain)) {
            throw new Exception("Email address warning. Specified domain \"$domain\" appears to be invalid. Check carefully.");
        }

        return true;
    }

Use the function like this:

    try {
        checkEmailAddr($userSubmitedDataArray[EMAIL_ADDR_FIELD]);
    } catch (Exception $e) {
        $userErrorMsg = $e->getMessage(); //Message text in check function
    }

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Form Validation filter - Regex Q
On Tue, 10 Nov 2009 09:34:52 -0800, Haig Davis wrote:

> foreach($_POST as $keyTemp => $valueTemp){
> $key = mysqlclean($keyTemp);
> $value = mysqlclean($valueTemp);

Mysql and form validation are totally unrelated. In my mind,
this seems spectacularly misguided.

> if($key = ("$customerServiceEmail") || ("$billingEmail")){
>
> if(preg_match("/^([a-za-z0-9._%...@[a-za-z0-9.-]+\.[a-za-z]{2,4})*$/",
> $value)){

Just as almost every other email validation regexp I have seen,
this has a few imperfections:

 * It does not allow some valid email addresses (mail!...@example.com)
 * It does not allow some valid domains (*.museum)
 * It allows invalid email addresses (@example.com)
 * It allows invalid domains (example..com)

> $style = "yellow";
> $formMsg = "Invalid Characters";
> $bad = $key;

Personally, I'd put the invalid keys in an array and mark all the
problematic fields at once.

/Nisse
[PHP] Re: Form Validation filter - Regex Q
Hello,

on 11/10/2009 03:34 PM Haig Davis said the following:
> I've been fighting with this little problem for two days now, so far no luck
> with google and am beginning to question my own sanity.
>
> I have an application that has over one hundred forms, some quite lengthy, so
> what I'm trying to achieve, rather than writing a bunch of individual
> sanitize statements then form validation statements, is that I could run $_POST
> through a foreach loop and filter the values by form class, i.e. is it an
> email address or simply a text block with letters and numbers. The regexes
> alone work fine, as does the foreach loop; the only issue I have is the IF
> statement comparing $key to expected variable names.

I am not a big fan of filtering. If the form has invalid data, do not
accept it, just show the form again to the user and make him fix it. He
may have made a mistake and if you fix his mistakes, you may be doing it
incorrectly.

What I suggest is to present the form again to the user denoting invalid
fields. You may want to watch this tutorial video on this subject:

http://www.phpclasses.org/browse/video/1/package/1/section/usage.html

Other than that, doing all validation by hand is painful. You may want
to try this forms generation and validation package that performs all
the necessary types of validation on the server side in PHP and on
browser side using Javascript generated by the class within your form
template.

http://www.phpclasses.org/formsgeneration

Take a look here for a live example:

http://www.meta-language.net/forms-examples.html?example=test_form

If you have many forms for CRUD (Create, Retrieve, Update and Delete)
operations, you may want to also use this plug-in that automates the
generation of those types of forms so you can do it in a fraction of your
time.

http://www.meta-language.net/forms-examples.html?example=test_scaffolding_input

--
Regards,
Manuel Lemos

Find and post PHP jobs
http://www.phpclasses.org/jobs/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
[PHP] Re: Form Validation filter - Regex Q
Haig Davis wrote:
> alone work fine, as does the foreach loop; the only issue I have is the IF
> statement comparing $key to expected variable names.
>
> if($key != ("$customerServiceEmail") || ("$billingEmail") ||

multiple points here..

1: is the key name held in a php variable called $customerServiceEmail?
if you have then use:
if you have then use:

2: if you need to compare multiples then you need to use either..

note in the above I've *ass*umed some mistyped logic, in that only
proceed if not ('customerServiceEmail' || 'billingEmail' || 'website') -
which is incorrect because string || string || string *always* equals 1 -
hence you need the 3 comparisons achieved by using and(&&) or in_array.

3: these two lines override each other, and variable variables aren't
needed here

    $$key = $key;
    $$key = $value;

here's a full version for you that should work as you expect:

    <?php
    if(isset($_POST['submit'])){
        foreach($_POST as $keyTemp => $valueTemp){
            $key = mysqlclean($keyTemp);
            $value = mysqlclean($valueTemp);

            if( in_array( $key , array( 'customerServiceEmail' , 'billingEmail' ) ) ) {
                // only email validate if it's an email field;
                // flag the value when it does NOT match the address pattern
                if( !preg_match("/^([a-za-z0-9._%...@[a-za-z0-9.-]+\.[a-za-z]{2,4})*$/", $value) ) {
                    $style = "yellow";
                    $formMsg = "Invalid Characters";
                    $bad = $key;
                }
            } else if( $key == 'website' ) {
                // placeholder in case you want URL validation
            } else {
                // only gets here if not an email field, and not a website address
                if(preg_match("/[^a-zA-Z0-9\s]/", $value)){
                    $style = "yellow";
                    $formMsg = "Invalid Characters";
                    $bad = $key;
                }
            }
        }
    }
    ?>

regards;
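The allowlist comparison, `filter_var` check and "collect every bad field" suggestion from the replies above, combined as an added example that is not code from any poster in this thread. It assumes PHP 8 (for `match`), a hypothetical `companyName` text field, `website` checked as an absolute URL, and constructed sample input in place of `$_POST`.

```php
<?php
// Added example, not code from the thread. 'companyName' and the sample
// input are constructed; the other field names come from the original post.
const FIELD_TYPES = [
    'customerServiceEmail' => 'email',
    'billingEmail'         => 'email',
    'website'              => 'url',   // assumption: checked as an absolute URL
    'companyName'          => 'text',
];

// Returns [field => message] for every invalid field; empty means all valid.
function validateForm(array $post): array
{
    $errors = [];
    foreach ($post as $key => $value) {
        if ($key === 'submit') {
            continue;
        }
        // One allowlist lookup replaces the chained || test; unknown keys are rejected.
        if (!array_key_exists($key, FIELD_TYPES)) {
            $errors[$key] = 'Unexpected field';
            continue;
        }
        if (!is_string($value)) { // e.g. billingEmail[]=x arrives as an array
            $errors[$key] = 'Invalid value';
            continue;
        }
        $ok = match (FIELD_TYPES[$key]) {
            'email' => filter_var($value, FILTER_VALIDATE_EMAIL) !== false,
            'url'   => filter_var($value, FILTER_VALIDATE_URL) !== false,
            'text'  => preg_match('/[^a-zA-Z0-9\s]/', $value) === 0,
        };
        if (!$ok) {
            $errors[$key] = 'Invalid Characters';
        }
    }
    return $errors;
}

// Constructed input standing in for $_POST.
print_r(validateForm([
    'customerServiceEmail' => 'support@example.com',
    'billingEmail'         => '@example.com',
    'companyName'          => 'Acme <b>Ltd</b>',
    'isAdmin'              => '1',
    'submit'               => 'Save',
]));
```

Because nothing is copied into variables named after request keys, an unexpected field such as `isAdmin` ends up in the error list instead of in the script's variable scope, and the returned array lets the form be redisplayed with every bad field marked at once.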
[PHP] Re: Form Validation filter - Regex Q
Haig Davis wrote:
> Morning All,
>
> I've been fighting with this little problem for two days now, so far no luck
> with google and am beginning to question my own sanity.
>
> I have an application that has over one hundred forms, some quite lengthy, so
> what I'm trying to achieve, rather than writing a bunch of individual
> sanitize statements then form validation statements, is that I could run $_POST
> through a foreach loop and filter the values by form class, i.e. is it an
> email address or simply a text block with letters and numbers. The regexes
> alone work fine, as does the foreach loop; the only issue I have is the IF
> statement comparing $key to expected variable names.
>
> Here's the bit of code involved.
>
> if(isset($_POST['submit'])){
>     foreach($_POST as $keyTemp => $valueTemp){
>         $key = mysqlclean($keyTemp);
>         $value = mysqlclean($valueTemp);
>         $$key = $key;
>         $$key = $value;
>
>         if($key != ("$customerServiceEmail") || ("$billingEmail") || ("$website")){
>             if(preg_match("/[^a-zA-Z0-9\s]/", $value)){
>                 $style = "yellow";
>                 $formMsg = "Invalid Characters";
>                 $bad = $key;
>             }
>         }
>         if($key = ("$customerServiceEmail") || ("$billingEmail")){
>             if(preg_match("/^([a-za-z0-9._%...@[a-za-z0-9.-]+\.[a-za-z]{2,4})*$/", $value)){
>                 $style = "yellow";
>                 $formMsg = "Invalid Characters";
>                 $bad = $key;
>             }
>         }
>     }
> }
>
> Thanks for taking a peek.
>
> Haig

1] Pear has several classes that will help you from reinventing the wheel.

2] I always, when possible, restrict what users are allowed to enter. Then, I simply delete or warn them about anything that is not permissible.

e.g., they can enter any of the plain html tags. Any tags not in this list are removed.

    //region Usable XHTML elements for user admin prepared user instructions [Only these XHTML tags can be used]
    $inlineHtmlTagsArray = array('a', 'b', 'img', 'em', 'object', 'option', 'select', 'span', 'strong',); //Note img is both empty and inline
    $blockHtmlTagsArray = array('div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'pre',);
    $emptyHtmlTagsArray = array('br', 'hr', 'img',);
    $listHtmlTagsArray = array('li', 'ol', 'ul');
    $tableHtmlTagsArray = array('col', 'table', 'tbody', 'td', 'th', 'thead', 'tr',);

I also do syntax and reverse DNS tests for all links and email addresses.