
jimfog

Members, 1,803 posts

Everything posted by jimfog

  1. I am implementing string sanitization for a form input.... Is there a point in using is_string also...for the same input, of course?
  2. I must make some clarification first...the requests are made by Backbone (which uses ajax, of course, for the requests). So...in a Backbone collection I have assigned a URL property which points to a page on the server...like that:

    var Events = Backbone.Collection.extend({ model: BBEvent, url: 'events.php', });

    I am assuming I am going to add ?ajax=1 above...in the url property...correct? Ok, this is the way PHP understands that the request is made with JS. How is it going to understand, though, that the request is NOT made by JS....I am confused regarding this. How am I going to ensure that the request is not made by JS.... You claim that this happens by the identification of the GET ajax parameter.... How am I going to ensure that this is absent from the URL, so that this is recognized by PHP as a request not sent by JS? There is something missing here...
  3. Since this question has to do with validation, I want to ask one last important question. The code in this topic, of course, relates to server-side. My question concerns the reply from the server...as I see it...it must be using both json_encode (in case JS validation failed) AND print/echo statements in case JS is disabled. Tell me if I am correct about the above?
  4. I know that from before... The app I am building sends a JSON to the server...the keys are fixed each time...the values change, of course. And of course I know which data type every key is.
  5. I have an array with seven members and I want to test some of them to see if they are strings and some if they are numeric. What would be the most efficient way to do this, you think? In the PHP manual a reference is made to a foreach loop; nonetheless, this is a good solution only if we are testing for is_numeric only, for example. Since we are dealing here with two tests, what is the way to go, you think?
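A worked server-side example for posts 1 through 5 above, added here and not taken from the thread: a fixed rules map (the keys are known in advance, so each key gets its own is_string / is_numeric style check in one loop), and a reply function that answers with json_encode when the request came from the Backbone client and with plain echoed HTML otherwise. The field names, the `?ajax=1` convention and the `X-Requested-With` fallback are assumptions of this example, not something the thread specifies.

```php
<?php
// Added example (not from the thread): validate a fixed-key payload and reply
// as JSON to the AJAX client or as HTML to a plain form submission.
// Field names below are assumed; adapt the rules map to the real payload.

declare(strict_types=1);

// One rule per key: seven fixed keys, each with a known expected type.
const FIELD_RULES = [
    'name'    => 'string',
    'staff'   => 'string',
    'service' => 'string',
    'date'    => 'string',
    'appID'   => 'int',
    'slots'   => 'int',
    'price'   => 'numeric',
];

/**
 * Returns error messages keyed by field; an empty array means the data is valid.
 * Type checks (is_string / is_numeric) run BEFORE any sanitizing filter: a
 * sanitize filter silently coerces or strips bad input instead of rejecting it,
 * so it cannot replace the type test, only follow it.
 */
function validate(array $data): array
{
    $errors = [];
    foreach (FIELD_RULES as $key => $type) {
        if (!array_key_exists($key, $data)) {
            $errors[$key] = 'missing field';
            continue;
        }
        $value = $data[$key];
        $ok = match ($type) {
            'string'  => is_string($value) && $value !== '' && mb_strlen($value) <= 200,
            'int'     => filter_var($value, FILTER_VALIDATE_INT) !== false,
            'numeric' => is_numeric($value),
        };
        if (!$ok) {
            // Generic wording: says which field failed, not how the check works.
            $errors[$key] = "invalid $type";
        }
    }
    // Keys the client was never supposed to send are rejected as well.
    foreach (array_diff_key($data, FIELD_RULES) as $extra => $_) {
        $errors[$extra] = 'unexpected field';
    }
    return $errors;
}

function isAjaxRequest(): bool
{
    // The thread's convention is ?ajax=1; jQuery (which Backbone uses for its
    // requests) also sends X-Requested-With: XMLHttpRequest, so accept either.
    return (($_GET['ajax'] ?? '') === '1')
        || (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest');
}

function respond(array $errors): void
{
    if (isAjaxRequest()) {
        header('Content-Type: application/json; charset=utf-8');
        http_response_code($errors ? 422 : 200);
        echo json_encode(['ok' => !$errors, 'errors' => $errors]);
        return;
    }
    // JS disabled: the same messages rendered as HTML, escaped for output.
    header('Content-Type: text/html; charset=utf-8');
    foreach ($errors as $field => $msg) {
        printf('<p class="error">%s: %s</p>',
            htmlspecialchars($field, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'));
    }
    if (!$errors) {
        echo '<p>Saved.</p>';
    }
}

// Entry point: JSON body from Backbone, or a classic form POST without JS.
$raw     = file_get_contents('php://input');
$payload = isAjaxRequest() ? (json_decode($raw, true) ?? []) : $_POST;
respond(validate(is_array($payload) ? $payload : []));
```

Because `$_POST` values always arrive as strings, the `int` rule uses `filter_var` with `FILTER_VALIDATE_INT` rather than `is_int`, so the same rules map works for both the JSON and the no-JS path.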
  6. jimfog

    is_numeric error

    It is an error message returned from the server...as part of validation...I have concluded in this message: I do not know what drawbacks arise from a message such as this..if any?
  7. jimfog

    is_numeric error

    I am using is_numeric to check some data that go to the server, for validity reasons. Given the fact that this is a security issue...how should I handle the case where is_numeric returns FALSE? Should I just display an error message to the user...what if this user is a hacker, and displaying the precise details of the cause of the error (in that error message) reveals why his attack failed?
  8. I had no doubt I was going to use these 3 steps you mention...the only problem I had was accessing the array...but you also answered for it.
  9. I am having trouble implementing a prepared statement within a for loop:

    for ($j = 0; $j < count($appdata); ++$j) {
        $result1 = $connection->query('SELECT serviceID from services_list,appoint_servi_chosen WHERE services_list.serviceID=appoint_servi_chosen.service_ID and appoint_servi_chosen.app_ID= "'.$appdata[$j]['apID'].'"');
    }

    As you see above, I have to access an array in the statement above...how am I going to implement this with a prepared statement?
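The query from post 9 rewritten as a prepared statement, as an added example (not the poster's code): the statement is prepared once, the parameter is bound once by reference, and each loop iteration only changes the variable and calls execute(). Table and column names are taken from the post; `$connection` is assumed to be a mysqli instance, and `app_ID` is assumed to be an integer column (the original compared it against a quoted string).

```php
<?php
// Added example (not from the thread): prepared statement inside a loop.
// Table/column names come from the post; $connection is an assumed mysqli
// object and app_ID is assumed to be an integer column.

declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Returns serviceIDs grouped by appointment: [apID => [serviceID, ...]].
 * The value read from $appdata never becomes part of the SQL text; it is bound
 * as a parameter, so a tampered apID cannot change the query's structure.
 */
function servicesForAppointments(mysqli $connection, array $appdata): array
{
    $stmt = $connection->prepare(
        'SELECT sl.serviceID
           FROM services_list AS sl
           JOIN appoint_servi_chosen AS ch ON sl.serviceID = ch.service_ID
          WHERE ch.app_ID = ?'
    );
    $appID = 0;
    // bind_param binds by reference: assign the variable, then execute().
    $stmt->bind_param('i', $appID);

    $result = [];
    foreach ($appdata as $row) {
        // Anything that is not a plain integer is skipped before reaching the DB.
        $appID = filter_var($row['apID'] ?? null, FILTER_VALIDATE_INT);
        if ($appID === false) {
            continue;
        }
        $stmt->execute();
        $ids = [];
        foreach ($stmt->get_result() as $r) {
            $ids[] = (int) $r['serviceID'];
        }
        $result[$appID] = $ids;
    }
    $stmt->close();
    return $result;
}

// Constructed sample input in the same shape as the poster's $appdata array.
$appdata = [['apID' => '5'], ['apID' => '7'], ['apID' => '7 OR 1=1']];
// $connection = new mysqli('localhost', 'user', 'pass', 'appdb'); // placeholder
// print_r(servicesForAppointments($connection, $appdata));
```

The third constructed entry is skipped by `FILTER_VALIDATE_INT` before the statement runs; even if it were bound, it would be sent as a parameter value rather than as SQL, which is the property that makes the loop safe regardless of what the array holds.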
  10. And what do you suggest about it.
  11. All these are helpful but they do not help solving the issue.
  12. I just want to prevent a hacker from tampering with the ID.... real_escape_string and sanitization, I thought, would suffice. I see that this discussion goes nowhere....my search about validation had as a result to use the above two solutions... Apart from that I do not know what else can be done. As I already said, the user fills no field in this situation... This is a scenario I had not thought of....and certainly we can find numerous others....but my search here is just for some basic security foremost, and when in production I will see what else I can do.
  13. That is just a privilege issue....I am talking here about server-side code and what that might be.
  14. Yes, it worked...thanks a lot. I had tried myself some things....but I had not thought of this one.
  15. And what is the solution.... from a developer's point of view. Apart from the various available sanitize/validate functions...do I need to write some custom code here?
  16. I do not understand what you are saying... First of all, the user gives nothing...he does not fill in anything. When an appointment is created, it enters the db, and at that point the ID is created....which uniquely identifies every appointment. When the appointment is fetched to the client (to be displayed to the user) from the db (its ID is also fetched), it is stored in a Backbone model. The user then might choose to delete the appointment, at which point the ID corresponding to that appointment is sent to the database, where code resides for deletion. So...as you see, this ID is not generated by the user.
  17. I understand your logic, but this string increases as appointments increase....and there is no limit to it, as you can understand. It increments by one every time a new appointment is booked.
  18. Ok, I got the picture... The next question is how I could possibly validate this? It is just a string, "5" for example. I do not use any framework. Sorry...I have forgotten some stuff I knew about validation. Ok, I used a sanitize filter....what else can I do for validation? And real_escape_string also... But I do not know if these 2 are sufficient if the attacker tries to change "5" into "10", for example.
  19. I am trying to use the brackets in a regular expression...see this example below:

    /^[A-Z]+$/i

    The above finds all English alphabet letters. I want to add also Greek letters, but JS does not recognize Greek letters, so I want to add to the above pattern this:

    /[αάβγδεέζηήθιίϊΐκλμνξοόπρσςτυύϋΰφχψωώ]/i

    These above are the letters of the Greek alphabet along with tones. How am I going to add the above letters to the code/pattern you see above? In other words, I want the pattern to accept English and Greek characters....as it is now, only English characters are matched.
  20. I am building an appointments app where each appointment is associated with an id....in the database. When an appointment is going to be deleted, its ID is sent to the server and then the PHP code handles the rest. This ID is created from the application....the question is if it is necessary to use validation rules in the PHP script in such a case? The ID is not provided by the user....
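For post 19, an added example (not the poster's code) of one pattern that accepts both alphabets, shown in PHP's PCRE rather than in JS. The `/u` modifier is what makes the multibyte Greek letters behave as single characters inside a bracket class; with it, `\p{Latin}` and `\p{Greek}` select whole scripts so no letter list has to be maintained by hand. The sample words are constructed for the example.

```php
<?php
// Added example (not from the thread): a character class covering Latin and
// Greek letters, including accented forms, in a UTF-8 aware pattern.

declare(strict_types=1);

/**
 * True when $s consists only of Latin or Greek letters.
 * /u switches PCRE to UTF-8 mode; without it each Greek letter is seen as two
 * bytes and the bracket class matches the wrong things.
 */
function isLatinOrGreekWord(string $s): bool
{
    return preg_match('/^[\p{Latin}\p{Greek}]+$/u', $s) === 1;
}

/**
 * Same check with an explicit class: the thread's own Greek list merged into
 * the A-Z class. /i keeps it case-insensitive for both alphabets; /u is still
 * required so the class holds characters, not bytes.
 */
function isLatinOrGreekWordExplicit(string $s): bool
{
    return preg_match('/^[A-Zαάβγδεέζηήθιίϊΐκλμνξοόπρσςτυύϋΰφχψωώ]+$/iu', $s) === 1;
}

// Constructed samples: plain Latin, Greek with a tone, upper-case Greek,
// and three inputs that must be rejected (digit, empty string, space).
$samples = ['Maria', 'Μαρία', 'ΜΑΡΊΑ', 'Maria5', '', 'Μαρία Κ'];
foreach ($samples as $s) {
    $a = isLatinOrGreekWord($s) ? 'ok' : 'rejected';
    $b = isLatinOrGreekWordExplicit($s) ? 'ok' : 'rejected';
    echo json_encode($s), ": script class = $a, explicit class = $b\n";
}
```

The same script-property approach exists on the client side: a JavaScript regex created with the `u` flag accepts `\p{Script=Latin}` and `\p{Script=Greek}` inside a bracket class, which is why the explicit list in the post is no longer necessary in either language.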
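An added example for posts 12 through 20 above (not the thread's own code): the delete handler on the server. Even though the application, not the user, generated the ID, by the time it reaches PHP it is a client-supplied value, so the handler validates it as an integer and, separately, scopes the DELETE to the logged-in owner, which is the privilege check that stops "5" being swapped for "10". The table and column names (`appointments`, `app_ID`, `owner_ID`), the `id` request parameter, the session layout and the database credentials are all assumptions of this example.

```php
<?php
// Added example (not from the thread): deleting an appointment by an ID that
// arrives from the client. Table/column names, the 'id' parameter, the session
// key and the connection details are assumed placeholders.

declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Deletes one appointment and returns true only if a row was actually removed.
 *
 * Two independent checks:
 *  1. the value is a positive integer (type/format validation);
 *  2. the row belongs to the logged-in user (authorization), enforced in the
 *     query itself, so a different but well-formed ID deletes nothing.
 */
function deleteAppointment(mysqli $db, mixed $rawID, int $ownerID): bool
{
    $appID = filter_var($rawID, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($appID === false) {
        return false;                       // malformed ID: never reaches the DB
    }
    $stmt = $db->prepare('DELETE FROM appointments WHERE app_ID = ? AND owner_ID = ?');
    $stmt->bind_param('ii', $appID, $ownerID);
    $stmt->execute();
    $deleted = $stmt->affected_rows === 1;
    $stmt->close();
    return $deleted;
}

session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit;
}

// How the ID is transported (query string, form field, JSON body) depends on the
// client setup; here it is assumed to arrive as a request parameter named 'id'.
$rawID = $_REQUEST['id'] ?? null;

$db = new mysqli('localhost', 'user', 'pass', 'appdb');   // placeholder credentials

header('Content-Type: application/json; charset=utf-8');
if (deleteAppointment($db, $rawID, (int) $_SESSION['user_id'])) {
    echo json_encode(['ok' => true]);
} else {
    // One generic answer whether the ID was malformed or simply not owned:
    // the user learns the action failed, not which check stopped it.
    http_response_code(404);
    echo json_encode(['ok' => false, 'error' => 'Appointment not found']);
}
```

Returning the same "not found" result for a malformed ID and for someone else's ID is deliberate: it answers the concern in post 7 about error messages, since the response reveals nothing about which check failed, while the server log (where `mysqli_report` exceptions would land) keeps the detail for the developer.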
  21. var object = {name: "you have to put a name", staff: "you have to put some staff", service: "you have to put a service"};
  22. How am I going to do the mapping...I have heard the term before...but I am not sure what to do.
  23. Take a look at this code....

    _.each(user.validationError, function (error) {
        $('.fillname').prepend(error + '<br />');
    });

    It uses _.each, an Underscore method, to display error messages in a form (if the user has filled in the appropriate input fields). user.validationError is an object which contains the error messages, and the function just iterates over them and puts them in an element with the class you see. The problem with this code is that the error messages are NOT displayed under each form element as I want. Given the fact that user.validationError is an object with 3 elements...or less if the user has correctly filled in one or two input elements...how could I iterate this object and assign its values to 3 different elements....each associated with a different form input? It must be a loop...but I need a little help.
  24. jimfog

    payment packages

    As you know, many apps on the web are accompanied by payment packages. I am trying to figure out how to store these in the db. One thought I had is to have an ENUM column in the table in which business users are stored (along with other attributes related to them)...for example, this column might have ENUM values of "solo" and "multi", two names I am considering for the packages. What do you propose? Since it is something common in today's applications, I believe the solution must be more or less standardized.