kurt.santo Posted May 7, 2008

Working on an upload page I want to make sure the uploaded data does not cause any problems. I have created regular expressions for the various fields and would appreciate if someone could look over two of them to see if that makes sense:

I test
- the url as
    if (eregi ('^((http|https)://)?([[:alnum:]\-\.])+(\.)([[:alnum:]]){2,4}([[:alnum:]/+=%&_\.~?\-]*)$', stripslashes(trim($_POST['url'])))) {
- the telephone as
    if (eregi ('^[0-9\.\' \-]{2,20}$', stripslashes(trim($_POST['telephone'])))) {

In addition, I have some fields, which insert blob or text data into db. Are there regular expressions for that? Could not find any examples. I know you have to specify the enctype in form tag and you also have a hidden field with MAX_FILE_SIZE. Cannot find any more recommendations than that. What do you do for those cases?

Kurt

boen_robot Posted May 7, 2008

For validating a URL, I suggest you use the filter_validate_var() function, with its FILTER_VALIDATE_URL constant (you should see the other constants available too. The other most useful one is FILTER_VALIDATE_EMAIL), like for example:

    if (filter_var($_POST['url'], FILTER_VALIDATE_URL)) {

For the second regex, you should know that "\'" is actually resolved to a plain "'". That is,

    '^[0-9\.\' \-]{2,20}$'

is resolved to the string

    ^[0-9\.' \-]{2,20}$

I just thought I should say it in case you think it may cause problems (if you ask me, I have no idea why you need an apostrophe to begin with). If you want to be on the safe side, I'd suggest either removing the apostrophe as an allowable character, or escaping it (again, just to be sure), like:

    '^[0-9\.\\\' \-]{2,20}$'

so that you get

    ^[0-9\.\' \-]{2,20}$

(the first backslash escapes the second backslash, and the third backslash escapes the apostrophe)

For the MAX_FILE_SIZE, as the PHP manual says it, UAs may not send it, so don't rely on it. Do a check anyway with something like

    $_FILES['userfile']['size'] < 10240

(the above checks if the size is no more than 10KBs)

"blob" essentially means "any data" (well, not technically, but in practice...). There's no way to validate this type of data. One more reason why not to use this datatype anyway. Anyhow, it's still a kind of string (in its raw form), so if you just do mysqli_real_escape_string() on it as you do on anything you put into the DB, it should be OK. The same pretty much applies to text also.

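The three checks discussed in the reply above, collected into one script as an added example that is not part of the original posts. The field names `url`, `telephone` and `userfile` and the 10 KB limit follow the thread; the function names and the telephone character set (apostrophe dropped) are assumptions.

```php
<?php
// Added example. Function names are hypothetical; limits follow the thread.
const MAX_UPLOAD_BYTES = 10240; // the 10 KB limit used in the reply

function valid_url($raw): bool
{
    // A request can send url[]=..., which arrives as an array, not a string.
    if (!is_string($raw)) {
        return false;
    }
    $url = trim($raw);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    // FILTER_VALIDATE_URL requires a scheme but accepts any (ftp://, for
    // example), so restrict it to the two the original regex allowed.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

function valid_telephone($raw): bool
{
    // Digits, dots, spaces and hyphens, 2 to 20 characters.
    // \A and \z anchor the whole string; $ would accept a trailing newline.
    return is_string($raw)
        && preg_match('/\A[0-9. \-]{2,20}\z/', trim($raw)) === 1;
}

function valid_upload(array $file): bool
{
    // Use the values PHP recorded on the server; the MAX_FILE_SIZE form
    // field is sent by the client and may be missing or altered.
    return isset($file['error'], $file['size'], $file['tmp_name'])
        && $file['error'] === UPLOAD_ERR_OK
        && is_uploaded_file($file['tmp_name'])
        && $file['size'] > 0
        && $file['size'] < MAX_UPLOAD_BYTES;
}

// Collect the names of the fields that failed validation.
$errors = [];
if (!valid_url($_POST['url'] ?? null))             { $errors[] = 'url'; }
if (!valid_telephone($_POST['telephone'] ?? null)) { $errors[] = 'telephone'; }
if (!valid_upload($_FILES['userfile'] ?? []))      { $errors[] = 'userfile'; }
```
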
kurt.santo Posted May 7, 2008

Thanks for your input.

My test for telephone was actually not meant to validate "\", just "'". Realise now that I should and amended to:

    if (eregi ('^[0-9\.\\-]{2,20}$', stripslashes(trim($_POST['telephone'])))) {

With regard to blob data: How do you store pictures in db then? I am working on a script where you can upload photos to be stored alongside other info...

Kurt

Wander Posted May 7, 2008

i think you can just read the picture into a string and save that into a blob field? then save the name and content-type both in another field

kurt.santo Posted May 7, 2008

> i think you can just read the picture into a string and save that into a blob field? then save the name and content-type both in another field

Wander, how would you do that? I am very new to the whole thing and would be grateful if you have a good online tutorial or similar...

Kurt

Wander Posted May 7, 2008

well, do you know how to handle uploaded files?
you can read about that here: http://w3schools.com/php/php_file_upload.asp

then you should also know how to work with a database
mysql for example, see here: http://w3schools.com/php/php_mysql_intro.asp

to combine, you can do something like

    mysql_connect($host,$user,$pass);
    // read the uploaded temporary file into a string
    $uploadedFile = $_FILES['file']['tmp_name'];
    $content = file_get_contents($uploadedFile);
    // escape every value before it goes into the query
    $content = mysql_real_escape_string($content);
    $name = mysql_real_escape_string($_FILES['file']['name']);
    $type = mysql_real_escape_string($_FILES['file']['type']);
    $query = "INSERT INTO `table`(`field_1`,`field_2`,`field_3`) VALUES('$name','$type','$content');";
    mysql_query($query);

to do this of course, you first need to set up the database, tables, fields, etc.

ps. i cant say im completely sure about it, cause i never used the BLOB-type, i never stored files in the database, but just on the webserver, and the location of the file in the database

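The same insert written with PDO bound parameters instead of string escaping, and with the content type detected on the server rather than taken from the request. This is an added example, not part of the original post; the `photos` table, its columns, the accepted type list and the function name are assumptions, and it needs the pdo and fileinfo extensions.

```php
<?php
// Added example. Hypothetical table: photos(name, mime, data BLOB).
const ALLOWED_IMAGE_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

function store_photo(PDO $db, array $file): int
{
    // Make database failures raise exceptions instead of returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    if (($file['error'] ?? null) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // Detect the type from the file contents; $_FILES[...]['type'] is
    // whatever the client chose to send.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_IMAGE_TYPES, true)) {
        throw new RuntimeException('not an accepted image type');
    }

    // Keep the client's file name only as a label, without any path part.
    $name = substr(basename((string) $file['name']), 0, 255);

    // Bound parameters keep the binary data out of the SQL text entirely,
    // so no escaping function is needed.
    $stmt = $db->prepare(
        'INSERT INTO photos (name, mime, data) VALUES (:name, :mime, :data)'
    );
    $stmt->bindValue(':name', $name);
    $stmt->bindValue(':mime', $mime);
    $stmt->bindValue(':data', file_get_contents($file['tmp_name']), PDO::PARAM_LOB);
    $stmt->execute();

    return (int) $db->lastInsertId();
}

// Usage, with $db an open PDO connection:
// $id = store_photo($db, $_FILES['file']);
```
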
kurt.santo Posted May 7, 2008

Thanks, Wanda,

Will check the links and example code you gave me. Will have a proper read and see if that gives me the necessary answers...

Cheers,
Kurt

This topic is now archived and is closed to further replies.