
Form Validation


smiley

Hey, I am trying to code a form validation but I get a problem with the function "input_check()" on the w3 website, especially with the trim command. It doesn't trim anything.

    $name = test_input($_POST["name"]);

    function test_input($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

    echo $name;

I am thankful for any help.


It trims more than spaces by default, it trims whitespace:

Without the second parameter, trim() will strip these characters:

    " "    (ASCII 32 (0x20)), an ordinary space.
    "\t"   (ASCII 9 (0x09)), a tab.
    "\n"   (ASCII 10 (0x0A)), a new line (line feed).
    "\r"   (ASCII 13 (0x0D)), a carriage return.
    "\0"   (ASCII 0 (0x00)), the NUL-byte.
    "\x0B" (ASCII 11 (0x0B)), a vertical tab.

Note that trim only trims whitespace from the beginning and end of a string. It will not remove characters from the middle (characters between any non-whitespace or non-trimmed character).

If I use trim on a string it strips all the characters you posted … for example:

    $name = "\nMax Mustermann";

    echo trim($name);

output: Max Mustermann

but with $_POST it strips only whitespace … for example:

    <input type="text" name="name" /> // user types: \nMax Mustermann

    $name = $_POST["name"];

    echo trim($name);

output: \nMax Mustermann

I am trying to avoid line breaks etc.


Hang on! How can you enter a newline or return character within an input of type text? Entering '\nMax Mustermann' is just treated as text; it will probably remove the slash but the rest will be treated as text, unless you are doing it dynamically, but then again it seems to work. Example below.

    <!DOCTYPE html>
    <html>
        <head>
            <meta charset="UTF-8">
            <title></title>
        </head>
        <body>
            <?php
            $name = $name2 = "";
            $name = "\n" . 'MasterPlan ' . "\n\r\t";   // double quotes: real control characters
            //$name = 'MasterPlan';
            $name2 = '\nMasterPlan ';                  // single quotes: backslash + n as text

            function test_input($data) {
                //$data = trim($data, '\n'); // would remove the textual characters "\" and "n"
                $data = trim($data);
                $data = stripslashes($data);
                $data = htmlspecialchars($data);
                return $data;
            }

            if (isset($_POST["name"]) && isset($_POST["name2"])) {
                $name = test_input($_POST["name"]);
                $name2 = test_input($_POST["name2"]);
                echo 'xxx' . $name . 'xxx<br>';
                echo 'xxx' . $name2 . 'xxx<br>';
            }
            ?>
            <form action="#" method="post">
                <input name="name" type="text" value="<?php echo $name; ?>">
                <input name="name2" type="text" value="<?php echo $name2; ?>">
                <input type="submit">
            </form>
        </body>
    </html>

I mean with "does not work": normally I thought that trim strips "\n". But if I enter "Max\n" in the input field name, the result is "Maxn". You can also test it. It does not strip "\n" completely, only the slash, and that was irritating!


Use a textarea instead of a regular single-line input if you want to actually type and submit real line breaks. Typing "n" does not submit a line break, it submits the text "n", which is not whitespace. In PHP you can use var_dump to print the variable to see what it is, which will show you the data type and also the length if it is a string, and it will quote the value so you can see exactly where it starts and ends.

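The behaviour the replies above describe, as an added example that is not part of the original thread: the test_input() from the first post run on a real line break and on the literal two-character text \n, the trim() character-list gotcha from the single-quoted '\n' comment, and a way to remove line breaks from the middle of a string (which trim() never does). The inputs are constructed to mimic what $_POST would contain; nothing here needs a browser.

```php
<?php
// Added example, not code from the thread. Shows what trim() and stripslashes()
// do to a real newline versus the text "\n" typed into a single-line input.

function test_input(string $data): string {
    $data = trim($data);            // strips " \t\n\r\0\x0B" at both ends only
    $data = stripslashes($data);    // removes backslashes: the text "\n" becomes "n"
    $data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
    return $data;
}

// Constructed inputs:
// what a <textarea> submits when the user presses Enter before the name
$realNewline = "\nMax Mustermann\r\n";   // double quotes: real control characters
// what an <input type="text"> submits when the user literally types \n
$literalText = '\nMax Mustermann';       // single quotes: backslash + letter n

var_dump(test_input($realNewline));      // string(14) "Max Mustermann"
var_dump(test_input($literalText));      // string(15) "nMax Mustermann"  (only the slash went)

// trim()'s second argument is a character list. In single quotes '\n' is the two
// characters backslash and n, so it strips those letters, including the trailing
// "nn" of "Mustermann", and leaves the real newline alone:
var_dump(trim("\nMax Mustermann", '\n')); // string(13) "\nMax Musterma"
var_dump(trim("\nMax Mustermann", "\n")); // string(14) "Max Mustermann"

// trim() never touches the middle of the string. To get rid of line breaks
// anywhere in a single-line field, replace them explicitly:
function single_line(string $data): string {
    return trim(preg_replace('/[\r\n]+/', ' ', $data));
}

var_dump(single_line("Max\r\nMustermann\n")); // string(14) "Max Mustermann"
```

var_dump() is the quickest way to see the difference: the length it prints (15 vs 14) tells you whether the leading character was a one-byte newline or a two-byte "\n" before you start guessing at what trim() did.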

What happens with the information submitted in the form? If you're using submitted information in email headers like from or subject, then you need to validate any of that information to make sure that it doesn't include extra information to send to other people or insert a spam message. Checking for newlines in those values will help. If you're displaying the information on a web page then you need to sanitize it to remove HTML tags or check for malicious injection attempts, or maybe just escape everything. If it's going in a database then, like all other data from a user that you put into a database, you should use a prepared statement and add the data as parameters.

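The three destinations listed in the reply above, as an added example that is not part of the thread: a CR/LF check for values that go into mail headers, escaping for values that go into a page, and a bound parameter for values that go into a database. The inputs are constructed to look like an injection attempt, and the database part assumes PDO with the sqlite driver is available.

```php
<?php
// Added example, not code from the thread. Same submitted "name", three sinks,
// three different protections. Assumes ext/pdo_sqlite for the in-memory table.

// 1. Mail headers: a CR or LF in the value lets the sender append their own
//    headers (Bcc:, a second Subject:) or a body. Reject; do not silently repair.
function header_safe(string $value): bool {
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// 2. HTML output: escape everything on the way out rather than hunting for tags.
function html_safe(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. Database: the value travels as a bound parameter, never inside the SQL text.
function store_name(PDO $db, string $name): int {
    $stmt = $db->prepare('INSERT INTO contacts (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

// Constructed hostile inputs.
$headerAttack = "Max Mustermann\r\nBcc: victims@example.com\r\n\r\nBuy now";
$mixedAttack  = "<script>alert(1)</script> Robert'); DROP TABLE contacts;--";

var_dump(header_safe("Max Mustermann"));  // bool(true)
var_dump(header_safe($headerAttack));     // bool(false): would have smuggled a Bcc header

echo html_safe($mixedAttack), "\n";       // &lt;script&gt;... is rendered as text, not markup

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
store_name($db, $mixedAttack);

// The quote and the DROP TABLE were stored as data; the table is still there.
var_dump($db->query('SELECT name FROM contacts')->fetchColumn() === $mixedAttack); // bool(true)
```

Note that none of these replace the others: a name that is safe to store with a prepared statement is still unsafe to print without escaping, and a name that has been escaped for HTML can still carry a line break into a Subject: header.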
