May 29, 2008, 8:03 pm
I need to validate a field in a form where a user enters a reference number. This can be letters, numbers and special characters also, so I have not written any special preg_match, as the username is a combination. The only check I am doing is if there are any white spaces, and if a user simply presses the space bar and does not enter a value I display a message to enter the reference number. Even if there are white spaces followed by the reference number, I have used the trim() method. I have checked in the database: even if there are white spaces followed by the reference number, due to the trim() method the data in the table is being inserted without those white spaces.

Following is the code I am presently using:

$referencenumber = trim($_POST["referencenumber"]);
if(strlen($referencenumber) == 0)
    $error .= "<li>Reference number cannot be blank </li> <br />";

This code works perfectly fine and does what it is supposed to; however, I am using techniques to avoid SQL injection. Following is the technique I have:

$username = stripslashes($_POST["username"]);
$username = $_POST["username"];

Due to this, even if I use

$lodgementnumber = stripslashes($_POST["lodgementnumber"]);
$lodgementnumber = trim($_POST["lodgementnumber"]);
if(strlen($lodgementnumber) == 0)
    $error .= "reference number cannot be blank";

the validation is not doing what it does in the code I mentioned at

I need to use techniques to avoid SQL injection and I also need the validation to work. How can I fix this?
Re: form validation
No, even with magic_quotes on, you should still trim() after the stripslashes(). They govern an entirely different property of a string, and are not interchangeable.

1) stripslashes only if magic_quotes are on.
2) trim if you need that (there are cases where whitespace is important and should be maintained).
3) validate against other requirements (foreign keys, limited charset, minimum/maximum length as desired).
4) when working with databases, favor prepared statements, and failing that possibility, favor the escape function needed for that particular
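As an added example, not part of the reply or the original poster's code: the four steps above applied to the reference-number field in PHP, with a PDO/SQLite in-memory table (assumed available) and constructed sample inputs. The reply's step 4 is the one that actually stops SQL injection; steps 1 to 3 keep the blank check and the charset check working on the value you really received.

```php
<?php
// Added example (not the poster's code): the four steps from the reply, in order.
// Assumes a PDO build with SQLite; the table and sample inputs are constructed here.
function cleanReferenceNumber(array $post, string $field, array &$errors): ?string
{
    $value = isset($post[$field]) ? (string) $post[$field] : '';
    // 1) stripslashes only when magic_quotes_gpc is on (removed in PHP 8, so guard the call).
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // 2) trim: leading/trailing whitespace is not part of a reference number.
    $value = trim($value);
    // 3) validate: non-blank, bounded length, and a limited character set
    //    (letters, digits and a few punctuation characters; adjust to your real format).
    if ($value === '') {
        $errors[] = 'Reference number cannot be blank';
        return null;
    }
    if (strlen($value) > 32 || !preg_match('/^[A-Za-z0-9\-\/.#]+$/', $value)) {
        $errors[] = 'Reference number contains invalid characters or is too long';
        return null;
    }
    return $value;
}

// 4) prepared statement: the value is bound as data, never concatenated into the SQL text.
function insertReference(PDO $db, string $ref): int
{
    $stmt = $db->prepare('INSERT INTO lodgements (referencenumber) VALUES (:ref)');
    $stmt->execute([':ref' => $ref]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE lodgements (id INTEGER PRIMARY KEY, referencenumber TEXT NOT NULL)');

// Constructed sample inputs: spaces only, a valid padded value, and a quote-laden string.
$samples = ['   ', '  AB-123/45  ', "x' OR '1'='1"];
foreach ($samples as $input) {
    $errors = [];
    $ref = cleanReferenceNumber(['lodgementnumber' => $input], 'lodgementnumber', $errors);
    if ($ref === null) {
        echo "rejected '$input': " . implode('; ', $errors) . "\n";
    } else {
        echo "inserted '$ref' as id " . insertReference($db, $ref) . "\n";
    }
}
```

The first sample is rejected as blank after trim(), the second is stored as AB-123/45, and the third fails the charset check; even if the charset allowed quotes, the bound parameter would store it literally rather than alter the query.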