form validation


I need to validate a field in a form where a user enters a reference number. This can be letters, numbers and special characters also, so I have not written any special preg match as the username is a combination. The only check I am doing is if there are any white spaces, and if a user simply presses the space bar and does not enter a value I display a message to enter the reference number, and even if there are white spaces followed by the reference number I have used the trim method. I have checked in the database: even if there are white spaces followed by the reference number, due to the trim() method the data in the table is being inserted without those white spaces.

Following is the code I am presently using:

$referencenumber = trim($_POST["referencenumber"]);

if (strlen($referencenumber) == 0)
    $error .= "<li>Reference number cannot be blank </li> <br />";

This code works perfectly fine and does what it is supposed to; however, I am using techniques to avoid SQL injection. Following is the technique I have:

$username = stripslashes($_POST["username"]);

$username = $_POST["username"];

Due to this, even if I use

$lodgementnumber = stripslashes($_POST["lodgementnumber"]);

$lodgementnumber = trim($_POST["lodgementnumber"]);

if (strlen($lodgementnumber) == 0)
    $error .= "reference number cannot be blank";

the validation is not doing what it does in the code I mentioned at the beginning.

I need to use techniques to avoid SQL injection and I also need the validation to work.

How can I fix this?

Please advise.


Re: form validation



No, even with magic_quotes on, you should still trim() after the stripslashes(). They govern an entirely different property of a string, and are not interchangeable.


1) stripslashes only if magic_quotes are on.
2) trim if you need that (there are cases whitespace is important and should be maintained)
3) validate against other requirements (foreign keys, limited charset, minimum/maximum length as desired)
4) when working with databases, favor prepared statements, and failing that possibility, favor the escape function needed for that particular
--

Rik Wasmus
...spamrun finished
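The four steps above, worked through for the poster's reference number field as an added example (not code from either post). The `$pdo` connection, the `lodgements` table, the `referencenumber` column and the 64-character length limit are assumed for illustration.

```php
<?php
// Added example: clean and validate the reference number in the order
// the reply describes, then insert it with a prepared statement.
// $pdo, the table name, the column name and the length limit are assumed.

function clean_reference_number(string $raw): string
{
    // 1) stripslashes only when magic_quotes_gpc actually added backslashes.
    //    get_magic_quotes_gpc() no longer exists in PHP 8, so guard the call.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    // 2) trim AFTER stripslashes, on the same variable. The original post's
    //    mistake was trim($_POST[...]): it re-read the raw input and threw
    //    the stripslashes() result away.
    return trim($raw);
}

function validate_reference_number(string $value, string &$error): bool
{
    // 3) the other requirements: not blank, and not longer than the column.
    //    No charset restriction, because the poster allows letters, digits
    //    and special characters in the reference number.
    if (strlen($value) === 0) {
        $error .= "<li>Reference number cannot be blank</li>";
        return false;
    }
    if (strlen($value) > 64) { // assumed column width
        $error .= "<li>Reference number is too long</li>";
        return false;
    }
    return true;
}

$error = '';
$referencenumber = clean_reference_number($_POST['referencenumber'] ?? '');

if (validate_reference_number($referencenumber, $error)) {
    // 4) prepared statement: the value travels as a bound parameter, so
    //    quotes, backslashes or semicolons inside it never become SQL,
    //    and no escaping function is needed at all.
    $stmt = $pdo->prepare(
        'INSERT INTO lodgements (referencenumber) VALUES (:ref)'
    );
    $stmt->execute([':ref' => $referencenumber]);
} else {
    echo "<ul>$error</ul>";
}
```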
