malicious data to myself.

Can you write out how I would do validation in the code?

Thanks for all of the help so far.

Re: validation

        Below is a function I wrote a while back to screen
all input data for scripts.  Part of it came out of a book
and part was home brewed. It assumes magic quotes are OFF
and register globals is OFF.
Frankly, I look at it now and I'm not sure all of it makes
sense -- although I must have had a reason at the time!

If you have a user form being submitted that contains a text
field called "NAME", the usage would be

$name = script_param("NAME");

        FEEDBACK is welcome.

// This function takes a parameter name and checks both GET
// and POST arrays to find the parameter value.
function script_param ($name) {
  // $HTTP_GET_VARS / $HTTP_POST_VARS (pre-PHP 5.4 arrays) are not
  // superglobals, so they must be imported into function scope.
  global $HTTP_GET_VARS, $HTTP_POST_VARS;

  unset ($val);
  if (isset ($_GET[$name])) {
    $val = $_GET[$name];
    $val = stripcslashes($val);

  } else if (isset ($_POST[$name])) {
    $val = $_POST[$name];

    // mysql_real_escape_string() needs the legacy mysql extension
    // (removed in PHP 7.0).
    if (is_string($val)) {
        $val = mysql_real_escape_string($val);
    }

  } else if (isset ($HTTP_GET_VARS[$name])) {
    $val = $HTTP_GET_VARS[$name];
    $val = stripcslashes($val);

  } else if (isset ($HTTP_POST_VARS[$name])) {
    $val = $HTTP_POST_VARS[$name];

    if (is_string($val)) {
        $val = mysql_real_escape_string($val);
    }
  }

  $value = @trim($val);
  $value = htmlspecialchars($value);

  // return @$value rather than $value to prevent "undefined value"
  // messages in case $val is unset and warnings are enabled
  return (@$value);
}
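
An added example, not code posted in the thread: script_param() applies SQL escaping and HTML escaping when the value is read, whatever it is later used for. The sketch below keeps the two steps apart, validating on input and escaping only for the context the value is written into. The field names EMAIL and MESSAGE, the length limits and the helper names are assumptions.

```php
<?php
// Added example; helper names, field names and limits are assumptions.

// Return one field as a trimmed string, or null if it is missing or
// not a string (a request with NAME[]=x arrives as an array).
function raw_param(array $src, string $name): ?string {
    if (!isset($src[$name]) || !is_string($src[$name])) {
        return null;
    }
    return trim($src[$name]);
}

// Single-line field: non-empty, length-bounded, no control characters.
// Rejecting CR/LF means the value cannot add lines to a mail header.
function valid_line(?string $v, int $max): bool {
    return $v !== null && $v !== '' && strlen($v) <= $max
        && !preg_match('/[\x00-\x1F\x7F]/', $v);
}

// Validate the whole form; values are returned unmodified (no escaping).
function check_form(array $post): array {
    $name  = raw_param($post, 'NAME');
    $email = raw_param($post, 'EMAIL');
    $msg   = raw_param($post, 'MESSAGE');
    $errors = [];
    if (!valid_line($name, 100)) { $errors[] = 'NAME'; }
    if (!valid_line($email, 254)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'EMAIL'; }
    if ($msg === null || $msg === '' || strlen($msg) > 5000) { $errors[] = 'MESSAGE'; }
    return ['errors' => $errors, 'name' => $name, 'email' => $email, 'message' => $msg];
}

// Constructed sample submission (in a real script this would be $_POST).
$sample = ['NAME' => "O'Brien <b>", 'EMAIL' => 'ob@example.com', 'MESSAGE' => 'Hi & bye'];
$r = check_form($sample);
if (!$r['errors']) {
    // Plain-text mail body: no HTML or SQL escaping, the text stays intact.
    $body = "From: {$r['name']} <{$r['email']}>\n\n{$r['message']}\n";
    // HTML page: escape at output time, for the HTML context only.
    $html = '<p>Thanks, ' . htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8') . '</p>';
    echo $body, $html, "\n";
} else {
    echo 'Invalid fields: ', implode(', ', $r['errors']), "\n";
}
```
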

Re: validation

you're not really into php, right?

for a basic validation you may use strip_tags and stripslashes and
htmlentities with all your datafields, f. e.

$name = strip_tags($_POST['name']);
$name = stripslashes($name);
$name = htmlentities($name, ENT_QUOTES);

that's usually smart enough to prevent malicious code in the email
you'll get. if you wanna store the data in a database, a little more
work must be done. but as far as i remember, you're only looking for a


