
Cabbit

Jan 30, 2006
Hi guys, I am starting to learn how to create PHP functions to expand my coding into the realm of really scalable and fast development, without doing so much line by line as I have been doing so far.

Below is my first function, and it works nicely though incomplete; I am still going through a lot of documentation and such to make sure it checks for as many possible injection attacks and errors as possible. Now, what I am having problems with is that I would like to just use:
PHP:
<?php $val1 = form_text_validate($_POST['username']); ?>
Instead of the more cumbersome:
PHP:
<?php $val1 = form_text_validate($value = $_POST['username']); ?>

Anyone got any hints on how to do that? My lecturer stepped me through it in Visual Basic, but PHP is a little different and I have not been able to find much information on accomplishing it.


PHP:
<?php
function form_text_validate($value)
{
	// First stage: escape the string with htmlspecialchars() to neutralise injected markup.
	// The addslashes() here is undone by the stripslashes() on return, so the net effect
	// on the returned text is just htmlspecialchars($value).
	$value_hsc = htmlspecialchars(addslashes($value));
	if ($value_hsc == "")
	{
		// Empty input is rejected.
		return "false";
	}
	elseif (is_numeric($value_hsc))
	{
		// A purely numeric value is rejected for a text field.
		return "false";
	}
	else
	{
		return "true " . stripslashes($value_hsc);
	}
}
?>
 
The way you want to do it looks like it should work the way you have it. Is it giving you errors or something when you try it? I've never seen someone try the second way.
 
:eek: Oh well, it "just works". Never mind me then, I am just looking for it to be more complex than it needs to be.
 
Okies dokies, how is this for validation of the text field then?

PHP:
<?php
// Function for text field validation //
function form_text_validate($value)
{
	// Strip tags first: once htmlspecialchars() has run there is no '<' left
	// for strip_tags() to find, so the original order made this call a no-op. //
	$value_hsc = strip_tags($value);
	// Convert the string to HTML special characters to stop markup injection. //
	$value_hsc = htmlspecialchars($value_hsc, ENT_QUOTES, "UTF-8");
	// First check whether the value is empty. //
	if ($value_hsc == "")
	{
		// Return an error for invalid input. //
		return "null";
	}
	elseif (is_numeric($value_hsc))
	{
		// Return an error for invalid input. //
		return "null";
	}
	else
	{
		// The validated value is returned to the browser. //
		return $value_hsc;
	}
}
?>
 
That's a good start. To see some additional, more extensive techniques, check these articles out:

http://phpsec.org/projects/guide/1.html
http://www.acunetix.com/websitesecurity/php-security-1.htm
http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html

I personally employ a number of security-related checks (one day I'll write my article on it) on form data and validation. You have to decide what level of security you need, though, for each piece of data. Also, checking against too many things can add up in processing time if it's something that runs a whole lot, so you want your validation to be concise yet effective.
 
Wee question: how do you test if a value is empty or is just spaces instead of a word?
 

My preferred method is regular expressions:

PHP:
if (preg_match('/[\w]{1,}/', $word)) {
  // at least one word character (letter, digit or underscore) was found
}
This will return true if there's at least one word-character in a variable (here called $word). This means each of the following would be considered true:
Code:
"name"
"n"
" name "
"      n      "
"      _"
A regular expression might be a touch of overkill here, but regular expressions can be very helpful for other validation of forms. The other popular method is to trim the variable.
PHP:
if (trim($word) == "") {
  // if only spaces were found
}
Trim will cut off any extra spaces at the beginning and end of a string.
 
Thanks, now that I know how to build functions successfully I think I will be able to make my web apps a bit less code hungry and more scalable.
 
Couple of helpful tips...

PHP:
// Function name added so the snippet parses; since PHP 8.0 a defaulted argument before a required one is deprecated.
function example($arg1 = "default", $arg2) { /* ...code... */ return; }

In the above example, the first argument defaults to the word "default" if the argument value is blank. The second argument has no default value.

Using regular expressions is great and extremely powerful, but for simple stuff like the OP requested sometimes this works nicely, too:

PHP:
$myvar = (isset($_POST['username']) && !empty(trim($_POST['username'])) ? trim($_POST['username']) : false;

Which means: set $myvar to the trimmed username if the POST variable exists (important) and the trimmed value is not empty, otherwise set it to boolean false. The trim command strips all whitespace (spaces, tabs, newlines, carriage returns, NULs and vertical tabs) by default. Of course this is a HIGHLY simplified example; trim allows custom chars to strip, and you might need other tests in your conditional. This method is useful as you can test for multiple conditions and set the value based on the results of the test.

Even more useful when $_POST and $_GET globals are involved, because often they can be missing on a submit depending on the HTML that creates the form. This implies the isset() function is darned useful for forms processing and server-side validation.

-jim
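Putting the thread's pieces together (the OP's validation function, the empty/whitespace check, and jim's isset() tip) as an added example that is not any poster's code: the field is fetched with isset(), validated as plain text, and HTML-escaped only when echoed. The function names, the length limit and the sample submissions are assumptions constructed for this example.

```php
<?php
// Added example (not any poster's code): read the field with isset(), reject
// empty, whitespace-only and numeric input while validating, and HTML-escape
// only when echoing. Function names and sample inputs are constructed.
declare(strict_types=1);
// Fetch a form field safely; a missing field gives null instead of a notice.
function read_text_field(array $source, string $name): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;               // absent, or an array was submitted
    }
    return trim($source[$name]);   // strips spaces, tabs, newlines, NULs
}
// Validate the plain value; null on failure, so a legitimate string such as
// "null" or "false" cannot be mistaken for an error.
function form_text_validate(?string $value, int $maxLen = 64): ?string
{
    if ($value === null || $value === '') {
        return null;                         // empty or whitespace-only
    }
    if (!preg_match('/\w/u', $value)) {
        return null;                         // no word character, or bad UTF-8
    }
    if (is_numeric($value)) {
        return null;                         // a bare number is rejected
    }
    if (mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;                         // bound the stored length
    }
    return $value;   // stored unescaped; escaping belongs to output
}
// Escape for HTML at output time. strip_tags() run after this call would be
// a no-op, because no '<' survives htmlspecialchars().
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// Constructed submissions, shaped like $_POST.
$samples = [
    ['username' => '  cabbit  '],   // surrounding spaces are trimmed
    ['username' => "  \t\n "],      // whitespace only
    ['username' => '42'],           // numeric
    ['username' => '<b>bob</b>'],   // markup is kept, then neutralised on output
    [],                             // field missing from the submit
];
foreach ($samples as $post) {
    $clean = form_text_validate(read_text_field($post, 'username'));
    echo $clean === null ? "rejected\n" : 'ok: ' . escape_html($clean) . "\n";
}
```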
 