php function learning

Discussion in 'Web Design and Development' started by Cabbit, Oct 30, 2008.

  1. Cabbit macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #1
    Hi guys, I am starting to learn how to create PHP functions to expand my coding into the realm of really scalable and fast development, without doing so much line by line as I have been doing so far.

    Below is my first function and it works nicely, though it is incomplete; I am still going through a lot of documentation and such to make sure it checks for as many possible injection attacks and errors as possible. Now, what I am having problems with is that I would like to just use:
    PHP:
        <?php $val1 = form_text_validate($_POST['username']); ?>
    Instead of the more cumbersome:
    PHP:
        <?php $val1 = form_text_validate($value = $_POST['username']); ?>
    Anyone got any hints on how to do that? My lecturer stepped me through it in Visual Basic, but PHP is a little different and I have not been able to find much information on accomplishing it.


    PHP:
    <?php
    function form_text_validate($value)
    {
        // First stage is to convert the string to HTML special chars to stop injection. //
        $value_hsc = htmlspecialchars(addslashes($value));
        if ($value_hsc == "")
        {
            return "false";
        }
        else
        {
            if (is_numeric($value_hsc))
            {
                return "false";
            }
            else
            {
                return "true " . stripslashes($value_hsc) . "";
            }
        }
    }
    ?>
     
  2. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #2
    The way you want to do it looks like it should work the way you have it. Is it giving you errors or something when you try it? I've never seen someone try the second way.
     
  3. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #3
    :eek: Oh well, it "just works". Never mind me then, I am just looking for it to be more complex than it needs to be.
     
  4. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #4
    Okies dokies, how is this for validation of the text field then?

    PHP:
    <?php
    // Function for text field validation //
    function form_text_validate($value)
    {
        // First stage is to convert the string to HTML special chars to stop injection. //
        $value_hsc = htmlspecialchars($value, ENT_QUOTES, "UTF-8");

        // Strip tags //
        $value_hsc = strip_tags($value_hsc);

        // First check whether the value is empty. //
        if ($value_hsc == "")
        {
            // Return an error for invalid input. //
            return "null";
        }
        else
        {
            if (is_numeric($value_hsc))
            {
                // Return an error for invalid input. //
                return "null";
            }
            else
            {
                // The validated value is returned to the browser. //
                return($value_hsc);
            }
        }
    }
    ?>
     
  5. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #5
    That's a good start. To see some additional, more extensive techniques, check these articles out:

    http://phpsec.org/projects/guide/1.html
    http://www.acunetix.com/websitesecurity/php-security-1.htm
    http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html

    I personally employ a number of security-related checks (one day I'll write my article on it) on form data and validation. You have to decide what level of security you need though for each piece of data. Also checking against too many things can add up in processing time if it's something that runs a whole lot so you want your validation to be concise yet effective.
     
  6. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #6
    Wee question: how do you test if a value is empty or is just spaces instead of a word?
     
  7. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #7
    My preferred method is regular expressions:

    PHP:
    if (preg_match('/[\w]{1,}/', $word)) {
        // at least one word character was found
    }
    This will return true if there's at least one word-character in a variable (here called $word). This means each of the following would be considered true:
    Code:
    "name"
    "n"
    " name "
    "      n      "
    "      _"
    A regular expression might be a touch of overkill here, but regular expressions can be very helpful for other validation of forms. The other popular method is to trim the variable.
    PHP:
    if (trim($word) == "") {
        // if only spaces were found
    }
    Trim will cut off any extra spaces at the beginning and end of a string.
     
  8. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #8
    Thanks, now that I know how to build functions successfully I think I will be able to make my webapps a bit less code hungry and more scalable.
     
  9. SrWebDeveloper macrumors 68000

    SrWebDeveloper

    Joined:
    Dec 7, 2007
    Location:
    Alexandria, VA, USA
    #9
    Couple of helpful tips...

    PHP:
    function example($arg1 = "default", $arg2) { /* ...code... */ return; }
    In the above example, the first argument defaults to the word "default" if the argument value is blank. The second argument has no default value.

    Using regular expressions is great and extremely powerful, but for simple stuff like the OP requested sometimes this works nicely, too:

    PHP:
    // Note: passing a function result (trim(...)) to empty() requires PHP 5.5 or later;
    // on older versions assign the trimmed value to a variable first.
    $myvar = (isset($_POST['username']) && !empty(trim($_POST['username']))) ? trim($_POST['username']) : false;
    Which means: set the $myvar value to the trimmed username if the post variable exists (important) and the trimmed value is not empty, otherwise set it to boolean false. The trim command strips all whitespace, tabs, newlines, carriage returns, NULs and vertical tabs by default. Of course this is a HIGHLY simplified example; trim allows for custom chars to strip and you might need other tests in your conditional. This method is useful as you can test for multiple conditions and set the value based on the results of the test.

    Even more useful when $_POST and $_GET globals are involved, because often they can be missing on a submit based on the HTML that creates the form. This implies the isset() function is darned useful for form processing and server-side validation.

    -jim
     
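Pulling the thread's pieces together (the validation function from post #4, the whitespace checks from post #7, and the default arguments and isset() test from post #9), here is an added example that is not code from the thread or from any of its posters. It keeps the name form_text_validate but uses an allow-list regex instead of strip_tags(), returns false rather than the string "null" so callers can test with === false, and escapes with htmlspecialchars() only when the value is echoed; html_out() and the sample inputs are constructed for this example.

```php
<?php
// Added example (not from the thread): a text-field validator built from the
// techniques discussed above: isset() for missing fields, trim() and a regex
// for whitespace-only input, and default arguments for the length limits.
// Returns the cleaned string on success, or false on failure.
function form_text_validate($value, $min = 1, $max = 64)
{
    // A missing or non-string field (e.g. name[] submitted as an array) is invalid.
    if (!isset($value) || !is_string($value)) {
        return false;
    }

    // Trim leading/trailing whitespace; a whitespace-only field counts as empty.
    $value = trim($value);
    if ($value === '') {
        return false;
    }

    // Reject purely numeric input, as the OP's function did.
    if (is_numeric($value)) {
        return false;
    }

    // Allow-list the character set rather than stripping tags: letters,
    // digits, underscore, dot and hyphen, within the configured length.
    $pattern = '/^[A-Za-z0-9_.-]{' . (int) $min . ',' . (int) $max . '}$/';
    if (!preg_match($pattern, $value)) {
        return false;
    }

    return $value;
}

// Escape at the point of output: validation decides what is accepted,
// htmlspecialchars() makes the accepted value safe to echo into HTML.
function html_out($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST['username']. In a real
// handler pass isset($_POST['username']) ? $_POST['username'] : null.
$samples = array('alice', '   ', '  bob  ', '12345', '<script>x</script>', 'a_b.c-d');
foreach ($samples as $input) {
    $result = form_text_validate($input, 3, 16);
    echo var_export($input, true) . ' => '
       . ($result === false ? 'rejected' : 'accepted: ' . html_out($result)) . "\n";
}
```

Run from the command line, the loop accepts 'alice', 'bob' and 'a_b.c-d' and rejects the whitespace-only, numeric and tag-containing inputs.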