scorpious
Worker
Joined: Dec 03, 2005
Posts: 153
Posted: Tue Mar 10, 2009 10:56 am
Hi All,
What would be the best way to validate a single text field?
Below is the code I have so far. It works no problem: the user inputs the member's name, then off it goes to pull the information out of the database and display it.
I would like to make sure they don't submit a blank field or try to input any numbers or other stuff they should not be putting in. Also, how safe is it, as anyone who has registered on the site can view this module?
Code:
// Open New table for the input and results
// input
OpenTable();
echo '<center><form action="modules.php?name='.$module_name.'" method="post"> '
    .'Members Name: <input type="text" name="member" size="20" maxlength="20">'
    .'<input type="hidden" name="op" value="find">'
    .'<input type="submit" value="Submit"></form></center>';
// show results from the input ($op and $member arrive via register_globals here)
if ($op != "") {
    echo '<center><b>'.$member.'s Record</b></center><br><br>';
    echo '<table width="100%" border="1" cellspacing="1"><tr>'."\n";
    echo '<td align="center"><font color="'.$textcolor2.'"><b>'._memscore.'</b></td>';
    echo '<td align="center"><font color="'.$textcolor2.'"><b>'._membash.'</b></td>';
    echo '<td align="center"><font color="'.$textcolor2.'"><b>'._memsmg.'</b></td>';
    echo '<td align="center"><font color="'.$textcolor2.'"><b>'._memp44.'</b></td>';
    echo '<td align="center"><font color="'.$textcolor2.'"><b>'._memnads.'</b></td>';
    echo '</tr>';
    echo '<tr>';
The rest of the code fetches the info from the database and shows it.
I have looked around and found a few sites on PHP validation, but I can't seem to get it to work.
Any advice?
Cheers,
scorp
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Tue Mar 10, 2009 11:41 am
Several validation steps are recommended.
First, see if the $_POST field is set. Something like:
if (isset($_POST['memmsg'])) will do.
If your field is supposed to be an integer (like the score one?) the best way to validate is to say:
$memscore = intval($_POST['memscor']);
(assuming that the POST variable is set).
This keeps any non-integer stuff out.
For your text fields you need to decide what the allowable values are. The check_html function in mainfile can keep HTML out if you say:
$memmsg = check_html($_POST['memmsg'], 'nohtml');
If you leave the nohtml parameter out it will run the string through kses, which will fix up any non-compliant HTML and filter out some junk. Plus any POST strings also get run through NukeSentinel if you are in an RN context.
You can use the is_empty function to filter out blank entries. However, you might want to use Javascript on the input screen itself to filter these so the user can't even submit the form with an empty required field.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Thu Mar 12, 2009 6:11 am
Quote: However, you might want to use Javascript on the input screen itself to filter these so the user can't even submit the form with an empty required field.
However, scorpious, do NOT rely on browser-end validation only. That is a security no-no. You MUST also validate within your PHP script every input field.
IMO, Javascript on the browser side is only to be used to improve upon the user's experience on your site, and, yes, providing up-front helpful validation and hints and such avoids having to send the user back error messages from your PHP script.
scorpious
Posted: Sat Mar 14, 2009 5:13 pm
Hi fkelly, montego,
Sorry I never got back sooner, but I have been a bit busy.
Cheers for the reply; here is what I have now.
This is my full code:
Code:
<?php
/************************************************************************/
/* PHP-NUKE: Web Portal System */
/* =========================== */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
if ( !defined('MODULE_FILE') ) {
    die ('You can\'t access this file directly...');
}
define('INDEX_FILE');
require_once('mainfile.php');
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
include_once('header.php');
global $sitename, $module_name, $prefix, $dbi;
$check = "yes";
OpenTable();
echo '<center><b>'._NETWELCOME." $sitename "._INDIVIDUALS.'.</b><br><br>';
echo ''._INFO.'';
CloseTable();
// Open New table for the input and results
// input
OpenTable();
echo '<center><form action="modules.php?name='.$module_name.'" method="post"> '
    .'Members Name: <input type="text" name="member" size="20" maxlength="15">'
    .'<input type="hidden" name="op" value="Submit">'
    .'<input type="submit" name="Submit" value="Submit"></form></center>';
// check for input and empty submit
if (isset($_POST['Submit'])) {
    // without register_globals $member is never set; read it from the POST body
    $member = isset($_POST['member']) ? $_POST['member'] : '';
    if (empty($_POST['member'])) {
        echo '<center>Sorry, You never entered anything<br>';
        echo 'please try again.</center>';
        $check = "no";
    }
    if ($check == "yes") {
        //**************************************************
        // check to see if member is in database if so display info
        // note: $member is placed in the SQL string as-is, so any quote
        // characters in the submitted name reach the query unescaped
        $query = ("SELECT * FROM ".$prefix."_stat WHERE name = '$member'");
        $res = mysql_query($query);
        if (mysql_num_rows($res) > 0) {
            // yes, pull in the user details
            echo '<center><b>'.$member.'s Stats</b></center><br><br>';
            echo '<table width="100%" border="1" cellspacing="1"><tr>'."\n";
            echo '<td align="center"><font color="'.$textcolor2.'"><b>'._memscore.'</b></td>';
            echo '<td align="center"><font color="'.$textcolor2.'"><b>'._membash.'</b></td>';
            echo '<td align="center"><font color="'.$textcolor2.'"><b>'._memsmg.'</b></td>';
            echo '<td align="center"><font color="'.$textcolor2.'"><b>'._memp44.'</b></td>';
            echo '<td align="center"><font color="'.$textcolor2.'"><b>'._memnads.'</b></td>';
            echo '</tr>';
            $resultpersons = sql_query("SELECT memscore, membash, memsmg, memp44, memnads FROM ".$prefix."_stat WHERE name = '$member' ORDER by memscore DESC LIMIT 25", $dbi);
            for ($m = 0; $m < sql_num_rows($resultpersons, $dbi); $m++) {
                list($memscore, $membash, $memsmg, $memp44, $memnads) = sql_fetch_row($resultpersons, $dbi);
                // open a row for every result, not just the first one
                echo '<tr>';
                echo '<td align="center">'.$memscore.'</td>';
                echo '<td align="center">'.$membash.'</td>';
                echo '<td align="center">'.$memsmg.'</td>';
                echo '<td align="center">'.$memp44.'</td>';
                echo '<td align="center">'.$memnads.'</td>';
                echo '</tr>';
            }
            echo "</table>";
        } else {
            // member doesn't exist
            echo "No record for " .$member. " could be found.";
        }
        // ************************************************
        //
    }
}
CloseTable();
include('footer.php');
?>
I have only 1 input field and that's for the member name.
This is a module for RN.
Cheers, Scorp
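For the single "member" field discussed in this thread, here is an added example (not scorpious's module or RavenNuke code) of the server-side validation montego asks for: a whitelist check on the name, a parameterised lookup so the value cannot alter the SQL, and escaping on output. $pdo is an assumed PDO connection to the nuke database and $prefix the trusted config value used by the module.

```php
<?php
// Added example, not the module's own code. Assumptions: $pdo is a PDO
// connection, $prefix comes from config (never from the user).
// Whitelist check: 1-15 characters, letters/spaces/hyphens only, matching
// the form's maxlength="15". Rejected input is reported, never "cleaned".
function validate_member_name($raw) {
    if (!is_string($raw)) {
        return array(false, 'No name was submitted.');
    }
    $name = trim($raw);
    if ($name === '') {
        return array(false, 'Sorry, you never entered anything. Please try again.');
    }
    if (!preg_match('/^[A-Za-z][A-Za-z -]{0,14}$/', $name)) {
        return array(false, 'Names may contain only letters, spaces and hyphens (max 15).');
    }
    return array(true, $name);
}
// The name is bound as a parameter, so quotes in it can never change the SQL.
// Only the table prefix is concatenated, and it is config, not user input.
function fetch_member_stats(PDO $pdo, $prefix, $name) {
    $sql = 'SELECT memscore, membash, memsmg, memp44, memnads FROM ' . $prefix . '_stat'
         . ' WHERE name = :name ORDER BY memscore DESC LIMIT 25';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
// Escape every value on the way out so a stored name cannot inject HTML/JS.
function h($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}
if (isset($_POST['Submit'])) {
    list($ok, $value) = validate_member_name(isset($_POST['member']) ? $_POST['member'] : null);
    if (!$ok) {
        echo '<center>' . h($value) . '</center>';   // $value holds the error text here
    } elseif (!($rows = fetch_member_stats($pdo, $prefix, $value))) {
        echo 'No record for ' . h($value) . ' could be found.';
    } else {
        echo '<center><b>' . h($value) . "'s Stats</b></center><table border=\"1\">";
        foreach ($rows as $row) {
            echo '<tr>';
            foreach ($row as $cell) echo '<td align="center">' . h($cell) . '</td>';
            echo '</tr>';
        }
        echo '</table>';
    }
}
```

The whitelist is deliberately narrow; if real member names need other characters, widen the character class rather than dropping the check, since the parameter binding and output escaping, not the regex, are what keep the lookup and the page safe.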