Matthew Steven Kelly

PHP Input Validation

February 4

Any time a user inputs data to your site, that input should be validated to ensure it cannot harm the system. The obvious problem characters are double and single quotes, which injection attacks use to trick the server into executing malicious code. However, many other special characters and situations can cause problems. This is especially important when the input is stored in a database, sent by email, and so on.

PHP has built-in functions for these tasks, including preg_replace and substr. I created the functions below, which I use for field validation.

They can be called like this:

<?php
echo trimLength("This is a long string that needs to be cut down to ten characters", 10);
echo "<br>";
// single quotes here: in a double-quoted string PHP would interpolate $bad as a variable
echo filterText('This @is$ t%ex&t w*ith $bad character*()@\'s that need filtered');
echo "<br>";
echo filterNumeric("1234ABCD");
echo "<br>";
echo filterEmail("fake's_email@^liar.com");
echo "<br>";
?>

substr is used to trim the length of text, as below. This is especially useful when inserting data into database fields such as varchar columns, which have a limited character length.

// Cut $data down to at most $len bytes (strlen/substr count bytes, not characters).
function trimLength($data, $len)
{
    if (strlen($data) > $len) {
        $data = substr($data, 0, $len);
    }
    return $data;
}
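The post's trimLength() counts bytes, which matters as soon as the input is UTF-8: a varchar(n) column limits characters, and a cut that lands inside a multibyte sequence leaves an invalid string. The following is an added example, not code from the original post; it places the post's function beside a character-aware variant (trimLengthMb is this example's own name) and assumes the mbstring extension is loaded and the file is saved as UTF-8.

```php
<?php
// Added example (not from the original post). Assumes the mbstring extension
// is available and that this file is saved as UTF-8.

// The post's version: strlen() and substr() measure bytes.
function trimLength($data, $len)
{
    if (strlen($data) > $len) {
        $data = substr($data, 0, $len);
    }
    return $data;
}

// Character-aware variant: mb_strlen()/mb_substr() measure characters in the
// given encoding, so the cut never lands inside a multibyte sequence. This is
// the count a varchar(n) column actually enforces.
function trimLengthMb($data, $len)
{
    if (mb_strlen($data, 'UTF-8') > $len) {
        $data = mb_substr($data, 0, $len, 'UTF-8');
    }
    return $data;
}

// Constructed sample: three copies of "ñ", which is 3 characters but 6 bytes
// in UTF-8 (each "ñ" is the two bytes C3 B1).
$input = "\xC3\xB1\xC3\xB1\xC3\xB1";

$byBytes = trimLength($input, 3);   // keeps C3 B1 C3: the third byte is half a character
$byChars = trimLengthMb($input, 3); // keeps all three characters

// mb_check_encoding() reports whether the result is still well-formed UTF-8,
// which is the check to run before handing the value to a database.
foreach (array('byte-based' => $byBytes, 'char-based' => $byChars) as $label => $value) {
    printf("%-10s bytes=%d chars=%d valid_utf8=%s\n",
        $label,
        strlen($value),
        mb_strlen($value, 'UTF-8'),
        mb_check_encoding($value, 'UTF-8') ? 'yes' : 'no');
}
```

Use trimLengthMb() when the column length is expressed in characters (the usual case for varchar in a UTF-8 database) and keep the byte-based version only for byte-sized limits such as binary or varbinary columns.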

For the rest of my filtering, I always use regular expressions to filter out bad characters. I do this because regular expressions let you filter by specifying which characters you allow – not which characters you want to reject. This is an important distinction: there are so many different character sets and special characters that if you filter by replacing known-bad characters, instead of excluding everything you have not explicitly allowed, you open yourself up to unwanted characters entering the system. If you are currently using str_replace to remove apostrophes and quotes, consider upgrading to regular expressions.

This text filter allows periods, commas and spaces in the text, in addition to letters and digits:

// Allowlist: remove anything that is not a letter, digit, period, comma or whitespace.
function filterText($data)
{
    return preg_replace("/[^A-Za-z0-9.,\s]/", "", $data);
}
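To make the allowlist-versus-denylist point above concrete, here is an added example (not code from the original post) that runs the str_replace denylist the post advises against and the post's filterText() allowlist over the same constructed inputs. stripQuotes is this example's own name for the denylist; the sample strings are constructed for illustration.

```php
<?php
// Added example, not from the original post. Compares a denylist (remove the
// two quote characters) with the post's allowlist (keep only what is listed).

// Denylist: removes only the characters its author thought of.
function stripQuotes($data)
{
    return str_replace(array("'", '"'), '', $data);
}

// Allowlist (the post's filterText): keeps letters, digits, period, comma, whitespace.
function filterText($data)
{
    return preg_replace("/[^A-Za-z0-9.,\s]/", "", $data);
}

// Constructed sample inputs.
$samples = array(
    "O'Reilly, \"quoted\"",                   // the characters the denylist was written for
    "semi;colon <tag> back`tick",             // characters the denylist never considered
    "\xE2\x80\x98curly\xE2\x80\x99 quotes",   // U+2018 / U+2019: multibyte quote characters
    "Jos\xC3\xA9 M\xC3\xBCller",              // accented letters: the allowlist drops these too
);

foreach ($samples as $s) {
    printf("input:     %s\n", $s);
    printf("denylist:  %s\n", stripQuotes($s));
    printf("allowlist: %s\n\n", filterText($s));
}
```

Two things are worth noticing in the output. The denylist leaves the semicolon, angle brackets, backtick and the curly quotes untouched, because each one would need its own entry; the allowlist removes them all without being told about them. The flip side is that the allowlist is ASCII-only: it also strips the é and ü from a perfectly ordinary name, so for free-text fields that must accept non-English input the character class needs extending (for example with the /u modifier and Unicode properties such as \p{L}) rather than relaxing back to a denylist.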

Only numbers are returned with this function:

// Allowlist: keep only the digits 0-9.
function filterNumeric($data)
{
    return preg_replace("/[^0-9]/", "", $data);
}

When you need to filter a URL, different special characters such as ?, % and / need to be allowed:

// Allowlist: letters, digits and the URL punctuation : _ % - . / ? , +
function filterURL($data)
{
    return preg_replace("/[^A-Za-z0-9:_\%\-.\/\?,+]/", "", $data);
}

This email filtering function doesn't just filter the characters in an email address; it also validates that it is in username@domain.domaintype format:

function filterEmail($data)
{
    // Split on the first "@" only; reject input that has no "@" at all
    // (otherwise list() would assign an undefined $domain).
    $parts = explode("@", $data, 2);
    if (count($parts) !== 2) {
        return "";
    }
    list($username, $domain) = $parts;
    $username = preg_replace("/[^a-z0-9._-]+/i", "", $username);
    $domain   = preg_replace("/[^a-z0-9._-]+/i", "", $domain);
    // strpos() returns false when "." is absent; compare with === so a "." at
    // position 0 is not mistaken for "not found".
    if ($username == "" || $domain == "" || strpos($domain, ".") === false) {
        return "";
    }
    return $username . "@" . $domain;
}
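Both filterURL() and filterEmail() answer "is this made only of allowed characters?", which is not the same question as "is this a usable address or URL?". The following added example (not code from the original post; it covers both the URL and the email filters above) keeps a version of the post's two functions as the first pass and adds PHP's built-in filter_var() validators, FILTER_VALIDATE_EMAIL and FILTER_VALIDATE_URL, as a second check. validateEmail, validateURL and the http/https scheme allowlist are this example's own choices; the sample inputs are constructed.

```php
<?php
// Added example, not from the original post. First pass: the post's
// character allowlists. Second pass: PHP's built-in validators, so that a
// value which merely survives the character filter is not accepted as valid.

function filterEmail($data)
{
    $parts = explode("@", $data, 2);
    if (count($parts) !== 2) {
        return "";
    }
    list($username, $domain) = $parts;
    $username = preg_replace("/[^a-z0-9._-]+/i", "", $username);
    $domain   = preg_replace("/[^a-z0-9._-]+/i", "", $domain);
    if ($username == "" || $domain == "" || strpos($domain, ".") === false) {
        return "";
    }
    return $username . "@" . $domain;
}

function filterURL($data)
{
    return preg_replace("/[^A-Za-z0-9:_\%\-.\/\?,+]/", "", $data);
}

// filter_var() returns the validated value, or false when it does not validate.
function validateEmail($data)
{
    return filter_var(filterEmail($data), FILTER_VALIDATE_EMAIL);
}

// Character filter, then syntax check, then a scheme allowlist (this example's
// choice): a syntactically valid URL with an unexpected scheme is still rejected.
function validateURL($data, $allowedSchemes = array('http', 'https'))
{
    $cleaned = filterURL($data);
    if (filter_var($cleaned, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($cleaned, PHP_URL_SCHEME));
    return in_array($scheme, $allowedSchemes, true) ? $cleaned : false;
}

// Constructed sample inputs.
$emails = array(
    "fake's_email@^liar.com",  // the post's own sample: stray characters are dropped
    "user+tag@example.com",    // "+" is legal in addresses, but the filter strips it,
                               // so the value stored differs from what the user typed
    "nobody@localhost",        // no "." in the domain
    "not an address",          // no "@" at all
);
foreach ($emails as $e) {
    printf("%-26s -> ", $e);
    var_dump(validateEmail($e));
}

$urls = array(
    "https://example.com/docs/page.html",
    "https://example.com/path?x=1",   // "=" is not in the allowlist, so the query is mangled
    "ftp://example.com/file",         // well-formed, but not an allowed scheme
    "example.com",                    // no scheme: FILTER_VALIDATE_URL rejects it
);
foreach ($urls as $u) {
    printf("%-36s -> ", $u);
    var_dump(validateURL($u));
}
```

The two annotated email and URL cases show the trade-off of filtering by character removal: a legitimate "+" tag in an address, or an "=" and "&" in a query string, are silently removed rather than rejected, and the value that reaches the database is no longer what the user entered. Where that matters, run the validator on the raw input and reject on failure instead of cleaning and storing.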
posted under The Knowledgebase
