Form Validation

Hi all, I have a guestbook whose form submits posts to my database. I was just wondering whether there is a way to validate my form so that the user cannot enter JavaScript or HTML tags?

The page is not a .php page, it is an .shtml page, and it calls the PHP code from a separate file.

Thanks!
 
I haven't a clue about calling it from .shtml.

As mentioned above, you can use JavaScript for some forms of validation, but the user could have JavaScript disabled, so it is always best to have some server-side protection.

But if you wish to strip the tags, use the strip_tags function in PHP.

and

For SQL injection protection: mysql_real_escape_string
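To make the difference between the two functions named in this reply concrete, here is an added example (not code from the thread) that runs one constructed hostile comment through strip_tags(), strip_tags() with an allow-list, and htmlspecialchars(). The input string is made up for illustration; the functions are standard PHP.

```php
<?php
// Added example, not from the original post. Compares what strip_tags()
// and htmlspecialchars() do to a hostile guestbook comment.
// Run with: php compare.php
// The $comment value is constructed for illustration.

$comment = 'Nice site! <script>alert(1)</script> '
         . '<a href="http://example.com" onmouseover="alert(2)">link</a> '
         . 'Tom & Jerry, 5 < 6';

// 1. strip_tags() deletes markup. The <script> tags disappear, but the text
//    that sat between them ("alert(1)") is kept as ordinary text, and a stray
//    "<" in normal prose can be mistaken for the start of a tag, so innocent
//    text after it may be swallowed as well.
$stripped = strip_tags($comment);
echo "strip_tags:             $stripped\n";

// 2. strip_tags() with an allow-list keeps the listed tags together with
//    their attributes. That is not safe on its own: the onmouseover event
//    handler on the <a> survives and will still execute in the browser.
$allowed = strip_tags($comment, '<a>');
echo "strip_tags(allow <a>):  $allowed\n";

// 3. htmlspecialchars() keeps the text exactly as typed and turns <, >, &
//    and quotes into entities, so the browser displays them instead of
//    interpreting them. ENT_QUOTES also encodes single quotes, which matters
//    when the value lands inside an attribute delimited by single quotes.
//    This is the tool to use at output time; it does nothing for SQL.
$encoded = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
echo "htmlspecialchars:       $encoded\n";
```

Neither function protects the database query: strip_tags leaves quotes intact, and htmlspecialchars only touches characters that matter to HTML. Escaping for SQL (or, better, binding parameters) is a separate step applied at the point where the value meets the query.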
 
Thanks, I have written the following code:

Code:
<?php
	// Connect and select the database (password redacted as in the original post).
	$sel = mysql_connect("localhost","cpanelu_dci125","***");
	if (!$sel)
	{
		die('Could not connect: ' . mysql_error());
	}
	mysql_select_db("cpanelu_dci125", $sel);

	// Newest post first.
	$comment = mysql_query("SELECT * FROM guestbook ORDER BY commentID DESC");

	while($line = mysql_fetch_array($comment))
	{
		echo "<b>Post Number: </b>";
		echo $line['commentID'];
		echo "<br />";
		echo "<b>Name: </b>";
		$val = $line['name'];
		// Insert a space every 40 characters so long unbroken strings wrap,
		// then encode so any HTML stored in the row is shown as text, not rendered.
		$val = chunk_split($val,40," ");
		echo htmlspecialchars($val);
		echo "<br />";
		echo "<b>Email: </b>";
		$val = $line['email'];
		echo htmlspecialchars($val);
		echo "<br />";
		echo "<b>Comment: </b>";
		$val = $line['comment'];
		$val = chunk_split($val,40," ");
		echo htmlspecialchars($val);
		echo "<br />";
		echo "<br />";
		echo "<hr />";
	}
	mysql_close($sel);
?>


This displays it how I want; however, it still writes the HTML etc. to the database, and I cannot work out how to make it format the input and then write it... Any ideas :)?
 
OK, I've had a few plays around with this, but everything I have been trying has returned errors, so I can't work out how to make it so that when you look in the database you don't have active links etc., but the validated stuff.
 
Well, you said it displays OK? I guess that's using this...

Code:
echo htmlspecialchars($val);

So you just need to do this? Or am I missing something? :)

Code:
$val = htmlspecialchars($val);
 
Well, this code is called separately: it displays my guestbook on the page and is in a file called display.php. My insert code is as follows:

Code:
<?php
	// Connect and select the database (password redacted as in the original post).
	$sel = mysql_connect("localhost","cpanelu_dci125","********");
	if (!$sel)
	{
		die('Could not connect: ' . mysql_error());
	}

	mysql_select_db("cpanelu_dci125", $sel);

	// The query string is assembled here with the raw $_POST values
	// interpolated straight into the SQL text.
	$dat="INSERT INTO guestbook (name, email, comment)
	VALUES ('$_POST[name]','$_POST[email]','$_POST[comment]')";

	// Blank-field checks. These run after the string above is built but
	// before it is executed.
	if ($_POST['name'] == NULL)
	{
		die('Please Do Not Leave Any Field Blank, You Will Now Return To The Guestbook!');
	}
	elseif ($_POST['email'] == NULL) {
		die('Please Do Not Leave Any Field Blank, You Will Now Return To The Guestbook!');
	}
	elseif ($_POST['comment'] == NULL) {
		die('Please Do Not Leave Any Field Blank, You Will Now Return To The Guestbook!');
	}

	// Execute the insert.
	if (!mysql_query($dat,$sel))
	{
		die('Error: ' . mysql_error());
	}

	echo "Thank you for leaving a comment! You will return to the guestbook shortly";

	mysql_close($sel);
?>
 
Well, I don't know any MySQL at all, but it looks like you're inserting the values before validating them. Also, you'll need to work with the $_POST values using htmlspecialchars?? before you insert.... :confused: :confused: :p
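For the insert side, here is an added example of how a practitioner would structure the handler the thread is circling around. It is not the poster's code, and it swaps two things: bound parameters via PDO instead of mysql_real_escape_string for the SQL side, and storing the raw text while encoding with htmlspecialchars() only at display time (encoding before storage means the row is pre-mangled for any other consumer, such as an e-mail or RSS feed, and gets double-encoded if the display code also encodes). It uses an in-memory SQLite database so it runs offline; the table, column names and field limits are assumptions, and $_POST is replaced by a constructed array. For the poster's setup the DSN would be a MySQL one with the same code otherwise. It assumes the pdo_sqlite and mbstring extensions are loaded.

```php
<?php
// Added example, not code from the thread. Validate first, insert with a
// prepared statement, store raw text, encode only when rendering HTML.
// Uses SQLite in memory so it runs stand-alone: php guestbook.php
declare(strict_types=1);

function connect(): PDO
{
    // Assumption: SQLite for the demo. For MySQL the DSN would be e.g.
    // 'mysql:host=localhost;dbname=cpanelu_dci125;charset=utf8mb4'.
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares on MySQL
    ]);
    $db->exec('CREATE TABLE guestbook (
        commentID INTEGER PRIMARY KEY AUTOINCREMENT,
        name TEXT NOT NULL, email TEXT NOT NULL, comment TEXT NOT NULL)');
    return $db;
}

// Returns a list of error messages; empty means the submission is acceptable.
// Validation checks shape and size, it does not strip characters: "O'Brien"
// and a comment that mentions "<b>" are legitimate input. Limits are assumed.
function validate(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'comment'] as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[] = "Please do not leave the $field field blank.";
        }
    }
    if ($errors) {
        return $errors;
    }
    if (mb_strlen($post['name']) > 60) {
        $errors[] = 'Name is too long (60 characters max).';
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    if (mb_strlen($post['comment']) > 2000) {
        $errors[] = 'Comment is too long (2000 characters max).';
    }
    return $errors;
}

// Bound parameters: the values are sent separately from the SQL text, so a
// quote or semicolon in the name cannot change the statement.
function insertComment(PDO $db, array $post): int
{
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, email, comment) VALUES (:name, :email, :comment)'
    );
    $stmt->execute([
        ':name'    => trim($post['name']),
        ':email'   => trim($post['email']),
        ':comment' => trim($post['comment']),
    ]);
    return (int) $db->lastInsertId();
}

// Encoding happens at the boundary where data meets HTML, not where it meets SQL.
function renderComments(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT * FROM guestbook ORDER BY commentID DESC') as $row) {
        $html .= '<b>Post Number: </b>' . (int) $row['commentID'] . "<br />\n";
        foreach (['name' => 'Name', 'email' => 'Email', 'comment' => 'Comment'] as $col => $label) {
            $html .= "<b>$label: </b>"
                  . htmlspecialchars($row[$col], ENT_QUOTES, 'UTF-8')
                  . "<br />\n";
        }
        $html .= "<hr />\n";
    }
    return $html;
}

// --- demo with a constructed hostile submission (stands in for $_POST) ----
$post = [
    'name'    => "Robert'); DROP TABLE guestbook; --",   // injection attempt
    'email'   => 'bob@example.com',
    'comment' => '<script>alert(document.cookie)</script>',
];

$db = connect();
$errors = validate($post);
if ($errors) {
    foreach ($errors as $e) {
        echo "$e\n";
    }
    exit(1);
}
$id = insertComment($db, $post);   // table still exists, row stored verbatim
echo "Stored post #$id\n";
echo renderComments($db);          // script shown as text, nothing executes

// A malformed submission is rejected before any SQL runs:
print_r(validate(['name' => 'x', 'email' => 'not-an-email', 'comment' => '']));
```

The order of operations is the point: validate, then bind, then encode on the way out. Nothing in the handler needs to know what HTML is, and nothing in the display code needs to know what SQL is.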
 