Verifying $_POST['c']

How to verify input that I cannot define

Wayder

9:16 pm on Jul 14, 2010 (gmt 0)

When I know what I need to test for, I normally use something like this:

    // $_POST['input'] = '2'
    if(is_numeric($_POST['input']) and strlen($_POST['input']) == 1){
        $clean['input'] = $_POST['input'];
    }else{
        $error = 1;
    }

But I am not sure what the input that I need to verify is, other than that it is text inserted by the user. I want to verify, but I cannot restrict what the user is entering, i.e. they could enter "'// Fred" for all I know.

How would I go about this? I was thinking of just using mysql_real_escape_string to insert it into the mysql database, then using htmlentities to display it.

Any suggestions, explanations or discussion would be appreciated.

Readie

9:22 pm on Jul 14, 2010 (gmt 0)

There are several options; a personal favourite of mine is just to write a regular expression and check it with preg_match().

If you want to check to make sure that the user has entered a single number, then what you've mentioned above is fine.

With regards to just inserting it and displaying it with htmlentities()...

    $sql = 'SELECT column FROM table WHERE column2 = "something" LIMIT 1';
    $result = mysql_query($sql);
    if($res = mysql_fetch_assoc($result)) {
        echo htmlentities(stripslashes($res['column']), ENT_QUOTES);
    }

is my preferred method of doing it: I've yet to find an instance where that doesn't display correctly.

Matthew1980

9:27 pm on Jul 14, 2010 (gmt 0)

Hi there wayder,

[EDIT]:Readie is getting faster at typing than me ;-p

Are you just trying to validate the numerical input from the user? If so, you have it pretty much sussed I would say.

    if(isset($_POST['c']) && is_numeric($_POST['c'])){
        //the value of $_POST['c'] is numerical & contains no chars :)
    }else{
        //the value of $_POST['c'] contains chars and not ints :)
    }


From that, you don't need to perform any more checks (other than the number of digits, if you wish) to use this in conjunction with SQL. All mysql_real_escape_string() does is escape certain chars with slashes to make them SQL safe, and as there are no chars in that var, there is no real need to use that function IMO.

I hope I have understood you correctly :)

Cheers,
MRb

Readie

9:39 pm on Jul 14, 2010 (gmt 0)

*getting* faster Matt? :P

Oh well, condescending hole-poking-in-your-code time! Either that or you misspoke in your comments... Oh well :) smileys make it all better.

    if(isset($_POST['c']) && is_numeric($_POST['c'])){
        //the value of $_POST['c'] is numerical & contains no chars
    }else{
        //the value of $_POST['c'] contains chars and not ints
    }

Not really... is_numeric() is quite lenient: it allows decimals and a correctly formatted e-notation number.

    if(isset($_POST['c']) && preg_match('/^[\d]+$/', $_POST['c'])) {
        // $_POST['c'] is set and is an integer
    } else {
        // $_POST['c'] is either not set, or contains characters other than numbers
    }

Wayder

9:46 pm on Jul 14, 2010 (gmt 0)

I can't use preg_match as I don't know what I am testing for. I don't have to manipulate the input, but it could be as varied as:

/file.php?a=1&b=2#anchor
2/789 Fosworth Ave
2-789 Fosworth Ave.
Mary had a little lamb ....; à
459873/35465--354*3 deregated.

All I have to do is capture it and display it when required. I was just thinking of trying to protect the database from anything malicious.

I think I will just enter it with mysql_real_escape_string and display it as you mentioned.

Thanks.

Matthew1980

9:49 pm on Jul 14, 2010 (gmt 0)

Hi all,

>>condescending hole poking

Isn't that *technically* the other half's job ;) Lol!

    if(isset($_POST['c']) && is_int($_POST['c'])){
        //the value of $_POST['c'] is numerical & contains no chars :)
    }else{
        //the value of $_POST['c'] contains chars and not ints :)
    }


or

    if(isset($_POST['c']) && (int)$_POST['c']){ //admittedly loose but does *kinda work*
        //the value of $_POST['c'] is numerical & contains no chars :)
    }else{
        //the value of $_POST['c'] contains chars and not ints :)
    }



[EDIT]:(again):
I knew there was another one:)

    if(isset($_POST['c']) && ctype_digit($_POST['c'])){
        //the value of $_POST['c'] is numerical & contains no chars :)
    }else{
        //the value of $_POST['c'] contains chars and not ints :)
    }



I think you get the point now though...

Another couple or three examples, but I agree with the regex angle, much more 'trustworthy'.

And yes, *getting* faster - or am I getting slower?

[EDIT]:
Well, if it's that varied, you just need to use strip_tags() & mysql_real_escape_string() in conjunction, then at least you are safer against injections - makes me wonder what the user is putting into the DB, links perhaps - I'm now intrigued :)

Cheers,
MRb

[edited by: Matthew1980 at 9:58 pm (utc) on Jul 14, 2010]
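The original question (arbitrary text in, the same text out) in working code, as an added example that is not from any of the posters: the text is stored unchanged through a prepared statement and encoded once, on output, for HTML. It assumes PDO with the pdo_sqlite extension and uses an in-memory SQLite database so it runs stand-alone; the same calls work against MySQL with a mysql: DSN. The sample inputs are constructed from the thread plus two hostile strings.

```php
<?php
// Added example, not code from the thread. Arbitrary user text is stored
// exactly as submitted via a prepared statement and encoded only when it is
// rendered into HTML. Assumption: the pdo_sqlite extension is available; an
// in-memory SQLite database stands in for MySQL so the script runs offline.
// Run with: php store_and_render.php

declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // bind parameters in the driver, not by string building
    ]);
    $pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

/** Store the text as-is; the placeholder keeps the value out of the SQL text. */
function storeNote(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

/** Read the stored text back unchanged (the id is bound, not interpolated). */
function fetchNote(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $body = $stmt->fetchColumn();
    return $body === false ? null : (string) $body;
}

/** Encode for an HTML text or attribute context; ENT_QUOTES covers both quote styles. */
function renderNote(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: the thread's samples plus an injection and an XSS attempt.
$inputs = [
    '/file.php?a=1&b=2#anchor',
    '2/789 Fosworth Ave',
    'Mary had a little lamb ....; à',
    '459873/35465--354*3 deregated.',
    "'; DROP TABLE notes; -- Fred",
    '<script>alert(1)</script> and 2<3',
];

$pdo = openDb();
foreach ($inputs as $raw) {
    $id     = storeNote($pdo, $raw);
    $stored = fetchNote($pdo, $id);
    printf("round-trip %s: %s\n", $stored === $raw ? 'intact' : 'CHANGED', json_encode($raw));
    printf("  html: %s\n", renderNote((string) $stored));
    // strip_tags() is lossy on ordinary text: everything after an unmatched '<' is dropped
    if (strip_tags($raw) !== $raw) {
        printf("  strip_tags() would have stored: %s\n", json_encode(strip_tags($raw)));
    }
}
// The injection string was just data: the table still holds one row per input.
printf("rows: %d\n", (int) $pdo->query('SELECT COUNT(*) FROM notes')->fetchColumn());
```

Two points the script makes concrete. Escaping with mysql_real_escape_string() only protects a value that ends up inside a quoted string literal; an unquoted number dropped into the SQL is not protected by it, which is why binding parameters is the simpler rule to follow everywhere. And transformations such as strip_tags() or htmlentities() before the INSERT change the stored data (the "2<3" input loses its tail) while still leaving you to encode for whichever context eventually displays it, so encoding belongs at the output boundary, not on storage.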

Wayder

9:52 pm on Jul 14, 2010 (gmt 0)

Darn, you're both too fast for me ;)

Readie

9:54 pm on Jul 14, 2010 (gmt 0)

>>condescending hole poking

Isn't that *technically* the other half's job ;) Lol!

Ahh brilliant, I seriously fell back laughing. High five sir!

if(isset($_POST['c']) && is_int($_POST['c'])){

Unfortunately will always fail - if you recall my post on the subject and dc's answer: $_POST data is always a string, is_int() checks the type.
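The integer checks proposed through this thread (is_numeric(), is_int(), the (int) cast, ctype_digit(), preg_match()) side by side on one set of inputs, as an added example that is not from any of the posters. It also includes filter_var() with FILTER_VALIDATE_INT, which the thread does not mention, and the sample inputs are constructed to hit the edge cases raised above (decimals, exponent notation, "0", a trailing newline).

```php
<?php
// Added example, not code from the thread: run every integer check proposed
// above against the same constructed inputs and print the verdicts side by
// side. Every value is a plain string, as $_POST values always are.
// Run with: php post_int_checks.php

declare(strict_types=1);

/**
 * Apply each candidate check to one raw POST value.
 * Returns check name => bool (true means "accepted as an integer").
 */
function checkInteger(string $raw): array
{
    return [
        // lenient: also accepts decimals, exponent notation, a sign and leading whitespace
        'is_numeric'     => is_numeric($raw),
        // always false for POST data because the value is a string, not an int
        'is_int'         => is_int($raw),
        // truthiness of the cast: rejects "0", accepts "2abc"
        '(int) cast'     => (bool) (int) $raw,
        // ASCII digits only; rejects "", "-1" and any whitespace
        'ctype_digit'    => ctype_digit($raw),
        // $ also matches before a final "\n", so "12\n" gets through
        'preg /^\d+$/'   => preg_match('/^\d+$/', $raw) === 1,
        // D modifier: $ matches only at the very end of the string
        'preg /^\d+$/D'  => preg_match('/^\d+$/D', $raw) === 1,
        // built-in integer validator: allows a sign, rejects decimals and
        // exponents. Compare with !== false so a valid "0" is not rejected.
        'filter_var INT' => filter_var($raw, FILTER_VALIDATE_INT) !== false,
    ];
}

/**
 * What a form handler would actually call: the validated int, or null when
 * the field is missing or not an integer. The raw string is never returned.
 */
function postedInt(array $post, string $key): ?int
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $value = filter_var($post[$key], FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

// Constructed sample inputs covering the edge cases raised in the thread.
$samples = ['2', '0', '-1', '1.5', '1e3', ' 2', "12\n", '2abc', '012', ''];

$names = array_keys(checkInteger('0'));
printf('%-8s', 'input');
foreach ($names as $name) {
    printf(' | %-15s', $name);
}
echo PHP_EOL;
foreach ($samples as $raw) {
    printf('%-8s', json_encode($raw));   // json_encode() makes "\n" and "" visible
    foreach (checkInteger($raw) as $ok) {
        printf(' | %-15s', $ok ? 'accept' : 'reject');
    }
    echo PHP_EOL;
}

// Usage from a request handler, with a constructed stand-in for $_POST:
$fakePost = ['c' => '1e3'];
var_dump(postedInt($fakePost, 'c'));   // NULL: exponent notation is not an integer
$fakePost = ['c' => '7'];
var_dump(postedInt($fakePost, 'c'));   // int(7)
```

Reading the table down the "0" and "12\n" rows shows why the thread's later suggestions differ: the (int) cast throws away a legitimate zero, and a bare $ in the regex lets a trailing newline through, which matters once the value is compared as a string or logged. Whatever check is chosen, the value that reaches the SQL should be the validated integer, not the original $_POST string.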