5.9 Validating Web Data


Blindly accepting data from users on the Web and operating on it is asking for trouble: anything that reaches a shell, a file system call, or a database query has to be treated as hostile until proven otherwise. Therefore, we need functions for making sure that attacker-controlled input cannot harm our system.

Technique

To make sure that user input cannot smuggle shell commands into a pipe or into one of the program execution functions, pass it through the escapeshellcmd() function before handing it to the shell:

 <?php
 // $input is the user-supplied string; $output receives the command's output lines
 exec (escapeshellcmd ($input), $output);
 ?>

You also might want to test whether a user has actually filled in the name field. For this, we use the empty() function:

 <?php
 // $name is the submitted form field; with register_globals off (the default since
 // PHP 4.2) read it from $_POST['name'] instead of trusting a bare global
 if (empty ($name)) {
     die ("You have to supply your name");
 }
 ?>

Comments

The escapeshellcmd() function escapes all shell metacharacters (#, &, ;, `, |, *, ?, ~, <, >, ^, parentheses, brackets, braces, $, backslash and newline), so the shell can no longer interpret user input as additional commands. I recommend that you make it a habit to always run escapeshellcmd() before putting user data into a program execution function ( system() , exec() , passthru() , or popen() ). Two caveats are worth remembering. First, escapeshellcmd() does not escape spaces, so a user can still append extra arguments to the command you run; when the input is meant to be a single argument, escapeshellarg() (which wraps the value in single quotes and escapes any quotes inside it) is the right tool. Second, neither function stops an argument that begins with a dash from being read as an option, so wherever you can, check the value against an allow-list of permitted characters before it gets anywhere near a shell.

The empty() function tests whether the name field has been filled out, not whether the name field is valid. So, I could say that my name was "foo" and it wouldn't really matter to PHP as long as $name was filled out. That's about as precise as you can get with validating names. (Okay, you can check for alphabetical characters, but anybody with some intelligence can get around that.) Note also that empty() treats the string "0" as empty, so a field whose legitimate value might be "0" needs an isset() or strlen() test instead. More precision is available when checking things such as a user's email, but that will be addressed in later recipes.
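The following script is an added example that is not part of the cookbook. It contrasts the recipe's escapeshellcmd() approach with per-argument escaping and with an allow-list, using a hypothetical ping lookup and a hypothetical host form field; the command strings are built and displayed rather than executed, and the "--" separator only helps with programs that honor it.

```php
<?php
// Added example (not from the cookbook). Shows why escapeshellcmd() alone is
// not enough and what to use instead. The `ping` command and the form field
// names are assumptions for illustration only.

declare(strict_types=1);

// The recipe's approach: whole string through escapeshellcmd(). Metacharacters
// are neutralised, but whitespace is not, so extra arguments still get through.
function build_with_escapeshellcmd(string $host): string
{
    return 'ping -c 1 ' . escapeshellcmd($host);
}

// Safer: escape each argument on its own with escapeshellarg(), so the user
// value can only ever be a single argument. "--" tells getopt-style programs
// that no options follow (assumed to be honored by the target program).
function build_with_escapeshellarg(string $host): string
{
    return 'ping -c 1 -- ' . escapeshellarg($host);
}

// Safest: validate against an allow-list before the value reaches a shell.
// Hostnames here: letters, digits, dots and hyphens, not starting with "-".
function is_valid_hostname(string $host): bool
{
    return (bool) preg_match('/^(?!-)[A-Za-z0-9.-]{1,253}$/', $host);
}

// The recipe's presence check, written the right way round and reading from
// the request array instead of relying on register_globals. strlen() rather
// than empty() so that a legitimate "0" is not rejected.
function require_field(array $request, string $field): string
{
    if (!isset($request[$field]) || strlen(trim((string) $request[$field])) === 0) {
        die("You have to supply your {$field}");
    }
    return (string) $request[$field];
}

// Constructed inputs for demonstration (not real traffic).
$inputs = [
    'benign'             => 'example.com',
    'metacharacters'     => 'example.com; rm -rf /',
    'argument injection' => '127.0.0.1 -c 100000',
];

foreach ($inputs as $label => $host) {
    $request = ['host' => $host];
    $value   = require_field($request, 'host');

    echo "== {$label}: {$value}\n";
    // With escapeshellcmd() the injected "-c 100000" survives as a second option:
    //   ping -c 1 127.0.0.1 -c 100000
    echo "  escapeshellcmd : " . build_with_escapeshellcmd($value) . "\n";
    // With escapeshellarg() the whole value becomes one quoted argument:
    //   ping -c 1 -- '127.0.0.1 -c 100000'
    echo "  escapeshellarg : " . build_with_escapeshellarg($value) . "\n";
    echo "  allow-list     : " . (is_valid_hostname($value) ? 'accepted' : 'rejected') . "\n";
}
```

Run it from the command line with php and compare the three lines for the "argument injection" input: escapeshellcmd() leaves the embedded option intact, escapeshellarg() confines it to a single argument, and the allow-list rejects it outright because of the embedded space. In production code the allow-list check should run first and the escaped command should only be built for values that pass it.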



PHP Developer's Cookbook
PHP Developers Cookbook (2nd Edition)
ISBN: 0672323257
Year: 2000
Pages: 351
