openmind — Wed, 26 Mar 2003 20:16:00 +0000

Quote: Originally posted by evvo
the form field validation is done server-side with coldfusion...

Are you usinf CFSCRIPT of CFORM or CFIF/CFELSE to validate the form?

Post the code and I'll take a look.

Suzanne — Wed, 26 Mar 2003 17:26:48 +0000

So, Evvo, is the server-side validation checking for whether the variables exist, or actually testing them for correct content?

evvo — Wed, 26 Mar 2003 14:18:56 +0000

the form field validation is done server-side with coldfusion...

Busy — Mon, 24 Mar 2003 08:42:31 +0000

if you want to really validate it you need to check for things like   as well, also make sure people aren't using html )or any language) tags in what they submit.

$search = array ("'&lt;script[^&gt;]*?>.*?&lt;/script&gt;'si",  // Strip out javascript
                 "'<[\/\!]*?[^<>]*?>'si",           // Strip out html tags
                 "'([\r\n])[\s]+'",                 // Strip out white space
                 "'&(quot|#34);'i",                 // Replace html entities
                 "'&(amp|#38);'i",
                 "'&(lt|#60);'i",
                 "'&(gt|#62);'i",
                 "'&(nbsp|#160);'i",
                 "'&(iexcl|#161);'i",
                 "'&(cent|#162);'i",
                 "'&(pound|#163);'i",
                 "'&(copy|#169);'i",
                 "'&#(\d+);'e");                    // evaluate as php

$replace = array ("",
                  ".",
                  "\\1",
                  "\"",
                  "&",
                  "",
                  "",
                  "",
                  chr(161),
                  chr(162),
                  chr(163),
                  chr(169),
                  "chr(\\1)");
                                    
$item = preg_replace ($search, $replace, $item);       

'Or something like that

Suzanne — Mon, 24 Mar 2003 06:14:02 +0000

I have been using simple regular expressions on my own sites for some limited applications, though I confess they still give me the heebie jeebies, but I'm getting there. I haven't done my own server-side form validation, having not needed any forms in the last couple of years that weren't part of larger applications.

This site (for me) that's an issue has been programmed by at least two other people, neither of which seeme to care about a) concise scripting, b) validation, c) commenting their work -- so I'm having a bit of trouble finding all the little problems, this was one of them.

I really appreciate the feedback on this, hopefully the original poster has had his problem revealed as well. It's really helping me get up to speed as well, as it seems like I'm going to have to get into form validation from the server-side on a number of projects for lack of willing wallets to pay for programmers. :-/

samsm — Mon, 24 Mar 2003 05:00:56 +0000

Users are totally unpredictable! Or (more accurately) you have to predict that they will do anything!

Validation strings for email are about the most common regular expressions you can find. Nearly every tutorial about regular expressions involves email validation.

Keeping in mind that far more complete expressions exist, consider this:

 if (!preg_match('/.+@.+\..+/', $source))
{
   // bad email!!
}

' All that says is: make sure the text entered contains characters followed by a @ folled by characters followed by a period followed by more characters.

A nice little bit of validation... not the most restrictive: a user could still enter illegal characters like backslashes and such, but it covers most situations without risking being so restrictive that new domains or foreign characters cause it to balk on false negatives.

zollet — Sun, 23 Mar 2003 21:31:50 +0000

Another way is to do a trim($var); first to remove any spaces in the begining and/or the end of a variable. This way, if the user has typed in " user name ", the result will be "user name" and if they have only typed in spaces, the result will be an empty var.

necrotic — Sun, 23 Mar 2003 21:20:21 +0000

'Cause they're idiots? I hate it when people use an email address that they NEVER check and then complain to me because they can't login at all.

Suzanne — Sun, 23 Mar 2003 21:10:12 +0000

Good call! I did have it just as !$name and !$email. Now the question is, why would people use spaces?

samsm — Sun, 23 Mar 2003 17:29:55 +0000

Regular expressions are good for this sort of thing. You can have one in place like this (just tests for the presence of a letter or number):

 if (!preg_match('/\w/', $source))
{
   // whoa! Not even one letter or number?
   // that can't be right!
} 

'
If you have structured data you can adjust the expression to ensure more accurate data. For email addresses and telephone numbers you can find such expressions already made and tested.