PHP Programs to Prevent MySQL Injection or HTML Form Abuse - Validating Text and Email Input (
Page 4 of 4 )
This will be used to validate form input such as a username, first name and last name of the person, as well as the email address.
<?php
//Validate text input
if (! preg_match('/^[-a-z.-@,'s]*$/i',$_POST['name']))
{
}
else
if ($empty==0)
{
}
else
{
}
?>
The good thing about this validation script is that it will not accept blank input. Some malicious users also manipulate database by entering a blank input. In the above script, it validates only one text variable, “$name.” This means that if you have three text variables, you can make three validating scripts for each of those variables, to make sure every variable is clean before it goes into the database.
Want stronger protection?
If you need stronger protection you can validate the user input using the above scripts and
mysql_real_escape_string
; this will offer secondary protection in case the above validation scripts fail due to some reason. Discussing this feature is beyond the scope of this article and you can read useful resources on:
http://www.php.net/mysql_real_escape_string
However, before you can use this feature, you must be connected to a MySQL database, or else it will return an error. Some really talented hackers can play around with
mysql_real_escape_string, which is why it is highly recommended to have a double filter in your scripts (validating scripts +
mysql_real_escape_string
) to make hacking much more difficult.
