Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.


#160178
function validate_input($data)
{
    $data = trim($data);            // strip surrounding whitespace
    $data = stripslashes($data);    // undo magic_quotes-style backslashes
    $data = htmlspecialchars($data); // encode <, >, &, " as HTML entities
    return $data;
}

This, and functions like it, are not good. Your previous code was much better. Here’s the problem:

  • Doesn’t validate anything. Performs some sanitization; however:
  • Assumes magic_quotes_gpc are enabled. If they are, you should simply turn them off in your php.ini. If they are not, then doing this can actually cause more problems.
  • Assumes you’re printing the input back out to the user. If you aren’t (say you’re sending a JSON response, or saving to a database), then htmlspecialchars will just cause confusion down the road.

In short, you need to know what you are going to do with the data before you validate/sanitize it. What you need to do will depend on the sort of data it is (e.g., is it an email address? formatted text? a number?) and what you intend to do with it (e.g., are you printing it? saving in a database? using as input for a function?).

The problem now is I cannot get the insert statements to execute.

It is likely that the call to htmlspecialchars is generating semicolons (;) in your data (because that’s what it’s supposed to do), which are causing errors in your mysql statements (because a semicolon ends an SQL statement).

This gives a redirect loop error.

What do you mean by “redirect loop error”? The code you posted only redirects if the SQL query was successful, and you say that it is not.

You’re printing mysql_error. What does it say?

Also, I understand that you want to continue using the mysql_* functions for now, but note that some functions are not only deprecated, but outright broken. mysql_escape_string, for example, does not respect the DB connection character set and was never safe to use. At a bare minimum, you need to use mysql_real_escape_string. Likewise, the manual explicitly says “do not use” mysql_db_query. It was replaced with the functions mysql_select_db and mysql_query, in the year 2000, because it was broken.

I’m sorry to be stubborn about this, but this is the only advice I can offer: don’t use old, broken functions. There is no way to make them “work.”

I think we’re floundering, here: we’ve been talking about a lot of things, adding and removing stuff, but it’s not “coming together.” I wrote a new version of your script so you can see the “whole picture” of what I am trying to describe, kinda like a tutorial. If you’d like to use it, you are welcome to. If you have any questions please ask.

Sorry I couldn’t be more helpful.
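An added example, not code from the post above or from the thread, illustrating the point about deciding what the data is and what will be done with it before touching it: each field is validated according to its type, HTML escaping happens only at the moment of printing, and storage goes through a prepared statement so no escaping function is needed at all. The `$post` array, the `contacts` table and its column names are constructed for this example.

```php
<?php
// Added example (not from the original post): validate by data type,
// escape only at the point of use, bind parameters when saving.

declare(strict_types=1);

/**
 * Validate one submitted field according to what it is supposed to be.
 * Returns the cleaned value, or null when the field is missing or invalid.
 * Nothing here is escaped for HTML or SQL; that happens where the value is used.
 */
function validate_field(array $input, string $name, string $type): ?string
{
    if (!isset($input[$name]) || !is_string($input[$name])) {
        return null;                       // field absent or not a plain string
    }
    $value = trim($input[$name]);
    if ($value === '') {
        return null;                       // empty form field
    }
    switch ($type) {
        case 'email':
            $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
            return $ok === false ? null : $ok;
        case 'int':
            $ok = filter_var($value, FILTER_VALIDATE_INT);
            return $ok === false ? null : (string) $ok;
        case 'text':
            // Free text: reject control characters other than newline and tab.
            return preg_match('/[^\P{C}\n\t]/u', $value) ? null : $value;
        default:
            throw new InvalidArgumentException("unknown field type: $type");
    }
}

/** Escape for HTML output, called only when a value is about to be printed. */
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Store validated values. Table and column names are assumptions for this example.
 * Values are bound as parameters, so the SQL text never contains user data.
 */
function insert_contact(mysqli $db, string $email, string $age, string $message): bool
{
    $stmt = $db->prepare('INSERT INTO contacts (email, age, message) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $age_int = (int) $age;
    $stmt->bind_param('sis', $email, $age_int, $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample input standing in for $_POST, so this runs without a web server.
$post = ['email' => ' alice@example.com ', 'age' => '31', 'message' => "Hi & <b>hello</b>"];

$fields = ['email' => 'email', 'age' => 'int', 'message' => 'text'];
$clean  = [];
$errors = [];
foreach ($fields as $name => $type) {
    $value = validate_field($post, $name, $type);
    if ($value === null) {
        $errors[] = "$name is missing or invalid";
    } else {
        $clean[$name] = $value;
    }
}

if ($errors) {
    foreach ($errors as $e) {
        echo html($e), "\n";
    }
    exit(1);
}

// Printing back to the user: escape here, and only here.
echo 'Thanks, ', html($clean['email']), "\n";
echo 'Message: ', html($clean['message']), "\n";

// Saving: hand the raw validated values to insert_contact($db, ...) with a mysqli
// connection; a JSON response would use json_encode($clean) on the same raw values.
```

The validated values in `$clean` are kept unescaped on purpose: the same array can be printed (through `html()`), stored (through the prepared statement) or returned as JSON, and each destination applies the encoding it actually needs. Running `htmlspecialchars` up front, as in the quoted function, would have put HTML entities into the database and the JSON.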