I'm trying to create an system that can calculate all input given for invoice related calculating.
What I'm trying to achieve is when I have multiple text fields (Yes I want to use text fields otherwise I would have used the build in validator for the number field)
So when I click out of a text box it needs to validate live if the input is numeric. and when its not it should show some message above it that it isn't and make the field red like an error. BEFORE submitting the form
And yes I know this is easily done with jQuery/ajax/php setups but I want to only use PHP. So IS there some kind of way to do this pure PHP or not because I can't seem to find some way or tutorial that does this.
Sorry if this question is shit but I'm at wits end now searched for 2 hours straight and cant even come close to finding some way that uses only PHP.
I'm using an hidden div and going to use style tags that only show when input is wrong so the errors/red colors are already done now I just need some kind of validator
Thanks in advance and again I'm sorry if this is a shitty question
If you want the validation on server-side in PHP you need to use either a ajax request on each click and send the data, or do the following before you echo or output anything, for example if your model or controller...Iterate on your data and run this regex rule on each of your values:
if( preg_match('/^[1-9]\d*(\,\d+)?$/', $inputValue ) ) {
// It is numeric
}
else{
// It is not numeric
}
I assume you use . as your decimal operator? If no, the rule should be:
preg_match(^[1-9]\d*(\,\d+)?$)
This will tell you if it's numeric.
Note that the $inputValue is the variable you are testing.
Because you want to validate a text box live on the browser (which is the client side), you cannot use PHP which is server side language to accomplish this. Sorry but you cannot.
Related
I use php to manage html and now I have problem with input date in mysql.
All with my input in MySQL or update or delete in MySQL is ok but how I can make security for input data in mysql because if some one open to see my html source code with browser he can see my predefined inputs and he can change thats in html and after that enter wronk inputs in mysql.
This is my code:
Options Value: <select name="extend">
<option value="<?php $_end1;$newDate = date('Y-m-d', strtotime($_end. " + 1 month"));echo $newDate;?>">1 Month</option>
Now when if someone open browser and see my code he can replease 1 month with several month and that in MySQL.
How can I this secure and or hide that in HTML.
Thx
If you're wanting to have fields or input that can't be edited by the user, such as the current date that the form was submitted on or something along the lines of that, you need to do do all of that on the server side (not the client side). Any data that is submitted from the client side can (and you should treat it like it will) be changed.
Instead of having form fields with preset values, fields that are hidden, fields that are disabled, data that is rendered with JavaScript, or any other way you could think of storing data on the client side, do those things on the server side. You can use a PHP script to do this, seeing as you're already making use of PHP. When you submit the form it has to go to some sort of a server side script, do that logic there and submit that logic to a database.
filter all your received user input. This might be clear for free text inputs, but should be done as well for predefined values.
Easiest for extending might be to only accept a certain number. For example 1, 2 or 3.
$extend = filter_input(INPUT_POST, 'extend', FILTER_VALIDATE_INT); is the first step, but you should also check if $extend is not equal to an illegal number.
if(in_array($extend, range(1,3)){ }
input like numbers is a lot more simple to check than a range of dates.
But even when that would be needed: it is possible to make your own validation function.
It is not possible to limit the browser or the user to only send certain data in a form. Either they could use a tool in the browser to change the habits of a form element, or they could rebuild the form completely in their own htmlpage or other tool
There is very simple answer to your question - you can NOT secure html and you should not even try. Every browser is equipped with developer tools and even without browser anyone can send to your server whatever they want. This is how Internet works.
What you SHOULD do is to verify your input data on server side where user has no access. In your case you should have array of allowed inputs or function assessing if input from user is valid.
More, if you know what will be the algorithm eg. ($_end + 1month) than you do not need to get from user result but only value of $_end. You can calculate $newDate just before inserting data to database - this way user will have no way of changing it.
First of all, please be carefull with your writing, it is pretty hard to understand your problem.
Secondly, if you want to "hide" PHP code to the user, you could write your code in a different way :
You create a form in which users will be able to fill some informations, and for example a date, like in your example. If this date is an option, it can have some value, as the one you show.
Then when the user submit the file, you make a checking on the variables. If you want this form to show a price, to add some data to a database, or whatever, you do some checking to be sure that the values are correct. For example, if you want to calculate a price, you will check the date the user selected, and calculate the price from this date. With this method, even if user changed the code, they will not be able to change the checking (at least not easily).
And to conclude you show a page asking the user for confirmation. This way, he will check if the informations are correct, and you can ask to re-fill some fields if you detected some invalids values
That's hard to show some concrete code, since I don't really know what you want to do, but I hope this explanation was clear. Don't hesitate to ask some questions, I'll try to answer.
darling brother:
you have 3 method:
1: define a variables instead of 1 month
2: use encryption method for php enciding that provide encryption php cides to unformatted charachters (ionCube )
3: usin my sql encryption : MD5
I have a form (right now only one, but there will be more with similar parameters) and I validate it using jQuery Validation (it is too big word, I validate only one field using jQV), this form is send using AJAX. I have in this form 5 inputs:
text input: username, which is validated by separate PHP script remotely - it checks if this user exists in database of different site and if so, also checks if this user has some specified data, but this is not really important
2 times radio buttons (i mean 2x 2 radio buttons) which are validated in PHP (code later)
2 times PickAColor forms, which are also validated using PHP only with regexp for hexcolors
And I have a question. Is there any way to check this data in PHP in more, well, sophisticated way? Because, as I said, I validate them in similar way:
if($period != "3month" && $period != "7day") {
echo '<div class="alert">Wrong period!</div>';
exit;
}
Actually this form I am writing right now is rather short, but I also have some really big ones, and if's like this one above can take even 50 lines, and that pretty sucks. Most of them has similar expressions inside if, which means that I check if value sent by form is on the list of possible options provided by form (someone can change value parameters in Firebug and call himself hacker...). It's complicated and I don't know how to said that, but I think you understand me. So, once again - is there any sense to validate it in PHP and if so, is there any better way to validate it? Or maybe you have some other suggestions? Thanks a lot for your help.
Man you have to think your users can submit anything there, and to make the code clearer and more MVC oriented (and reusable) you need your validations in the app side, and generic functions in jQuery to just display errors to your users, so I would recommend you to do ajax post with the form sent to your php application, to an api controller that recives the form values, validates using the model and returns the object with the jew form values (if you need to clean up) and any error per field, then you just output in json :
{
errors: {
name: "Already used name",
field2: "Some bad text provided"
}
}
Then you just loop through the errors and set to the already existent placeholder of each error text like
<spam id="name-error" class="error"></spam>
<input type="text" name="name" value=""/>
Then you have a validation code that you can reuse when the form is submitted.
I wish to let certain users enter some fields, which will in turn populate a (new) php file. The (new) file will be a language file containing simple array values:
$lang['example'] = 'text for example';
Basicly I will just populate the file with each row and everything seems grand. However, I need to know how to filter the inputs so that ', " and similiar stuff won't break the string and open up space for potential injections.
Since php allows a lot of ways to style your code, I'm not sure a addslashes() would be enough for this matter.
How do I filter input so that it can be in strings in a php file?
I couldn't find any other question regarding this matter, just database filtering.
Extra information:
I don't want any html in these boxes. It should be able to handle ' and ", and the real question is can you do something like this:
$lang['example'] = 'hackkyyyyy
>>>
// do evil stuff
<<<
';
By that, I mean can you in an other way then ' or " break a string in php?
Usual I use var_export, just an exaple:
file_put_contents("temp.php",'<?php'. var_export($_POST,true));
when I need the array:
$a = include "temp.php";
It depends on what you want to protect against and how likely it is your code gets abused. There are quite a few ways off the top of my head:
addslashes() as you said in your question
str_replace() for each item you want to remove
filter_var() may be useful for you depending on a few variables
Hope this helps.
So you let users to fill out a form and the form values are echoed onto web page? I don't know why you couldn't simply use PHP filter functions to sanitize input and encode special characters if necessary.
http://php.net/manual/en/filter.filters.sanitize.php
I also don't know why input validation/sanitization for a database wouldn't apply here. Maybe someone knows and tells...
BTW. I'm quite happy with David Power's user input validation class used in the book PHP Object Oriented Solutions. Buy the book (or visit library) and you'll be able to use the code right away.
I have an HTML form where I want to add some validation logic.
In that form i have two input fields, one of them has to get always integer values, while the other one have to get always float values. (first one is items number and other one is total cost).
I want those input fields to change background color to light red if the input value is wrong (float value as item number, for example) and i want to care only for the logic of it, maybe i can guess jQuery can take care of everything else, but I can't find any help on internet on how to get this done without reinventing the wheel.
Does anyone have some hints on how to do that?
You seem to be talking about form validation
you can write your own code in javascript or jQuery.... or google about form validation you will get tons of result...
for a primer you can check this jQuery validate plugin
http://jquery.bassistance.de/validate/demo/
http://docs.jquery.com/Plugins/Validation
So, I'm pretty much a novice when it comes to programming and I would certainly appreciate a bit of help with an issue I'm having trouble getting my head around. Simply put, how do I get the selected variables from jquery.chained.remote.js back into my form for processing?
Here's the functioning, sort of, sample page.
http://www.noradaron.com/samplesearch/index.php
The dropdown list functions just fine but I just don't understand how to get the selected values back into my form. Yes, I will freely admit my knowledge is limited and I may not fully understand the answer once it is given. Regardless, I certainly appreciate any help I can get. Please let me know if there is anything else I could provide that would make my question more clear.
Attach submit event handler to your form like this:
$('form[name="search-vehicles"').submit(function() {
//code
});
Inside code grab the values like:
var value = $('#vType').val();
And update your text with the new values. However I recomment you to not write "textmore text" But to write your text inside *DIV*s or *SPAN*s with *ID*s so you can easily access them and change their values like:
<div id="selectedName"></div>
Then you can use:
$('#selectedName').html(value);
Beside putting id="vType" add name="vType" (and so on) so you can have your data sent back to server with either GET or POST .