Sunday, September 30, 2007

Form processing

The biggest problem is always processing the submitted data. We are going to walk through the things that must be checked for each form. As a starting premise, we must assume that all the data the client sends (POST, GET, COOKIE) is untrusted.

  1. Check the user's permissions
    Not all users have permission for all forms, that much is clear. It is necessary to establish whether the user is allowed to submit that form at all, or only part of it.

  2. Validate all the data
    This means that conditions must be established for each form. In general, text fields must have a maximum length (normally set according to the database column) or a fixed length (for example, credit card numbers). The format must also be checked (usually for email addresses). Some data can only be numeric, and dates may be invalid.
    Checkboxes, radio buttons and dropdowns have a fixed set of predefined options, and values outside that set must not be accepted.
    All of this must be taken into account, because erroneous data can cause information to be lost, but that can be avoided by forcing the user to correct the error.

  3. Save data
    Depending on the destination of the entered data, the form data must be saved wherever it belongs. In general we are going to keep it in a database, which is why the *_escape_string functions provide an easy way to escape the data according to the type of database we use.
    At this point, care must be taken with “magic quotes” (magic_quotes_gpc): if they are enabled, the data can end up doubly escaped. The best thing is to strip the added quotes if this setting is On.
    So why don't we just skip escaping the data if we have magic_quotes_gpc?
    The idea of magic_quotes was to spare the programmer from having to escape data and to make the task easier. The problem with this feature is that it escapes data in an arbitrary way, without considering where that data is going to be used.
    Another possible mistake is wanting to save data that the user did not submit and, because magic_quotes_gpc is On, not escaping it, which is incorrect (magic quotes only touch GET, POST and COOKIE values).

  4. Save the results
    The data is valid and prepared. All that remains is to save it and run any other processing that is necessary.

  5. Show the results
    Our work is still not finished. We probably want to show the information we stored to somebody. At this point it is very important to escape the data again. Previously we kept it as the user submitted it, but when displaying it in a page, malicious content must be neutralized. In general, escaping HTML entities is enough for this, but it would be better to escape all entities, even the “rarer” ones, so that the information is displayed correctly.

These 5 points are needed for most data processing. It seems tedious and complicated, but it is not that bad.
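As an added example (not code from the post), here are steps 2 to 5 carried through for a hypothetical profile form; the field names, the $link MySQL connection and the profile table are assumptions.

```php
<?php
// Added example, not code from the original post. It assumes a hypothetical
// "profile" form with fields email, age and newsletter (a checkbox with
// value="1"), a MySQL link in $link, and a profile(email, age, newsletter) table.

// Step 3 caveat: with magic_quotes_gpc On, PHP has already backslashed every
// GET/POST/COOKIE value. Strip those once so *_escape_string does not escape twice.
function normalize_input(array $raw) {
    if (get_magic_quotes_gpc()) {
        foreach ($raw as $key => $value) {
            $raw[$key] = is_array($value) ? array_map('stripslashes', $value) : stripslashes($value);
        }
    }
    return $raw;
}
// Step 2: one validation rule per field; return the errors plus the cleaned values.
function validate_profile(array $in) {
    $errors = array();
    // Text field: maximum length taken from the database column, and a format check.
    $email = isset($in['email']) ? trim($in['email']) : '';
    if (strlen($email) > 100 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid e-mail address';
    }
    // Numeric-only field with a range.
    $age = isset($in['age']) ? $in['age'] : '';
    $range = array('options' => array('min_range' => 1, 'max_range' => 150));
    if (filter_var($age, FILTER_VALIDATE_INT, $range) === false) {
        $errors['age'] = 'age must be a whole number between 1 and 150';
    }
    // Checkbox: only the predefined options are accepted; absent means unchecked.
    $newsletter = isset($in['newsletter']) ? $in['newsletter'] : '0';
    if (!in_array($newsletter, array('0', '1'), true)) {
        $errors['newsletter'] = 'unexpected checkbox value';
    }
    return array($errors, array('email' => $email, 'age' => (int) $age, 'newsletter' => (int) $newsletter));
}
// Steps 3 and 4: escape for the database at the moment the query is built.
function build_insert($link, array $clean) {
    return sprintf("INSERT INTO profile (email, age, newsletter) VALUES ('%s', %d, %d)",
                   mysql_real_escape_string($clean['email'], $link), $clean['age'], $clean['newsletter']);
}
// Step 5: the stored value is raw; escape for HTML only when it is displayed.
function render_email($email) {
    return '<p>' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . '</p>';
}
list($errors, $clean) = validate_profile(normalize_input($_POST));
if ($errors) { /* send the form back with $errors so the user can correct them */ }
```

Current PHP has removed both magic_quotes_gpc and the mysql_* extension; with mysqli or PDO, bound parameters replace the manual *_escape_string step, while the output escaping in step 5 stays the same.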
