Form validation - security and input specification
So I'm working on a register form and I have four fields: name, username, email and password. I pick up the values of these fields in jQuery and, depending on whether all the fields are filled, I pass them on to a PHP script via ajax. Is that safe for form validation? I was worried about data getting manipulated by the user.
Further on in the PHP script, I check if all the posted values have data in them, only then will I proceed onto doing some validations. The validations are the parts where I'm worried that it's not the best and there are many flaws with it.
<?php
$name = $_POST['name'];
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];

// Each check stops at the first failure, so only one error is reported at a time.
if (!preg_match("/^[A-Za-z '-]+$/i", $name)) {
    $errors = "Please enter a valid name.";
} else if (!preg_match("/^[A-Za-z]+\s[A-Za-z]+$/", $name)) {
    // Exactly two words separated by a single whitespace character
    $errors = "Please enter your first and last name.";
} else if (strlen($username) <= 3 || strlen($username) > 15) {
    $errors = "Please pick a username between 4 - 15 characters. Be creative.";
} else if (!preg_match("/^[A-Za-z][A-Za-z0-9_.-]{4,15}$/", $username)) {
    $errors = "Please pick an alphanumeric username between 4 - 15 characters.";
} else if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors = "Please enter a valid email.";
} else if (strlen($username) < 6 || strlen($username) > 32) {
    // This branch checks $username, not $password
    $errors = "Your password must be at least 6 characters.";
} else {
    echo "valid";
}
Are these validation steps secure? Are there any loopholes through which the user can manipulate the data?
The requirements for the fields are as follows - which I'm not so sure I hit on the head with my code:
The username should have alphanumeric characters with underscores (optional)
the name should have BOTH the first name and the last name
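An added example, not the asker's code, of how the same checks look when the server re-validates every field on its own (the jQuery pre-check can be skipped by anyone who posts directly to the script), reports all failures at once, checks the password length on the password field, and follows the two stated requirements: username limited to letters, digits and underscores, and a name with at least a first and last part. The function name, the error keys and the sample inputs are all constructed for this example.

```php
<?php
// Added example (not from the question): server-side re-validation of the four fields.
// Field names and length limits come from the question; everything else is constructed.

function validate_registration(array $post): array
{
    $errors = [];

    // Missing keys become empty strings; surrounding whitespace is trimmed,
    // except on the password, where every character is significant.
    $name     = trim((string)($post['name'] ?? ''));
    $username = trim((string)($post['username'] ?? ''));
    $email    = trim((string)($post['email'] ?? ''));
    $password = (string)($post['password'] ?? '');

    // Name: letters, spaces, apostrophes and hyphens, with at least two parts.
    // More than two parts are accepted, so "Mary Ann van Dyke" is valid.
    if (!preg_match("/^[A-Za-z' -]+$/", $name)) {
        $errors['name'] = 'Please enter a valid name.';
    } elseif (!preg_match("/^[A-Za-z'-]+(\s+[A-Za-z'-]+)+$/", $name)) {
        $errors['name'] = 'Please enter your first and last name.';
    }

    // Username: 4-15 alphanumeric characters, underscores optional.
    if (!preg_match('/^[A-Za-z0-9_]{4,15}$/', $username)) {
        $errors['username'] = 'Please pick an alphanumeric username between 4 - 15 characters.';
    }

    // Email: PHP's built-in syntax check (it does not prove the mailbox exists).
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid email.';
    }

    // Password: the check is on $password. strlen() counts bytes, so a multibyte
    // character counts as more than one; that is acceptable for a minimum length.
    $len = strlen($password);
    if ($len < 6 || $len > 32) {
        $errors['password'] = 'Your password must be between 6 and 32 characters.';
    }

    return $errors;
}

// Constructed sample submissions: one that should pass and one that should fail.
$samples = [
    ['name' => 'Ada Lovelace',  'username' => 'ada_1815', 'email' => 'ada@example.com', 'password' => 'correct horse'],
    ['name' => 'Ada',           'username' => 'a',        'email' => 'not-an-email',    'password' => 'short'],
];

foreach ($samples as $post) {
    $errors = validate_registration($post);
    // Same JSON shape the AJAX caller would receive.
    echo json_encode($errors === [] ? ['status' => 'valid'] : ['status' => 'invalid', 'errors' => $errors]), "\n";
}
```

Returning an array keyed by field lets the jQuery side mark every bad field in one round trip instead of one per submission. The regex on the name uses `\s+`, so a double space between names is still accepted, and a literal `s` (as in the question's second pattern once the backslash is lost) would not be.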
Though you'll probably block out most attacks with the check provided above, you should not treat the data as safe afterwards. The actual issue here isn't so much the above validations, but what you do with the data after this.
If, for instance, you were to use this 'validated' data in a SQL statement and simply insert the $password var you'd be open for attacks unless you properly escape it before use.
Additionally, you're being over-restrictive. If, for instance, my name had three parts, it would be invalid by your specification.
On a sidenote: you're validating $username instead of $password.
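An added example, not the commenter's code, of the point above about what happens after validation: the validated values are written to the database with bound parameters rather than by building the SQL string from them, and the password is stored as a hash rather than as the raw value. It uses an in-memory SQLite database so it runs stand-alone; the table, column names and sample values are constructed for this example, and a real application would point the DSN at its own server.

```php
<?php
// Added example (not from the comment): using validated registration data safely.
// In-memory SQLite keeps it self-contained; the schema and sample data are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    username TEXT NOT NULL UNIQUE,
    email TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL
)');

// Constructed input that already passed validation. The apostrophe is legitimate in a
// name, and it is exactly the character that a concatenated query cannot cope with.
$name     = "Conan O'Brien";
$username = 'coco_1993';
$email    = 'conan@example.com';
$password = "it's-a-secret";

// Contrast: the value spliced straight into the SQL text. Even this honest input breaks
// the statement, which shows that the query's meaning depends on the data.
$unsafe = "INSERT INTO users (name, username, email, password_hash) "
        . "VALUES ('$name', '$username', '$email', 'placeholder')";
try {
    $pdo->exec($unsafe);
    echo "concatenated insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: the apostrophe in the name broke the SQL\n";
}

// Bound parameters: the values travel separately from the SQL text, so no escaping is
// needed and nothing in a value can change what the statement does.
$stmt = $pdo->prepare(
    'INSERT INTO users (name, username, email, password_hash) VALUES (:name, :username, :email, :hash)'
);
$stmt->execute([
    ':name'     => $name,
    ':username' => $username,
    ':email'    => $email,
    // Store a salted hash, never the password itself (bcrypt under PASSWORD_DEFAULT today).
    ':hash'     => password_hash($password, PASSWORD_DEFAULT),
]);

// Later login check: look the user up with a bound parameter, then verify the hash.
function login_ok(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

echo login_ok($pdo, $username, $password) ? "login ok\n" : "login failed\n";
echo login_ok($pdo, $username, 'wrong') ? "login ok\n" : "login failed\n";
```

The same prepare-and-bind pattern applies to the MySQL and PostgreSQL PDO drivers; what changes is only the DSN. Escaping functions such as the driver's quote() are the fallback for the rare case where a value cannot be bound, not the default.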
Use the POST method of AJAX. It is safe. It looks good enough for form validation to me.