Data Form Validation

  thegreypanther 12:46 13 Nov 2008

I am designing a website where the user enters data in a form, and this data is then used to access / retrieve records.
The data is simple: forenames and surname.
I am trying to find a data validation routine (using Javascript) such that
a) the surname can't be blank
b) the surname must be alphabetic, plus a wildcard symbol
and c) the surname must be more than 3 characters long.
Can anybody PLEASE recommend a routine that WORKS.
I have tried one in "Learning PHP & MySQL" by Davis and Phillips which DOESN'T work and trying to make it work is driving me nuts.
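A routine that implements the three rules in the question, added here as an example (it is not the book's code or anything posted in the thread). It assumes the wildcard symbol is `*`, which the question does not specify, and the forename rule (letters, or a single initial with an optional full stop) is my reading of the follow-up post. The function is plain JavaScript with no DOM calls, so the same whitelist can be run again on the server (for example under Node), which matters because a browser-only check is gone the moment scripting is disabled.

```javascript
// Added example, not from the original post.
// Assumption: the wildcard symbol is '*'; change WILDCARD if yours differs.
const WILDCARD = "*";

// Escape a single symbol so it can be placed inside a regex character class.
function escapeForRegex(symbol) {
  return symbol.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Rules from the question: not blank, letters plus the wildcard only,
// more than 3 characters long. Returns { ok: true, value } or { ok: false, reason }.
function validateSurname(raw, wildcard = WILDCARD) {
  if (typeof raw !== "string") return { ok: false, reason: "surname missing" };
  const surname = raw.trim();
  if (surname.length === 0) return { ok: false, reason: "surname is blank" };
  if (surname.length <= 3) {
    return { ok: false, reason: "surname must be more than 3 characters" };
  }
  // Whitelist: A-Z, a-z and the wildcard. Anything else is rejected,
  // which is stricter and more predictable than listing what to block.
  const allowed = new RegExp(`^[A-Za-z${escapeForRegex(wildcard)}]+$`);
  if (!allowed.test(surname)) {
    return { ok: false, reason: `only letters and ${wildcard} are allowed` };
  }
  return { ok: true, value: surname };
}

// Assumed forename rule (not stated in the question): optional; if given,
// either letters only or a single initial with an optional trailing full stop.
function validateForename(raw) {
  const forename = typeof raw === "string" ? raw.trim() : "";
  if (forename.length === 0) return { ok: true, value: "" };
  if (/^[A-Za-z]+$/.test(forename) || /^[A-Za-z]\.?$/.test(forename)) {
    return { ok: true, value: forename };
  }
  return { ok: false, reason: "forename must be letters or a single initial" };
}

// Validate the whole lookup form; first failure wins.
function validateLookupForm(fields) {
  const surname = validateSurname(fields.surname);
  if (!surname.ok) return { ok: false, field: "surname", reason: surname.reason };
  const forename = validateForename(fields.forename);
  if (!forename.ok) return { ok: false, field: "forename", reason: forename.reason };
  return { ok: true, surname: surname.value, forename: forename.value };
}

// Usage with constructed input:
console.log(validateLookupForm({ forename: "J.", surname: "Smit*" }));
console.log(validateLookupForm({ forename: "John", surname: "Sm1th" }));
```

In the browser this would be called from the form's submit handler and the submission cancelled when `ok` is false; on the server the same call decides whether the database is queried at all.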

  Kemistri 18:33 13 Nov 2008

You should never validate form data by JavaScript. Depending upon how it is coded, around 10% of your visitors will find either a form that fails to function or a form that is not subject to any validation. If the latter is the case, it obviously presents a very easily utilised and serious security flaw to any malicious user, who simply needs to disable JS....

If you don't want to or cannot write your own PHP program that includes validation, that's understandable, but the 'net is full of resources for off-the-shelf PHP form processors, a few of which are actually very good. click here for one of them or search through Hot Scripts, etc. Even a basic array check that exits the program when bad words* are found is better than nothing. I have posted that before but I can do so again if you wish.

*Bad words, in PHP, does not refer just to foul language but to any content that you wish to block.

  thegreypanther 20:21 13 Nov 2008

Many thanks, Kemistri.
I'll give it a try, but I have a feeling that the suggested form (the Green Beast form) may be just a bit more exotic than I need.
All I am after is that the user enters a Surname (or part surname) with forename or an initial, and the input data is used to retrieve entries from a database.
I think that I'll think things out overnight, and see if there is a simple option somewhere.

  Kemistri 22:09 13 Nov 2008

It still needs to be secure no matter how simple the form fields may be. Otherwise, it's a bit of an open invite really. If you've ever seen a hacked site, you'll know what I mean. Security is partly down to good form data validation and partly down to tight programming that has no loopholes. As above, a bad words array is the absolute bare minimum fix, not perfect but better than nothing, so if you need that, let me know.

  Kemistri 22:11 13 Nov 2008

Oh, and I forgot to add that I think there are probably more digestible books than the O'Reilly title that you mentioned. Sitepoint has a good one that is more accessible, though I can't recall the title, and there are others that you can find on Amazon.

  thegreypanther 23:14 13 Nov 2008

You have me worried, Kemistri.
I've seen what can happen when a Guest Book gets attacked by spammers, and that was certainly incredibly unpleasant: hundreds of entries, each crammed with links to Viagra / Cialis / gambling websites.
But is it possible to hack into a server simply by making an enquiry of a database by entering a surname / forename?
In my ignorance, I was simply hoping to prevent the user (making an enquiry) from getting a nil response, or too many records being returned.

  Kemistri 00:35 14 Nov 2008

"But is it possible to hack into a server simply by making an enquiry of a database by entering a surname / forename?"

Obviously not. But that's not exactly what hackers, or their bot programs, do. They enter code with the intention of testing for holes in the PHP program that runs the form and/or the PHP server itself. PHP has some powerful functions, which are necessary for one use or another, but can be used maliciously if left uncovered. Block that code at its source and it is pretty much secure, particularly if you set the program to exit when bad words are found. The fact is that anything that allows data to be written to or called from a server needs to be handled with a certain degree of care. The server can be made tighter by configuring the php.ini file (or writing one if it doesn't exist).

The practice of inserting hundreds of unsavoury spam links, as you describe, is on the increase.

But it is not all that difficult to prevent it even if you have to use an off-the-peg script, just as long as whatever you choose is highly rated and you cross-check it against specialist PHP forums or security databases such as Secunia, which highlight flaws in many things, PHP scripts included.

I don't want to put you off -- just leave you forewarned.
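The "bad words array" check Kemistri keeps referring to, shown as an added example rather than his script (his is PHP; this is JavaScript so it runs server-side under Node as well). The list is a constructed sample built from what the thread itself mentions, spam links and scripting, and the function stops at the first hit, which is the "exit the program when bad words are found" behaviour described above.

```javascript
// Added example, not the script Kemistri posted.
// Constructed deny-list: substrings a name-lookup form has no reason to accept.
const BAD_WORDS = ["http://", "https://", "www.", "<a ", "<script", "[url"];

// Case-insensitive check of one value against the list.
// Returns the first matching entry, or null if the value is clean.
function findBadWord(value, list = BAD_WORDS) {
  const lower = String(value).toLowerCase();
  for (const word of list) {
    if (lower.includes(word.toLowerCase())) return word;
  }
  return null;
}

// Screen every submitted field before anything touches the database.
// Returns { ok: true } or { ok: false, field, match } for the first offender,
// so the caller can log the rejection and stop processing (the "exit").
function screenFields(fields, list = BAD_WORDS) {
  for (const [name, value] of Object.entries(fields)) {
    const hit = findBadWord(value, list);
    if (hit !== null) return { ok: false, field: name, match: hit };
  }
  return { ok: true };
}

// Usage with constructed submissions:
console.log(screenFields({ forename: "John", surname: "Smith" }));
console.log(screenFields({ forename: "John", surname: "see www.example.com" }));
```

As Kemistri says, this is not perfect: a deny-list only catches the spellings someone thought to put in it, so for a field that should only ever hold a name, a whitelist of permitted characters is the stronger gate, with the deny-list as a cheap extra screen on free-text fields. Either way the check has to run on the server, where a visitor cannot switch it off.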
