This also helps should a malicious user try to use their own form without one of the variables: the script will throw an error saying "Undefined index" and will give the path of the filename. If all the variables have been set, then we can begin to check the sanity of the variables using our sanityCheck() function.
The first variable we have checked is the userName variable.
That means they are within the confines of what we need. For our purposes here, we are going to use these variables to insert into a MySQL database.
This is due to you not checking if a variable is set. You should not use empty() to check if a variable is set, because empty() will treat a variable whose value is zero as if it had no value.
My personal preference is to check ALL variables with isset() and then check any variables I wish to be sure have a value with empty(). Here is a complete script using the information and examples from above.
This field is a required field in our form, so we check it with the empty() function to be sure that it has a value, i.e. if userName is empty the script echoes an error message and calls exit(). We do the same for non-required fields, except that we do not need to use the empty() function.

Ok, now we come to something a little different: the next variable we must deal with is the userZip. Whilst we still need to do our basic sanity check, we also need to check that the number is not greater than 5 digits and be sure a malicious user does not try to put in something like minus ten or something silly. In our sanityCheck() function we set the type to numeric, which will check that the value is a number using is_numeric().
You can use this function to check the numeric values. To achieve this we need to validate it not only with our basic sanity checks but with a regular expression, or 'regex'.
From the code we now have, we see that the userZip must be numerical and must be 5 digits long. Many people try to avoid regular expressions, but for this sort of thing they are the right tool for the job.
If it is not, it is of no consequence, as it is not a required field and can remain blank. Here is a function that uses a regex to validate an email address.
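The following script is an added example that pulls together the steps described above (isset() on every field, empty() on required fields only, a sanityCheck() by type and length, a 5-digit regex for the ZIP code, and a regex-based email check). It is not the article's own script: the field names userName, userEmail and userZip, the sanityCheck() signature and the sample submissions are assumptions made for this example.

```php
<?php
// Added example, not the article's code. Field names and the sanityCheck()
// signature (value, type, maximum length) are assumptions for illustration.

// Return TRUE if $value is of the expected $type and no longer than $maxLength.
function sanityCheck($value, $type, $maxLength)
{
    if (!is_string($value) && !is_numeric($value)) {
        return false;                     // arrays/objects are never valid form input
    }
    if (strlen((string) $value) > $maxLength) {
        return false;                     // length check before anything else
    }
    switch ($type) {
        case 'numeric':
            return is_numeric($value);
        case 'alpha':
            return preg_match('/^[A-Za-z]+$/', $value) === 1;
        case 'string':
            return preg_match('/^[\x20-\x7E]*$/', $value) === 1;  // printable ASCII, no control chars
        default:
            return false;                 // unknown type: fail closed
    }
}

// Exactly five digits and nothing else: rejects "-10", "1e3", "12345 " and "123456".
function isValidZip($zip)
{
    return preg_match('/^\d{5}$/', $zip) === 1;
}

// Conservative e-mail check: local part, a single @, dotted domain with an alphabetic TLD.
function isValidEmail($email)
{
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/', $email) === 1;
}

// Validate one submission. Returns a list of error strings; an empty list means clean input.
function validateForm(array $post)
{
    $errors = array();

    // 1. Every expected field must be present, optional ones included, so that a
    //    foreign form that omits a field is rejected instead of triggering an
    //    "Undefined index" notice later in the script.
    foreach (array('userName', 'userEmail', 'userZip') as $field) {
        if (!isset($post[$field])) {
            $errors[] = "Missing field: $field";
        }
    }
    if ($errors) {
        return $errors;
    }

    // 2. Required field: must be non-empty AND pass the type/length check.
    //    Note empty('0') is TRUE, which is why empty() is only used on fields
    //    that genuinely must carry a value, never as a substitute for isset().
    if (empty($post['userName']) || !sanityCheck($post['userName'], 'alpha', 30)) {
        $errors[] = 'userName is required: letters only, at most 30 characters';
    }

    // 3. Optional fields may stay blank, but if supplied they must be well-formed.
    if ($post['userZip'] !== '') {
        if (!sanityCheck($post['userZip'], 'numeric', 5) || !isValidZip($post['userZip'])) {
            $errors[] = 'userZip must be exactly 5 digits';
        }
    }
    if ($post['userEmail'] !== '') {
        if (!sanityCheck($post['userEmail'], 'string', 254) || !isValidEmail($post['userEmail'])) {
            $errors[] = 'userEmail is not a valid address';
        }
    }
    return $errors;
}

// Constructed sample submissions standing in for $_POST so the script runs from the
// command line; on a web server you would call validateForm($_POST) instead.
$samples = array(
    array('userName' => 'Alice', 'userEmail' => 'alice@example.com', 'userZip' => '12345'),
    array('userName' => '',      'userEmail' => 'alice@example.com', 'userZip' => '-10'),
    array('userName' => 'Bob',   'userEmail' => ''),    // userZip omitted: a foreign form
);
foreach ($samples as $i => $sample) {
    $errors = validateForm($sample);
    echo "Sample $i: ", $errors ? implode('; ', $errors) : 'OK', "\n";
}
```

The first sample passes; the second fails on both the empty required name and the negative ZIP (is_numeric() accepts "-10", which is exactly why the ZIP also needs the regex); the third fails before any value checks because a field is missing. In a real script you would echo the first error and call exit() rather than collect them, but returning the list keeps the validation logic testable on its own.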
This article is by no means a complete security run-down, simply an explanation of a single facet of securing your scripts.
At the absolute least, variables must be checked for type and length. The origin of all your input is usually the form on your page.
Just in case this is not entirely clear, let's go over it again. Whether it be by user stupidity or an attack from a malicious user, every piece of information you get from userland should be treated as suspect.
Only by vigilantly adhering to this policy will your scripts and information be secure.
The form on the remote machine may not have simple checking and may submit strings of the wrong type or length to your machine.