Creating a PHP-Based Content Management System, Part 4
Peter Zeidman, 10/8/2004
When Keats wrote "There is not a fiercer hell than the failure in a great object," he probably wasn't referring to the objects that make up the content management system we've been developing in this series. A testament to his forethought, if a component of our system fails then it won't be a good thing, which is why this month we'll be adding some rudimentary code for validation and error handling. We'll then go on to creating the categorization system for articles stored on the system.

Validation

There are two main reasons for validating a user's input, the first being security. Let me give you a quick example of how things can go wrong. Let's say I have a query that searches the database for a value provided by the user. The query code would look something like:

    $thequery = 'SELECT * FROM products WHERE name = "'.$HTTP_POST_VARS['uservalue'].'"';

The query is compiled from a string (SELECT...) and the user's input ($HTTP_POST_VARS...) before being executed. If the user searches for "waffles," then the query executed will be:

    SELECT * FROM products WHERE name = "waffles"

And all is well in the world. However, if your system is accessed by someone a little less pleasant (such as a 13-year-old hacker on school vacation), malicious code could be inserted in place of the word "waffles." The best way to protect your system against this type of attack (called query injection) is to check that all input from the user is in the format you expect. It's difficult, if not impossible, to be 100 percent safe, but we can do our best.

The second reason for validation is convenience and error handling. For instance, if you have a form asking for a telephone number, you don't want the user to be able to insert letters by mistake. Likewise, you may wish to check that dates have been entered correctly, or that a ZIP/postal code is valid.

The Solution: a Validator Class

The idea is to create a Validator class that we can call every time we need to deal with user input. It'll check whether the given input is safe and correct, and if not it will display an error. To begin with, we'll create the framework for a 'Validator' class:

    <?php
    class Validator {
        var $errors = array(); // A variable to store a list of error messages
    }
    ?>

There are a few basic types of data we may need to validate:

We'll need to write a method for each of these. (A method is a chunk of code that performs a task, which we put inside the class.) I'll give an example of one here; the rest can be found in the source file at the end of the article.

    function validateNumber($theinput, $description = ''){
        if (is_numeric($theinput)) return true; // A number: nothing to report
        $this->errors[] = $description;         // Not a number: record the message
        return false;
    }

This method is very simple. It takes the data from the user as input (storing it in $theinput), as well as a message to display if validation fails. It then tests $theinput, and if it's a number returns "true." This will tell our system to move along and not get concerned. If the value turns out not to be numeric, the error message is stored in the variable $errors, which we created in the previous code snippet, above.

Once we've created methods for each of the data types required, only two more methods are needed. The first will allow us to check whether any errors have occurred, and the second returns a list of errors (if there were any). These are both quite straightforward, and can be found in the source file at the end of the article.

So how do we use our new class with a form? It's simple. Let's say we've created a form to add an e-mail address to a mailing list. There are two text boxes in the form — one for the user's e-mail address, the other for the maximum number of messages they wish to receive per week. Here's how it works:

    <?php
    // Create a validator object
    $validator = new Validator();
    // Validate the forms (field names, the e-mail method and the two error
    // methods are assumed here; their code lives in the source file)
    $validator->validateEmail($HTTP_POST_VARS['email'], 'Please enter a valid e-mail address.');
    $validator->validateNumber($HTTP_POST_VARS['maxmessages'], 'Messages per week must be a number.');
    // Check whether the validator found any problems
    if ($validator->hasErrors()) {
        print implode('<br>', $validator->getErrors()); // Show the user what to fix
    }else{
        // Input is valid: add the address to the mailing list here
    }
    ?>

By checking that the user's input was valid, we've reduced a number of security risks, prevented incorrect entries in our database, and helped the user if they've forgotten to fill out any part of the form. We can now integrate this into all of our Intranet's forms, and move on to some more creative stuff...
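To round this out, here is an added example (my own code, not the article's source file) that puts the whole class together in modern PHP: the number and e-mail methods, the two error-reporting methods, the mailing-list form check, and the products search rewritten with a prepared statement so the user's value is bound as data rather than spliced into the SQL, which is the companion defence to input validation. Method names, form field names and the sample rows are my assumptions.

```php
<?php
// Added example (not the article's source file); names and sample data are assumptions.
class Validator
{
    private array $errors = [];

    public function validateNumber(string $input, string $description): bool
    {
        if (ctype_digit($input)) { return true; }  // whole number: passes
        $this->errors[] = $description;           // otherwise record the message
        return false;
    }

    public function validateEmail(string $input, string $description): bool
    {
        if (filter_var($input, FILTER_VALIDATE_EMAIL) !== false) { return true; }
        $this->errors[] = $description;
        return false;
    }

    public function hasErrors(): bool { return $this->errors !== []; }
    public function getErrors(): array { return $this->errors; }
}

// The mailing-list form from the text: returns the list of problems found.
function checkMailingListForm(array $post): array
{
    $v = new Validator();
    $v->validateEmail($post['email'] ?? '', 'Please enter a valid e-mail address.');
    $v->validateNumber($post['maxmessages'] ?? '', 'Messages per week must be a whole number.');
    return $v->getErrors();
}

// The products search from the text, with the user's value bound as a parameter
// so the database never treats it as part of the SQL (PDO with SQLite in memory).
function findProductsByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT * FROM products WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products (name) VALUES ('waffles'), ('pancakes')");
var_dump(checkMailingListForm(['email' => 'reader@example.com', 'maxmessages' => '5']));  // valid: no messages
var_dump(checkMailingListForm(['email' => 'not-an-address', 'maxmessages' => 'lots']));  // both fields rejected
var_dump(findProductsByName($db, 'waffles'));   // matches the one row named waffles
var_dump(findProductsByName($db, 'waff"les'));  // the stray quote is search text, not SQL, so nothing matches
```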
Intranet Journal's Tutorials