Validating Input in PHP
Foreword: An input to a script can be a number, a Boolean, an email, a URL, a string, etc. In this tutorial, I show you how to validate input in PHP.
By: Chrysanthus Date Published: 23 Jan 2019
Introduction
Effect of wrong Data Input or Wrong Code Input
If a good program (script) expects an email address, it should not accept a URL; if it does, whatever it then does with the input will be wrong. A wrong code input is input crafted to change how the program is interpreted, either just to cause trouble or to gain some benefit for the hacker (attacker). Both wrong data and wrong code can arrive as scalar input. Validation minimizes both problems.
Validation checks that the input received is of the type you expect. If you expect an email address, you should not get a URL; if you do get one, do not use it. Instead, send a feedback message to the user (client) saying the input is wrong, so that they can try again.
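The "reject it and tell the user" rule above, wired up end to end, as an added example (not the tutorial's code; PHP 7.4 or later for the arrow functions). The field names, the rules and the sample request array are constructed for the illustration; the point is that every field the script did not ask for is an error, every field it did ask for gets exactly one check, and the feedback message is built from our own text, never from the rejected value:

```php
<?php
declare(strict_types=1);

# Added example (not the tutorial's code): apply one validator per expected
# field, reject anything that fails, and build the feedback message for the
# user without using the rejected value. Field names and rules are constructed.

# Each rule is a callable that returns true only for acceptable input.
$rules = [
    'age'      => fn(string $v): bool => ctype_digit($v) && (int) $v >= 0 && (int) $v <= 150,
    'nickname' => fn(string $v): bool => preg_match("/\A[\w.' -]{1,32}\z/u", $v) === 1,
    'agree'    => fn(string $v): bool => $v === '1' || $v === '0',
];

# Validate an input array (for example $_POST) against the rules.
# Returns an array of error messages keyed by field; empty means all good.
function validateInput(array $input, array $rules): array
{
    $errors = [];
    # Anything the script did not ask for is an error, not something to keep.
    foreach (array_diff_key($input, $rules) as $name => $_) {
        $errors[$name] = 'unexpected field';
    }
    foreach ($rules as $name => $check) {
        if (!array_key_exists($name, $input)) {
            $errors[$name] = 'missing';
            continue;
        }
        $value = $input[$name];
        # Request arrays can hold nested arrays (field[]=x); a scalar is required here.
        if (!is_string($value)) {
            $errors[$name] = 'must be a single value';
            continue;
        }
        if (!$check(trim($value))) {
            $errors[$name] = 'not in the expected format';
        }
    }
    return $errors;
}

# Build the feedback fragment. Only the field name (which we chose) and our
# own message are shown; the rejected value is never echoed back.
function feedbackHtml(array $errors): string
{
    $out = '';
    foreach ($errors as $name => $msg) {
        $out .= '<li>' . htmlspecialchars("$name: $msg", ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $out === '' ? '' : "<ul>\n$out</ul>\n";
}

# Constructed sample request: one bad age, one unexpected field, two good values.
$sample = ['age' => '15x', 'nickname' => "O'Brien", 'agree' => '1', 'debug' => 'on'];
$errors = validateInput($sample, $rules);
if ($errors !== []) {
    echo feedbackHtml($errors);   # tell the user, then let them try again
} else {
    # safe to use $sample['age'], $sample['nickname'] and $sample['agree'] here
}
?>
```

The sample run reports two errors, "age: not in the expected format" and "debug: unexpected field"; the good fields are only used once the error list is empty.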
Validating a Number Input
If you are expecting a number, use the following code for validation:
<?php
function isNumber($variab)
{
    # $variab holds the supposed input number
    $variab = preg_replace("/^\s+|\s+$/", '', (string) $variab); # remove leading and trailing whitespaces
    $ret = false;
    if ($variab !== "")
    {
        if (preg_match("/\D/", $variab) === 1) $ret = false; # a non-digit is present, so not a plain whole number
        if (preg_match("/^\d+\z/", $variab) === 1) $ret = true; # testing for whole number
        if (preg_match("/^[+-]?\d+\z/", $variab) === 1) $ret = true; # testing for integer
        if (preg_match("/^-?(?:\d+\.?|\.\d)\d*\z/", $variab) === 1) $ret = true; # testing for real number
        if (preg_match("/^[+-]?(?=\.?\d)\d*\.?\d*(?:e[+-]?\d+)?\z/i", $variab) === 1) $ret = true; # testing for real number, exponent allowed
    }
    return $ret; # true for a number and false otherwise (also false for the empty string)
}
$variab = ''; # put the supposed input number here
$isItNumber = isNumber($variab); # true for number and false otherwise
?>
Validating a Boolean Input
If you are expecting a Boolean input, use the following code for validation:
<?php
function istrue($variab)
{
    # $variab holds the supposed Boolean input
    if ($variab === array()) $variab = 'array()'; # an empty array counts as false below
    if (is_string($variab)) $variab = preg_replace("/^\s+|\s+$/", '', $variab); # remove leading and trailing whitespaces
    if (($variab === false)||($variab === 0)||($variab === "0")||($variab === null)||($variab === 'array()')||($variab === ""))
    {
        return false;
    }
    elseif (($variab === true)||($variab === 1)||($variab === -1)||($variab === "1")||($variab === "-1"))
    {
        return true;
    }
    else
        return false; # anything else is not a recognised Boolean value
}
$variab = ''; # put the supposed Boolean input here
$isItTrue = istrue($variab);
?>
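The number and Boolean checks above can also be done with PHP's built-in filter extension. The following is an added example (not the tutorial's code) showing FILTER_VALIDATE_INT, FILTER_VALIDATE_FLOAT and FILTER_VALIDATE_BOOLEAN on a constructed set of inputs, together with the return-value detail that breaks many such checks: the filters signal failure with false, and a valid "0" also compares equal to false unless === is used.

```php
<?php
declare(strict_types=1);

# Added example (not the tutorial's code): PHP's built-in filter functions
# as an alternative to the regex checks for numbers and Booleans, and the
# return-value pitfall that makes such checks silently wrong.

# Validate an integer; returns the int, or null when the input is not one.
# FILTER_VALIDATE_INT returns the int 0 for "0", and 0 == false, so the
# result must be compared with === / !== and never tested with a plain if().
function asInt(string $v, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
{
    $r = filter_var($v, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $r === false ? null : $r;
}

# Validate a real number (decimal point or exponent allowed).
function asFloat(string $v): ?float
{
    $r = filter_var($v, FILTER_VALIDATE_FLOAT);
    return $r === false ? null : $r;
}

# Validate a Boolean. Without FILTER_NULL_ON_FAILURE the filter returns false
# for "no" AND for garbage, so a third outcome (null) is needed to tell the
# user the input was wrong rather than silently treating it as "false".
function asBool(string $v): ?bool
{
    return filter_var($v, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

# Constructed inputs showing the accept/reject decisions.
$samples = ['42', ' 42 ', '0', '-7', '08', '3.5', '1e3', '0x1A', '12abc', ''];
foreach ($samples as $s) {
    printf("%-8s int=%-6s float=%s\n",
        var_export($s, true),
        var_export(asInt($s), true),
        var_export(asFloat($s), true));
}
foreach (['yes', 'on', '1', 'true', 'no', 'off', '0', 'false', '', 'maybe'] as $s) {
    printf("%-8s bool=%s\n", var_export($s, true), var_export(asBool($s), true));
}

# Correct use: test for null, then use the typed value.
$port = asInt('8080', 1, 65535);
if ($port === null) {
    echo "port: not in the expected format\n";
}
?>
```

Note that "08" and "0x1A" are rejected as integers (leading zeros and hexadecimal need explicit flags), "1e3" is accepted only as a float, and "maybe" yields null from asBool() while "" yields false.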
Validating Email Input
If you are expecting an email address, use the following code for validation:
<?php
function isEmail($variab)
{
    # $variab holds the supposed email address
    $variab = preg_replace("/^\s+|\s+$/", '', (string) $variab); # remove leading and trailing whitespaces
    if (preg_match("/^[0-9a-zA-Z_\.-]{1,64}@[0-9a-zA-Z_-]{1,252}(\.[0-9a-zA-Z_\-]{2,4}){0,2}$/", $variab) === 1)
    {
        return strlen($variab) <= 254; # the whole address must not exceed 254 characters
    }
    else
    {
        return false;
    }
}
$variab = ''; # put the supposed email address here
$isItEmail = isEmail($variab);
?>
Validating URL Input
If you are expecting a URL, use the following code for validation:
<?php
function isURL($variab)
{
    # $variab holds the supposed URL
    $variab = preg_replace("/^\s+|\s+$/", '', (string) $variab); # remove leading and trailing whitespaces
    # scheme is http or https; the pattern must match the whole input (this pattern has no place for a query string)
    if (preg_match("/^https?:\/\/([0-9a-zA-Z_\-]{1,64}\.)?[0-9a-zA-Z_\-]{1,64}(\.[0-9a-zA-Z_\-]{2,4}){0,2}(:[0-9]{1,5})?(\/[0-9a-zA-Z_\-]{1,64}){0,64}([0-9a-zA-Z_\-]{1,64}(\.[a-zA-Z]{1,4})?)?(#[0-9a-zA-Z_\-]{1,64})?$/", $variab) === 1)
    {
        return true;
    }
    else
    {
        return false;
    }
}
$variab = ''; # put the supposed URL here
$isItURL = isURL($variab);
?>
Validating IP Address Input
If you are expecting an IP address, use the following code for validation:
<?php
function isIP($variab)
{
    # $variab holds the supposed IP address
    $variab = preg_replace("/^\s+|\s+$/", '', (string) $variab); # remove leading and trailing whitespaces
    if (preg_match("/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/", $variab, $octets) === 1)
    {
        # IPv4: each of the four numbers must be in the range 0 to 255
        for ($i = 1; $i <= 4; $i++)
        {
            if ((int) $octets[$i] > 255) return false;
        }
        return true;
    }
    # IPv6: eight groups of one to four hex digits; the compressed "::" form is not accepted by this pattern
    if (preg_match("/^[\da-fA-F]{1,4}(:[\da-fA-F]{1,4}){7}$/", $variab) === 1)
    {
        return true;
    }
    return false;
}
$variab = ''; # put the supposed IP address here
$isItIP = isIP($variab);
?>
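The email, URL and IP checks of the last three sections can also be built on filter_var(), which handles the syntax rules but leaves some decisions to the caller. The following added example (not the tutorial's code) shows the checks a practitioner adds on top: the 254-character cap for email, an explicit scheme allow-list for URLs (FILTER_VALIDATE_URL accepts any scheme that parses), and for IP addresses the family and, optionally, the exclusion of private and reserved ranges. The sample addresses and the 2048-character URL bound are constructed:

```php
<?php
declare(strict_types=1);

# Added example (not the tutorial's code): built-in validators for the three
# address formats, with the extra checks the built-ins do not make.

# Email: PHP's built-in email syntax check, plus the 254-character cap.
# Returns the address or null.
function validEmail(string $v): ?string
{
    $v = trim($v);
    if (strlen($v) > 254) return null;
    $r = filter_var($v, FILTER_VALIDATE_EMAIL);
    return $r === false ? null : $r;
}

# URL: FILTER_VALIDATE_URL accepts any scheme that parses, so the scheme is
# checked against an explicit allow-list and a host must be present.
function validHttpUrl(string $v, array $schemes = ['http', 'https']): ?string
{
    $v = trim($v);
    if (strlen($v) > 2048) return null;   # constructed upper bound
    if (filter_var($v, FILTER_VALIDATE_URL) === false) return null;
    $parts = parse_url($v);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) return null;
    if (!in_array(strtolower($parts['scheme']), $schemes, true)) return null;
    return $v;
}

# IP: returns 'ipv4', 'ipv6' or null. The flags decide which families are
# accepted; $publicOnly additionally rejects private and reserved ranges,
# which matters when the address will later be used as a connection target.
function validIp(string $v, bool $publicOnly = false): ?string
{
    $v = trim($v);
    $flags = $publicOnly ? FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE : 0;
    if (filter_var($v, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | $flags) !== false) return 'ipv4';
    if (filter_var($v, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 | $flags) !== false) return 'ipv6';
    return null;
}

# Constructed samples.
foreach (['user@example.com', 'user@@example.com', 'a.b@c'] as $s)
    printf("email %-20s -> %s\n", $s, var_export(validEmail($s), true));
foreach (['https://example.com/path?q=1', 'http://', 'ftp://example.com/f', 'example.com'] as $s)
    printf("url   %-30s -> %s\n", $s, var_export(validHttpUrl($s), true));
foreach (['192.0.2.1', '256.1.1.1', '10.0.0.8', '2001:db8::1', '::1', 'abcd'] as $s)
    printf("ip    %-15s -> %s / public only: %s\n", $s,
        var_export(validIp($s), true), var_export(validIp($s, true), true));
?>
```

In the sample run 'ftp://example.com/f' is a syntactically valid URL but is rejected by the scheme allow-list, '256.1.1.1' is rejected as IPv4 because the filter checks the octet range, and '10.0.0.8' and '::1' are accepted as addresses but rejected when $publicOnly is set.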
Validating Short Text Input
If you are expecting short text, such as the first name of a person or the name of an object or a characteristic of an object, use the following code for validation. Such text should contain only word characters, and may also contain a hyphen, @, dot, apostrophe or space. The preg_match() call for this is:
preg_match("/^[-\@\w.' ]+$/", $variab)
The code is:
<?php
function isGoodText($variab)
{
    # $variab holds the supposed short text
    $variab = preg_replace("/^\s+|\s+$/", '', (string) $variab); # remove leading and trailing whitespaces
    if (preg_match("/^[-\@\w.' ]+$/", $variab) === 1)
    {
        return true;
    }
    else
    {
        return false;
    }
}
$variab = ''; # put the supposed short text here
$isItGoodText = isGoodText($variab);
?>
Validating Input with Known Text Pattern
If you are expecting text input with a known pattern, you can use code similar to the following, with a regex:
<?php
function isPattern($variab)
{
    # $variab holds the supposed patterned text
    $variab = preg_replace("/^\s+|\s+$/", '', (string) $variab); # remove leading and trailing whitespaces
    if (preg_match("/c.rk/", $variab) === 1) # "c", any single character, then "rk"
    {
        return true;
    }
    else
    {
        return false;
    }
}
$variab = "cork"; # the supposed patterned text
$isItPattern = isPattern($variab);
?>
To test whether a variable holds a string, use:
<?php
function isString($variab)
{
    # $variab holds the supposed string
    $variab = preg_replace("/^\s+|\s+$/", '', (string) $variab); # remove leading and trailing whitespaces
    if (preg_match("/\D/", $variab) === 1) # at least one non-digit character is present
    {
        return true;
    }
    else
    {
        return false;
    }
}
$variab = ''; # put the supposed string here
$isItString = isString($variab);
?>
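For the short text, known pattern and string checks above, how the regex is anchored and which modifiers it carries decide what actually gets through. The following added example (not the tutorial's code) runs three variants of the short-text pattern and two variants of the "c.rk" pattern over constructed inputs: `$` matches before a trailing newline whereas `\z` does not, `\w` is ASCII-only unless the `u` modifier is set, and preg_match() returns false (not 0) on an error such as invalid UTF-8, which is why comparing the result with `=== 1` is the safe form. The 64-character length cap is an assumption added here.

```php
<?php
declare(strict_types=1);

# Added example (not the tutorial's code): how the regex is written decides
# what a "short text" or "known pattern" check actually lets through.

# 1. '$' matches before a trailing newline, so "^...$" alone accepts "alice\n".
#    '\A' and '\z' anchor to the true start and end of the string.
function shortTextDollar(string $v): bool
{
    return preg_match("/^[-\@\w.' ]+$/", $v) === 1;
}
function shortTextStrict(string $v): bool
{
    return preg_match("/\A[-\@\w.' ]{1,64}\z/", $v) === 1;   # 64-char cap is an assumption
}

# 2. Without the 'u' modifier \w is ASCII-only, so a name such as "José" fails;
#    with 'u' the input must be valid UTF-8 and \w covers Unicode letters.
function shortTextUtf8(string $v): bool
{
    $r = preg_match("/\A[-\@\w.' ]{1,64}\z/u", $v);
    # preg_match() returns false on error (e.g. invalid UTF-8), not 0:
    # comparing with === 1 treats that error as "not valid", never as a match.
    return $r === 1;
}

# 3. A "known pattern" check is a substring search unless it is anchored:
#    "/c.rk/" matches "the cork is here" anywhere in the input.
function hasPatternAnywhere(string $v): bool { return preg_match("/c.rk/", $v) === 1; }
function isExactlyPattern(string $v): bool  { return preg_match("/\Ac.rk\z/", $v) === 1; }

# Constructed inputs.
$inputs = ["alice", "alice\n", "José", "O'Brien", "bob<b>", "\xff\xfe"];
foreach ($inputs as $s) {
    printf("%-14s dollar=%-5s strict=%-5s utf8=%s\n",
        var_export($s, true),
        var_export(shortTextDollar($s), true),
        var_export(shortTextStrict($s), true),
        var_export(shortTextUtf8($s), true));
}
foreach (["cork", "cark", "the cork is here", "co rk"] as $s) {
    printf("%-18s anywhere=%-5s exact=%s\n", var_export($s, true),
        var_export(hasPatternAnywhere($s), true), var_export(isExactlyPattern($s), true));
}
?>
```

In the sample run "alice\n" passes only the `$`-anchored variant, "José" passes only the `u` variant, the invalid UTF-8 input "\xff\xfe" fails all three (the `u` variant because preg_match() returns false), and "the cork is here" matches the unanchored pattern but not the exact one. Trimming whitespace before the check, as the tutorial does, removes the trailing-newline case, but anchoring with `\A` and `\z` makes the check correct on its own.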
You will still need to test whether it is a URL, email, etc.
However, if the string comes from a module (an included file), you should be careful. If the string in the module is in single quotes, there is no expansion or interpolation. If the string in the module is in double quotes, there is expansion and interpolation, and the expanded variable should refer to data or code in that module.
Note: it is possible to integrate the namespace of a module with the namespace of the main program.
That is it for this part of the series.
Chrys