#1
    Contributing User

    Validating user input or cleaning it? getting mixed up


    I know that the answer is most likely NO but just to get it out of my system:

    When a user inputs data to a form, can we "clean" it up or just report the problem?

    e.g. Name = John Smith

    we could strip the spaces into one.

    e.g.2 Name = John1233Smith

    we could strip the numbers?

    But I guess if it was a fake one: 213134sdasd how would you "clean" it? So I guess we could just report the error i.e. Name must not contain numbers?
#2
    Hi,

    I find it a terrible idea to unaskedly "clean" user input. When I make a mistake, I want you to tell me so that I can correct it. I do not want you to try to guess what I meant and change my input.

    I also think that "validating" input is grossly overrated. You can pass the data through 100 functions doing all kinds of formal verifications -- that still doesn't mean the data is actually true. I mean, how is "bill@microsoft.com" better than "asdfgh"?

    Sure, validations can sometimes be helpful to notify the user of a typo. And it can be used to enforce certain conventions. But it cannot ensure correct data (with a few exceptions)

    Comments on this post

    • paulh1983 agrees : thanks as always
    The 6 worst sins of security · How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#3
    Contributing User
    Thank you as always..
#4
    Sarcky
    There's nothing illegal about a name containing numbers. There's probably a kid with numbers in their name right now in the US. If they want their name to look like a myspace profile page title, just let them.

    Also note that you used only Latin characters in your example. What about Unicode? What about German or French names with accent marks? What about Asian characters? What about people with oddly hyphenated, spaced, and capitalized names?

    Just leave the "name" field alone. It's a label for a human being, and the label can contain anything (aside from SQL injection)
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
#5
    Lost in code
    Some forms of cleanup are OK, but not the example you give. Examples of cleanup that are OK:
    - If you have a field asking for a dollar amount, it's convenient to allow the user to optionally enter the $ sign even though you would remove the dollar sign for storage purposes.
    - Similar logic for most percent fields
    - If the user is entering a floating point value, it's normally acceptable to round the value if they enter a greater precision than you can store
    - Most text fields you can trim(), particularly if your users are going to be copying and pasting the value from somewhere else
    - If the user is entering HTML (for example, using a WYSIWYG editor) it's normally OK to run it through something like Tidy
    - If the user enters a date in a format other than the one you asked for, but you're still able to parse the date unambiguously, it's normally OK to convert the date to the format you asked for automatically
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
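An added example (not code from any poster in this thread) that puts the distinction from post #5 into Python: cleanups that do not change what the user meant (optional "$", trimming, rounding to storable precision, converting an unambiguous date format) are applied, while anything that would require guessing (an ambiguous day/month date, digits in a name) is reported back as an error. Function and exception names are my own.

```python
import re
from datetime import date, datetime
from decimal import Decimal, ROUND_HALF_UP


class ValidationError(ValueError):
    """Raised when input cannot be normalised without guessing the user's intent."""


def clean_dollar_amount(raw: str) -> Decimal:
    """Allow an optional leading '$' and surrounding whitespace; round to cents."""
    s = raw.strip()
    if s.startswith("$"):
        s = s[1:].strip()
    if not re.fullmatch(r"\d+(\.\d+)?", s):
        raise ValidationError(f"amount must be a number, got {raw!r}")
    # Rounding only applies when the user gave more precision than we store.
    return Decimal(s).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def clean_date(raw: str) -> date:
    """Convert other formats to a date only when the reading is unambiguous."""
    s = raw.strip()
    for fmt in ("%Y-%m-%d", "%d %B %Y", "%B %d, %Y"):
        try:
            return datetime.strptime(s, fmt).date()
        except ValueError:
            pass
    m = re.fullmatch(r"(\d{1,2})/(\d{1,2})/(\d{4})", s)
    if m:
        a, b, y = (int(g) for g in m.groups())
        if a > 12 and b <= 12:      # only possible reading: day/month/year
            return date(y, b, a)
        if b > 12 and a <= 12:      # only possible reading: month/day/year
            return date(y, a, b)
        # Both fields could be the month: report it instead of guessing.
        raise ValidationError(f"date {raw!r} is ambiguous; use YYYY-MM-DD")
    raise ValidationError(f"unrecognised date {raw!r}; use YYYY-MM-DD")


def clean_name(raw: str) -> str:
    """A name is a label for a person: trim it, but never strip digits or accents."""
    s = raw.strip()
    if not s:
        raise ValidationError("name must not be empty")
    return s
```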
