Hi everyone! I really love this forum, it's by far the best coding forum I've been to. I have been attempting form validation and login security for about a month now, and I made the mistake of using all JavaScript for validation (though my site requires JavaScript...sooo I could always just disallow users who don't have it enabled if need be). I just need a simple "no special characters, x characters long, email must be valid, password and confirmed password must match" script for my validation (which I made), only when it finds an error it tells the user in a JavaScript alert (which, if JavaScript is disabled, poses a problem).

My main question though is security, security, security! What can I do and how can I assure security? I was looking at Zend Guard but the product description was vague.

THANKS!

Jeff

ok i am not a javascript expert, i also do not know why this is in the php forum, but ill give it ago ;).

If you are worried about having a pop-up message not working in some browsers; dont be. Pretty much every browser uses javascript. If there browser does not support it, then give them a direct link to download one that does. Or if you really want, just echo to the screen that there was an error and that they need to re-type there password or whatever. If you do this use css and build a red background box like an error, place the div at the top of the page, thus forcing the user to see this box and thus realising his or her error.

ok i am not a javascript expert, i also do not know why this is in the php forum, but ill give it ago ;).

I have grown to love the PHP section and its masterminds too much to betray them like such ;).

And ooooh that's a wonderful idea! Considering JavaScript is just absolutely necessary to run the site.

And now for the PHP: securing my PHP and preventing SQL injections. Now that it's decided I'm keeping my JavaScript protectors, are there any tricks I should know or be wary of to keep my life's work safe :)?

Thanks a ton!

For starters, Zend Guard is a product for encoding your php in opcode *I believe the term is opcode*, it has nothing to do with securing a form or validating logins.

Second, I'm going to make a big assumption here, and say that you're using javascript validation to verify that 95% of the form submissions *should* be valid prior to them getting to a PHP form processor which then AGAIN should verify the data that was submitted.

The reason this is key, is because i can just as easily create a form that mimics your form fields and posts the submission to your php script without ever passing through the javascript validation. This is the real problem with relying strictly on javascript.

Generally speaking these kinds of validations are best handled by regular expressions. Where when the user submits their username and it should be between 8 and 16 characters in length, and only contain upper and lower case letters and numbers, or whatever your specifications are.

You would use a php function like preg_match and then write a regular expression to match your requirements for example /([a-zA-Z0-9]{8,16})/ -- I didnt test this, but it should be valid.

Now onto the php

if (!preg_match( '/([a-zA-Z0-9]{8,16})/', $sUsername )) {
    echo 'Your username must contain only numbers and letters and be between 8 and 16 characters in length.';
}

Hopefully this gives your the basics of how this works.
There are a ton of different ways to validate email addresses, phone numbers etc, and there are plenty of great resources out there on how to write your own.

Thank you for the awesome response! Here is the code I am using:

if (!preg_match('/([a-zA-Z0-9]{0,35})/', $foo)) {
 echo 'The inputted variable foo
 must contain only numbers and letters and be between 0 and 35 characters in length.';}

Only it's not returning my little error message when I input special characters. Please help me fix that little bit ;) Thanks a ton!

Solved by adding a carat to the regex and an *$ to the end. Thanks!

This question has already been answered. Start a new discussion instead.