
First of all, I don't want to use any framework, but I am looking for a good way to use whitelist validation. I am going to apply it to all the user input I receive. I need validation for XSS protection, and I also want to apply different formats, for example:

Example 1 XSS.

<input type="text" name="test" value="<script>alert('test');</script" />

Example 2 Date.

<input type="text" name="test" value="31-05-2012" />

Example 3 Time.

<input type="text" name="test" value="15:00" />

Example 4 Max length.

<input type="text" name="test" value="short description" />

Example 5 Min length.

<input type="text" name="test" value="min description" />

Example 6 Alphabetic and default symbols only

<input type="text" name="test" value="hello world. This is à ö text input :P :) :S :$ =D !! ??" />

Example 7 Numeric only

<input type="text" name="test" value="1234567890" />

My idea is to build client-side and server-side validation; if a user gets past the client-side validation (jQuery) they will be marked as a hacker, since it is impossible for normal users to get past the client-side validation.

My question is: what would be the best way to apply client- and server-side validation to prevent XSS and apply regular expressions on fields? Are there any lightweight PHP libraries for validation?

I have looked at:

ctype_alpha
preg_match

But I am not quite sure which would be the best one to use, and ctype_alpha does not allow default symbols etc.

Any advice? Examples? Thanks for your time and reading, and sorry for the hectic question.

  • What about users with no JavaScript support? Commented Feb 13, 2012 at 15:14
  • @gumbo They can't use the web app, since it relies heavily on JavaScript. Commented Feb 13, 2012 at 15:16
  • It seems you are taking the term "whitelisting" wrong. Commented Feb 13, 2012 at 15:17
  • @Col. Sharpnel blacklist = not allowing certain things, whitelist = allow everything that I tell you to? Commented Feb 13, 2012 at 15:18
  • whitelist = allowing certain things. You whitelist them by creating a list, much like with blacklisting, but use it to allow values, not block them. Commented Feb 13, 2012 at 15:22

3 Answers

1

It seems you just need some basic validation, not a "whitelist" one.

The idea is quite simple.

  1. Create server-side validation with ctype_alpha, preg_match and such. (I hope that your question is not about teaching you these functions from scratch.)
  2. Create client-side validation if you want, by making AJAX calls to the very same validation routines you've used for (1).
  3. Of course, you have to use both anyway.
  4. Marking users as hackers does not seem like the best idea. What are you going to do with marked users?

4 Comments

Sharpnel What is whitelist validation if I got it wrong then? My whole application relies on AJAX; users that have no JavaScript will get a black screen, I got that covered. The next question is, if every post, every piece of data on my website is AJAX based, why bother using client-side validation if it will run through the server-side validation anyway? I know it takes some resources, but is the difference really that notable?
Client-side validation means in-line validation. You can validate a user name right after the user entered it, not waiting until the whole form got submitted.
Why bother using client-side validation if we are calling the server-side validation anyway?
Yes, you are right and I'm stupid for not thinking about that. Thanks for the help :)
1

I've had a similar problem and ended up writing my own "Input-Datatype" classes. This might be a bit excessive if you only use them for validating input, though. But you could build validation functions that use a mix of PHP functions such as preg_match, is_numeric, strtotime etc.

An example for date validation would be:

class DateInput {
    public $minDate;          // earliest date allowed, e.g. '01-01-2000' (optional)
    public $maxDate;          // latest date allowed (optional)
    public $format = 'Y-m-d'; // format in which the date should be saved (date() format characters)

    public function validate(&$value) {
        $date = strtotime($value);

        if ($date === false) {
            return false; // Error: not a valid date
        }

        if (isset($this->maxDate) && $date > strtotime($this->maxDate)) {
            return false; // Error: max date exceeded
        }

        if (isset($this->minDate) && $date < strtotime($this->minDate)) {
            return false; // Error: date too low
        }

        // Normalise the value to the storage format; date() replaces the
        // original strftime(), which is deprecated since PHP 8.1.
        $value = date($this->format, $date);
        return true;
    }
}

Another example for validating text could be:

class TextInput {
    public $maxLength;         // maximal number of characters (optional)
    public $allowNull = false; // true if the text may be empty
    public $regex;             // any regular expression, e.g. /^[A-Za-z]+$/ for letters only
                               // (anchored with ^ and $, so the whole value must match)

    public function validate(&$value) {
        if (!isset($value) || $value === '') {
            // Error: value is empty, unless empty values are allowed
            return (bool) $this->allowNull;
        }

        if (isset($this->maxLength) && $this->maxLength !== '') {
            // mb_strlen counts characters rather than bytes, so 'à' and 'ö' count once
            if (mb_strlen($value) > $this->maxLength) {
                return false; // Error: max length exceeded
            }
        }

        if (isset($this->regex) && $this->regex !== '') {
            if (!preg_match($this->regex, $value)) {
                return false; // Error: value does not match expression
            }
        }

        return true;
    }
}

As far as XSS goes, make sure you use prepared statements when interacting with a database and use htmlentities when displaying user inputted data.

Hope this helps.

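Putting the question's seven cases and this answer's regex and escaping advice together, as an added example that is not code from the question, this answer or the poster's classes: a whitelist validate() with anchored patterns and a strict date round-trip, and htmlspecialchars() for output. The names validate and escapeForHtml and the max_length[n]/min_length[n] rule syntax are assumptions.

```php
<?php
// Added example, not code from the question or any answer: a whitelist
// validator for the question's seven cases. Each rule is a full-string match
// or a strict parse, so anything not explicitly allowed is rejected.
declare(strict_types=1);
function validate(string $value, string $rule): bool
{
    switch ($rule) {
        case 'date':   // Example 2: dd-mm-yyyy and a real calendar date (round-trip check)
            $d = DateTime::createFromFormat('!d-m-Y', $value);
            return $d !== false && $d->format('d-m-Y') === $value;
        case 'time':   // Example 3: 24-hour hh:mm
            return preg_match('/^(?:[01]\d|2[0-3]):[0-5]\d$/', $value) === 1;
        case 'digits': // Example 7: ASCII digits only
            return preg_match('/^\d+$/', $value) === 1;
        case 'text':   // Example 6: Unicode letters/digits, whitespace and a fixed symbol set
            return preg_match('/^[\p{L}\p{N}\s.,!?:;()$=\-]+$/u', $value) === 1;
    }
    // Examples 4 and 5: length in characters, so 'à' and 'ö' count once
    if (preg_match('/^(max|min)_length\[(\d+)\]$/', $rule, $m)) {
        $len = mb_strlen($value, 'UTF-8');
        return $m[1] === 'max' ? $len <= (int) $m[2] : $len >= (int) $m[2];
    }
    throw new InvalidArgumentException("unknown rule: $rule");
}
// Validation is not output encoding: escape whenever a value is echoed into HTML.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs taken from the question, plus one invalid date.
$cases = [
    ["<script>alert('test');</script", 'text', false],            // Example 1: rejected
    ['31-05-2012', 'date', true],                                   // Example 2
    ['31-02-2012', 'date', false],                                  // not a real date
    ['15:00', 'time', true],                                        // Example 3
    ['short description', 'max_length[4]', false],                  // Example 4
    ['min description', 'min_length[5]', true],                     // Example 5
    ['hello world. This is à ö text input :P :) :S :$ =D !! ??', 'text', true], // Example 6
    ['1234567890', 'digits', true],                                 // Example 7
];
foreach ($cases as [$input, $rule, $expected]) {
    if (validate($input, $rule) !== $expected) {
        throw new RuntimeException("unexpected result for rule $rule");
    }
}
echo escapeForHtml($cases[0][0]), PHP_EOL;
```

The date rule rejects 31-02-2012 because DateTime rolls it over to March and the round-trip comparison fails, which strtotime() alone would not catch.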

0

Some time ago, I wrote a lightweight validation class. Maybe you can use it.

For example:

$oValidator = new Validator();
$oValidator->setLanguage('en'); 
$oValidator->isValid('short description', 'max_length[4]');
echo $oValidator->getLastErrorMessage();
//The input can not exceed 4 characters in length.

$oValidator->isValid('min description', 'min_length[5]');
$oValidator->isValid('hello world. This is à ö text input :P :) :S :$ =D !! ??', 'min_length[5]');
$oValidator->isValid('1234567890', 'digits');

Rule definition:

/**
 * @ErrorMessage[lang=de] Die Eingabe muss mindestens %d Zeichen lang sein.
 * @ErrorMessage[lang=en] The input must be at least %d characters in length.
 */
public function check_min_length($mValue, $aParams)
{
    return (strlen($mValue) >= $aParams[0]);
}

Example: http://sklueh.de/2013/01/lightweight-php-validator-neue-version/

github: https://github.com/sklueh/Lightweight-PHP-Validator
