Question
a) (10 points) Create a PHP page to read one name. Add input validation such that the name is required, and only contains letters and white space. You do not have to modify the input. You only have to alert the user of the inappropriate use of special characters, and give him or her another chance to enter the name.
<?php
$nameErrMsg = "";
$names = "";

// Trim, strip slashes and HTML-encode the value so it can be echoed back safely.
function test_input($data) {
    return htmlspecialchars(trim(stripslashes($data)), ENT_QUOTES, 'UTF-8');
}

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST["NAME"])) {
        $nameErrMsg = "Requiring a Name";
    } else {
        $names = test_input($_POST["NAME"]);
        // Letters and white space only. The range must be A-Z, not A-z:
        // A-z would also admit [ \ ] ^ _ and the backtick.
        if (!preg_match("/^[a-zA-Z ]*$/", $names)) {
            $nameErrMsg = "allowing letters and whitespaces only";
        }
    }
}
?>
<!-- The form posts back to this page so the user gets another chance to enter the name. -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
    Name: <input type="text" name="NAME" value="<?php echo $names; ?>">
    <span style="color:red"><?php echo $nameErrMsg; ?></span>
    <input type="submit" value="Submit">
</form>
c) Explain how a) relates to SQL injection.
Explanation / Answer
The above-mentioned code works perfectly.
if ($_SERVER["REQUEST_METHOD"] == "POST") ==> This line runs when the user hits the submit button, meaning the user is posting something; here we're avoiding the GET method.
if (empty($_POST["NAME"])) {
    $nameErrMsg = "Requiring a Name";
}
The lines above take care of validating the input: if the input is empty, it won't do anything.
if (!preg_match("/^[a-zA-Z ]*$/", $names)) => This line takes care of invalid names, because here [a-zA-Z] means we're allowing only a to z and A to Z characters, and /^ and *$ mean anywhere in the string; that is, in the complete string we're allowing only a to z and A to Z. If it doesn't match, the if condition will throw false.
To get rid of SQL injections:
SQL injections are mostly done with single quotes and double quotes. To avoid quotes, write
$name = mysql_real_escape_string($_POST["NAME"]); instead of $name = $_POST["NAME"];
This mysql_real_escape_string will escape all quotes.
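As an added example (not part of the original question or answer), here is the same whitelist check followed by a parameterized insert with PDO, which is the approach current PHP supports; the `mysql_*` extension that `mysql_real_escape_string` belongs to was removed in PHP 7. The in-memory SQLite database, the `people` table and the sample inputs are constructed for this example.

```php
<?php
// Added example: whitelist validation plus a parameterized query.
// Assumes the pdo_sqlite extension is available (it is in most PHP builds).

function validate_name(string $raw): ?string {
    $name = trim($raw);
    if ($name === '') {
        return null;                       // the name is required
    }
    // Same whitelist as the page: letters and spaces only (A-Z, not A-z)
    return preg_match('/^[a-zA-Z ]*$/', $name) ? $name : null;
}

// The value travels as a bound parameter, never as part of the SQL text,
// so quotes in the data cannot change the query structure, validated or not.
function store_name(PDO $db, string $name): void {
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample inputs: the whitelist accepts the first one and rejects
// the rest, including a legitimate name with an apostrophe. The whitelist is
// useful input validation, but the parameterized query is the injection defence.
$samples = ["Ada Lovelace", "O'Brien", "R2-D2", ""];
foreach ($samples as $raw) {
    $name = validate_name($raw);
    if ($name === null) {
        echo "Rejected by whitelist: " . var_export($raw, true) . "\n";
        continue;
    }
    store_name($db, $name);
    echo "Stored: $name\n";
}

// A bound parameter is safe with any string, so the apostrophe case can be
// stored without escaping if the application chooses to allow such names.
store_name($db, "O'Brien");
echo "Rows stored: " . $db->query('SELECT COUNT(*) FROM people')->fetchColumn() . "\n";
```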