PHP and MySQL Web Development 4th Ed-tqw-_darksiderg

370 Chapter 16 Web Application Security
There is a little bit more code involved here, but we can at least be sure we are getting
correct values, and this becomes a lot more important when we start handling data
values more financially sensitive than a user’s gender. As a rule, we cannot ever assume
that a value from a form will be within a set of expected values—we must check first.
Filtering Even Basic Values
HTML form elements have no types associated with them and most simply pass strings
(which may, in turn, represent things such as dates, times, or numbers) to the server.
Thus, if you have a numeric field, you cannot assume or trust that it was truly entered as
such. Even in environments where particularly powerful client-side code can try to make
sure that the value entered is of a particular type, there is no guarantee that the values
will not be sent to the server directly, as we saw in the previous section.
An easy way to make sure that a value is of the expected type is to cast or convert it
to that type and then use that value, as follows:
$number_of_nights = (int)$_POST['num_nights'];
if ($number_of_nights == 0)
{
echo "ERROR: Invalid number of nights for the room!";
exit;
}
If we have the user input a date in some localized format, such as mm/dd/yy for users
in the United States, we can then write some code to make sure it is a real date using
the PHP function called checkdate.This function takes a month, day, and year value (4-
digit years), and indicates whether they, combined, form a valid date:
// split is mbcs-safe via mbstring (see chapter 5)
$mmddyy = split($_POST['departure_date'], '/');
if (count($mmddyy) != 3)
{
echo "ERROR: Invalid Date specified!";
exit;
}
// handle years like 02 or 95
if ((int)$mmddyy[2] < 100)
{
if ((int)$mmddyy[2] > 50)
$mmddyy[2] = (int)$mmddyy[2] + 1900;
else if ((int)$mmddyy[2] >= 0)
$mmddyy[2] = (int)$mmddyy[2] + 2000;
}
// else it's < 0 and checkdate will catch it