
PHP forms: special characters

  • 30-03-2006 12:12pm
    #1
    Registered Users Posts: 673 ✭✭✭


    Hey,

    I have an account setup page on my website but I haven't put in any safeguards to stop people putting in special characters. I have noticed on most other websites you will not be allowed to proceed with these special characters.

    Is it important to have it set up this way and if so why?

    Also, if I should be doing it, can someone let me know how to set it up in my PHP script?

    Thanks


Comments

  • Registered Users Posts: 6,511 ✭✭✭daymobrew


    I'm not 100% sure what problems permitting these characters will expose, but wrt modifying your scripts you should only permit safe characters instead of excluding unsafe chars.
    If you choose the exclusion route then you may miss unsafe characters.


  • Registered Users Posts: 673 ✭✭✭Bananna man


    How do I do that?


  • Moderators, Politics Moderators Posts: 39,929 Mod ✭✭✭✭Seth Brundle


    You could replace the characters with HTML versions of the same.
    Where is your data going (email? database?)?


  • Registered Users Posts: 673 ✭✭✭Bananna man


    Into a database


  • Registered Users Posts: 3,514 ✭✭✭Rollo Tamasi


    Use as many drop-down boxes as possible to avoid users having to type into the boxes, and google PHP form validation tutorials.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    If it's going into a database, then make sure you escape every piece of input. Look for the mysql_escape_string() function on php.net.

    In terms of not allowing certain characters, there are many reasons for that. For example, in an email address field, you may only want input in the form a.b@y.com. In a telephone field you might only want 011234567 or +35311234567. In a "Name" field, you wouldn't expect to see |, & % ^ $ ; ¬ etc.

    Generally pattern matching is used to validate that people aren't putting weird things in their input. It also saves on administration - if the input is validated before being entered into the database, then you won't have to correct it later on, or try to figure out what they meant to enter. For info on pattern matching, google "regular expressions" (Check wikipedia.org, regular expressions is a *big* subject, you could be overwhelmed by google). For info on pattern matching in PHP, look for preg_match() for a start.
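
The two steps discussed in this thread (permit only expected characters with preg_match(), then keep the input from altering the SQL), as an added example that is not part of any post above. It uses PDO prepared statements rather than the mysql_escape_string() call mentioned in the last reply; the field names, patterns, accounts table and in-memory SQLite database are assumptions chosen so the script runs offline.

```php
<?php
// Allowlist patterns (assumed for illustration): describe what is permitted, reject the rest.
const PATTERNS = [
    // Starts with a letter, then letters, spaces, apostrophes, dots or hyphens; 1-60 chars.
    'name'  => '/\A\p{L}[\p{L} \'.-]{0,59}\z/u',
    // Optional leading +, then 7-15 digits (accepts 011234567 and +35311234567).
    'phone' => '/\A\+?[0-9]{7,15}\z/',
];

function validate_account(array $in): array
{
    $errors = [];
    foreach (PATTERNS as $field => $pattern) {
        $value = $in[$field] ?? '';
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $errors[] = $field;
        }
    }
    $email = $in['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    return $errors; // empty array means every field passed
}

function save_account(PDO $db, array $in): bool
{
    if (validate_account($in) !== []) {
        return false;
    }
    // Placeholders send the values separately from the SQL text, so a permitted
    // apostrophe (O'Brien) is stored as data and cannot change the statement.
    $stmt = $db->prepare('INSERT INTO accounts (name, email, phone) VALUES (?, ?, ?)');
    return $stmt->execute([$in['name'], $in['email'], $in['phone']]);
}

$db = new PDO('sqlite::memory:'); // assumption: stand-in for the real database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (name TEXT, email TEXT, phone TEXT)');

// Constructed sample input: one ordinary sign-up, one with characters a name should not contain.
$samples = [
    ['name' => "Mary O'Brien", 'email' => 'a.b@y.com', 'phone' => '+35311234567'],
    ['name' => 'Bob|&%^$;',    'email' => 'a.b@y.com', 'phone' => '011234567'],
];
foreach ($samples as $s) {
    $result = save_account($db, $s) ? 'saved' : 'rejected: ' . implode(',', validate_account($s));
    echo $s['name'], ' => ', $result, "\n";
}
```

Validation and parameterised queries do different jobs: the first keeps bad data out of the table, the second keeps whatever is allowed through from being read as SQL.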

