
Length validation

by dwiz (Pilgrim)
on Jun 07, 2001 at 18:39 UTC ( [id://86565]=perlquestion )

dwiz has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks,
I have a couple of questions about form validation. Specifically about the length of a field and amount of data that can be submitted to my form.

Don't worry I know about length.
My main questions are:

How do you handle it?

Obviously you don't want people submitting a couple of megs of data to your form.
I read up on how CGI.pm can handle DOS attacks of this sort and set the $CGI::POST_MAX variable accordingly. Well that solved my maximum amount of data problem. (I hope)

My second question is: how do you handle the length of your fields?

I have currently been doing something like this.

    #$valids is an array reference returned by HTML::FormValidator
    my @error;
    foreach (@$valids) {
        #%error_msg contains something like "first => "First name is too long"
        #%error_length contains something like "first => 45"
        push @error, { message => $error_msg{$_} } if $_ >= $error_length{$_}
    };

Have I covered all my bases on this issue?
Is there a better way to do it?

Thanks
dwiz

Replies are listed 'Best First'.
Re: Length validation
by japhy (Canon) on Jun 07, 2001 at 18:45 UTC
    Unless there's more to the hash references you're putting in @error, the hash reference itself is rather useless. That being said, you can do:
    my @error = map $error_msg{$_}, grep length(param($_)) >= $error_length{$_}, @$valids;
    You can't just use $_ >= $error_length{$_}, since $_ is a field name. You need to get the value of that field, and find its length. I've done so using the CGI module.

    japhy -- Perl and Regex Hacker
Re: Length validation
by tachyon (Chancellor) on Jun 07, 2001 at 18:53 UTC

    The best point to validate length is at the time of input. Sure you can get around this, but specifying the MAXLENGTH attribute in your input tags will avoid casual submission of extra long data in text fields. Of course you always need to revalidate on the server side. Here is a snippet from the RFC on the input tag.

        8.1.2.1. Text Field: INPUT TYPE=TEXT

        The default value of the TYPE attribute is `TEXT', indicating a
        single line text entry field. (Use the <TEXTAREA> element for
        multi-line text fields.)

        Required attributes are:

        NAME
                name for the form field corresponding to this element.

        The optional attributes are:

        MAXLENGTH
                constrains the number of characters that can be entered
                into a text input field. If the value of MAXLENGTH is
                greater the the value of the SIZE attribute, the field
                should scroll appropriately. The default number of
                characters is unlimited.

        SIZE
                specifies the amount of display space allocated to this
                input field according to its type. The default depends
                on the user agent.

        VALUE
                The initial value of the field.

        For example:

        <p>Street Address: <input name=street><br>
        Postal City code: <input name=city size=16 maxlength=16><br>
        Zip Code: <input name=zip size=10 maxlength=10 value="99999-9999"><br>

    Hope this helps

    tachyon

Re: Length validation
by arturo (Vicar) on Jun 07, 2001 at 18:50 UTC

    A reminder: HTML textfields have an optional maxlength attribute that determines the longest string they'll take. Dunno offhand about textareas (OK, looked it up. No corresponding restrictor there). I don't believe that these will help with POST submissions that don't actually go through the HTML form ('cos the client's responsible for honoring the maxlength attribute). But doing length checks and/or using substr to cut malefactors down to size is probably the best approach overall.

    perl -e 'print "How sweet does a rose smell? "; chomp ($n = <STDIN>); $rose = "smells sweet to degree $n"; *other_name = *rose; print "$other_name\n"'
Re: Length validation
by earthboundmisfit (Chaplain) on Jun 07, 2001 at 19:10 UTC
    I know this isn't very Perl-ish, but I rely heavily on client side forms validation, not so much to prevent abuses (what self respecting hacker doesn't know how to get around JavaScript?) but to prevent honest mistakes as early as possible.

    So something like

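        <SCRIPT>
        var Ok2submit=true
        </SCRIPT>
        <FORM method=post action="foo.pl" onsubmit="return Ok2submit">
        <!-- the textarea's text is in this.value; re-check on every change
             so a shortened entry can be submitted again -->
        <TEXTAREA name="foo"
          onchange="Ok2submit=(this.value.length<=512);if(!Ok2submit){alert('you are too verbose, my child!')}"></TEXTAREA>
        </FORM>
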
    Of course, I also check for these things much in the way you mention on the server side -> trust in God, but lock your car doors.
Re: Length validation
by Beatnik (Parson) on Jun 07, 2001 at 22:10 UTC
    If you're using GET as method, the data sent is (or should be) maximum 2K in size. Why choose GET over POST is left in the middle, but it's just a thought.

    Greetz
    Beatnik
    ... Quidquid perl dictum sit, altum viditur.
      I always use POST when it makes a change and shouldn't be cached. I always use GET when it is just a data retrieval, makes no change on the server, and should be cacheable by the user. Sure, some misconfigured proxy can screw things up, but this is the main reason there are two different submission methods, isn't it?

      Chris
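
Added example, not part of the original thread or any poster's code: a server-side check that combines the request-size cap from the question with per-field length limits, so the result does not depend on the browser honoring maxlength. The field names, limits and sample submission are constructed for illustration, and multi_param assumes CGI.pm 4.08 or later.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Cap the whole request body before CGI.pm parses it, as in the question.
$CGI::POST_MAX        = 100 * 1024;   # assumed limit: 100 KB
$CGI::DISABLE_UPLOADS = 1;            # assumed: this form takes no uploads

# Assumed per-field limits. length() counts bytes here unless the
# parameters were decoded to characters first.
my %max_len = ( first => 45, last => 45, comment => 512 );

# Return a list of error strings; an empty list means every length is fine.
sub length_errors {
    my ($q, $max) = @_;

    # When POST_MAX is exceeded CGI.pm returns no parameters and sets
    # cgi_error, so check it before looking at any field.
    if ( my $err = $q->cgi_error ) {
        return ("request rejected: $err");
    }

    my @errors;
    for my $name ( sort $q->param ) {
        # A field the form never defined has no limit, so refuse it outright.
        unless ( exists $max->{$name} ) {
            push @errors, "unexpected field '$name'";
            next;
        }
        # multi_param returns every value sent under this name, so a
        # repeated field cannot hide an oversized second value.
        for my $value ( $q->multi_param($name) ) {
            push @errors, "'$name' is longer than $max->{$name}"
                if length($value) > $max->{$name};
        }
    }
    return @errors;
}

# Constructed input standing in for a POST that bypassed the HTML form.
my $q = CGI->new( {
    first   => 'Alice',
    last    => 'x' x 200,
    comment => [ 'short', 'y' x 600 ],
    admin   => 1,
} );

print "$_\n" for length_errors( $q, \%max_len );
```

The sample query is built from a hash, so the POST_MAX branch is not exercised here; in a real CGI request it fires when the body exceeds the cap.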
