I'm doing some tests with learning purpose. I have a PHP script in which I used some functions to see how they work:
First I used isset to make sure a var exist
Then empty to make sure if a var has some value
Finally I used trim to remove whitespaces
After some testing I realized that trim function is not working properly. For example I can still write whitespaceCHARwhitespace, then I used strlen function and I get a 3 as a result. What's wrong with my script?
Btw I would like to know how acceptable is this form validation I would like to avoid some sqlinjection.
Thanks in advance.
<span><?php echo $msg;?></span>
<form method="POST">
<label for="name" class="white-headers">NAME</label>
<input type="text" name="name" id="name" class="form-control">
<label for="last_name" class="white-headers">LAST NAME</label>
<input type="text" name="last_name" id="last_name" class="form-control">
<input type="submit" class="btn btn-success" name="submit">
</form>
$msg="";
if(isset($_POST["submit"])){
$name = $_POST["name"];
$last_name = $_POST["last_name"];
if(!empty(trim($name)) && !empty(trim($last_name))){
$name_len=strlen($name);
$last_name_len=strlen($name);
$msg="<div class='alert alert-success'>
both fields are set and have some value name =".$name." with ".$name_len." chars and last_name =".$last_name."
with ".$last_name_len. "chars</div>";
}
else{
$msg="<div class='alert alert-danger'>
both fields are set but one or both are empty name =".$name." and last_name =".$last_name."</div>";
}
}
The only times you're using trim there are when you check whether or not there's anything left after you trim the variables:
if(!empty(trim($name)) && !empty(trim($last_name))) {
That doesn't affect $name and $last_name.
trim returns a string with the whitespace removed, but it doesn't change the value of the variable given as an argument. If you want those to be trimmed for later use in your code, you need to set them to their trimmed values, like $name = trim($name), etc.
In your case, you could probably trim them when you set them from $_POST initially.
$name = trim($_POST["name"]);
$last_name = trim($_POST["last_name"]);
Then you can check if there's anything left more simply:
if ($name && $last_name) {
empty isn't necessary because you know they're set, and zero-length strings evaluate to false.
As specified in the documentation, trim only removes whitespaces at the beginning or at the end of a string. Whitespaces in the middle are not affected (using _ to mark a whitespace):
__string will become stringstring__ will become strings_t_r_i_n_g will remain s_t_r_i_n_gPlus, as pointed in Don't Panic's answer, you are checking the strings after the trim, not its return value.
About the form validation: if you want to clean your inputs before using them in your application, simply trimming them isn't enough. There are many ways to sanitize inputs, every framework offers some options, but since you specifically spoke of sqlinjections, my suggestion is to start by reading PHP's mysqli.real_escape_string