form checking checkboxes

tanger has asked for the wisdom of the Perl Monks concerning the following question:

hey all!

I'm trying to make sure the data inputted from my form is okay. The form includes a 7 checkboxes, all the values can be 1, 2, 3, 4, 5, 6, 7 depending on what the user checks.

Basically I want to form check this incase any loser wants to alter the form and change the checkboxes values. I'm using CGI.pm and not quite sure on how I will check each and every value and untaint them.

heres my code:


our @io = $INPUT->param('io');
if (@io) { #this field is not a required field
foreach $io (@io) {
    if ($io =~ /^([0-9,]+)$/ && length($io) < 2) {
        $io = $1;
    }
    else {
        print "Do not alter this form. Objective field.  Your IP has b
+een logged and will be further investigated.";
        die;
         }
}
}
[download]

Is there a better way to formcheck an array of values or to untaint them?

Thanks!

Comment on form checking checkboxes Download Code

Replies are listed 'Best First'.
Re: form checking checkboxes by jeffa (Bishop) on May 31, 2005 at 19:56 UTC
Why not simply check if they are each one digit, and then if that one digit is within the valid range: `use strict; use warnings; for (qw(1 5 10 a 4)) { warn "$_ is not an int\n" unless $_ =~ /\d/; warn "$_ is out of range\n" unless $_ >= 1 && $_ <= 7; }` [download] I use warn instead of die just to demonstrate checking all the "test data," and to demonstrate why you want to make sure the data is indeed a number before you try to compare it with numerical operators. UPDATE: I left out discussion of untainting the values. Don't. If the data is invalid, then stop form processing. Make the user give you valid data. Naturally, you don't want to die in that case, but instead return the form with an error message (and hopefully the rest of their submitted, valid values intact). UPDATE^2: Thanks for the catch ikegami. Got any snake venom handy? jeffa L-LL-L--L-LL-L--L-LL-L-- -R--R-RR-R--R-RR-R--R-RR B--B--B--B--B--B--B--B-- H---H---H---H---H---H--- (the triplet paradiddle with high-hat)	[reply] [d/l]
Re^2: form checking checkboxes by thundergnat (Deacon) on May 31, 2005 at 20:18 UTC
Or even simpler... `#!/usr/local/bin/perl use warnings; use strict; for (qw(1 5 10 a 4 0 deadbeef 357 Albuquerque)) { warn "Bad input $_\n" and next unless /^([1-7])$/; print "Good input $1\n"; }` [download] Update: erp! Left out untainting bit. Minor edit to untaint data.	[reply] [d/l]
Re^2: form checking checkboxes by ikegami (Patriarch) on May 31, 2005 at 20:17 UTC
According to your code "l33t" in an int. According to your code "4c3" is not only an int, it's in range. `if $_ =~ /\D/` would be better than `unless $_ =~ /\d/`	[reply] [d/l] [select]
Re: form checking checkboxes by cees (Curate) on May 31, 2005 at 21:08 UTC
You can also do this with Data::FormValidator. It might seem a little heavy to do this for just a couple of checkbox fields, but it is really easy to use, and if your form gets any more complex you will appreciate something with the flexibility that this gives you. `use Data::FormValidator; use CGI; my $q = CGI->new; my %profile = ( required => [qw( io )], constraints => { io => 'RE_num_int' # use a Regexp::Common test }, untaint_all_constraints => 1, ); my $results = Data::FormValidator->check($q, \%profile); if ($results->has_invalid or $results->has_missing) { # do something with $results->invalid, $results->missing # or $results->msgs } else { # do something with $results->valid }` [download] This will make sure that all the checkboxes only contain integers, and that the results are untainted. If you need to do a more customized test, you can provide the constraint with an anonymous subroutine that performs the test (untainting will be up to you then).	[reply] [d/l]