An important thing to consider when accepting input from users is validation. When PHP is used, powerful functions can be performed. The problem is that it can also do powerful and bad things if a malicious user is entering data which isn’t validated.

Consider this: you accept input asking for a month or year. The problem is that a user decides to enter “”;rm -rf *” after the year, and in so doing could cause the deletion of your whole website. Obviously, this is not a good thing, so what to do? Data validation is the answer. As the name suggests, it validates or verifies data, ensuring that it complies to form.

In other words, when you validate data, you ensure that a user entered numbers for a year, and not a malicious command as shown above. Unfortunately, many webmasters have fallen victim to this, all because they didn’t tighten security on their server.

One solution would be to enter data in this manner:

$month = $_GET[‘month’];
$year = $_GET[‘year’];

if (!preg_match(“/^[0-9]{1,2}$/”, $month)) die(“Invalid entry. Please try again.”);
if (!preg_match(“/^[0-9]{4}$/”, $year)) die(“Invalid entry. Please try again.”);

exec(“cal $month $year”, $result);
print “

";
foreach ($result as $r) { print "$r
"; } print "

“;

What this code does is this: it allows your user to enter a month and a year, say for a credit card or date of birth, but it also double checks the data, ensuring that it is in fact numeric data that a user entered, and not code that could cause you hours of grief.

Of course, there is more extensive code you can write which will validate further, but this data pertains strictly to the security of your server. You can, of course, add code that will ensure that a year is between, say 1900 and 2020, and that a month is between 1 and 12.

As an administrator or webmaster, you need to consider all data that a user enters questionable. By using this mindset, you’ll be in a position to prevent yourself from being vulnerable to malicious injection attacks. Too often, a webmaster has chosen not to take security measures because he or she assumed that no one would try something so awful as to delete someone’s data. As we see every day, however, there are people who think nothing of ruining peoples’ hard work, data, and electronic property.