Good evening
I have worked on the following code to validate my forms and secure my SQL database.
However, when entering the city, location or artist name, I thought I had the validation code set to not accept anything but a-zA-Z.
As it is, I can type in anything such as in the city code "New York()&^%$/" and it will go straight into the database. This indicates to me that my PHP form is not secure to injection or hacking at all. Can someone give me suggestions as to where I have gone wrong?
[code]
<?
if (!isset($submit)) {
    $errors = array(
        $artist = preg_match('/^([a-zA-Z]){3,30}\s\b i $/', $_POST['artist'])
            ? $errors[] = 'Error: invalid entry artist'
            : mysql_escape_string(trim($_POST['artist'])),
        $where = preg_match('/^([a-zA-Z]){3,25}\s\b i $/', $_POST['where'])
            ? $errors[] = 'Error: invalid entry where'
            : mysql_escape_string(trim($_POST['where'])),
        $city = preg_match('/^([a-zA-Z]){3,25}\s i$/', $_POST['city'])
            ? $errors[] = 'Error: invalid entry city'
            : mysql_escape_string(trim($_POST['city'])),
        $length = preg_match('/^\W{1}([0-9]){2,4}$/', $_POST['length'])
            ? $errors[] = 'Error: invalid entry length'
            : mysql_escape_string(trim($_POST['length'])),
        $url = preg_match('#\b(https?|ftp)://([-A-Z0-9.]+)(/[-A-Z0-9+&@#/%=~_|!:,.;]*)?(\?[-A-Z0-9+&@#/%=~_|!:,.;]*)?#', $_POST['url'])
            ? $errors[] = 'Error: invalid entry url'
            : mysql_escape_string(trim($_POST['url'])),
        $desc = preg_match('/^\s([a-zA-Z]){3,200}\s i$/', $_POST['desc'])
            ? $errors[] = 'Error: invalid entry desc'
            : mysql_escape_string(trim($_POST['desc'])),
        $date = preg_match('/^(\d{1,2})-(\d{1,2})-(\d{4})/', $_POST['date'])
            ? $errors[] = 'Error: Invalid Entry date'
            : mysql_escape_string(trim($_POST['date'])),
    );

    if (sizeof($errors) > 0) {
        echo "- ";
        foreach ($errors as $e) {
            echo "
- $e ";
        }
        die();
        echo "
[/code]
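The validation above fails for two reasons that the rewrite below addresses. First, preg_match() returns 1 when the value matches, so the poster's ternary stores the error for valid input and passes anything that does not match straight through; second, the whole block only runs when $submit is not set. The example that follows is added here and is not the poster's code: it checks each field against an anchored whitelist pattern, collects errors when the match fails, and inserts with a PDO prepared statement instead of mysql_escape_string(), so the database never sees user input as SQL. The table name events, its column names, the use of an in-memory SQLite database for the demo, and the decision to allow spaces in names (so "New York" is valid while "New York()&^%$/" is not) are assumptions made for this example.

```php
<?php
// Added example, not the original poster's code. Assumed: a table "events"
// with the columns used below; SQLite in memory stands in for MySQL.

// Anchored whitelist patterns: preg_match() === 1 means the value is VALID.
// Spaces are allowed in names (assumption); everything else is rejected.
const RULES = array(
    'artist' => '/^[a-zA-Z ]{3,30}$/',
    'where'  => '/^[a-zA-Z ]{3,25}$/',
    'city'   => '/^[a-zA-Z ]{3,25}$/',
    'length' => '/^[0-9]{2,4}$/',
    'url'    => '~^https?://[-A-Za-z0-9.]+(/[-A-Za-z0-9+&@#/%=\~_|!:,.;]*)?(\?[-A-Za-z0-9+&@#/%=\~_|!:,.;]*)?$~',
    'desc'   => '/^[a-zA-Z .,!?\']{3,200}$/',
    'date'   => '/^[0-9]{1,2}-[0-9]{1,2}-[0-9]{4}$/',
);

// Returns array($clean, $errors). Values are NOT escaped here: escaping is a
// job for the prepared statement, validation only decides what is acceptable.
function validate(array $input): array
{
    $clean  = array();
    $errors = array();
    foreach (RULES as $field => $pattern) {
        $value = trim((string)($input[$field] ?? ''));
        if (preg_match($pattern, $value) === 1) {
            $clean[$field] = $value;
        } else {
            $errors[] = "Error: invalid entry $field";
        }
    }
    return array($clean, $errors);
}

// Named placeholders keep the data out of the SQL text entirely.
function insert_event(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO events (artist, location, city, length, url, description, event_date)
         VALUES (:artist, :location, :city, :length, :url, :description, :event_date)'
    );
    $stmt->execute(array(
        ':artist'      => $clean['artist'],
        ':location'    => $clean['where'],
        ':city'        => $clean['city'],
        ':length'      => (int)$clean['length'],
        ':url'         => $clean['url'],
        ':description' => $clean['desc'],
        ':event_date'  => $clean['date'],
    ));
    return (int)$db->lastInsertId();
}

// --- demo with constructed submissions (in a real form, use $_POST only when
// $_SERVER['REQUEST_METHOD'] === 'POST', not when $submit is unset) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, artist TEXT, location TEXT,
           city TEXT, length INTEGER, url TEXT, description TEXT, event_date TEXT)');

$good = array(
    'artist' => 'Miles Davis', 'where' => 'Blue Note', 'city' => 'New York',
    'length' => '90', 'url' => 'http://example.com/shows?id=12',
    'desc' => 'Late set.', 'date' => '12-05-2024',
);
$bad = $good;
$bad['city'] = 'New York()&^%$/';   // the poster's hostile value

foreach (array($good, $bad) as $submission) {
    list($clean, $errors) = validate($submission);
    if (count($errors) > 0) {
        // Report and stop: nothing from this submission reaches the database.
        echo "- " . implode("\n- ", $errors) . "\n";
        continue;
    }
    $id = insert_event($db, $clean);
    echo "inserted row $id\n";
}
```

Run it with php on the command line: the first submission is inserted, the second prints "Error: invalid entry city" and is never passed to the database. Note that validation and the prepared statement are two separate defenses: the whitelist keeps junk out of your data, and the placeholders guarantee that even a value the whitelist lets through (a legitimate apostrophe in a description, say) cannot alter the query.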