
Prevent a user from adding zzzzz, uiuuiii, etc. to a web-based form

I am going to develop some PHP-based data entry forms where visitors will fill out a form with their name, address, etc.
This data will be written to a MySQL database.

Does anyone have any tips to prevent collecting bad data?

For example, first and last name fields will be required, but a user can type anything in there to pass the "required" validation.



The above are valid first/last names.

What if someone types




They will pass the "required" validation, but of course it is junk data.

Any ideas regarding how someone handles this are appreciated.

1 Solution
käµfm³d 👽 Commented:
Without keeping a data store of valid names, how would you validate that a name is valid? There aren't really any rules which define names--at least not ones you can encapsulate logic for. If you are worried about receiving bogus names, I would suggest building a database of valid names, and checking incoming input against that database.
The possibilities of what could be considered junk are endless and ways around it zero.
Here's the thing - there are two typical scenarios where you'll receive intentionally-bad data:

1. Someone doesn't want to fill out the form to get to the reward (e.g. a download link).

2. Someone is trying to programmatically fill out the form (to either try to hack your system or to spam you).

The only one you can really do anything about is #2 - you can insert sleep() statements into your form processing and load to slow down the attacker enough to make it tough to do a large quantity of attempts, but will still be usable by a valid user, since they're only registering once.

For the first scenario, let's say you succeed in blocking out a user named Charlie Smith from putting in "zzzzz" as his name, and you present an error to him. Now, Charlie has some personal motivation not to fill out the form correctly, and you did not take away that motivation, so he is still going to try to get around it. Charlie could easily put in "Mike Donovan" and you would end up with incorrect data that APPEARED correct and Charlie will have gotten past the form without giving you his information.

It's going to be next to impossible to enforce a valid name, but you CAN enforce other valid pieces of information. For example, if you collect address information, you can use address verification systems, or if you are giving them a download, then email the download link to them so that they have to provide a valid email address to receive the link.
Ray Paseur Commented:
Suggest you add a "gateway" step to the process. As new information is entered into the database, use the logic in this article to get confirmation. If a client does not confirm within a few days, delete the record.

Oh, and you can tell them the prizes will be awarded with a check made out to the name they put in the form ;-)
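
The confirmation "gateway" suggested above, together with the earlier suggestion to e-mail a link so that the visitor has to supply a working address, sketched as an added example (not code from this thread or from the linked article). The table and column names, the three-day window, and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example: e-mail confirmation gateway. Names and the 3-day window are assumptions.
declare(strict_types=1);

const CONFIRM_WINDOW_SECONDS = 3 * 86400; // "a few days"; choose your own value

function createSchema(PDO $db): void {
    $db->exec('CREATE TABLE signups (
        id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL,
        token_hash TEXT NOT NULL, created_at INTEGER NOT NULL, confirmed_at INTEGER)');
}

// Store the submission as unconfirmed and return the token to e-mail to the visitor.
function registerSignup(PDO $db, string $name, string $email, int $now): string {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Malformed e-mail address');
    }
    $token = bin2hex(random_bytes(32)); // unguessable, single use
    $stmt = $db->prepare('INSERT INTO signups (name, email, token_hash, created_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$name, $email, hash('sha256', $token), $now]); // only the hash is stored
    return $token;
}

// Called from the e-mailed link; succeeds once, and only inside the window.
function confirmSignup(PDO $db, string $token, int $now): bool {
    $stmt = $db->prepare('UPDATE signups SET confirmed_at = ?
                          WHERE token_hash = ? AND confirmed_at IS NULL AND created_at >= ?');
    $stmt->execute([$now, hash('sha256', $token), $now - CONFIRM_WINDOW_SECONDS]);
    return $stmt->rowCount() === 1;
}

// Run from cron: delete records nobody confirmed in time.
function purgeUnconfirmed(PDO $db, int $now): int {
    $stmt = $db->prepare('DELETE FROM signups WHERE confirmed_at IS NULL AND created_at < ?');
    $stmt->execute([$now - CONFIRM_WINDOW_SECONDS]);
    return $stmt->rowCount();
}

// Demo with constructed data; swap the DSN for your MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
$t0 = 1700000000; // constructed timestamp
$good = registerSignup($db, 'Charlie Smith', 'charlie@example.com', $t0);
registerSignup($db, 'zzzzz', 'uiuuiii@example.com', $t0); // junk entry, never confirmed
var_dump(confirmSignup($db, $good, $t0 + 3600));   // first click on the link
var_dump(confirmSignup($db, $good, $t0 + 7200));   // replayed link
var_dump(purgeUnconfirmed($db, $t0 + 4 * 86400));  // cron run on day 4
```

Prepared statements keep whatever the visitor typed in the name field out of the SQL text, and storing only the token's hash means a leaked table does not hand out working confirmation links.
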
Ray Paseur Commented:
What was wrong with this answer? Please explain why you marked this down to a "B" -- we're experts but not mind-readers. If you needed something else, you should always feel free to ask for it!

Please see the grading guidelines here:

Best regards, ~Ray
