Prevent a user from adding zzzzz, uiuuiii, etc to a web based form

Posted on 2012-08-13
Last Modified: 2012-08-19
I am going to develop some PHP-based data entry forms where visitors will fill out a form with their name, address, etc.
This data will be written to a MySQL database.

Does anyone have any tips to prevent collecting bad data?

For example, First and Last name fields will be required, but a user can type anything in there to pass the "required" validation.



the above are valid first/last names

what if someone types




They will pass the "required" validation, but of course it is junk data.

Any ideas regarding how someone handles this are appreciated.

Question by:abinboston
    LVL 74

    Expert Comment

    by:käµfm³d 👽
    Without keeping a data store of valid names, how would you validate that a name is valid? There aren't really any rules which define names--at least not ones you can encapsulate logic for. If you are worried about receiving bogus names, I would suggest building a database of valid names, and checking incoming input against that database.
    LVL 58

    Expert Comment

    The possibilities of what could be considered junk are endless and ways around it zero.
    LVL 34

    Expert Comment

    Here's the thing - there are two typical scenarios where you'll receive intentionally-bad data:

    1. Someone doesn't want to fill out the form to get to the reward (e.g. a download link).

    2. Someone is trying to programmatically fill out the form (to either try to hack your system or to spam you).

    The only one you can really do anything about is #2 - you can insert sleep() statements into your form processing and load to slow down the attacker enough to make it tough to do a large quantity of attempts, but will still be usable by a valid user, since they're only registering once.

    For the first scenario, let's say you succeed in blocking out a user named Charlie Smith from putting in "zzzzz" as his name, and you present an error to him. Now, Charlie has some personal motivation not to fill out the form correctly, and you did not take away that motivation, so he is still going to try to get around it. Charlie could easily put in "Mike Donovan" and you would end up with incorrect data that APPEARED correct and Charlie will have gotten past the form without giving you his information.

    It's going to be next to impossible to enforce a valid name, but you CAN enforce other valid pieces of information. For example, if you collect address information, you can use address verification systems, or if you are giving them a download, then email the download link to them so that they have to provide a valid email address to receive the link.
    LVL 107

    Accepted Solution

    Suggest you add a "gateway" step to the process. As new information is entered into the database, use the logic in this article to get confirmation. If a client does not confirm within a few days, delete the record.

    Oh, and you can tell them the prizes will be awarded with a check made out to the name they put in the form ;-)
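
The confirmation "gateway" suggested in the accepted answer, sketched as an added example (not code from the thread or from the article it refers to). Table and column names, the three-day window and the in-memory SQLite database used so it runs offline are assumptions; the form discussed here would write to MySQL.

```php
<?php
// Added example. Assumed schema; SQLite in memory (pdo_sqlite) keeps it offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE signups (
    id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, email TEXT,
    token_hash TEXT, created_at INTEGER, confirmed_at INTEGER)');

const CONFIRM_WINDOW = 3 * 86400; // "a few days", in seconds (assumed value)

// Store the record as unconfirmed and return the token to e-mail to the visitor.
function register(PDO $pdo, string $first, string $last, string $email, int $now): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // syntactically invalid address: nothing to confirm
    }
    $token = bin2hex(random_bytes(32)); // unguessable, single use
    $stmt = $pdo->prepare('INSERT INTO signups
        (first_name, last_name, email, token_hash, created_at) VALUES (?, ?, ?, ?, ?)');
    // Only the hash is stored, so a database leak does not expose live tokens.
    $stmt->execute([$first, $last, $email, hash('sha256', $token), $now]);
    return $token;
}

// Called from the link in the e-mail; succeeds once, and only inside the window.
function confirm(PDO $pdo, string $token, int $now): bool
{
    $stmt = $pdo->prepare('UPDATE signups SET confirmed_at = ?
        WHERE token_hash = ? AND confirmed_at IS NULL AND created_at > ?');
    $stmt->execute([$now, hash('sha256', $token), $now - CONFIRM_WINDOW]);
    return $stmt->rowCount() === 1;
}

// Run periodically (e.g. from cron): delete records that were never confirmed.
function purge(PDO $pdo, int $now): int
{
    $stmt = $pdo->prepare('DELETE FROM signups
        WHERE confirmed_at IS NULL AND created_at <= ?');
    $stmt->execute([$now - CONFIRM_WINDOW]);
    return $stmt->rowCount();
}

// Constructed sample data: one visitor who confirms, one junk entry who never does.
$t0 = 1344816000;
$real = register($pdo, 'Charlie', 'Smith', 'charlie@example.com', $t0);
$junk = register($pdo, 'zzzzz', 'uiuuiii', 'nobody@example.com', $t0);
var_dump(confirm($pdo, $real, $t0 + 3600)); // first click on the mailed link
var_dump(confirm($pdo, $real, $t0 + 7200)); // same link clicked again
var_dump(purge($pdo, $t0 + 4 * 86400));     // cleanup run four days later
```

Sending the mail is left out; the confirmation link would carry the token returned by `register()`.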
    LVL 107

    Expert Comment

    by:Ray Paseur
    What was wrong with this answer? Please explain why you marked this down to a "B" -- we're experts but not mind-readers. If you needed something else, you should always feel free to ask for it!

    Please see the grading guidelines here:

    Best regards, ~Ray
