Are there marks in the marking rubric for using specifically PHP to limit the input length of, say, the username field?
I am asking because using the html maxlength attribute on the input box works so much better.
Also because I am using the POST method the user can't inject SQL in the browser URL.
Ok, I will use PHP for some input validation and HTML for others. Also, I would like to say that it's fantastic to be able to be in contact with the lecturer like we can here with Mac. I wish my other lecturers were so readily available to help. Thanks Mac
NEVER NEVER NEVER NEVER NEVER do your validation on client side only.
You're opening yourself up for major issues. Client-side validation should serve the sole purpose of enhancing user experience (avoiding the postback before errors are displayed). You should never rely on validation that the user can disable. As Mac has pointed out, you can inject both POST and GET requests. I've seen injections in all sorts of places: cookies, user agent, referrer, pretty much anything that's sent in the header. Query string and POST data are not even the only places you should be validating.
Rule of thumb, assume all input is hostile.
Security should be part of the actual core design. The main problem most enterprise applications face is exactly that: security was added as an afterthought, which leaves the applications with huge exposure. This isn't even touching validation for things like cross-site scripting, file inclusion vulnerabilities or even sensitive information disclosure that could lead to exploitation.
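To make the point of both posts concrete (server-side length validation of the username, and why the POST method on its own stops nothing), here is an added example written for this thread; it is not code from the original discussion or from the course. The table name `users`, the column `username`, the DSN and the credentials are assumptions for illustration only.

```php
<?php
// Added example, not part of the original thread.
// Server-side validation of a username in PHP. It runs on every request no
// matter what the browser sent, so an HTML maxlength attribute (or its removal
// by the user) makes no difference to what reaches the database.
declare(strict_types=1);

const USERNAME_MIN = 3;
const USERNAME_MAX = 20;

/**
 * Return the validated username, or null if the request must be rejected.
 * The parameter is deliberately untyped: $_POST values may be strings,
 * arrays, or absent entirely, and all of those must be handled.
 */
function validateUsername($raw): ?string
{
    if (!is_string($raw)) {
        return null;                    // arrays or missing fields are rejected outright
    }
    $username = trim($raw);
    $len = mb_strlen($username, 'UTF-8');
    if ($len < USERNAME_MIN || $len > USERNAME_MAX) {
        return null;                    // length is enforced here, not by the HTML attribute
    }
    // Allow-list of characters: letters, digits and underscore only.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $username)) {
        return null;
    }
    return $username;
}

// The request method is no defence by itself: a POST body is as easy to craft
// as a query string, so the same validation applies to $_POST and $_GET alike.
$username = validateUsername($_POST['username'] ?? null);
if ($username === null) {
    http_response_code(400);
    exit('Invalid username');
}

// Prepared statement with a bound parameter: the user's value is never
// concatenated into the SQL text, so it cannot change the query's structure.
// DSN and credentials below are placeholders (assumption).
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // let the server do the parameter binding
]);
$stmt = $pdo->prepare('SELECT id FROM users WHERE username = :username');
$stmt->execute([':username' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Output encoding covers the cross-site scripting side mentioned above:
// even a validated value is escaped before being written back into HTML.
echo $row
    ? 'Found user ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8')
    : 'No such user';
```

The HTML maxlength attribute can stay on the form for the nicer user experience the reply describes; the PHP check is the one that actually decides what is accepted, and the prepared statement keeps the query safe regardless of how the value arrived.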