
UNIT-3

What is the primary purpose of form validation?
A) To make the form visually appealing
B) To ensure the data entered meets required criteria
C) To increase the loading speed of the form
D) To store data in a database
Ans: B
Which aspect of form validation involves verifying that the length or size of the
input data falls within acceptable limits?
A) Data Type Validation
B) Required Field Validation
C) Length and Size Validation
D) Format Validation
Ans: B
What is the purpose of the htmlspecialchars() function in PHP?
A) To execute JavaScript code
B) To convert special characters to HTML entities
C) To prevent CSRF attacks
D) To validate form input
Ans: B
Which PHP superglobal variable returns the filename of the currently executing
script?
A) $_REQUEST
B) $_GET
C) $_SERVER["PHP_SELF"]
D) $GLOBALS
Ans: C
What does the preg_match() function do in PHP?
A) Converts HTML characters to special characters
B) Searches for a pattern in a string and returns true if found
C) Validates email addresses
D) Handles cross-site scripting attacks
Ans: B
1. Which two predefined variables are used to retrieve information from forms?
a) $GET & $SET
b) $_GET & $_SET
c) $__GET & $__SET
d) GET & SET
Answer: b
Explanation: The global variable $_GET is used to collect form data after submitting an
HTML form with method="get". The variable $_SET is also used to retrieve
information from forms.

2. The attack which involves the insertion of malicious code into a page frequented by
other users is known as _______________
a) basic sql injection
b) advanced sql injection
c) cross-site scripting
d) scripting

Answer: c
Explanation: Cross-site scripting, also known as XSS, is one of the top five security
attacks carried out across the Internet. It is a type of code injection attack made
possible by incorrectly validating user data, which usually gets inserted into the page
through a web form or an altered hyperlink.

3. When you use the $_GET variable to collect data, the data is visible to ___________
a) none
b) only you
c) everyone
d) selected few

Answer: c
Explanation: The information sent from a form with the method GET is visible to
everyone, i.e. all variable names and values are displayed in the URL.

4. When you use the $_POST variable to collect data, the data is visible to ___________
a) none
b) only you
c) everyone
d) selected few

Answer: b
Explanation: The information sent from a form with the method POST is invisible to
others, i.e. all names/values are embedded within the body of the HTTP request.

5. Which variable is used to collect form data sent with both the GET and POST
methods?
a) $BOTH
b) $_BOTH
c) $REQUEST
d) $_REQUEST

Answer: d
Explanation: In PHP the global variable $_REQUEST is used to collect data after
submitting an HTML form.

6. Which one of the following should not be used while sending passwords or other
sensitive information?
a) GET
b) POST
c) REQUEST
d) NEXT
Answer: a
Explanation: The information sent from a form with the method GET is visible to
everyone, i.e. all variable names and values are displayed in the URL. So it should not
be used for sending passwords or other sensitive information.

7. Which function is used to remove all HTML tags from a string passed to a form?
a) remove_tags()
b) strip_tags()
c) tags_strip()
d) tags_remove()
Answer: b
Explanation: The function strip_tags() is used to strip HTML, XML, and PHP tags from
a string.

8. What will be the value of the variable $input in the following PHP code?

<?php
$input = "Swapna<td>Lawrence</td>you are really<i>pretty</i>!";
$input = strip_tags($input,"<i></i>");
echo $input;
?>

a) Swapna Lawrence you are really pretty!
b) Swapna <td>Lawrence</td> you are really<i>pretty</i>!
c) Swapna <td>Lawrence</td> you are really pretty!
d) Swapna Lawrence you are really<i>pretty</i>!
Answer: d
Explanation: Italic tags <i></i> might be allowable, but table tags <td></td> could
potentially wreak havoc on a page.

9. To validate an email address, which flag is to be passed to the function filter_var()?
a) FILTER_VALIDATE_EMAIL
b) FILTER_VALIDATE_MAIL
c) VALIDATE_EMAIL
d) VALIDATE_MAIL
Answer: a
Explanation: The FILTER_VALIDATE_EMAIL filter validates an e-mail address.

10. How many validation filters like FILTER_VALIDATE_EMAIL are currently available?
a) 5
b) 6
c) 7
d) 8
Answer: c
Explanation: There are seven validation filters. They are FILTER_VALIDATE_EMAIL,
FILTER_VALIDATE_BOOLEAN, FILTER_VALIDATE_FLOAT, FILTER_VALIDATE_INT,
FILTER_VALIDATE_IP, FILTER_VALIDATE_REGEXP, FILTER_VALIDATE_URL.

1. How many predefined variables does PHP use to authenticate a user?
a) 1
b) 2
c) 3
d) 4

Answer: b
Explanation: The variables PHP uses to authenticate a user are
$_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].

2. Which of the following variables does PHP use to authenticate a user?

i) $_SERVER['PHP_AUTH_USER'].
ii) $_SERVER['PHP_AUTH_USERS'].
iii) $_SERVER['PHP_AUTH_PU'].
iv) $_SERVER['PHP_AUTH_PW'].

a) i) and ii)
b) ii) and iv)
c) i) and iv)
d) ii) and iii)

Answer: c
Explanation: $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] store the
username and password values, respectively.

3. Which of the following PHP functions are commonly used when handling authentication
via PHP?

i) header()
ii) footer()
iii) inset()
iv) isset()

a) i) and iv)
b) ii) and iv)
c) ii) and iii)
d) i) and iii)

Answer: a
Explanation: The function isset() is used to check whether a variable is set or not and
the function header() sends a raw HTTP header to a client.

4. Which function is used to verify whether a variable contains a value?
a) header()
b) footer()
c) inset()
d) isset()

Answer: d
Explanation: The isset() function determines whether a variable has been assigned a
value. Its prototype follows: boolean isset(mixed var [,mixed var [,…]]).

5. Which of the following are types of PHP authentication implementation
methodologies?

i) Hard-coding a login pair directly into the script
ii) File-based authentication
iii) Data-based authentication
iv) PEAR'S HTTP authentication

a) ii) and iii)
b) i) and iv)
c) i), ii), iii) and iv)
d) Only iv)

Answer: c

6. In which authentication method can the username or password be changed only by
entering the code and making the manual adjustment?
a) Hard-coding a login pair directly into the script
b) File-based authentication
c) Data-based authentication
d) PEAR’S HTTP authentication
Answer: a
Explanation: The simplest way to restrict resource access is by hard-coding the
username and password directly into the script. In this authentication method,
changing the username or password can be done only by entering the code and
making the manual adjustment. This is one of the drawbacks of hard-coding a login
pair directly into the script.

7. The authenticationFile.txt file, which stores the username and password, should be
stored ___ the server document root.
a) Inside
b) Outside
c) Within
d) None of the mentioned
Answer: b
Explanation: If it is not stored outside, the attacker could discover the file through brute
force guessing.

8. Which function is used to split a string into a series of substrings, with each string
boundary determined by a specific separator?
a) break()
b) divide()
c) explode()
d) md5()
Answer: c
Explanation: Although they are similar functions, you should use explode() instead of
split(). In fact, the split() function has been deprecated altogether.

9. In which of the following situations does file-based authentication become
inconvenient?

i) small list
ii) large number of users
iii) users are being regularly added
iv) static authentication

a) i) and iv)
b) i) and iii)
c) ii) and iii)
d) ii) and iv)
Answer: c
Explanation: Such requirements are better satisfied by implementing a database-based
solution.

10. Which is the most powerful authentication method among the four?
a) Hard-coding a login pair directly into the script
b) File-based authentication
c) Data-based authentication
d) PEAR’S HTTP authentication
Answer: c
Explanation: It not only enhances administrative convenience and scalability but also
can be integrated into a larger database infrastructure.

MCQ 1:

Which of the following is used to collect form data submitted using the GET method?

(a) $_GET

(b) $_POST

(c) $REQUEST

(d) $_REQUEST

Answer: (a) $_GET

Explanation: The $_GET superglobal variable is used to collect form data submitted
using the GET method.

MCQ 2:

Which of the following is used to collect form data submitted using the POST method?

(a) $_GET

(b) $_POST

(c) $REQUEST

(d) $_REQUEST

Answer: (b) $_POST

Explanation: The $_POST superglobal variable is used to collect form data submitted
using the POST method.

MCQ 3:

Which of the following is used to collect form data submitted using both the GET and
POST methods?

(a) $_GET

(b) $_POST

(c) $REQUEST

(d) $_REQUEST

Answer: (c) $REQUEST

Explanation: The $REQUEST superglobal variable is used to collect form data submitted
using both the GET and POST methods.

MCQ 4:

Which of the following is used to validate form data?

(a) filter_var()

(b) validate_var()

(c) strip_tags()

(d) all of the above

Answer: (d) all of the above

Explanation: The filter_var() function is used to validate various types of data, including
email addresses, URLs, and IP addresses. The validate_var() function is used to validate
email addresses. The strip_tags() function is used to remove HTML tags from a string.

MCQ 5:

Which of the following is used to protect against cross-site scripting (XSS) attacks?

(a) filter_var()

(b) validate_var()

(c) htmlspecialchars()

(d) all of the above

Answer: (c) htmlspecialchars()

Explanation: The htmlspecialchars() function is used to convert special characters into
their HTML entities, which can help to prevent XSS attacks.


<!DOCTYPE html>
<html>
<head>
<title>Subjective Question Form</title>
</head>
<body>
<?php
$errors = array();

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Validating and sanitizing user inputs
    $userCodeAnswer = $_POST['code_answer'] ?? '';

    if (empty($userCodeAnswer)) {
        $errors[] = "Code answer is required!";
    } else {
        // Perform additional validation if needed
        // For example, syntax check, security checks, etc.
        // This is a placeholder for validation; adapt as per your requirements
        // Example validation:
        // if (some_validation_condition) {
        //     $errors[] = "Invalid code answer!";
        // }
    }

    if (empty($errors)) {
        // No errors, process the code answer
        // In this example, simply displaying the submitted code,
        // escaped so that it is shown as text and not interpreted as HTML
        echo "<h2>Submitted Code Answer</h2>";
        echo "<pre>" . htmlspecialchars($userCodeAnswer) . "</pre>";
        exit;
    }
}
?>
<?php if (!empty($errors)) : ?>
<div style="color: red;">
<ul>
<?php foreach ($errors as $error) : ?>
<li><?php echo htmlspecialchars($error); ?></li>
<?php endforeach; ?>
</ul>
</div>
<?php endif; ?>
<!-- PHP_SELF is escaped because the request path is under the client's control -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
<h3>Subjective Question: Write your code answer below</h3>
<label>
<textarea name="code_answer" rows="10" cols="50"><?php echo isset($_POST['code_answer']) ? htmlspecialchars($_POST['code_answer']) : ''; ?></textarea>
</label><br>
<br>
<input type="submit" value="Submit">
</form>
</body>
</html>

Ques: Make a form which takes Name, Email, Age and the user's website as input from the
user and perform validation and sanitization on the data in another file.

<!DOCTYPE html>
<html>
<head>
<title>Form Validation and Sanitization</title>
</head>
<body>
<form action="validation.php" method="post">
<input type="text" name="name" placeholder="Your name">
<input type="email" name="email" placeholder="Your email">
<input type="number" name="age" placeholder="Your age">
<input type="url" name="website" placeholder="Your website">
<input type="submit" value="Submit">
</form>
</body>
</html>

Now, in a new file validation.php, let's handle the data posted by the form.

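<?php
// Get the form data (missing fields default to an empty string)
$name = trim($_POST['name'] ?? '');
$email = trim($_POST['email'] ?? '');
$age = trim($_POST['age'] ?? '');
$website = trim($_POST['website'] ?? '');

// Collect validation errors so that invalid data is never echoed back
$errors = array();

// Validate the name
// FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so the name is
// escaped with htmlspecialchars() when it is output instead
if (empty($name)) {
    $errors[] = "Please enter your name.";
}

// Validate the email
if (empty($email)) {
    $errors[] = "Please enter your email address.";
} else {
    $email = filter_var($email, FILTER_SANITIZE_EMAIL);
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors[] = "Invalid email address.";
    }
}

// Validate the age
if (empty($age)) {
    $errors[] = "Please enter your age.";
} else {
    $age = filter_var($age, FILTER_SANITIZE_NUMBER_INT);
    $age = filter_var($age, FILTER_VALIDATE_INT);
    if ($age === false || $age < 18 || $age > 100) {
        $errors[] = "Age must be between 18 and 100.";
    }
}

// Validate the website
// FILTER_SANITIZE_URL leaves characters such as < and > in place,
// so the value is also validated here and escaped on output
if (empty($website)) {
    $errors[] = "Please enter your website address.";
} else {
    $website = filter_var($website, FILTER_SANITIZE_URL);
    if (!filter_var($website, FILTER_VALIDATE_URL)) {
        $errors[] = "Invalid website address.";
    }
}

// If the data is valid, echo it back to the user, escaped for HTML output
if (empty($errors)) {
    echo "Your name is " . htmlspecialchars($name) . ". Your email address is "
        . htmlspecialchars($email) . ". You are $age years old. Your website is "
        . htmlspecialchars($website) . ".";
} else {
    foreach ($errors as $error) {
        echo htmlspecialchars($error) . "<br>";
    }
}
?>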
