Validation puzzle

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
Addos
Forum Contributor
Posts: 305
Joined: Mon Jan 17, 2005 4:13 pm

Validation puzzle

Post by Addos »

I wonder if anybody can help me understand why a form I have produced some unusual validation results?
Basically I have a Form where error messages are shown if the following 2 (of 5) fields are not filled out:

Name:
Message:

I recently though received an entry which gave me the following result:
Name: NULL
(Location: FFUzmL7VlinZ7iN)
Message: NULL
(IP: NULL)

I can’t understand how the null values were accepted and while I also can capture an IP address this too was null.
I have tested this from over and over and I can’t see how this happened so I wonder if anybody can see how this was spoofed. I even thought that the word ‘null’ might have been typed in place of where a ‘Name’ and ‘Message’ would normally be, but in the database the null values are usually italicised if they are entered by default and as the entries in the database are italicised makes me feel that they were not typed in but somehow spoofed.
The code below is what I’m using to validate the Form and hopefully somebody can help me understand this result. I’m not too worried as to the content that was placed in the form as it was nothing un savoury but as I’m trying to learn PHP to the highest level and I just can’t rest till I know what’s happened here.
Thanks
Brian

Code: Select all

// Test whether the POST array has been set and makes certain 
// variables are initialzed with no content.
$pattern = '/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i';
if ($_POST && array_key_exists('sendCom',$_POST)) {
  $nomessage='';
  $error=array();
  $error_email=array();
  $message='';
  $GuestEmail= $_POST['GuestEmail'];
  $trimedGuestDetails = $_POST['GuestDetails'];
  $trimedGuestName = $_POST['GuestName'];
// check to see if space bar has been used and if so send an error
if (!trim($trimedGuestDetails) && !empty($_POST['GuestDetails'])) {
    $nomessage = 'Message Required!';}
// Trim out white space and strip out unwanted HTML
if (isset($_POST['GuestDetails']) && !empty($_POST['GuestDetails'])) {
$trimedGuestDetails=trim(strip_tags($_POST['GuestDetails']));
}else{
   $nomessage = 'Message Required';
  }
// check to see if space bar has been used and if so send an error
if (!trim($trimedGuestName) && !empty($_POST['GuestName'])) {
    $error['GuestName'] = 'Name Required!';	}
	  if (isset($_POST['GuestName']) && !empty($_POST['GuestName'])) {
$trimedGuestName=trim(strip_tags($_POST['GuestName']));
}else {
  $error['GuestName'] = 'Name Required';
  }
   // Removes HTTP:// or http:// and strips white space
	 $url = trim($_POST['GuestWebsite']);
	 if (strpos(strtolower($url), 'http://') ===0) {
	 $url = substr($url, 7);	}
 if (empty($_POST['GuestEmail'])) {// validation of email if inserted otherwise ignore
	 } else {
	 if (!preg_match($pattern,$GuestEmail)) $error_email['invalid'] = 'ERROR! Your email address seems to be invalid. <br> It should be similar to the following: info@me.com';
     } }
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
if (!$nomessage && !$error)  {
if (!$nomessage && !$error_email)  {
// If no errors, send email and redirect to acknowledgment page
 // User has entered an email address  						
	
	mail($to,$subject,$message,$headers);
FORM

Code: Select all

<form method="post" name="form1" action="<?php echo $editFormAction; ?>">
<?php if (isset($error)) { // Display error messages. Otherwise skip table row.
	   // Loop through error messages and display
		foreach ($error as $key => $value) {
		  echo $value.'<br />';
		  }
		  }
		?>	
 <?php if (isset($_POST['GuestName'])) echo $_POST['GuestName'];?>" >
          Location: <input type="text" name="GuestLocation" value="" size="32">
         Message: <?php if (isset($nomessage) && !empty($nomessage)) {
		  echo $nomessage; } else {  } ?>
          <textarea name="GuestDetails" cols="40" rows="5" id="GuestDetails"><?php if (isset($_POST['GuestDetails'])) echo $_POST['GuestDetails'];?></textarea>
Website Address:<input type="text" name="GuestWebsite" value="<?php if (isset($_POST['GuestWebsite'])) echo $_POST['GuestWebsite'];?>" id ="GuestWebsite" size="32">
          Email Address:<input type="text" name="GuestEmail" id="GuestEmail" value="<?php if (isset($_POST['GuestEmail'])) echo $_POST['GuestEmail'];?>" size="32">
          * Required Field <input name="sendCom" type="submit" id="sendCom" value="Post Message" />
	   <input name="Reset" type="reset" value="Reset">
<input type="hidden" name="ip" 
		value="<?PHP
if (!empty ($_SERVER['REMOTE_HOST'] )){
			   print $_SERVER['REMOTE_HOST'];
} else if    (!empty($_SERVER['REMOTE_ADDR'])){
 print gethostbyaddr($_SERVER['REMOTE_ADDR']);
} ?>">
        <input type="hidden" name="MM_insert" value="form1">
      </form>
Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

print_r( $_POST );
is all I can say, what you see is what you get, what you don't see you don't get.

EDIT: and why are you hiding the IP in the form? it will stay the same, just use when you want to, don't allow the user to fake his IP.
Addos
Forum Contributor
Posts: 305
Joined: Mon Jan 17, 2005 4:13 pm

Post by Addos »

Thanks very much for your reply. I don’t fully understand when you say “and why are you hiding the IP in the form? it will stay the same, just use when you want to, don't allow the user to fake his IP”. I was trying to capture an IP of a few spamers that have been recently sent to my database and in the database is where I have stored the captured IP. I then use .htaccess to block them which has been reasonable successful.
Can you elaborate as to what I should be doing i.e. should I display the IP on the form rather than hide it?
Thanks again much appreciate your help.
B
:wink:
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

I had a few minutes to spare, your script had a few problems with it.
Take a look at this cleaner version, hopefully it will give you some ideas.

Code: Select all

<?php
	function cleanvar($var) {
		return trim(strip_tags($var));
	}

	if (array_key_exists('sendCom',$_POST) && !empty($_POST)) {
		$_POST = array_map('cleanvar', $_POST);
		$nomessage='';
		$error=array();
		$message='';

		/* 	Contains list of required variables
			With specific Error Name
		*/				
		$validate = array('GuestDetails' => 'Details',
						  'GuestName' => 'Name',
						  'GuestWebsite' => 'Website',
						  'MM_insert' => 'MM_insert');
						  
		/* 	Check if required vars are not empty
			Assign to error array is missing
		*/						
		foreach ($validate as $check => $value) {
			if (empty($_POST[$check])) {
				$error[$check] = $value.' Required!';
			}
		}

		/* 	Assign URL without http://
			If does not exist leave blank
		*/	
		$url = (strpos(strtolower($_POST['GuestWebsite']), 'http://' ) === 0 ? substr($_POST['GuestWebsite'],7) : '');
		
		/* 	Check MM_insert for specific value
		*/					    
		if (!empty($_POST['GuestEmail']) && !preg_match('/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i',$_POST['GuestEmail'])) {
			$error['GuestEmail'] = 'Your email address seems to be invalid. <br /> It should be similar to the following: info@me.com';
		}
		
		/* 	Check MM_insert for specific value
		*/				
		if ($_POST["MM_insert"] != "form1") {
			$error['MM_insert'] = 'MM_insert Required';
		}
		
		/* 	If error count is 0
			Send mail
			Redirect to achnoledge.php
		*/		
		if (count($error) == 0) {
			/* 	Build $message one way or another?
			*/				 
			 mail($to,$subject,$message,$headers);
			 header('Location: achnoledge.php');
		} 
		/* 	Display Errors
		*/				
		else {
			foreach ($error as $new_error) {
				echo $new_error .'<br />';
			}
		}
	}
	
	//OUTPUT YOUR FORM HERE WITHOUT YOUR ERROR OUTPUT

Edit | Fixed Parse errors ;)
Post Reply