Validation puzzle
Posted: Tue Jun 07, 2005 2:35 am
I wonder if anybody can help me understand why a form I have produced some unusual validation results?
Basically I have a Form where error messages are shown if the following 2 (of 5) fields are not filled out:
Name:
Message:
I recently though received an entry which gave me the following result:
Name: NULL
(Location: FFUzmL7VlinZ7iN)
Message: NULL
(IP: NULL)
I can’t understand how the null values were accepted and while I also can capture an IP address this too was null.
I have tested this from over and over and I can’t see how this happened so I wonder if anybody can see how this was spoofed. I even thought that the word ‘null’ might have been typed in place of where a ‘Name’ and ‘Message’ would normally be, but in the database the null values are usually italicised if they are entered by default and as the entries in the database are italicised makes me feel that they were not typed in but somehow spoofed.
The code below is what I’m using to validate the Form and hopefully somebody can help me understand this result. I’m not too worried as to the content that was placed in the form as it was nothing un savoury but as I’m trying to learn PHP to the highest level and I just can’t rest till I know what’s happened here.
Thanks
Brian
FORM
Basically I have a Form where error messages are shown if the following 2 (of 5) fields are not filled out:
Name:
Message:
I recently though received an entry which gave me the following result:
Name: NULL
(Location: FFUzmL7VlinZ7iN)
Message: NULL
(IP: NULL)
I can’t understand how the null values were accepted and while I also can capture an IP address this too was null.
I have tested this from over and over and I can’t see how this happened so I wonder if anybody can see how this was spoofed. I even thought that the word ‘null’ might have been typed in place of where a ‘Name’ and ‘Message’ would normally be, but in the database the null values are usually italicised if they are entered by default and as the entries in the database are italicised makes me feel that they were not typed in but somehow spoofed.
The code below is what I’m using to validate the Form and hopefully somebody can help me understand this result. I’m not too worried as to the content that was placed in the form as it was nothing un savoury but as I’m trying to learn PHP to the highest level and I just can’t rest till I know what’s happened here.
Thanks
Brian
Code: Select all
// Test whether the POST array has been set and makes certain
// variables are initialzed with no content.
$pattern = '/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i';
if ($_POST && array_key_exists('sendCom',$_POST)) {
$nomessage='';
$error=array();
$error_email=array();
$message='';
$GuestEmail= $_POST['GuestEmail'];
$trimedGuestDetails = $_POST['GuestDetails'];
$trimedGuestName = $_POST['GuestName'];
// check to see if space bar has been used and if so send an error
if (!trim($trimedGuestDetails) && !empty($_POST['GuestDetails'])) {
$nomessage = 'Message Required!';}
// Trim out white space and strip out unwanted HTML
if (isset($_POST['GuestDetails']) && !empty($_POST['GuestDetails'])) {
$trimedGuestDetails=trim(strip_tags($_POST['GuestDetails']));
}else{
$nomessage = 'Message Required';
}
// check to see if space bar has been used and if so send an error
if (!trim($trimedGuestName) && !empty($_POST['GuestName'])) {
$error['GuestName'] = 'Name Required!'; }
if (isset($_POST['GuestName']) && !empty($_POST['GuestName'])) {
$trimedGuestName=trim(strip_tags($_POST['GuestName']));
}else {
$error['GuestName'] = 'Name Required';
}
// Removes HTTP:// or http:// and strips white space
$url = trim($_POST['GuestWebsite']);
if (strpos(strtolower($url), 'http://') ===0) {
$url = substr($url, 7); }
if (empty($_POST['GuestEmail'])) {// validation of email if inserted otherwise ignore
} else {
if (!preg_match($pattern,$GuestEmail)) $error_email['invalid'] = 'ERROR! Your email address seems to be invalid. <br> It should be similar to the following: info@me.com';
} }
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
if (!$nomessage && !$error) {
if (!$nomessage && !$error_email) {
// If no errors, send email and redirect to acknowledgment page
// User has entered an email address
mail($to,$subject,$message,$headers);Code: Select all
<form method="post" name="form1" action="<?php echo $editFormAction; ?>">
<?php if (isset($error)) { // Display error messages. Otherwise skip table row.
// Loop through error messages and display
foreach ($error as $key => $value) {
echo $value.'<br />';
}
}
?>
<?php if (isset($_POST['GuestName'])) echo $_POST['GuestName'];?>" >
Location: <input type="text" name="GuestLocation" value="" size="32">
Message: <?php if (isset($nomessage) && !empty($nomessage)) {
echo $nomessage; } else { } ?>
<textarea name="GuestDetails" cols="40" rows="5" id="GuestDetails"><?php if (isset($_POST['GuestDetails'])) echo $_POST['GuestDetails'];?></textarea>
Website Address:<input type="text" name="GuestWebsite" value="<?php if (isset($_POST['GuestWebsite'])) echo $_POST['GuestWebsite'];?>" id ="GuestWebsite" size="32">
Email Address:<input type="text" name="GuestEmail" id="GuestEmail" value="<?php if (isset($_POST['GuestEmail'])) echo $_POST['GuestEmail'];?>" size="32">
* Required Field <input name="sendCom" type="submit" id="sendCom" value="Post Message" />
<input name="Reset" type="reset" value="Reset">
<input type="hidden" name="ip"
value="<?PHP
if (!empty ($_SERVER['REMOTE_HOST'] )){
print $_SERVER['REMOTE_HOST'];
} else if (!empty($_SERVER['REMOTE_ADDR'])){
print gethostbyaddr($_SERVER['REMOTE_ADDR']);
} ?>">
<input type="hidden" name="MM_insert" value="form1">
</form>