make sure post data is valid phone number
Posted: Wed Feb 22, 2006 9:24 pm
by MinDFreeZ
I've been trying to figure out how to make sure posted "number" is a phone number... not sure entirely on specifics of phone numbers, but I'd like to basically make sure it is 10 characters.. but if it is 11 and it starts with the number 1 to remove that, and make that $phNumber. it also must be numeric which I guess strlen and is_numeric() could be used for these.... but the rest I'm not sure of.. anyone know of a good way to validate this?
(also I could use maxlength on the input, so I know it won't be more than 11..)
Code: Select all
$num = $_POST['number'];
if($num) {
    if(is_numeric($num) == TRUE) {
        $phNumber = $num;
    }
}
elseif($num) {
    if(is_numeric($num) == FALSE) {
        die("You did not enter a valid phone number");
    }
}
my code doesn't even work... but you can basically see what I'm trying to do here... if it is numeric and has at least 10 numbers or if it has 11 it must start with a 1, then remove that 1..... if it is 11 and does not start with a 1 also echo a message saying invalid phone number.. $phNumber is going to be further used in the script.. otherwise, echo an error...
I'm also having 1 other problem... but it's more about the mail function... and a checkbox.. if someone wants me to post the full script so they can help with that, I'm more than willing to

thanks
Posted: Wed Feb 22, 2006 9:50 pm
by feyd
since there are so many forms and formats for numbers, I'd strip all non-numeric characters out of the string. Then do your length checks.
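
The approach suggested in this reply, combined with the 10/11-digit rule from the question, as an added example that is not code from any poster in the thread. `normalize_phone()` is a hypothetical helper name and the sample inputs are constructed.

```php
<?php
// Added example; normalize_phone() is a hypothetical helper name.

function normalize_phone($raw)
{
    // A field submitted as number[]=... arrives as an array, not a string.
    if (!is_string($raw)) {
        return null;
    }
    // Drop everything except ASCII digits: spaces, dashes, parentheses, and
    // also CR, LF or '@', which must never reach the recipient of mail().
    $digits = preg_replace('/[^0-9]/', '', $raw);
    if ($digits === null) {
        return null;                       // regex engine error
    }
    // Eleven digits are accepted only with a leading 1, which is removed.
    if (strlen($digits) === 11 && $digits[0] === '1') {
        $digits = substr($digits, 1);
    }
    // Whatever is left must be exactly ten digits.
    return strlen($digits) === 10 ? $digits : null;
}

// Constructed inputs. is_numeric() alone would accept '1e9', '-5551234567'
// and '555.1234567' unchanged, none of which is a phone number.
$samples = [
    '5551234567',
    '1 (555) 123-4567',
    '555-123-4567',
    '25551234567',
    '555-1234',
    '1e9',
    '-5551234567',
    "5551234567\r\nBcc: someone@example.test",
];
foreach ($samples as $s) {
    echo var_export($s, true), ' => ', var_export(normalize_phone($s), true), "\n";
}
```

Only the returned ten-digit string, never the raw POST value, should be concatenated with the provider domain.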
Posted: Wed Feb 22, 2006 9:59 pm
by MinDFreeZ
sounds good, but I have no idea how to do that.... that's why I was looking for something to check if it is only composed of numbers.. that's when I found is_numeric ...
I'm having all kinds of problems with the script, and the order I'm putting things in..
let me just post the whole thing.... the mail problem was that I'm using like 7 mail functions at once, and it doesn't work......
Code: Select all
<?php
echo "
<style type='text/css'>
div.row {
clear: both;
padding-top: 5px;
}
div.row span.label {
float: left;
width: 120px;
text-align: right;
}
div.row span.formw {
float: right;
width: 235px;
text-align: left;
}
</style>
";
if (!$submit) {
echo "
<div style='width: 380px; padding: 5px; margin: 0px auto;'>
<form method='post' action=''>
<div class='row'>
<span class='label'>Name:</span><span
class='formw'><input type='text' name='name' size='25' /></span>
</div>
<div class='row'>
<span class='label'>Phone Number:</span><span
class='formw'><input type='text' name='number' size='25' /></span>
</div>
<div class='row'>
<span class='label'>Provider:</span><span
class='formw'>
<select name='chProvider'>
<option value=''>::Providers::</option>
<option value='at'>:Alltel:</option>
<option value='nx'>:Nextel:</option>
<option value='sp'>:Sprint:</option>
<option value='vz'>:Verizon:</option>
<option value='ci'>:Cingular:</option>
<option value='tm'>:T-Mobile:</option>
<option value='vm'>:Virgin Mobile:</option>
</select>
</span>
</div>
<div class='row'>
<span class='label'>Provider Unknown:</span><span
class='formw'><input type='checkbox' value='nsp' name='provider' /></span>
</div>
<div class='row'>
<span class='label'>Message:</span><span
class='formw'>
<textarea name='message' cols='25' rows='8'>
Go ahead - write something...
</textarea>
</span>
</div>
<div class='row'>
<span class='formw'><input type='submit' name='submit' value='Send Message' /></span>
</div>
<div class='spacer'>
</div>
</form>
</div>
";
}
$phNumber = $_POST['number'];
/* This is all commented out because it does not work..
$num = $_POST['number'];
if($num) {
if(is_numeric($num) == TRUE) {
$phNumber = $num;
}
}
elseif($num) {
if(is_numeric($num) == FALSE) {
die("You did not enter a valid phone number");
}
}
*/
$pv = $_POST['chProvider'];
$upv = $_POST['provider'];
$subject = $_POST['subject'];
// If you put anything in "quotes" it will not show up \"quotes\"
$message = stripslashes($_POST['message']);
$headers = "From: {$_POST['name']}";
// Provider list
$alltel = "@messaging.alltel.com";
$nextel = "@messaging.nextel.com";
$sprint = "@messaging.sprintpcs.com";
$verizon = "@vtext.com";
$cingular = "@cingularme.com";
$tmobile = "@tmomail.net";
$virginmobile = "@vmobl.com";
if($submit) {
    if($pv == "at") { $chMail = $phNumber . $alltel; }
    elseif($pv == "nx") { $chMail = $phNumber . $nextel; }
    elseif($pv == "sp") { $chMail = $phNumber . $sprint; }
    elseif($pv == "vz") { $chMail = $phNumber . $verizon; }
    elseif($pv == "ci") { $chMail = $phNumber . $cingular; }
    elseif($pv == "tm") { $chMail = $phNumber . $tmobile; }
    elseif($pv == "vm") { $chMail = $phNumber . $verginmobile; }
    elseif($upv == "nsp") { $chMail = NULL; $pv = NULL; }
    elseif($pv !== "sp" or $pv !== "vz" or $pv !== "ci" or $pv !== "tm" or $pv !== "vm" or $pv == "") {
        $chMail = NULL;
        echo "Please choose one of the provided networks.<br/>";
    }
    else {
        $chMail = NULL;
        echo "Please choose one of the provided networks.<br />";
    }
    if($pv == "nsp") {
        mail($phNumber . $alltel, $subject, $message, $headers);
        mail($phNumber . $nextel, $subject, $message, $headers);
        mail($phNumber . $sprint, $subject, $message, $headers);
        mail($phNumber . $verizon, $subject, $message, $headers);
        mail($phNumber . $cingular, $subject, $message, $headers);
        mail($phNumber . $tmobile, $subject, $message, $headers);
        mail($phNumber . $verginmobile, $subject, $message, $headers);
    }
    else {
        $to = $chMail;
        mail($to, $subject, $message, $headers);
    }
    if ($message == "") { echo "You must enter a message!"; }
    else echo "<h1>Text message sent!</h1>";
}
?>
Posted: Wed Feb 22, 2006 10:06 pm
by pennythetuff
You could use regular expressions (regex) to make sure the phone number is in a valid format. These forums have a couple awesome regex guides.
viewforum.php?f=38
If you wanted your phone number in format 555-555-5555 a regex would look something like this.
Code: Select all
// \z anchors the end of the string, so nothing may follow the last four digits
if(!preg_match("/^\d{3}-\d{3}-\d{4}\z/s", $phone_number)) {
    echo "This is not a valid phone number.";
}
Posted: Wed Feb 22, 2006 10:12 pm
by MinDFreeZ
sweet, I will use exactly that and make 3 input fields...
Code: Select all
echo "
<input type='text' name='num1' size='3' maxlength='3' /> <input type='text' name='num2' size='3' maxlength='3' /> <input type='text' name='num3' size='4' maxlength='4' />
";
//(then put those together with PHP I guess...)
$phone_number = $_POST['num1'] . "-" . $_POST['num2'] . "-" . $_POST['num3'];
// \z anchors the end of the string; maxlength is only enforced by the browser
if(!preg_match("/^\d{3}-\d{3}-\d{4}\z/s", $phone_number)) {
    echo "This is not a valid phone number.";
}
that should work....
thanks
Posted: Thu Feb 23, 2006 12:13 am
by MinDFreeZ
alright, thanks.. problem solved... I finished what I was doing... it was a text-messager.. here's the source and link to it if anyone cares
thanks for the help.
http://enhancedworks.com/sendText2.phps
http://enhancedworks.com/sendText2.php
Posted: Thu Feb 23, 2006 12:48 am
by matthijs
Code: Select all
$headers = "From: {$_POST['name']}";
Your (now public) form is vulnerable to email injection. See
http://securephp.damonkohler.com/index. ... _Injection and the threads on this forum about it. You should make sure to filter the input that ends in the header of the mail() function.
Posted: Thu Feb 23, 2006 3:35 am
by MinDFreeZ
Thanks, is it better to just remove header info altogether?
Code: Select all
$realMessage = stripslashes($_POST['message']);
$message = "From:" . $name . " | " . $realMessage;
I don't mind using something like that.. because for this, it's a text message.. there shouldn't be a reply email anyway.
Unless you can tell me how to secure my current code... so I use headers to test with the phones.... I read the link at the bottom of the page.. I don't get the eregi solution.. I don't know what that code says.. I'm new!

Posted: Thu Feb 23, 2006 5:41 am
by matthijs
Yes, your idea of just placing the from field in the message itself is a simple and safe solution (as far as I know and as far as email injection is concerned).
You can read some more threads about email injection here and here.
If you do want to use the header of the mail function, you'll have to make sure to filter the input (something you should always do in fact, just to be sure).
In case of $_POST['name'] you probably want to make sure the name only contains alphabetic characters. That's possible with the ctype_alpha function (returns TRUE if all characters found in string are letters, either uppercase or lowercase)
Code: Select all
<?php
$name = '';
if (ctype_alpha($_POST['name'])) {
    $name = $_POST['name'];
}
?>
After that, you can do an extra check for any newlines and carriage returns with
Code: Select all
<?php
$cleanname = '';
if (ctype_print($name) )
{
    $cleanname = $name;
}
?>
(see the threads for some more discussion about this.)
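
The filtering discussed in this reply, as an added example that is not code from any poster in the thread: the submitted name is checked against a whitelist before it is placed in the `From:` header, and the recipient is built only from a ten-digit string and a known provider code. `clean_from_name()` and `build_sms_mail()` are hypothetical helpers, `noreply@example.test` is a placeholder, the whitelist is an assumption that is wider than `ctype_alpha` (it admits spaces, digits and a few punctuation marks), and the inputs are constructed.

```php
<?php
// Added example; clean_from_name() and build_sms_mail() are hypothetical
// helpers and noreply@example.test is a placeholder sender address.

function clean_from_name($name)
{
    if (!is_string($name)) {
        return null;                       // e.g. name[]=... arrives as an array
    }
    $name = trim($name);
    // Whitelist: letters, digits, space, dot, apostrophe, hyphen; 1-40 chars.
    // CR, LF, ':', '"' and '\' cannot match, and \z forbids anything after it.
    if (!preg_match('/^[A-Za-z0-9 .\'-]{1,40}\z/', $name)) {
        return null;
    }
    return $name;
}

function build_sms_mail($digits, $provider, $name)
{
    // Provider codes and domains as listed in the script earlier in the thread.
    $domains = [
        'at' => 'messaging.alltel.com', 'nx' => 'messaging.nextel.com',
        'sp' => 'messaging.sprintpcs.com', 'vz' => 'vtext.com',
        'ci' => 'cingularme.com', 'tm' => 'tmomail.net',
        'vm' => 'vmobl.com',
    ];
    $from = clean_from_name($name);
    if ($from === null
        || !is_string($digits) || !preg_match('/^[0-9]{10}\z/', $digits)
        || !is_string($provider) || !isset($domains[$provider])) {
        return null;                       // reject instead of sending
    }
    return [
        'to'      => $digits . '@' . $domains[$provider],
        'headers' => 'From: "' . $from . '" <noreply@example.test>',
    ];
}

// Constructed test inputs: [digits, provider code, submitted name].
$cases = [
    ['5551234567', 'vz', 'John Smith'],
    ['5551234567', 'vz', "John\r\nBcc: someone@example.test"],
    ['5551234567', 'zz', 'John'],
    ["5551234567\n", 'tm', 'John'],
];
foreach ($cases as $c) {
    echo var_export(build_sms_mail($c[0], $c[1], $c[2]), true), "\n";
}
```

Only the first case yields a recipient and header; the other three return `null` because of the embedded line break, the unknown provider code and the trailing newline respectively.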
Posted: Thu Feb 23, 2006 9:39 am
by MinDFreeZ
thank you
