I have been fortunate enough to learn a personal experience with regards to the abuse of an html form because I did not take into consideration sufficient security measure; one of these being input validation!!! A total PHP newbie, I have learnt my lesson and attempted to rectify the problem.
After some research, and although I am aware holy wars have been fought over this topic, I have chosen to do my validation using php FILTER function. For me, this approach is more simplified for my level of php. I understand that there is an injection risk with SANITIZE_EMAIL, and have performed both SANITIZE_EMAIL and VALIDATE_EMAIL functions to prevent this happening.
Before getting started, one question; what versions of PHP support FILTER function?
Ok, the aim of my form is to collect the following information:
1) First name: required
2) Last name: required
3) Email: not required
4) Message: required
5) Check box
6) Captcha code
My ultimate question is whether or not my attempt at validation / sanitisation is correct or if there are any glaringly obvious errors that stick out!
Thanks in advance,
Graham
Here we go:
Code: Select all
<?php session_start();
// Setup code
$where_form_is="http://".$_SERVER['SERVER_NAME'].strrev(strstr(strrev($_SERVER['PHP_SELF']),"/"));
// Checkbox handling
$field_5_opts = $_POST['field_5'][0];
//From email for mail function
$femail = "xyz@gmail.com";
// Sanitize AND validate email
if (!empty($_POST['field'_3])) {
$email = filter_var(filter_var($_POST['field'_3], FILTER_SANITIZE_EMAIL), FILTER_VALIDATE_EMAIL);
}
else {
$email = "";
}
// Sanitize input
$sanitize = array(
$_POST['field'_1] => array('filter'=>FILTER_SANITIZE_STRING,
'flags' =>
FILTER_FLAG_STRIP_LOW),
$_POST['field'_2] => array('filter'=>FILTER_SANITIZE_STRING,
'flags' =>
FILTER_FLAG_STRIP_LOW),
$_POST['field'_4] => array('filter'=>FILTER_SANITIZE_STRING,
'flags' =>
FILTER_FLAG_ENCODE_HIGH|FILTER_FLAG_ENCODE_LOW),
$email
);
$input = filter_input_array(INPUT_POST, $sanitize);
$name = $input[$_POST['field_1']] . " " . $input[$_POST['field_2']];
// Message body
$message = $name . " says xyz!"
"Email address: " . $input[$email]
"This is what " . $input[$_POST['field_1']] . " has to say:"
$input[$_POST['field_4']];
if ( (!empty($input[$_POST['field_1']])) && (!empty($input[$_POST['field_2']])) && (!empty($input[$_POST['field_4']])) ) {
if ( ($_SESSION['security_code']==$_POST['security_code']) && (!empty($_POST['security_code'])) && ($field_5_opts=="Yes") ) {
//Mail function if check box is equal to Yes
mail("vwx@gmail.com,wxy@gmail.com",$name . " says xyz",$message,"From: $femail");
include("confirm.html");
}
//Validation and handling if check box is not equal to Yes
elseif ( ($_SESSION['security_code']==$_POST['security_code']) && (!empty($_POST['security_code'])) && ($field_5_opts!="Yes") ) {
// Mail function
mail("vwx@gmail.com",$name . " says xyz",$message,"From: $femail");
include("confirm.html");
}
else {
echo "Invalid Captcha String.";
}
}
else {
echo "Form is incomplete. Please fill in required fields";
}
?>