PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




Post new topic Reply to topic  [ 14 posts ] 
PostPosted: Sat Nov 19, 2011 10:57 am 
Forum Contributor

Joined: Sat Nov 19, 2011 10:32 am
Posts: 194
I am stuck with PHP-side form validation. My requirements are as follows:

An HTML form (say: form.php) sends the following fields:

Code:
$rname   = $_POST['rname'];
$rmobile = $_POST['rmobile'];
$rarea   = $_POST['rarea'];
$remail  = $_POST['remail'];


I have no issues this far.
Before I insert these fields into the SQL database, here's what I want to do:

1) Check if all 5 fields are filled
2) Check if rmobile is a ten-digit number
3) Check if email is in the proper format

If these do not validate, I want to send the user back to form.php along with the message "Please correct the errors in the form and submit again".

If they validate, the PHP code should trim and sanitize the data before inserting it into the SQL database.

Please help me with the PHP code for the validation/trimming and sanitization part.

I have been pulling my hair out on this one.
Please, please, please get me out of this :(


PostPosted: Sat Nov 19, 2011 11:45 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada
Quick and dirty:
Code:
$errors   = array();
$required = array('rname', 'rmobile', 'rarea', 'remail');

if (!empty($_POST))
{
    // array_key_exists() only proves the field was sent; a blank input still
    // posts its key, so treat a value that is empty after trim() as missing too.
    foreach ($required as $req)
    {
        if (!isset($_POST[$req]) || trim($_POST[$req]) === '')
        {
            $errors[] = "{$req} must be completed.";
        }
    }

    // Normalise the mobile number before checking it; a missing key becomes ''.
    $rmobile = isset($_POST['rmobile']) ? $_POST['rmobile'] : '';
    $rmobile = str_replace("-", "", $rmobile);
    $rmobile = str_replace(".", "", $rmobile);
    $_POST['rmobile'] = $rmobile;

    // ctype_digit('') is false, so an empty value fails here as well.
    if (!ctype_digit($rmobile) || strlen($rmobile) !== 10)
    {
        $errors[] = "Mobile number must be exactly ten digits.";
    }

    $remail = isset($_POST['remail']) ? $_POST['remail'] : '';
    if (!filter_var($remail, FILTER_VALIDATE_EMAIL))
    {
        $errors[] = "Email address does not appear to be valid.";
    }

    // Escaping for the legacy mysql extension (needs an open connection with
    // the right charset). With mysqli/PDO, bind parameters instead of doing this.
    foreach ($_POST as $k => $v)
    {
        $_POST[$k] = mysql_real_escape_string($v);
    }
}

if (!empty($_POST) && empty($errors))
{
    // Process form
}

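The three checks the question lists (all required fields filled, a ten-digit mobile number, a valid email address), written as an added example that is not part of the original post or of Celauran's reply. It returns the errors and the trimmed values instead of mutating $_POST, so the caller decides what to do with them; the ten-digit rule, the length caps, the labels and the message texts are assumptions.

```php
<?php
// Added example, not code from the thread. Validates the four fields the
// question names before anything touches the database. Assumptions: the
// ten-digit mobile rule, the length caps, the labels and the message texts.
function validate_registration(array $post)
{
    $errors   = array();
    $clean    = array();
    $required = array(
        'rname'   => 'Name',
        'rmobile' => 'Mobile number',
        'rarea'   => 'Area',
        'remail'  => 'Email address',
    );

    // 1) Every required field must be present and non-blank after trim().
    //    A blank <input> still posts its key, so isset() alone is not enough;
    //    a non-string value (e.g. rname[]=x) is treated as missing.
    foreach ($required as $field => $label) {
        $value = (isset($post[$field]) && is_string($post[$field])) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[$field] = "$label must be completed.";
        }
        $clean[$field] = $value;
    }

    // 2) Mobile: drop common separators, then require exactly ten digits.
    //    ctype_digit('') is false, so an empty value would fail this too.
    $mobile = str_replace(array('-', '.', ' ', '(', ')'), '', $clean['rmobile']);
    if (!isset($errors['rmobile']) && (!ctype_digit($mobile) || strlen($mobile) !== 10)) {
        $errors['rmobile'] = 'Mobile number must be exactly ten digits.';
    }
    $clean['rmobile'] = $mobile;

    // 3) Email: a syntax check only; it says nothing about deliverability.
    if (!isset($errors['remail']) && filter_var($clean['remail'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['remail'] = 'Email address does not appear to be valid.';
    }

    // Length caps (assumed column widths) so a hostile client cannot post
    // megabytes into a VARCHAR or into the error-display path.
    foreach (array('rname' => 100, 'rarea' => 100, 'remail' => 254) as $field => $max) {
        if (strlen($clean[$field]) > $max) {
            $errors[$field] = "{$required[$field]} is too long.";
        }
    }

    return array($errors, $clean);
}

// Constructed sample submissions, not real data.
$good = array('rname' => ' Asha ', 'rmobile' => '98765-43210',
              'rarea' => 'Pune',   'remail'  => 'asha@example.com');
$bad  = array('rname' => '',       'rmobile' => '12345',
              'rarea' => 'Pune',   'remail'  => 'not-an-address');

foreach (array('good' => $good, 'bad' => $bad) as $name => $submission) {
    list($errors, $clean) = validate_registration($submission);
    echo "$name: ", (empty($errors) ? 'valid' : count($errors) . ' error(s)'), "\n";
    foreach ($errors as $field => $msg) {
        echo "  $field: $msg\n";
    }
    if (empty($errors)) {
        echo "  mobile normalised to {$clean['rmobile']}\n";
    }
}
```

Keying the errors by field name lets the form mark the offending input rather than only printing one generic message. Nothing here escapes anything: escaping depends on where the value is going (SQL placeholder, HTML attribute, email header), so it is done at that point, not during validation.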
PostPosted: Sun Nov 20, 2011 12:21 am 
Forum Contributor

Joined: Sat Nov 19, 2011 10:32 am
Posts: 194
Thanks a lot. Got it.

There is one small issue though.

If the fields are empty or there are errors, I am able to send them back to form.php using header('Location: form.php'), but I am not able to display the message
"Please correct the errors in the form and submit again".

Is there a way of achieving this without using a session?

Regards


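One way to show the message without a session, as an added example that is not from the thread (the replies that answered this were not preserved on the page): a form.php that posts to itself and re-renders with the message and the user's previous values, and that also accepts a fixed error code in the query string for the case where another script does header('Location: form.php?err=1'). Only a small integer travels in the URL and is looked up in a server-side map, so nothing user-controlled is ever echoed as the message. The field names are the ones from the question; thanks.php, the labels, the inline validation rules and the message map are assumptions.

```php
<?php
// Added example, not code from the thread. A single form.php that posts to
// itself so the error message and the user's values can be shown again
// without a session. Assumptions: thanks.php, the labels, the message map.

// Error code -> fixed message. Keeping the text server-side means the URL
// can only select a message, never supply one (no reflected XSS via ?err=).
$messages = array(
    1 => 'Please correct the errors in the form and submit again',
);

$message = '';
$values  = array('rname' => '', 'rmobile' => '', 'rarea' => '', 'remail' => '');

if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    foreach (array_keys($values) as $field) {
        $values[$field] = (isset($_POST[$field]) && is_string($_POST[$field])) ? trim($_POST[$field]) : '';
    }
    $ok = $values['rname'] !== '' && $values['rarea'] !== ''
        && preg_match('/^\d{10}$/', $values['rmobile']) === 1
        && filter_var($values['remail'], FILTER_VALIDATE_EMAIL) !== false;

    if ($ok) {
        // save_registration($values) would go here (assumed, not shown), then
        // redirect so a browser refresh does not resubmit the POST.
        header('Location: thanks.php', true, 303);
        exit;
    }
    $message = $messages[1];           // fall through and re-render with values
} elseif (isset($_GET['err']) && isset($messages[(int) $_GET['err']])) {
    // Covers a separate handler doing header('Location: form.php?err=1').
    // With a redirect the typed values are lost, which is why the self-post
    // branch above is the usual choice when no session is available.
    $message = $messages[(int) $_GET['err']];
}

// Everything written back into the HTML is escaped for that context,
// including the user's own previous input.
function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
?>
<!DOCTYPE html>
<html><body>
<?php if ($message !== ''): ?>
  <p class="error"><?php echo h($message); ?></p>
<?php endif; ?>
<form method="post" action="form.php">
  <label>Name <input name="rname" value="<?php echo h($values['rname']); ?>"></label>
  <label>Mobile <input name="rmobile" value="<?php echo h($values['rmobile']); ?>"></label>
  <label>Area <input name="rarea" value="<?php echo h($values['rarea']); ?>"></label>
  <label>Email <input name="remail" value="<?php echo h($values['remail']); ?>"></label>
  <button type="submit">Submit</button>
</form>
</body></html>
```

The 303 after a successful save is the standard post/redirect/get pattern; the failure path deliberately does not redirect, because a redirect would need a session or the URL to carry the user's input back to the form.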
PostPosted: Sun Nov 20, 2011 12:33 am 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio


PostPosted: Sun Nov 20, 2011 7:25 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


PostPosted: Sun Nov 20, 2011 1:27 pm 
Forum Contributor

Joined: Sat Nov 19, 2011 10:32 am
Posts: 194
Thanks @social experiment for pointing me in the right direction. I could achieve what I wanted.

I need one more bit of help. I now need to sanitize the data before it makes its way to the SQL table.
So far I have used the trim(), stripslashes(), htmlspecialchars() and mysql_real_escape_string() functions.

Is there a similar function to prevent PHP code injection through the form?

For example,

in the rname field, if I enter <?php ?>, it is still making its way to the database after passing through all these filters.

I tried some things along these lines, but it won't prevent the code from getting into the database:

Code:
// filter_var() returns the filtered value; these calls discard it, so
// $rname, $remail, $rmn and $rarea are left exactly as they were posted
filter_var("$rname", FILTER_SANITIZE_STRIPPED);
filter_var("$remail", FILTER_VALIDATE_EMAIL);
filter_var("$rmn", FILTER_SANITIZE_NUMBER_INT);
filter_var("$rarea", FILTER_SANITIZE_STRIPPED);
// Insert into DB after sanitization (values are interpolated straight into the SQL)
mysql_query("INSERT INTO table1 VALUES ('$rname', '$rbg', '$rmn','$rarea', '$remail')");


 


PostPosted: Sun Nov 20, 2011 1:34 pm 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada

PostPosted: Sun Nov 20, 2011 2:40 pm 
Forum Contributor

Joined: Sat Nov 19, 2011 10:32 am
Posts: 194
I haven't used strip_tags.
I have used stripslashes.

So you are suggesting I should use strip_tags?
I will give it a try.

Thanks


PostPosted: Sun Nov 20, 2011 2:52 pm 
Forum Contributor

Joined: Sat Nov 19, 2011 10:32 am
Posts: 194
@Celauran

Even strip_tags does not prevent the <?php Hell ?> from getting into the database. Here's how I am trying it:

Code:
function check_input($data) //custom function to trim, stripslash and remove html chars
{
    $data = trim($data); return $data;              // returns here, so nothing below ever runs
    $data = strip_tags($data); return $data;        // added this after your last post - still allowing <? ?> to get through
    $data = stripslashes($data); return $data;
    $data = htmlspecialchars($data); return $data;
    mysql_real_escape_string($data); return $data;  // result is not assigned back to $data
}

$rname  = check_input($_POST['rname']);
$rbg    = check_input($_POST['rbg']);
$rmn    = check_input($_POST['rmn']);
$rzip   = check_input($_POST['rzip']);
$remail = check_input($_POST['remail']);

mysql_query("INSERT INTO table1 VALUES ('$rname', '$rbg', '$rmn','$rzip', '$remail')");



Any pointers?


PostPosted: Sun Nov 20, 2011 9:53 pm 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada

PostPosted: Mon Nov 21, 2011 12:21 am 
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
The problem is that in your function, on the very first line, you are calling:
Code:
return $data;

This exits the function and never does any further processing. You need to have this only at the END of your function.
Additionally, the last line you currently have, which calls mysql_real_escape_string(), does not assign the result back to $data; you need to add $data = to the beginning of that line.

-Greg

PS. Missed that Celauran had posted the first part as a comment inside the code snippet he posted ;-)


PostPosted: Mon Nov 21, 2011 2:46 am 
Forum Contributor

Joined: Sat Nov 19, 2011 10:32 am
Posts: 194
@Celauran - thanks... I think I am too old to be writing code :roll:

@twinedev - thanks a lot for pointing out the second issue.
If only PHP understood what was supposed to happen.

Here's my last question before this thread gets too wild.
So far, in my attempt at sanitization, I have used:

preg_match() // for each individual field in the form
trim()
strip_tags()
stripslashes()
htmlspecialchars()
mysql_real_escape_string()

My question:

Are these enough?
Is there anything else that could possibly be added to keep hooligans away?


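Added example (not from the thread) for the <?php ?> question earlier in the thread and for the "are these enough?" question above. The point it demonstrates: a prepared statement is what protects the INSERT, and a string like <?php ?> or a stray quote is just text once it is bound as a parameter; htmlspecialchars() is applied when the value is written back into HTML, not before storage, because pre-escaped data double-encodes on output and is wrong for any non-HTML destination. It uses PDO with an in-memory SQLite database so it runs stand-alone (assumes the pdo_sqlite extension); the column names of table1 are assumptions, as the posts never list them.

```php
<?php
// Added example, not code from the thread. Shows what actually protects the
// INSERT (a prepared statement) and where escaping belongs (at output).
// Assumptions: pdo_sqlite is available; the column names of table1.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (rname TEXT, rbg TEXT, rmn TEXT, rzip TEXT, remail TEXT)');

function insert_registration(PDO $db, array $row)
{
    // Placeholders keep the values out of the SQL text entirely, so quotes,
    // semicolons and comment markers in the data cannot change the statement.
    $stmt = $db->prepare(
        'INSERT INTO table1 (rname, rbg, rmn, rzip, remail) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute(array($row['rname'], $row['rbg'], $row['rmn'], $row['rzip'], $row['remail']));
    return (int) $db->lastInsertId();
}

// Constructed hostile inputs, not real data. The first name is the string
// from the thread; to the database and to the browser it is only text.
$rows = array(
    array('rname' => '<?php echo "Hell"; ?>', 'rbg' => 'O+', 'rmn' => '9876543210',
          'rzip' => '411001', 'remail' => 'a@example.com'),
    array('rname' => "Robert'); DROP TABLE table1; --", 'rbg' => 'A-', 'rmn' => '9123456789',
          'rzip' => '411002', 'remail' => 'b@example.com'),
    array('rname' => '<script>alert(1)</script>', 'rbg' => 'B+', 'rmn' => '9000000000',
          'rzip' => '411003', 'remail' => 'c@example.com'),
);
foreach ($rows as $row) {
    insert_registration($db, $row);
}

// The table still exists and every value is stored exactly as typed.
$count = (int) $db->query('SELECT COUNT(*) FROM table1')->fetchColumn();
echo "rows stored: $count\n";
foreach ($db->query('SELECT rname FROM table1') as $r) {
    echo "  stored verbatim: {$r['rname']}\n";
}

// Escaping happens here, for the HTML context, and nowhere earlier. Storing
// pre-escaped text would double-encode when you escape again on output, and
// would be wrong for non-HTML outputs such as CSV, JSON or an SMS gateway.
echo "\nas HTML:\n";
foreach ($db->query('SELECT rname, remail FROM table1') as $r) {
    echo '<li>' . htmlspecialchars($r['rname'], ENT_QUOTES, 'UTF-8')
       . ' &lt;' . htmlspecialchars($r['remail'], ENT_QUOTES, 'UTF-8') . "&gt;</li>\n";
}

// For comparison, the string-built query from the thread with the second
// row's name dropped into it (shown, deliberately not executed).
$unsafe = "INSERT INTO table1 VALUES ('{$rows[1]['rname']}', 'A-', '9123456789', '411002', 'b@example.com')";
echo "\nstring-built query would have been:\n$unsafe\n";
```

Of the six functions listed in the question, only mysql_real_escape_string() addresses the database at all, and only for the legacy mysql extension, with an open connection and the connection charset set. With mysqli or PDO the bound parameter replaces it entirely. trim() and preg_match() are validation, which belongs before the insert; strip_tags(), stripslashes() and htmlspecialchars() alter or encode the data and belong, if anywhere, at the point where a specific output is produced. A <?php ?> string in a column is harmless unless something later eval()s or include()s database content, which is the thing to avoid rather than filtering for.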
PostPosted: Mon Nov 21, 2011 3:05 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


PostPosted: Mon Nov 21, 2011 6:31 am 
Forum Contributor

Joined: Sat Nov 19, 2011 10:32 am
Posts: 194
@social experiment: thanks, very helpful information and URL resource :o

