PHP Developers Network
http://forums.devnetwork.net/

PHP side form validation and sanitization
http://forums.devnetwork.net/viewtopic.php?f=34&t=132922
Page 1 of 1

Author:  Live24x7 [ Sat Nov 19, 2011 10:57 am ]
Post subject:  PHP side form validation and sanitization

I am stuck with PHP side form validation. My requirements are as follows:

An HTML form (say: form.php) sends the following fields:

Code:
$rname=$_POST['rname'];
$rmobile=$_POST['rmobile'];
$rarea=$_POST['rarea'];
$remail=$_POST['remail'];

I have no issues this far.
Before I insert these fields into the SQL database, here's what I want to do:

1) Check if all 5 fields are filled
2) Check if rmobile is a ten digit number
3) Check if email is in the proper format

If these do not validate, I want to send the user back to form.php along with the message "Please correct the errors in the form and submit again".

If they validate, the PHP code should trim and sanitize the data before inserting it into the SQL database.

Please help me with the PHP code for the validation, trimming and sanitization part.

I have been pulling my hair out on this one.
Pls pls pls get me out of this :(

Author:  Celauran [ Sat Nov 19, 2011 11:45 am ]
Post subject:  Re: PHP side form validation and sanitization

Quick and dirty:
Code:
$errors = array();
$required = array('rname', 'rmobile', 'rarea', 'remail');

if (!empty($_POST))
{
    foreach ($required as $req)
    {
        if (!array_key_exists($req, $_POST))
        {
            $errors[] = "{$req} must be completed.";
        }
    }

    $_POST['rmobile'] = str_replace("-", "", $_POST['rmobile']);
    $_POST['rmobile'] = str_replace(".", "", $_POST['rmobile']);

    if (!ctype_digit($_POST['rmobile']))
    {
        $errors[] = "Mobile number must contain only digits.";
    }

    if (!filter_var($_POST['remail'], FILTER_VALIDATE_EMAIL))
    {
        $errors[] = "Email address does not appear to be valid.";
    }

    foreach ($_POST as $k => $v)
    {
        $_POST[$k] = mysql_real_escape_string($v);
    }
}

if (!empty($_POST) && empty($errors))
{
    // Process form
}

Author:  Live24x7 [ Sun Nov 20, 2011 12:21 am ]
Post subject:  Re: PHP side form validation and sanitization

Thanks a lot. Got it.

There is one small issue though.

If the fields are empty or there are errors, I am able to send them back to form.php using header('Location: form.php'), but I am not able to display the message
"Please correct the errors in the form and submit again".

Is there a way of achieving this without using a session?

rgds

Author:  twinedev [ Sun Nov 20, 2011 12:33 am ]
Post subject:  Re: PHP side form validation and sanitization


Author:  social_experiment [ Sun Nov 20, 2011 7:25 am ]
Post subject:  Re: PHP side form validation and sanitization


Author:  Live24x7 [ Sun Nov 20, 2011 1:27 pm ]
Post subject:  Re: PHP side form validation and sanitization

Thanks @social_experiment for pointing me in the right direction. I could achieve what I wanted.

I need help with one more thing. I now need to sanitize the data before it makes its way to the SQL table.
So far I have used the trim(), stripslashes(), htmlspecialchars() and mysql_real_escape_string() functions.

Is there a similar function to prevent PHP code injection through the form?

For example,

in the rname field, if I enter a <?php ?>, it is still making its way to the database after passing through all these filters.

I tried something along these lines, but it won't prevent the code from getting into the database:

Code:
filter_var("$rname", FILTER_SANITIZE_STRIPPED);
filter_var("$remail", FILTER_VALIDATE_EMAIL);
filter_var("$rmn", FILTER_SANITIZE_NUMBER_INT);
filter_var("$rarea", FILTER_SANITIZE_STRIPPED);
// Insert into DB after sanitization
mysql_query("INSERT INTO table1 VALUES ('$rname', '$rbg', '$rmn','$rarea', '$remail')");


Author:  Celauran [ Sun Nov 20, 2011 1:34 pm ]
Post subject:  Re: PHP side form validation and sanitization


Author:  Live24x7 [ Sun Nov 20, 2011 2:40 pm ]
Post subject:  Re: PHP side form validation and sanitization

I haven't used strip_tags.
I have used stripslashes.

So you are suggesting I should use strip_tags?
I will give it a try.

Thanks

Author:  Live24x7 [ Sun Nov 20, 2011 2:52 pm ]
Post subject:  Re: PHP side form validation and sanitization

@Celauran

Even strip_tags does not prevent the <?php Hell ?> from getting into the database. Here's how I am trying it:

Code:
function check_input($data) // custom function to trim, stripslash and remove html chars
{
    $data = trim($data); return $data;
    $data = strip_tags($data); return $data; // added this after your last post - still allowing <? ?> to get through
    $data = stripslashes($data); return $data;
    $data = htmlspecialchars($data); return $data;
    mysql_real_escape_string($data); return $data;
}

$rname = check_input($_POST['rname']);
$rbg = check_input($_POST['rbg']);
$rmn = check_input($_POST['rmn']);
$rzip = check_input($_POST['rzip']);
$remail = check_input($_POST['remail']);

mysql_query("INSERT INTO table1 VALUES ('$rname', '$rbg', '$rmn','$rzip', '$remail')");



Any pointers?

Author:  Celauran [ Sun Nov 20, 2011 9:53 pm ]
Post subject:  Re: PHP side form validation and sanitization


Author:  twinedev [ Mon Nov 21, 2011 12:21 am ]
Post subject:  Re: PHP side form validation and sanitization

The problem is that in your function, on the very first line, you are calling:
Code:
return $data;

This exits the function and never does any further processing. You need to have this only at the END of your function.
Additionally, the last line you currently have, which calls mysql_real_escape_string(), does not assign the result back to $data; you need to add $data = to the beginning of that line.

-Greg

PS. Missed that Celauran had posted the first part as a comment inside the code snippet he posted ;-)

Author:  Live24x7 [ Mon Nov 21, 2011 2:46 am ]
Post subject:  Re: PHP side form validation and sanitization

@Celauran - thanks.. I think I am too old to be writing code :roll:

@twinedev - thanks a lot for pointing out the second issue.
If only PHP understood what was supposed to happen.

Here's my last question before this thread gets too wild.
So far, in my attempt at sanitization, I have used:

preg_match() // for each individual field in the form
trim()
strip_tags()
stripslashes()
htmlspecialchars()
mysql_real_escape_string()


My question:

Are these enough?
Is there anything else that could possibly be added to keep hooligans away?
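An added example that is not part of the thread, covering both the spec in the first post (required fields, ten-digit mobile, email format, redirect with a message) and the question above about whether the listed escaping functions are enough. The PDO connection string, credentials and the column names of table1 are assumptions:

```php
<?php
// Added example, not code from the thread: the three checks from the first post,
// then a prepared statement. DSN, credentials, table and column names are assumed.
function validate_registration(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['rname', 'rmobile', 'rarea', 'remail'] as $field) {
        $raw = $post[$field] ?? '';
        // reject arrays (field[]=x) and treat an all-spaces value as empty
        $value = is_string($raw) ? trim($raw) : '';
        if ($value === '') {
            $errors[$field] = "$field must be completed.";
        }
        $clean[$field] = $value;
    }
    // drop common separators, then require exactly ten digits for the whole value
    $mobile = preg_replace('/[\s.\-]/', '', $clean['rmobile']);
    if ($mobile !== '' && !preg_match('/^[0-9]{10}$/', $mobile)) {
        $errors['rmobile'] = 'Mobile number must be exactly ten digits.';
    }
    $clean['rmobile'] = $mobile;
    if ($clean['remail'] !== '' && filter_var($clean['remail'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['remail'] = 'Email address does not appear to be valid.';
    }
    return ['errors' => $errors, 'data' => $clean];
}

// A PHP open tag typed into a name is harmless as stored data; the database never runs it.
// SQL injection is prevented by binding parameters, not by escaping, and HTML
// injection is prevented by htmlspecialchars() at output time, not at storage time.
function store_registration(PDO $db, array $data): void
{
    $stmt = $db->prepare(
        'INSERT INTO table1 (rname, rmobile, rarea, remail)
         VALUES (:rname, :rmobile, :rarea, :remail)'
    );
    $stmt->execute($data); // bound values cannot alter the SQL, whatever they contain
}

$result = validate_registration($_POST);
if ($result['errors'] !== []) {
    // no session needed: carry the message in the query string; form.php must
    // pass it through htmlspecialchars() before echoing it
    $msg = 'Please correct the errors in the form and submit again';
    header('Location: form.php?msg=' . urlencode($msg));
    exit;
}
$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass'); // assumed
store_registration($db, $result['data']);
```

With values bound, strip_tags() and mysql_real_escape_string() are no longer doing any security work before the INSERT; what remains is validating the input and encoding it for whatever context it is later displayed in.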

Author:  social_experiment [ Mon Nov 21, 2011 3:05 am ]
Post subject:  Re: PHP side form validation and sanitization


Author:  Live24x7 [ Mon Nov 21, 2011 6:31 am ]
Post subject:  Re: PHP side form validation and sanitization

@social_experiment: thanks, very helpful information and URL resource :o
