codernoob

New Members, 7 posts

Posts posted by codernoob

  1. Ok, I did some looking around and made some modifications.

    Can you check and let me know if my sanitization is good enough for the back-end PHP?

    <?php
    
    // ?? '' avoids undefined-index notices when a field is missing from the request.
    $title = $_POST['title'] ?? '';
    $name = $_POST['name'] ?? '';
    $email = $_POST['email'] ?? '';
    $phone = $_POST['phone'] ?? '';
    $message = $_POST['message'] ?? '';
    $recipient = "queries@xyz.com";
    $subject = "contact";
    
    
    function is_valid_email($email) {
     // The hyphen is escaped so that "+-/" means three characters, not a range from + to /.
     return preg_match('#^[a-z0-9.!\#$%&\'*+\-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
    }
    
    
    function contains_bad_str($str_to_test) {
     $bad_strings = array(
                   "content-type:"
                   ,"mime-version:"
                   ,"multipart/mixed"
                   ,"Content-Transfer-Encoding:"
                   ,"bcc:"
                   ,"cc:"
                   ,"to:"
     );
    
     // eregi() was removed in PHP 7; stripos() gives the same case-insensitive match
     // without treating "." and "/" in the list as regex metacharacters.
     foreach($bad_strings as $bad_string) {
       if(stripos($str_to_test, $bad_string) !== false) {
         echo "$bad_string found. Suspected injection attempt - mail not being sent.";
         exit;
       }
     }
    }
    
    
    function contains_newlines($str_to_test) {
      // $_POST is already URL-decoded, so the %0A/%0D alternatives only match literal text;
      // \n and \r are the bytes that would actually split a mail header.
      if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
        // Escape the rejected value before echoing it, otherwise this error message reflects raw user input.
        echo "newline found in " . htmlspecialchars($str_to_test, ENT_QUOTES, 'UTF-8') . ". Suspected injection attempt - mail not being sent.";
        exit;
      }
    }
    
    
    if($_SERVER['REQUEST_METHOD'] != "POST"){
      echo("Unauthorized attempt to access page.");
      exit;
    }
    
    
    if (!is_valid_email($email)) {
     echo 'Invalid email submitted - mail not being sent.';
     exit;
    }
    
    
    contains_bad_str($email);
    contains_bad_str($name);
    contains_bad_str($phone);
    contains_bad_str($message);
    
    
    // Only $email is placed in a mail header; $subject is a fixed string here.
    contains_newlines($email);
    contains_newlines($subject);
    
    
    $formcontent=" From: \n $title $name \n Email: $email \n Phone: $phone \n Message: $message";
    $mailheader = "From: $email \r\n";
    mail($recipient, $subject, $formcontent, $mailheader);
    
    
    // $email was already validated above, so this check always passes; stop the script after redirecting.
    if (isset($_POST['email'])) {
        header("Location: thanks.html");
        exit;
    }
    ?>
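
A hardened version of the processor above, added here as an example and not taken from codernoob's or any replier's post: it rejects CR/LF in every header-bound field, validates the address with filter_var, keeps user input out of From: (SENDER is an assumed placeholder for a fixed address on your own domain) and escapes anything echoed back. It assumes PHP 7.2 or later.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.2+ (array headers for mail());
// SENDER is a placeholder for a fixed address your mail server is allowed to send as.
const RECIPIENT = 'queries@xyz.com';         // recipient used in the posted form
const SENDER    = 'noreply@example.invalid';  // assumed placeholder, replace before use
// Validate every field and collect the errors (Andy's pattern) instead of echo+exit per check.
function validate_contact(array $post): array
{
    $errors = []; $clean = [];
    foreach (['title', 'name', 'email', 'phone', 'message'] as $field) {
        $clean[$field] = trim((string) ($post[$field] ?? ''));
    }
    // $_POST is already URL-decoded, so test for the raw CR/LF bytes, not "%0A"/"%0D". Only the
    // message may span lines (it goes in the body); email is checked too, not left to filter_var alone.
    foreach (['title', 'name', 'email', 'phone'] as $field) {
        if (preg_match('/[\r\n]/', $clean[$field])) {
            $errors[] = "$field must not contain line breaks";
        }
    }
    // One built-in check replaces the hand-written regex and also rejects spaces and bare hosts.
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email address';
    }
    return [$errors, $clean];
}
// Build the mail() arguments with no user input in From:; the validated address goes in Reply-To.
function build_mail(array $clean): array
{
    $body = "Name: {$clean['title']} {$clean['name']}\nEmail: {$clean['email']}\n"
          . "Phone: {$clean['phone']}\n\nMessage:\n{$clean['message']}\n";
    $headers = [
        'From'         => SENDER,
        'Reply-To'     => $clean['email'],
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    return [RECIPIENT, 'contact', $body, $headers];
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }
[$errors, $clean] = validate_contact($_POST);
if ($errors !== []) {
    // Anything echoed back is escaped, so a <script> tag typed into a field renders as text.
    echo '<p>Sorry, ' . htmlspecialchars($clean['name'], ENT_QUOTES, 'UTF-8') . ':</p><ul>';
    foreach ($errors as $e) { echo '<li>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</li>'; }
    echo '</ul>';
    exit;
}
[$to, $subject, $body, $headers] = build_mail($clean);
if (mail($to, $subject, $body, $headers)) { header('Location: thanks.html'); exit; }
echo 'Mail could not be sent.';
```

The message body is deliberately the only place a multi-line value is allowed to land; everything that ends up in the header block is either a constant or has been checked for line breaks first.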
    

  2. Forms require two parts to function:

    1) The front-end HTML

    2) The back-end process

    All web forms are built in HTML (part 1). But this HTML alone will not do anything without a back-end script to process the form submission. This back-end can be done using any server scripting language, but since this is a PHP forum, of course we will talk about PHP here. So while you may be unsure about using PHP, you will need to use some sort of back-end process on your form, or else your form will not do anything.

    Thanks again.

    Actually I have both 1 and 2.

    The front-end HTML is fine and I have added JS validation to it, which I know is not foolproof. But that's fine if I have part two right.

    Part 2 is where I am having the problem. The PHP code I posted is my back-end processor. But I haven't been able to set it up right to sanitize my data.

    Do you think adding this to all my inputs on my PHP form will work? filter_var($value, FILTER_SANITIZE_NUMBER_INT);

    Sorry, maybe I am doing it all wrong and getting your inputs wrong!

  3. What do you mean by "without throwing an error to the page"? You would probably want to tell the user what went wrong instead of doing nothing, even though 99%+ of the users do have JavaScript enabled. That is up to you, though. It is quite easy, so I would recommend it. I do not know if your HTML form is in the same file as your PHP code, but I will assume this for simplicity.

    $errors = array();
    
    $title = $_POST['title'];
    
    if (empty($title)) {
        $errors[] = 'You must enter a title';
    }
    
    // Validate other fields here
    
    if (empty($errors)) {
        // No errors; send e-mail here and redirect
    } else {
        // Show errors
        echo '<ul class="errors">';
    
        foreach ($errors as $error) {
            echo '<li>' . $error . '</li>';
        }
    
        echo '</ul>';
    }
    

    Thanks Andy, I actually have the PHP form processor in a separate file which is called by the form action.

    There is a separate JS script that does the check and throws errors (hopefully 99% of users have JS enabled). Honestly I am a tad unsure about using a PHP form within an HTML page (one reason I am using JS to do the client-side validation). You can check it working here: http://quadimensionevents.com/contacts.html

    So using your logic, is it fair to say that the edited form below would work?

    <?php
    
    
    // isset() returns a boolean, so htmlentities(isset(...)) would encode "1" or "" rather than
    // the submitted value; read the value itself, falling back to an empty string.
    $name = htmlentities($_POST['name'] ?? '', ENT_QUOTES, 'UTF-8');
    $email = htmlentities($_POST['email'] ?? '', ENT_QUOTES, 'UTF-8');
    $phone = htmlentities($_POST['phone'] ?? '', ENT_QUOTES, 'UTF-8');
    $message = htmlentities($_POST['message'] ?? '', ENT_QUOTES, 'UTF-8');
    $formcontent=" From: $name \n Email: $email \n Phone: $phone \n Message: $message";
    $recipient = "queries@xxxx.com";
    $subject = "Contact Form";
    // Note: htmlentities() only encodes HTML characters; it does not check $email for
    // line breaks before it is placed in a mail header.
    $mailheader = "From: $email \r\n";
    mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
    if (isset($_POST['email'])) {
        header("Location: thanks.html");
        exit;
    }
    
    
    ?>
    

    Apologies if this is way too stupid; I checked around on the web but couldn't really find a tutorial that explains the basics.

    Thanks again for all the help.

  4. JavaScript is not validation. Validation must be done server-side to be effective.

    Now, what makes you think you're getting XSS attacks? What is happening/not happening that should not/should happen?

    Thanks for the response.

    I get mails with empty fields in the mail set for the form, plus there are certain mails which have <script><xssv...></script>. Although that could be SiteLock's way of telling me about the issue.

    But is it possible to have the validation done on this form (the code above) without throwing an error to the page? I was hoping to keep the web page HTML/CSS form separate from my back-end PHP form processor.

    JavaScript validation is OK as long as you back it up with server-side validation as well. Otherwise it's easy to simply turn off JavaScript in the browser. To avoid XSS attacks, use the htmlentities function whenever you are printing user-supplied data on your pages.

    Thanks. Does it mean that I need to use the function on the back-end PHP form?

  5. Hi,

    I am completely new to PHP and have been trying to build a web form for a website.

    I have set the form up right using HTML/CSS and have added a JS script to validate it on the client side (it basically throws an error if the input isn't correct) on the website.

    But the issue is my PHP back-end form processor isn't working right. I think I am getting XSS attacks and would like some help to edit my current PHP form.

    Can someone help me with it? The PHP code is below:

    <?php
    // ?? '' avoids undefined-index notices when a field is missing from the request.
    $title = $_POST['title'] ?? '';
    $name = $_POST['name'] ?? '';
    $email = $_POST['email'] ?? '';
    $phone = $_POST['phone'] ?? '';
    $designation = $_POST['jobt'] ?? '';
    $company = $_POST['cname'] ?? '';
    $event = $_POST['event'] ?? '';
    $purpose = $_POST['purpose'] ?? '';
    $message = $_POST['message'] ?? '';
    $TandC = $_POST['TandC'] ?? '';
    $formcontent=" From: \n Name: $title $name \n Email: $email \n Phone: $phone \n Designation: $designation \n Company: $company \n event: $event  \n Interested in being a: $purpose \n Message: $message";
    $recipient = "brochure@xyz.com";
    $subject = "Brochure Request";
    // Nothing here validates or escapes the submitted values; $email in particular is copied straight into a mail header.
    $mailheader = "From: $email \r\n";
    mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
    if (isset($_POST['email'])) {
        header("Location: thanks.html");
        exit;
    }
    ?>
    
