lhcpr Posted July 30, 2008

Hello all,

I have been fortunate enough to learn from a personal experience with regards to the abuse of an HTML form because I did not take into consideration sufficient security measures; one of these being input validation!!! A total PHP newbie, I have learnt my lesson and attempted to rectify the problem. After some research, and although I am aware holy wars have been fought over this topic, I have chosen to do my validation using the PHP FILTER functions. For me, this approach is more simplified for my level of PHP. I understand that there is an injection risk with SANITIZE_EMAIL, and have performed both the SANITIZE_EMAIL and VALIDATE_EMAIL functions to prevent this happening.

Before getting started, one question: what versions of PHP support the FILTER functions?

Ok, the aim of my form is to collect the following information:
1) First name: required
2) Last name: required
3) Email: not required
4) Message: required
5) Check box
6) Captcha code

My ultimate question is whether or not my attempt at validation / sanitisation is correct, or if there are any glaringly obvious errors that stick out!
Thanks in advance, Graham

Here we go:

```php
<?php
session_start();

// Setup code
$where_form_is = "http://" . $_SERVER['SERVER_NAME'] . strrev(strstr(strrev($_SERVER['PHP_SELF']), "/"));

// Checkbox handling (empty string when the box was not ticked)
$field_5_opts = isset($_POST['field_5'][0]) ? $_POST['field_5'][0] : "";

// From email for mail function
$femail = "[email protected]";

// Sanitize AND validate email ($email is false if the address fails validation)
if (!empty($_POST['field_3'])) {
    $email = filter_var(filter_var($_POST['field_3'], FILTER_SANITIZE_EMAIL), FILTER_VALIDATE_EMAIL);
} else {
    $email = "";
}

// Sanitize input: filter_input_array() expects the POST field *names* as keys
$sanitize = array(
    'field_1' => array('filter' => FILTER_SANITIZE_STRING, 'flags' => FILTER_FLAG_STRIP_LOW),
    'field_2' => array('filter' => FILTER_SANITIZE_STRING, 'flags' => FILTER_FLAG_STRIP_LOW),
    'field_4' => array('filter' => FILTER_SANITIZE_STRING, 'flags' => FILTER_FLAG_ENCODE_HIGH | FILTER_FLAG_ENCODE_LOW),
);
$input = filter_input_array(INPUT_POST, $sanitize);

$name = $input['field_1'] . " " . $input['field_2'];

// Message body
$message = $name . " says xyz!\n"
         . "Email address: " . $email . "\n"
         . "This is what " . $input['field_1'] . " has to say:\n"
         . $input['field_4'];

if (!empty($input['field_1']) && !empty($input['field_2']) && !empty($input['field_4'])) {
    if (($_SESSION['security_code'] == $_POST['security_code']) && !empty($_POST['security_code']) && ($field_5_opts == "Yes")) {
        // Mail function if check box is equal to Yes
        mail("[email protected],[email protected]", $name . " says xyz", $message, "From: $femail");
        include("confirm.html");
    }
    // Validation and handling if check box is not equal to Yes
    elseif (($_SESSION['security_code'] == $_POST['security_code']) && !empty($_POST['security_code']) && ($field_5_opts != "Yes")) {
        // Mail function
        mail("[email protected]", $name . " says xyz", $message, "From: $femail");
        include("confirm.html");
    } else {
        echo "Invalid Captcha String.";
    }
} else {
    echo "Form is incomplete. Please fill in required fields";
}
?>
```
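Added example (not the poster's code): one filter_input_array() definition keyed by the form's field names (field_1 to field_4, security_code, as in the post) that separates "field missing" (null) from "field failed its filter" (false), treats the optional email as valid-or-absent, and single-lines anything that ends up in a mail() header. The helper variable names are this example's own; note that FILTER_SANITIZE_STRING is deprecated from PHP 8.1.

```php
<?php
session_start();

// Definition array: keys are the POST field names, values are the filters.
$definition = array(
    'field_1' => array('filter' => FILTER_SANITIZE_STRING, 'flags' => FILTER_FLAG_STRIP_LOW),
    'field_2' => array('filter' => FILTER_SANITIZE_STRING, 'flags' => FILTER_FLAG_STRIP_LOW),
    'field_3' => FILTER_VALIDATE_EMAIL,   // optional: must be a valid address if given
    'field_4' => array('filter' => FILTER_SANITIZE_STRING,
                       'flags'  => FILTER_FLAG_ENCODE_HIGH | FILTER_FLAG_ENCODE_LOW),
    'security_code' => FILTER_SANITIZE_STRING,
);

// Each entry is null when the field was not submitted and false when it failed
// its filter; a chain of !empty() checks cannot tell those two cases apart.
$input  = filter_input_array(INPUT_POST, $definition);
$errors = array();

foreach (array('field_1', 'field_2', 'field_4') as $required) {
    if ($input === null || $input[$required] === null || trim((string) $input[$required]) === '') {
        $errors[] = "$required is required";
    }
}
// Email is optional: an empty box is fine, a non-empty box that failed validation is not.
if (isset($_POST['field_3']) && trim($_POST['field_3']) !== '' && $input['field_3'] === false) {
    $errors[] = 'field_3 is not a valid email address';
}
// Captcha: strict comparison against the session value, then discard the value
// so the same correct answer cannot be reused for a second submission.
if (empty($_SESSION['security_code']) || empty($input['security_code'])
    || $input['security_code'] !== $_SESSION['security_code']) {
    $errors[] = 'Invalid captcha string';
}
unset($_SESSION['security_code']);

if ($errors) {
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

// Values used in a mail header (here the Subject) must be one line: remove CR/LF
// explicitly instead of relying on STRIP_LOW, and cap the length.
$name    = substr(str_replace(array("\r", "\n"), ' ', $input['field_1'] . ' ' . $input['field_2']), 0, 100);
$subject = $name . ' says xyz';
$body    = $name . " says xyz!\nEmail address: " . ($input['field_3'] ? $input['field_3'] : 'not given')
         . "\nThis is what " . $input['field_1'] . " has to say:\n" . $input['field_4'];
// mail(RECIPIENT_PLACEHOLDER, $subject, $body, "From: SENDER_PLACEHOLDER") would follow here.
```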
unkwntech Posted July 30, 2008

To see what versions of PHP support a function, check the manual pages for that function: http://php.net/filter
lhcpr (Author) Posted July 30, 2008

Thanks. Filter is supported by PHP version 5. Can anyone comment on the code + questions?

Thanks in advance, Graham