wiggst3r Posted November 18, 2008

Hi

I've got a basic contact form that users can enter their details into. At the moment there is some validation, but only if the fields are blank etc. The form allows users to enter not only names, but also URLs. What I want to do is prevent this from happening and not allow any URLs into the form, maybe by removing :// from anything in the input.

So far I have this:

```php
<?php
function CheckForm()
{
    $strReturn = "";
    if(str_replace(" ","",$_POST["txtName"]) == "")
    {
        $strReturn .= "Please enter a name<br/>";
    }
    elseif(str_replace(" ","",$_POST["txtEmail"]) == "")
    {
        $strReturn .= "Please enter an email address<br/>";
    }
    elseif(str_replace(" ","",$_POST["txtCompany"]) == "")
    {
        $strReturn .= "Please enter a company name<br/>";
    }
    elseif(str_replace(" ","",$_POST["txtContact"]) == "")
    {
        $strReturn .= "Please enter a contact number<br/>";
    }
    elseif(str_replace(" ","",$_POST["txtEnquiry"]) == "")
    {
        $strReturn .= "Please enter an enquiry<br/>";
    }
    elseif(!isset($_POST["txtPrivacy"]))
    {
        $strReturn .= "Please confirm you agree with the privacy statement<br/>";
    }
    return $strReturn;
}

//$strMessage = "Register with this form to be kept up to date on <span class='strongred'>new offers</span> and <span class='strongred'>free samples</span>";
$strMessage = " ";
$blComplete = false;
$strName = "";
$strEmail = "";
$strCompany = "";
$strContact = "";
$strEnquiry = "";
$strPrivacy = "";
$strDate=date('Y-m-d');

//Try to register if required
if(isset($_POST["btnSubmit"]))
{
    $strMessage = CheckForm();
    if($strMessage == "")
    {
        //Input okay, so record in database
        mysql_connect("localhost","root","") or die("Unable to connect to database server");
        mysql_select_db("gfc") or die( "Unable to open database");
        mysql_query("SET SESSION max_join_size = 4294967295");
        //Raw $_POST values are concatenated straight into the SQL string here
        $strSQL = "INSERT INTO Registration (registrationName, registrationCompany, registrationEnquiry, registrationEmail, registrationContact, registrationDate) ";
        $strSQL .= "VALUES ('".$_POST["txtName"]."','".$_POST["txtCompany"]."','".$_POST["txtEnquiry"]."','".$_POST["txtEmail"]."','".$_POST["txtContact"]."','".$_POST["txtDate"]."') ";
        mysql_query($strSQL);
        mysql_close();
        $blComplete = true;
        //$strMessage = "You have been registered. Thank you for your interest";
        $strMessage = " ";
    }
    else
    {
        //Error in input, so repopulate form and show it
        $strName = $_POST["txtName"];
        $strEmail = $_POST["txtEmail"];
        $strCompany = $_POST["txtCompany"];
        $strContact = $_POST["txtContact"];
        $strEnquiry = $_POST["txtEnquiry"];
        $strDate=date('Y-m-d');
    }
}
?>
<? include 'includes/header.php' ; ?>
<form id="frmRegister" action="registration.php" method="post">
<input type="hidden" name="txtDate" size="21" value="<? echo $strDate; ?>">
<? if($blComplete == false) { ?>
<div id="content_image_contact">
    <h3>Get in touch with gfcyork...</h3>
    <div id="content_image_contact_left">
        <p>Name</p>
        <p>Email</p>
        <p>Company</p>
        <p>Contact No.</p>
        <p>Enquiry</p>
    </div>
    <div id="content_image_contact_right">
        <p><input type="text" name="txtName" class="form" tabindex="1" value="<? echo $strName; ?>"></p>
        <p><input type="text" name="txtEmail" class="form" tabindex="1" value="<? echo $strEmail; ?>"></p>
        <p><input type="text" name="txtCompany" class="form" tabindex="1" value="<? echo $strCompany; ?>"></p>
        <p><input type="text" name="txtContact" class="form" tabindex="1" value="<? echo $strContact; ?>"></p>
        <p><textarea rows="4" name="txtEnquiry" class="form" tabindex="1" cols="10"><? echo $strEnquiry; ?></textarea></p>
        <p><input type="checkbox" name="txtPrivacy" style="padding:0px; margin:0px;" value="<? echo $strPrivacy; ?>"><A HREF="javascript:void(0)" onclick="window.open('privacystatement.php', 'welcome','width=400,height=400,scrollbars=yes,menubar=no,status=no,toolbar=no,left=100,top=100')" title="Privacy Statement">privacy statement</a></p>
        <p><input type="submit" class="formbutton" name="btnSubmit" value=" Send " tabindex="6"> <input type="button" value=" Reset " class="formbutton" onclick="location.href='<? echo $_SERVER['PHP_SELF']?>'"></p>
    </div>
</div>
<div id="content_header_text_contact">
    <div id="content_header_text_error">
        <? echo $strMessage; ?>
    </div>
<? } else { ?>
<div id="content_image_contact">
    <h3>Get in touch...</h3>
    <div id="content_image_contact_left">
        <p>Name</p>
        <p>Email</p>
        <p>Company</p>
        <p>Contact No.</p>
        <p>Enquiry</p>
    </div>
    <div id="content_image_contact_right">
        <p><input type="text" name="txtName" class="form" tabindex="1" value="<? echo $strName; ?>"></p>
        <p><input type="text" name="txtEmail" class="form" tabindex="1" value="<? echo $strEmail; ?>"></p>
        <p><input type="text" name="txtCompany" class="form" tabindex="1" value="<? echo $strCompany; ?>"></p>
        <p><input type="text" name="txtContact" class="form" tabindex="1" value="<? echo $strContact; ?>"></p>
        <p><textarea rows="4" name="txtEnquiry" class="form" tabindex="1" cols="10"><? echo $strEnquiry; ?></textarea></p>
        <p><input type="checkbox" name="txtPrivacy" style="padding:0px; margin:0px;" value="<? echo $strPrivacy; ?>"><A HREF="javascript:void(0)" onclick="window.open('privacystatement.php', 'welcome','width=400,height=400,scrollbars=yes,menubar=no,status=no,toolbar=no,left=100,top=100')" title="Privacy Statement">privacy statement</a></p>
        <p><input type="submit" class="formbutton" name="btnSubmit" value=" Send " tabindex="6"> <input type="button" value=" Reset " class="formbutton" onclick="location.href='<? echo $_SERVER['PHP_SELF']?>'"></p>
    </div>
</div>
<? } ?>
<? include 'includes/footer.php' ; ?>
</form>
</body>
</html>
```
premiso Posted November 18, 2008

If you want to check contents you can use stristr or eregi. If you want to check length you can use strlen. You can also let the user know that certain characters are not allowed, and disallow the use of the / : and . in the username using the same functions above. Hope that will help you to get started. I am sure there are a ton of tutorials on form validation online for PHP that are already created, so you can use one as an example and take out the parts you want/need. I know on the eregi page they have zipcode validation procedures etc. in the comments.
wiggst3r (Author) Posted November 18, 2008

Could I use stripslashes too to remove any //? I put a meta redirect in as a test, without any stripslashes, and it inserted. When viewing the posted item, the redirect was run and redirected the page which I'm using to view all the posts.
premiso Posted November 18, 2008

You could, but I do not think it would help the situation. You want to test if the user inputted a URL or a name. If it was a URL (tested by finding either www. or http:// using stristr or eregi), you check it differently; if it does not contain those, then verify the username according to your standards. I know there are more elaborate URL checkers online, or even in the PHP.net comments portion on either eregi or ereg, which can test if it is a URL in any form it can be passed in. I do not think stripslashes will be useful with what you are trying to do, honestly.
wiggst3r (Author) Posted November 18, 2008

It isn't just URLs. I'm trying to prevent any data such as <meta refresh ..> and also any SQL injection attempts. I want to strip anything that relates to a URL or anything that an SQL injection could include.
premiso Posted November 18, 2008

SQL injection is easy, just use mysql_real_escape_string. As for the refresh/XSS, if you do not want HTML to be executed, strip_tags would work, but using the functions above you should be able to test if there is such code in the input box and, if there is, reject it.
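A hardened version of the validate-and-insert path from the first post, added here as an example and not code from the thread: it applies premiso's stristr check for URL-like input to the name field, uses strip_tags on the enquiry and htmlspecialchars on output (the meta refresh in wiggst3r's test ran because stored values were echoed back as markup), and replaces the string-built INSERT with a PDO prepared statement, which is the current equivalent of the mysql_real_escape_string suggestion since the mysql_* extension was removed in PHP 7. Table and column names are the ones in the original post; PHP 7+ with PDO, and a `$db` connection built by the caller, are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with PDO; table and
// column names are the ones in the original post.

// Validate the POSTed fields; returns error messages (empty array = ok).
function checkForm(array $post): array
{
    $errors = [];
    $required = [
        'txtName'    => 'Please enter a name',
        'txtEmail'   => 'Please enter an email address',
        'txtCompany' => 'Please enter a company name',
        'txtContact' => 'Please enter a contact number',
        'txtEnquiry' => 'Please enter an enquiry',
    ];
    foreach ($required as $field => $message) {
        if (trim($post[$field] ?? '') === '') {
            $errors[] = $message;
        }
    }
    // premiso's stristr suggestion: reject a name that contains a link.
    $name = $post['txtName'] ?? '';
    if (stristr($name, '://') !== false || stristr($name, 'www.') !== false) {
        $errors[] = 'Names may not contain web addresses';
    }
    if (!isset($post['txtPrivacy'])) {
        $errors[] = 'Please confirm you agree with the privacy statement';
    }
    return $errors;
}

// Prepared statement: values travel separately from the SQL text, so quotes in
// them cannot alter the query. The date is taken server-side, not from txtDate.
function saveRegistration(PDO $db, array $post): void
{
    $sql = 'INSERT INTO Registration (registrationName, registrationCompany, registrationEnquiry,'
         . ' registrationEmail, registrationContact, registrationDate) VALUES (?, ?, ?, ?, ?, ?)';
    $db->prepare($sql)->execute([
        trim($post['txtName']), trim($post['txtCompany']), strip_tags($post['txtEnquiry']),
        trim($post['txtEmail']), trim($post['txtContact']), date('Y-m-d'),
    ]);
}

// Escape stored values when echoing them into the listing page, so a saved
// <meta http-equiv="refresh"> is shown as text instead of being executed.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
```

checkForm($_POST) returns the same messages the original joined with <br/>; call saveRegistration($db, $_POST) only when that array is empty, and wrap every echoed field in h() on both the form and the listing page.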