Hi

 

I've got a basic contact form that users can enter their details into. At the moment there is some validation, but only if the fields are blank etc.

The form allows users to enter not only names but also URLs. What I want to do is prevent this from happening and not allow any URLs into the form, maybe by removing :// from anything in the input.

 

So far I have this:

 

<?php
function CheckForm()
{
	$strReturn = "";

	if(str_replace(" ","",$_POST["txtName"]) == "")
	{
		$strReturn .= "Please enter a name<br/>";
	}
	elseif(str_replace(" ","",$_POST["txtEmail"]) == "")
	{
		$strReturn .= "Please enter an email address<br/>";
	}
	elseif(str_replace(" ","",$_POST["txtCompany"]) == "")
	{
		$strReturn .= "Please enter a company name<br/>";
	}
	elseif(str_replace(" ","",$_POST["txtContact"]) == "")
	{
		$strReturn .= "Please enter a contact number<br/>";
	}
	elseif(str_replace(" ","",$_POST["txtEnquiry"]) == "")
	{
		$strReturn .= "Please enter an enquiry<br/>";
	}
	elseif(!isset($_POST["txtPrivacy"]))
	{
		$strReturn .= "Please confirm you agree with the privacy statement<br/>";
	}

	return $strReturn;
}

//$strMessage = "Register with this form to be kept up to date on <span class='strongred'>new offers</span> and <span class='strongred'>free samples</span>";
$strMessage = " ";
$blComplete = false;

$strName = "";
$strEmail = "";
$strCompany = "";
$strContact = "";
$strEnquiry = "";
$strPrivacy = "";
$strDate=date('Y-m-d');

//Try to register if required
if(isset($_POST["btnSubmit"]))
{
	$strMessage = CheckForm();

	if($strMessage == "")
	{
		//Input okay, so record in database
		mysql_connect("localhost","root","") or die("Unable to connect to database server");
		mysql_select_db("gfc") or die( "Unable to open database");

		mysql_query("SET SESSION max_join_size = 4294967295");

		$strSQL = "INSERT INTO Registration (registrationName, registrationCompany, registrationEnquiry, registrationEmail, registrationContact, registrationDate) ";
		$strSQL .= "VALUES ('".$_POST["txtName"]."','".$_POST["txtCompany"]."','".$_POST["txtEnquiry"]."','".$_POST["txtEmail"]."','".$_POST["txtContact"]."','".$_POST["txtDate"]."') ";
		mysql_query($strSQL);

		mysql_close();
		$blComplete = true;
		//$strMessage = "You have been registered.  Thank you for your interest";
		$strMessage = " ";
	}
	else
	{
		//Error in input, so repopulate form and show it

		$strName = $_POST["txtName"];
		$strEmail = $_POST["txtEmail"];
		$strCompany = $_POST["txtCompany"];
		$strContact = $_POST["txtContact"];
		$strEnquiry = $_POST["txtEnquiry"];
		$strDate=date('Y-m-d');
	}
}
?>

<?

include 'includes/header.php' ;
?>

<form id="frmRegister" action="registration.php" method="post">
<input type="hidden" name="txtDate" size="21" value="<? echo $strDate; ?>">
<?
if($blComplete == false)
{
?>
	<div id="content_image_contact">
	<h3>Get in touch with gfcyork...</h3>

	<div id="content_image_contact_left">
	<p>Name</p>
	<p>Email</p>
	<p>Company</p>
	<p>Contact No.</p>
	<p>Enquiry</p>
	</div>

	<div id="content_image_contact_right">
	<p><input type="text" name="txtName" class="form" tabindex="1" value="<? echo $strName; ?>"></p>
	<p><input type="text" name="txtEmail" class="form" tabindex="1" value="<? echo $strEmail; ?>"></p>
	<p><input type="text" name="txtCompany" class="form" tabindex="1" value="<? echo $strCompany; ?>"></p>
	<p><input type="text" name="txtContact" class="form" tabindex="1" value="<? echo $strContact; ?>"></p>
	<p><textarea rows="4" name="txtEnquiry" class="form" tabindex="1" cols="10"><? echo $strEnquiry; ?></textarea></p>
	<p><input type="checkbox" name="txtPrivacy" style="padding:0px; margin:0px;" value="<? echo $strPrivacy; ?>"><A HREF="javascript:void(0)" onclick="window.open('privacystatement.php', 'welcome','width=400,height=400,scrollbars=yes,menubar=no,status=no,toolbar=no,left=100,top=100')" title="Privacy Statement">privacy statement</a></p>
	<p><input type="submit" class="formbutton" name="btnSubmit" value=" Send " tabindex="6">  <input type="button" value=" Reset " class="formbutton" onclick="location.href='<? echo $_SERVER['PHP_SELF']?>'"></p>
	</div>

	</div>

	<div id="content_header_text_contact">

	<div id="content_header_text_error">
	<? echo $strMessage; ?>
	</div>

  	<?
}
else
{
?>
	<div id="content_image_contact">
	<h3>Get in touch...</h3>

	<div id="content_image_contact_left">
	<p>Name</p>
	<p>Email</p>
	<p>Company</p>
	<p>Contact No.</p>
	<p>Enquiry</p>
	</div>

	<div id="content_image_contact_right">
	<p><input type="text" name="txtName" class="form" tabindex="1" value="<? echo $strName; ?>"></p>
	<p><input type="text" name="txtEmail" class="form" tabindex="1" value="<? echo $strEmail; ?>"></p>
	<p><input type="text" name="txtCompany" class="form" tabindex="1" value="<? echo $strCompany; ?>"></p>
	<p><input type="text" name="txtContact" class="form" tabindex="1" value="<? echo $strContact; ?>"></p>
	<p><textarea rows="4" name="txtEnquiry" class="form" tabindex="1" cols="10"><? echo $strEnquiry; ?></textarea></p>
	<p><input type="checkbox" name="txtPrivacy" style="padding:0px; margin:0px;" value="<? echo $strPrivacy; ?>"><A HREF="javascript:void(0)" onclick="window.open('privacystatement.php', 'welcome','width=400,height=400,scrollbars=yes,menubar=no,status=no,toolbar=no,left=100,top=100')" title="Privacy Statement">privacy statement</a></p>
	<p><input type="submit" class="formbutton" name="btnSubmit" value=" Send " tabindex="6">  <input type="button" value=" Reset " class="formbutton" onclick="location.href='<? echo $_SERVER['PHP_SELF']?>'"></p>
	</div>

	</div>




<?
}
?>

<?
include 'includes/footer.php' ;
?>

</form>
</body>
</html>

https://forums.phpfreaks.com/topic/133199-php-contact-form-validation/

If you want to check contents you can use stristr or eregi

 

If you want to check length you can use strlen

 

You can also let the user know that certain characters are not allowed, and disallow the use of the / : and . in the username using the same functions above.

 

Hope that will help you to get started. I am sure there are a ton of tutorials of form validation online for PHP that are already created so you can use that as an example and take out the parts you want/need. I know on the eregi page they have zipcode validation procedures etc. in the comments.

You could, but I do not think it would help the situation. You want to test if the user inputted a URL or a name. If it was a URL (tested by finding either www. or http:// using stristr or eregi).

 

If it is you check it differently, if it does not contain those then verify the username according to your standards. I know there are more elaborate URL checkers online or even in the PHP.net comments portion on either eregi or ereg which can test if it is a URL with any type of form it can be passed in.

 

I do not think stripslashes will be useful with what you are trying to do honestly.

SQL injection is easy, just use mysql_real_escape_string

 

As for the refresh/xss if you do not want html to be executed strip_tags would work, but using the functions above you should be able to test if there is such code in the input box and if there is reject it.
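
One way to put the checks discussed in this thread together, added here as an example and not code from any of the posters. It rejects values containing a link with preg_match (eregi was removed in PHP 7), stores the row through a PDO prepared statement in place of mysql_real_escape_string (the mysql_* functions were also removed in PHP 7), and escapes output with htmlspecialchars rather than strip_tags. The in-memory SQLite database, the COLS constant, the function names and the sample submission are assumptions made so it runs stand-alone.

```php
<?php
// Added example, not the poster's code; SQLite in memory stands in for MySQL (assumption).
const COLS = 'registrationName, registrationCompany, registrationEnquiry, '
           . 'registrationEmail, registrationContact, registrationDate';

// True when a value carries a link: any scheme followed by :// or a www. prefix.
function containsUrl(string $value): bool
{
    return preg_match('~[a-z][a-z0-9+.-]*://|\bwww\.~i', $value) === 1;
}

// Collects every problem (the original elseif chain stops at the first);
// a field sent as an array (txtName[]=x) counts as missing.
function checkForm(array $post): array
{
    $labels = ['txtName' => 'a name', 'txtEmail' => 'an email address',
               'txtCompany' => 'a company name', 'txtContact' => 'a contact number',
               'txtEnquiry' => 'an enquiry'];
    $errors = [];
    foreach ($labels as $field => $label) {
        $value = is_string($post[$field] ?? null) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[] = "Please enter $label";
        } elseif (containsUrl($value)) {
            $errors[] = "Links are not allowed ($field)";
        }
    }
    if (!isset($post['txtPrivacy'])) {
        $errors[] = 'Please confirm you agree with the privacy statement';
    }
    return $errors;
}

// Placeholders keep values out of the SQL text, so a quote in a name is just data.
function saveRegistration(PDO $db, array $post): void
{
    $stmt = $db->prepare('INSERT INTO Registration (' . COLS . ') VALUES (?, ?, ?, ?, ?, ?)');
    $stmt->execute([$post['txtName'], $post['txtCompany'], $post['txtEnquiry'],
        $post['txtEmail'], $post['txtContact'], date('Y-m-d')]); // date set server-side
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE Registration (' . COLS . ')');
// Constructed sample: an apostrophe in the name, a link in the first enquiry only.
$post = ['txtName' => "Pat O'Brien", 'txtEmail' => 'pat@example.test', 'txtCompany' => 'Acme',
         'txtContact' => '01234 567890', 'txtEnquiry' => 'see http://spam.example.test', 'txtPrivacy' => ''];
foreach ([$post, ['txtEnquiry' => 'Please send a brochure'] + $post] as $submission) {
    $errors = checkForm($submission);
    if ($errors === []) { saveRegistration($db, $submission); }
    // Escape on output, for messages and for refilled value="..." attributes alike.
    echo htmlspecialchars($errors ? implode('; ', $errors) : 'stored ' . $submission['txtName'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The date is taken from the server instead of the hidden txtDate field, because a hidden input is as client-controlled as any visible one.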
