Don the dragon Posted January 26, 2009 Share Posted January 26, 2009 Hi I have a form that has php validation. when I receive responses from the form, it seems that hackers are able to by-pass the validation and send blank responses. How can I prevent this from happening? Thanks Don Quote Link to comment Share on other sites More sharing options...
GingerRobot Posted January 26, 2009 Share Posted January 26, 2009 Do you seriously expect us to be able to diagnose your problem without seeing any of your code? Please post up the relevant parts using tags. Quote Link to comment Share on other sites More sharing options...
RichardRotterdam Posted January 26, 2009 Share Posted January 26, 2009 Could be anything like you only depend on javascript validation or you might have the validation on a seperate page. just show the form code Quote Link to comment Share on other sites More sharing options...
Don the dragon Posted January 27, 2009 Author Share Posted January 27, 2009 Ha ha.. sorry about that. The code is shown below : ------------------------------------------- <?php session_start(); $_SESSION['sess'] = session_id(); require_once ('includes/recaptchalib.php'); $publickey = "**** **** ***"; // you got this from the signup page require_once ('includes/recaptchalib.php'); $privatekey = "**** ***** *****"; // you got this from the signup page // boolean (TRUE or FALSE) $is_confirmation = false; // set default CSS class $class = 'default'; // set default form action $form_action = $_SERVER['PHP_SELF']; // inputs read only? $read_only = null; // check posted data if (array_key_exists('submit', $_POST)) { // validate the input, beginning with name $name = trim($_POST['name']); if (empty($name)) { $error['name'] = 'error'; } $email = $_POST['emailaddress']; // check for valid email address $pattern = '/^[^@]+@[^\s\r\n\'";,@%]+$/'; if (!preg_match($pattern, trim($email))) { $error['emailaddress'] = 'error'; } $contact = trim($_POST['contact']); if (empty($contact)) { $error['contact'] = 'error'; } $fax = trim($_POST['fax']); // check the content of the text area $comments = trim($_POST['comments']); if (empty($comments)) { $error['comments'] = 'error'; } // check captcha $resp = recaptcha_check_answer($privatekey, $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]); if (!$resp->is_valid) $error['captcha'] = 'Invalid captcha input. Please try again.'; if (!$error) { // no errors - now change variables to set up confirmation page // change CSS class for confirmation $class = 'confirm'; // change form action $form_action = 'orders/contact_sendmail.php'; // set inputs as readonly $read_only = 'readonly="readonly"'; // set is_confirmation to true $is_confirmation = true; } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Contact us</title> <link rel="stylesheet" type="text/css" href="stylesheets/new_index.css" /> <link rel="stylesheet" type="text/css" href="stylesheets/contact_us.css" /> <link rel="stylesheet" type="text/css" href="stylesheets/forms.css" /> </head> <body> <div id="wrapper"> <div id="header_border"> </div> <div id="header"> <span id="top_border"> </span> <h1>S´s Tiles<span></span></h1> <object width="615" height="344" type="application/x-shockwave-flash" data="multimedia/fading_square.swf"> <param value="multimedia/fading_square.swf" name="movie" /> <img src="images_1/flash_img1.jpg" width="615" height="344" alt="Beautiful bathroom" id="no_flash" /> </object> <ul> <li><a href="index.php" title="Link to the home page">Home</a></li> <li><a href="about_us.html" title="Link to the about us page">About Us</a></li> <li><a href="services.html" title="Link to the services page">Services</a></li> <li><a href="tiling_tips.html" title="Link to the tiling tips page">Tiling tips</a></li> <li><a href="contact_us.html" title="Link to the contact us page">Contact Us</a></li> <li><a href="find_us.html" title="Link to the find us page">Find Us</a></li> </ul> </div> <div id="contain"> <div id="welcome"> <?php if (!$is_confirmation) : ?> <h2 title="Contact Us">Contact Us<span></span></h2> <?php elseif ($is_confirmation) : ?> <h2 title="Confirm information" id="confirm">Confirm Information<span></span></h2> <?php endif; ?> <div id="info_form"> <form action="<?php echo $form_action; ?>" method="post" id="booking" name="booking"> <p><?php if ($is_confirmation) { echo 'Below are the details that will be placed. <br/>If you want to change any of the items, please click the "back" button of your web browser and change the needed items and then re-submit the order.<br/> If everything is correct on this form, please click the "submit" button below.'; } ?></p> <fieldset> <legend>Contact Details :</legend> <label for="name">Full name <span class="require">*</span></label> <input name="name" type="text" id="name" value="<?php echo $name; ?>" class="<?php echo $error['name']; ?> <?php echo $class; ?>" <?php echo $read_only; ?> /> <?php if (isset($error['name'])) { ?> <p class="warning">Please add your name</p> <?php } ?> <label for="emailaddress">E-mail address <span class="require">*</span></label> <input name="emailaddress" type="text" id="emailaddress" value="<?php echo $email; ?>" class="<?php echo $error['emailaddress']; ?> <?php echo $class; ?>" <?php echo $read_only;?> /><br /> <?php if (isset($error['emailaddress'])) { ?> <p class="warning">Please add your email address</p> <?php } ?> <label for="contact">Contact number <span class="require">*</span></label> <input name="contact" type="text" id="contact" value="<?php echo $contact; ?>" class="<?php echo $error['contact']; ?> <?php echo $class; ?>" <?php echo $read_only;?> /><br /> <?php if (isset($error['contact'])) { ?> <p class="warning">Please add your contact number</p> <?php } ?> <label for="fax">Fax number<span class="require"> </span></label> <input name="fax" type="text" id="fax" value="<?php echo $fax; ?>" class="<?php echo $class; ?>" <?php echo $read_only;?> /><br /> <label for="comments">Comments <span class="require">*</span></label> <textarea name="comments" cols="30" rows="5" id="comments" class="<?php echo $error['comments']; ?> <?php echo $class; ?>" <?php echo $read_only;?>><?php echo $comments; ?></textarea> <?php if (isset($error['comments'])) { ?> <p class="warning">Please add your comments</p> <?php } ?> <?php if (!$is_confirmation) : ?> <?php /* this is only displayed if not on the confirmation page */ ?> <div id="capcha_block"><?php echo recaptcha_get_html($publickey); ?></div> <?php endif; ?> <?php if (isset($error['captcha'])) { ?> <p class="warning"><?php echo $error['captcha']; ?></p> <?php } ?> <br /> <br /> <input type="submit" name="submit" value="submit" class="button" /> <input type="reset" name="reset" value="start over" class="button" /> </fieldset> </form> </div> </div> </div> <div id="footer"> </div> </div> </body> </html> ----------------------------------------------- Donovan Quote Link to comment Share on other sites More sharing options...
Don the dragon Posted February 4, 2009 Author Share Posted February 4, 2009 Is anyone going to get back to me on this issue? ??? Quote Link to comment Share on other sites More sharing options...
gevans Posted February 4, 2009 Share Posted February 4, 2009 If you use [ code] [ /code] tags and get rid of the nasty red font color Quote Link to comment Share on other sites More sharing options...
Don the dragon Posted February 5, 2009 Author Share Posted February 5, 2009 Ok. Got it. <?php session_start(); $_SESSION['sess'] = session_id(); require_once ('includes/recaptchalib.php'); $publickey = "**** **** ***"; // you got this from the signup page require_once ('includes/recaptchalib.php'); $privatekey = "**** ***** *****"; // you got this from the signup page // boolean (TRUE or FALSE) $is_confirmation = false; // set default CSS class $class = 'default'; // set default form action $form_action = $_SERVER['PHP_SELF']; // inputs read only? $read_only = null; // check posted data if (array_key_exists('submit', $_POST)) { // validate the input, beginning with name $name = trim($_POST['name']); if (empty($name)) { $error['name'] = 'error'; } $email = $_POST['emailaddress']; // check for valid email address $pattern = '/^[^@]+@[^\s\r\n\'";,@%]+$/'; if (!preg_match($pattern, trim($email))) { $error['emailaddress'] = 'error'; } $contact = trim($_POST['contact']); if (empty($contact)) { $error['contact'] = 'error'; } $fax = trim($_POST['fax']); // check the content of the text area $comments = trim($_POST['comments']); if (empty($comments)) { $error['comments'] = 'error'; } // check captcha $resp = recaptcha_check_answer($privatekey, $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]); if (!$resp->is_valid) $error['captcha'] = 'Invalid captcha input. Please try again.'; if (!$error) { // no errors - now change variables to set up confirmation page // change CSS class for confirmation $class = 'confirm'; // change form action $form_action = 'orders/contact_sendmail.php'; // set inputs as readonly $read_only = 'readonly="readonly"'; // set is_confirmation to true $is_confirmation = true; } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Contact us</title> <link rel="stylesheet" type="text/css" href="stylesheets/new_index.css" /> <link rel="stylesheet" type="text/css" href="stylesheets/contact_us.css" /> <link rel="stylesheet" type="text/css" href="stylesheets/forms.css" /> </head> <body> <div id="wrapper"> <div id="header_border"> </div> <div id="header"> <span id="top_border"> </span> <h1>S´s Tiles<span></span></h1> <object width="615" height="344" type="application/x-shockwave-flash" data="multimedia/fading_square.swf"> <param value="multimedia/fading_square.swf" name="movie" /> <img src="images_1/flash_img1.jpg" width="615" height="344" alt="Beautiful bathroom" id="no_flash" /> </object> <ul> <li><a href="index.php" title="Link to the home page">Home</a></li> <li><a href="about_us.html" title="Link to the about us page">About Us</a></li> <li><a href="services.html" title="Link to the services page">Services</a></li> <li><a href="tiling_tips.html" title="Link to the tiling tips page">Tiling tips</a></li> <li><a href="contact_us.html" title="Link to the contact us page">Contact Us</a></li> <li><a href="find_us.html" title="Link to the find us page">Find Us</a></li> </ul> </div> <div id="contain"> <div id="welcome"> <?php if (!$is_confirmation) : ?> <h2 title="Contact Us">Contact Us<span></span></h2> <?php elseif ($is_confirmation) : ?> <h2 title="Confirm information" id="confirm">Confirm Information<span></span></h2> <?php endif; ?> <div id="info_form"> <form action="<?php echo $form_action; ?>" method="post" id="booking" name="booking"> <p><?php if ($is_confirmation) { echo 'Below are the details that will be placed. <br/>If you want to change any of the items, please click the "back" button of your web browser and change the needed items and then re-submit the order.<br/> If everything is correct on this form, please click the "submit" button below.'; } ?></p> <fieldset> <legend>Contact Details :</legend> <label for="name">Full name <span class="require">*</span></label> <input name="name" type="text" id="name" value="<?php echo $name; ?>" class="<?php echo $error['name']; ?> <?php echo $class; ?>" <?php echo $read_only; ?> /> <?php if (isset($error['name'])) { ?> <p class="warning">Please add your name</p> <?php } ?> <label for="emailaddress">E-mail address <span class="require">*</span></label> <input name="emailaddress" type="text" id="emailaddress" value="<?php echo $email; ?>" class="<?php echo $error['emailaddress']; ?> <?php echo $class; ?>" <?php echo $read_only;?> /><br /> <?php if (isset($error['emailaddress'])) { ?> <p class="warning">Please add your email address</p> <?php } ?> <label for="contact">Contact number <span class="require">*</span></label> <input name="contact" type="text" id="contact" value="<?php echo $contact; ?>" class="<?php echo $error['contact']; ?> <?php echo $class; ?>" <?php echo $read_only;?> /><br /> <?php if (isset($error['contact'])) { ?> <p class="warning">Please add your contact number</p> <?php } ?> <label for="fax">Fax number<span class="require"> </span></label> <input name="fax" type="text" id="fax" value="<?php echo $fax; ?>" class="<?php echo $class; ?>" <?php echo $read_only;?> /><br /> <label for="comments">Comments <span class="require">*</span></label> <textarea name="comments" cols="30" rows="5" id="comments" class="<?php echo $error['comments']; ?> <?php echo $class; ?>" <?php echo $read_only;?>><?php echo $comments; ?></textarea> <?php if (isset($error['comments'])) { ?> <p class="warning">Please add your comments</p> <?php } ?> <?php if (!$is_confirmation) : ?> <?php /* this is only displayed if not on the confirmation page */ ?> <div id="capcha_block"><?php echo recaptcha_get_html($publickey); ?></div> <?php endif; ?> <?php if (isset($error['captcha'])) { ?> <p class="warning"><?php echo $error['captcha']; ?></p> <?php } ?> <br /> <br /> <input type="submit" name="submit" value="submit" class="button" /> <input type="reset" name="reset" value="start over" class="button" /> </fieldset> </form> </div> </div> </div> <div id="footer"> </div> </div> </body> </html> Quote Link to comment Share on other sites More sharing options...
TheLoveableMonty Posted February 5, 2009 Share Posted February 5, 2009 Are you looking at having the form not send if someone attempts to send it fully blank? Quote Link to comment Share on other sites More sharing options...
sKunKbad Posted February 5, 2009 Share Posted February 5, 2009 you could specifically check like this: if(isset($_POST['name']) && $_POST['name'] != ''){ ... or if(empty($name) || $name == ''){ ... Quote Link to comment Share on other sites More sharing options...
Don the dragon Posted February 5, 2009 Author Share Posted February 5, 2009 Oh ok. Ill give it a go. Thanks Donovan Quote Link to comment Share on other sites More sharing options...
Don the dragon Posted February 6, 2009 Author Share Posted February 6, 2009 Are you looking at having the form not send if someone attempts to send it fully blank? Thats exactly right. It seems that someone is messing around with my form and only submits a random name. The rest of the form is blank. Quote Link to comment Share on other sites More sharing options...
Don the dragon Posted February 6, 2009 Author Share Posted February 6, 2009 you could specifically check like this: if(isset($_POST['name']) && $_POST['name'] != ''){ ... or if(empty($name) || $name == ''){ ... I just tried the above techniques and it doesnt seem to have any effect Quote Link to comment Share on other sites More sharing options...
uniflare Posted February 6, 2009 Share Posted February 6, 2009 <?php $name = trim($_POST['name']); if (empty($name)) { $error['name'] = 'error'; } ?> Try this instead: <?php if(!preg_match("/\A[a-z0-9_]{6,16}$/i",$_POST['name'])){ $error['name'] = 'Must be Alphanumerical between 6 and 16 characters long.'; }else{ $name = $_POST['name']; } ?> \A = From the start of the string, [a-z0-9_] = match all characters in a single unbroken string, including underscores, that is between: {6,16} = minimum if 6 characters, maximum of 16 characters to be matched by [a-z0-9_] $ = until the very end of subject. ---- As long as the whole subject from \A (start) to $ (finish) matches between 6-16 characters containing a-z, 0-9 or underscores. you can take out the _ in the pattern to disallow that too. Quote Link to comment Share on other sites More sharing options...
Don the dragon Posted February 7, 2009 Author Share Posted February 7, 2009 Wow. That looks complicated. Excuse my ignorance, Im still quite new to php, but would I do that for all the other fields to? Donovan Quote Link to comment Share on other sites More sharing options...
uniflare Posted February 7, 2009 Share Posted February 7, 2009 yes, you can change the pattern to validate emails etc as well. Do a google search for "preg_match validate form data" Quote Link to comment Share on other sites More sharing options...
Don the dragon Posted February 12, 2009 Author Share Posted February 12, 2009 I tried the method of using 'preg_match'. It still seems that this person is able to submit the form without any data in it. Donovan Quote Link to comment Share on other sites More sharing options...
Don the dragon Posted February 12, 2009 Author Share Posted February 12, 2009 I tried using preg_match on the form validations, but someone is still submitting blank forms. How is it possible for anyone to get passed my validations? Quote Link to comment Share on other sites More sharing options...
Don the dragon Posted February 13, 2009 Author Share Posted February 13, 2009 Hi Thank you for all your help. I think i know what the problem was. I had and old form that was connected to the same submittion page. Cheers Donovan Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.