newbtophp Posted September 1, 2009

I'm having a really bad day. I've got a form; when it's filled in and the visitor clicks submit, I want it to validate the number field so it's correct. The validation format would be: the number must be 10 characters in length or below, only numbers and no spaces. So if it contains non-numeric characters they are removed, as well as the spaces. I've tried using str_replace to clear the space, but was wondering, is there any easier way of doing what I'm doing?

    <form action='mail.php' name="myForm" method='post'>
    Number<br>
    <?php // This field (number) needs to be validated before submitted ?>
    <input id='number' name="number" class='ptext' size='55'><br>
    Data<br>
    <select name='data' id='data' class='ptext'>
    <option value="" selected>- Data -</option>
    <?php
    $sql = "SELECT * FROM data";
    $result = mysql_query($sql);
    while($row = mysql_fetch_array($result)) {
    ?>
    <option value="<?php echo $row["id"]; ?>"><?php echo $row["name"]; ?></option>
    <?php } ?>
    </select><br>
    Subject<br>
    <input id='subject' type='text' name='subject' value='' class='ptext' size='55'/><br>
    Your Email<br>
    <input id='from' type='text' name='from' value='' class='ptext' size='55'/><br>
    Message<br>
    <textarea id='message' name='message' class='ptext' style="width: 415px; height: 100px;"></textarea><br>
    <input type='submit' class='psubm' name="submit" value='Submit'>
    </form>
Philip Posted September 1, 2009

I typically just reject the form and make them fill it out again. I can't always read their mind, so how do I know they didn't just read the question wrong? Plus, I like making my visitors work for their bandwidth.
newbtophp (Author) Posted September 1, 2009

> I typically just reject the form and make them fill it out again. I can't always read their mind, so how do I know they didn't just read the question wrong? Plus, I like making my visitors work for their bandwidth.

So if those properties which I mentioned above were there, how would I reject the form from submitting and echo the error? Example please, I'm interested ^^
Philip Posted September 1, 2009

This is what I've done in the past, using $ERROR as an array of any errors they had...

    <?php
    if(!empty($_POST)) {
        // do your processing...
        if(!is_numeric($_POST['num'])) {
            $ERROR[] = 'Numeric field needs to be numeric';
        }
        if(!isset($ERROR) || empty($ERROR)) {
            // no errors
            // send to db or whatever
            // redirect if wanted
        }
    }
    if(isset($ERROR) && is_array($ERROR)) {
        echo 'Errors:';
        foreach($ERROR as $error) {
            echo $error, '<br>';
        }
    }
    ?>
    <form>
    ...
    </form>
newbtophp (Author) Posted September 1, 2009

Thanks! I tried:

    <?php
    if(!empty($_POST)) {
        // do your processing...
        if(!is_numeric($_POST['number'])) {
            $ERROR[] = 'Numeric field needs to be numeric';
        }
        if(!isset($ERROR) || empty($ERROR)) {
            // no errors
            // send to db or whatever
            // redirect if wanted
        }
    }
    if(isset($ERROR) && is_array($ERROR)) {
        echo 'YOU GOT AN ERROR!:';
        foreach($ERROR as $error) {
            echo $error, '<br>';
        }
    }
    ?>
    <form action='mail.php' name="myForm" method='post'>
    Number<br>
    <?php // This field (number) needs to be validated before submitted ?>
    <input id='number' name="number" class='ptext' size='55'><br>
    Data<br>
    <select name='data' id='data' class='ptext'>
    <option value="" selected>- Data -</option>
    <?php
    $sql = "SELECT * FROM data";
    $result = mysql_query($sql);
    while($row = mysql_fetch_array($result)) {
    ?>
    <option value="<?php echo $row["id"]; ?>"><?php echo $row["name"]; ?></option>
    <?php } ?>
    </select><br>
    Subject<br>
    <input id='subject' type='text' name='subject' value='' class='ptext' size='55'/><br>
    Your Email<br>
    <input id='from' type='text' name='from' value='' class='ptext' size='55'/><br>
    Message<br>
    <textarea id='message' name='message' class='ptext' style="width: 415px; height: 100px;"></textarea><br>
    <input type='submit' class='psubm' name="submit" value='Submit'>
    </form>

But even if the number field contains other characters it still proceeds to mail.php.
MadTechie Posted September 1, 2009

Try this:

    <?php
    $valid = false;
    // check it has a value
    if(!empty($_POST['number'])) {
        // remove unwanted (leave numbers only)
        $num = preg_replace('/[^\d]/', '', $_POST['number']);
        // only valid if it's 0 to 10 numbers only
        $valid = (bool)preg_match('/^\d{0,10}$/', $num);
    }
    var_dump($valid);
    ?>

0123456789 = valid
0123456789abcd = valid (with clean up used)
01234567890 = not valid (11 numbers)
123 = valid
123abc = valid (with clean up used)
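The strip-then-check approach from the post above, written out as an added example (my code, not MadTechie's or the poster's) that runs from the command line against the inputs tried in this thread. It also reports whether the clean-up changed the input, so a caller can choose between Philip's "reject and ask again" and MadTechie's "clean it silently", and it handles one case the two-line version lets through: a value such as "abc" is non-empty, so it passes !empty(), but is empty after clean-up, and /^\d{0,10}$/ matches the empty string. The function name clean_number and the result keys are mine.

```php
<?php
// Added example (not from the thread): digits-only clean-up with an explicit
// "did the clean-up change anything" flag. clean_number() is my own name.

/**
 * Returns ['valid' => bool, 'number' => string, 'changed' => bool, 'error' => ?string].
 * 'number' is kept as a string so leading zeros are not lost.
 */
function clean_number(string $raw, int $maxLen = 10): array
{
    $digits  = preg_replace('/\D/', '', $raw);   // drop spaces, letters, punctuation
    $changed = ($digits !== $raw);               // true if anything was removed

    // Edge case: "abc" survives !empty() but is "" after clean-up, and
    // /^\d{0,10}$/ matches the empty string, so it would count as valid.
    if ($digits === '') {
        return ['valid' => false, 'number' => '', 'changed' => $changed,
                'error' => 'Number must contain at least one digit'];
    }
    if (strlen($digits) > $maxLen) {
        return ['valid' => false, 'number' => $digits, 'changed' => $changed,
                'error' => "Number must be $maxLen digits or fewer"];
    }
    return ['valid' => true, 'number' => $digits, 'changed' => $changed, 'error' => null];
}

// Constructed test inputs, including the ones tried in this thread.
$cases = [
    '0123456789',     // valid
    '0123456789abcd', // valid after clean-up, 'changed' is true
    '01234567890',    // 11 digits: rejected
    '123',
    '123abc',
    '012 345 6789',   // spaces removed
    'abc',            // nothing left after clean-up: rejected
    '',               // empty: rejected
];

foreach ($cases as $in) {
    $r = clean_number($in);
    printf("%-18s => %-7s number=%-12s changed=%-3s %s\n",
        var_export($in, true),
        $r['valid'] ? 'valid' : 'INVALID',
        $r['number'],
        $r['changed'] ? 'yes' : 'no',
        $r['error'] ?? '');
}
```

Run it with `php clean_number.php`. If the form should reject anything that needed cleaning (Philip's approach), treat `changed === true` as an error as well; if silent clean-up is acceptable, use the returned `number` and ignore the flag. Either way the check has to run in the script that receives the POST (mail.php here), not in the page that only renders the form.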
newbtophp (Author) Posted September 1, 2009

@MadTechie It doesn't work either, the form still executes. Also it says "bool(false)".
MadTechie Posted September 1, 2009

What was the input?
newbtophp (Author) Posted September 1, 2009

> What was the input?

This: 01234567890
MadTechie Posted September 1, 2009

That's 11 numbers, thus it is more than 10.

> the number must be 10 characters in length or below,
newbtophp (Author) Posted September 1, 2009

> That's 11 numbers, thus it is more than 10.
>
> > the number must be 10 characters in length or below,

Yes, I tested 11 to see if the submission can still be posted and it worked. I tested 10 numbers, it worked, which is great; I also tested 11 numbers and it worked.
MadTechie Posted September 1, 2009

Can you post the code?
newbtophp (Author) Posted September 1, 2009

    <?php
    $valid = false;
    // check it has a value
    if(!empty($_POST['number'])) {
        // remove unwanted (leave numbers only)
        $num = preg_replace('/[^\d]/', '', $_POST['number']);
        // only valid if it's 0 to 10 numbers only
        $valid = (bool)preg_match('/^\d{0,10}$/', $num);
    }
    var_dump($valid);
    ?>
    <form action='mail.php' name="myForm" method='post'>
    Number<br>
    <?php // This field (number) needs to be validated before submitted ?>
    <input id='number' name="number" class='ptext' size='55'><br>
    Data<br>
    <select name='data' id='data' class='ptext'>
    <option value="" selected>- Data -</option>
    <?php
    $sql = "SELECT * FROM data";
    $result = mysql_query($sql);
    while($row = mysql_fetch_array($result)) {
    ?>
    <option value="<?php echo $row["id"]; ?>"><?php echo $row["name"]; ?></option>
    <?php } ?>
    </select><br>
    Subject<br>
    <input id='subject' type='text' name='subject' value='' class='ptext' size='55'/><br>
    Your Email<br>
    <input id='from' type='text' name='from' value='' class='ptext' size='55'/><br>
    Message<br>
    <textarea id='message' name='message' class='ptext' style="width: 415px; height: 100px;"></textarea><br>
    <input type='submit' class='psubm' name="submit" value='Submit'>
    </form>
MadTechie Posted September 1, 2009

Okay, var_dump($valid); should be replaced with your error capturing, i.e.

    if(!$valid) echo "ERROR: in-valid number";
newbtophp (Author) Posted September 1, 2009

> Okay, var_dump($valid); should be replaced with your error capturing, i.e.
>
>     if(!$valid) echo "ERROR: in-valid number";

It displays "ERROR: in-valid number" above my form even though I didn't fill anything in. Do I have to add that in mail.php?
MadTechie Posted September 1, 2009

You need to put it where you deal with the posted data. From looking at your form, I would have to say yes, it goes in the mail.php script.
newbtophp (Author) Posted September 1, 2009

Ok, I've added it to mail.php. This is the contents of mail.php:

    <?php
    $valid = false;
    // check it has a value
    if(!empty($_POST['number'])) {
        // remove unwanted (leave numbers only)
        $num = preg_replace('/[^\d]/', '', $_POST['number']);
        // only valid if it's 0 to 10 numbers only
        $valid = (bool)preg_match('/^\d{0,10}$/', $num);
    }
    if(!$valid) echo "ERROR: in-valid number";
    ?>
    <?php
    session_start();
    if (strtoupper($_POST['code']) != substr(strtoupper(md5("Mytext".$_SESSION["sessioncode"])), 0, 6)) {
    ?>
    <?php include 'templates/header.php'; ?>
    <BR> <BR>
    Please fill in all fields correctly. Click <a href="../index.php">here</a> to go back.
    <BR> <BR>
    <?php include 'templates/footer.php'; ?>
    <?php
        unset($_SESSION["sessioncode"]);
        exit;
    }
    // valid code starts here
    $number  = $_POST['number'];
    $data    = $_POST['data'];
    $from    = $_POST['from'];
    $subject = $_POST['subject'];
    $message = $_POST['message'];
    $day = date("mdy");
    $ip  = gethostbyname($_SERVER['REMOTE_ADDR']);
    include("config.php");
    $checkuses = mysql_num_rows(mysql_query("select * from users where ip='$ip' and day='$day'"));
    if($checkuses >= $alloweduses) {
        echo "Sorry, you have used all of your free messages for today. Come back tomorrow.";
        unset($_SESSION["sessioncode"]);
        exit;
    } else {
        $query  = "INSERT INTO users VALUES ('$ip','$number','$day')";
        $result = mysql_query($query) or die("Unable to Add IP Entry");
    }
    $sql    = "SELECT * FROM data WHERE id = '$data'";
    $result = mysql_query($sql);
    $row    = mysql_fetch_array($result);
    $email  = $row["email"];
    $to     = $number . $email;
    $number = $_REQUEST['number'];
    $headerstouse = '';
    $headers = $headerstouse;
    $message = $message;
    mail($to, $subject, $message, $headers);
    include 'templates/header.php';
    echo "<BR><BR>Sent!<br>";
    echo "<b>TO:</b> ".$number."<br>";
    echo "<b>FROM:</b> ".$from."<br>";
    echo "<b>SUBJECT:</b> ".$subject."<br>";
    echo "<b>MESSAGE:</b> ".$message."<br><br>";
    echo "Click <a href=\"".$_SERVER['HTTP_REFERER']."\">here</a> to go back and send another message.<BR><BR>";
    include 'templates/footer.php';
    // prevent reuse session (bypass captcha)
    unset($_SESSION["sessioncode"]);
    ?>

Now it says "invalid number" if it's an invalid number, but doesn't stop the script from executing the mail. Would die("Error!") do the trick?
MadTechie Posted September 1, 2009

As your other errors use die, then that would be okay, I guess.
newbtophp (Author) Posted September 1, 2009

> As your other errors use die, then that would be okay, I guess.

Ok, thanks. I've got a question: from mail.php, can you spot any security weaknesses like XSS or SQL injection, and their solutions? Because I heard INSERT INTO and $_POST can be vulnerable.
MadTechie Posted September 1, 2009

On any SQL you should use mysql_real_escape_string() on your strings, and convert your integers to integers and floats to floats. The number is safe providing the filter is used before the SQL statement; also the date is safe. Anything from the user is unsafe.
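The advice above applied to the fields mail.php actually reads, as an added example (my code, not the poster's mail.php and not MadTechie's). Integers are cast, strings are validated, nothing reaches SQL or mail() while the error list is non-empty, and the output that mail.php echoes back is HTML-escaped, which covers the XSS half of the question. For the SQL it swaps mysql_real_escape_string() for mysqli prepared statements, which enforce the same "escape strings, cast integers" rule inside the driver; table and column names come from mail.php, the function names validate_submission, h and record_and_lookup are mine, and the length limits are assumptions.

```php
<?php
// Added example, not the poster's mail.php and not MadTechie's code: the
// "escape strings, cast integers, trust nothing from the user" rule applied
// to mail.php's fields. Function names are mine; limits are assumptions.

// Validates the posted fields. Returns [$clean, $errors]; $errors is empty only when every field passed.
function validate_submission(array $post): array
{
    $clean = $errors = [];

    // number: digits only, 1 to 10 of them, kept as a string so leading zeros survive.
    $number = preg_replace('/\D/', '', (string)($post['number'] ?? ''));
    if ($number === '' || strlen($number) > 10) {
        $errors[] = 'Number must be 1 to 10 digits, no spaces or letters';
    }
    $clean['number'] = $number;

    // data: a row id, so it must be a positive integer, never the raw string.
    $data = filter_var($post['data'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($data === false) {
        $errors[] = 'Please choose an entry from the Data list';
    }
    $clean['data'] = (int)$data;

    // from: must at least be a syntactically valid e-mail address.
    $from = filter_var(trim((string)($post['from'] ?? '')), FILTER_VALIDATE_EMAIL);
    if ($from === false) {
        $errors[] = 'Your Email must be a valid e-mail address';
    }
    $clean['from'] = (string)$from;

    // subject and message: free text, but length-limited (limits are assumed).
    foreach (['subject' => 100, 'message' => 1000] as $field => $max) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '' || strlen($value) > $max) {
            $errors[] = ucfirst($field) . " must be 1 to $max characters";
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

// Escape user data before echoing it back into the page (the XSS half of the question).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The three queries from mail.php with bound parameters. Returns the recipient
// address for the chosen data row, or null when the daily limit is reached or
// the row does not exist. Call it only after validate_submission() returned no errors.
function record_and_lookup(mysqli $db, array $clean, string $ip, string $day, int $allowedUses): ?string
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE ip = ? AND day = ?');
    $stmt->bind_param('ss', $ip, $day);
    $stmt->execute();
    $stmt->bind_result($uses);
    $stmt->fetch();
    $stmt->close();
    if ($uses >= $allowedUses) {
        return null;
    }

    $stmt = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $ip, $clean['number'], $day);
    $stmt->execute();
    $stmt->close();

    $stmt = $db->prepare('SELECT email FROM data WHERE id = ?');
    $stmt->bind_param('i', $clean['data']);   // bound as an integer, so the raw string never reaches SQL
    $stmt->execute();
    $stmt->bind_result($email);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $email : null;
}

// Constructed sample submission with several fields wrong; runs without a database.
[$clean, $errors] = validate_submission([
    'number'  => '0123 4567 890x',   // 11 digits once cleaned: rejected
    'data'    => '3abc',             // not an integer id: rejected
    'from'    => 'not-an-address',   // rejected
    'subject' => '',                 // rejected
    'message' => '<b>hello</b>',     // accepted, but escaped on output
]);
foreach ($errors as $e) {
    echo 'ERROR: ', h($e), "\n";
}
// mail.php would continue to record_and_lookup() and mail() only when $errors is empty.
echo 'Message as it would be echoed back: ', h($clean['message']), "\n";
```

Run the file with `php mail_check.php` and the four failing fields are listed while the message is printed as `&lt;b&gt;hello&lt;/b&gt;`. In mail.php itself, the pattern is: validate first, stop with the error list (Philip's $ERROR approach, or die() as discussed above) if anything failed, and only then open the database and send the mail.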
newbtophp (Author) Posted September 1, 2009

Ok, thanks for all your help! Thanks MadTechie and thanks KingPhilip!

Topic Solved