gocondo Posted November 25, 2010 Share Posted November 25, 2010 Does anyone have an example for PHP subscription code? I used Javascript to validate the subscription form and PHP to update the mailing list in my Toronto condo website, but lately some hackers were able to subscribe and bypass the Javascript validation function. How they did it? I wouldl ike to use only PHP for the subscription to avoid this problem. Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 25, 2010 Share Posted November 25, 2010 Javascript is NOT validation. All I have to do is disable javascript in my browser, (hint: spambots don't use javascript) and I can send any values I want through your form. Validation must be done server-side. Quote Link to comment Share on other sites More sharing options...
gocondo Posted November 25, 2010 Author Share Posted November 25, 2010 But if I do the validation on the server side, how can I issue alert with the error message to the client? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 25, 2010 Share Posted November 25, 2010 Using JS in a form should be viewed as nothing more than a convenience for the user, although if it's done improperly, it can become a huge inconvenience instead. You should always assume that any JS used to check form input is not going to work at all, and perform the validations server-side. If the validation routine detects errors server-side, you can then redisplay the form with the values already filled in, and any errors highlighted so the user can make needed corrections and resubmit it. Here's a (somewhat stripped down) example that you can paste into a file and mess with. Enter the wrong values in the fields and see how it handles the errors. <?php if( $_POST['submitted'] == 'yes' ) { //check for hidden field value to indicate form has been submitted $errors = array(); // initialize an array to hold validation errors array_map('trim', $_POST); // trim all $_POST array values if( !empty($_POST['name']) ) { // validate the name field if( !ctype_alpha($_POST['name']) ) { $errors[] = 'Name must be alphabetic characters only.'; // if name has non alpha chars, store error } if( strlen($_POST['name']) < 3 || strlen($_POST['name'] > 20) ) { $errors[] = 'Name must be from 3 to 20 characters.'; // if name has too many/few chars, store error } } else { $errors[] = 'Name is a required field.'; // if name is empty, store error } if( !empty($_POST['number']) ) { // same validations as in name, above. if( !ctype_digit($_POST['number']) ) { $errors[] = 'Number must be numeric.'; } if( strlen($_POST['number']) < 5 || strlen($_POST['number']) > 20 ) { $errors[] = 'Number must be from 5 to 20 digits. It is currently ' . strlen($_POST['number']) . ' digits'; } } else { $errors[] = 'Number is a required field.'; } if( !empty($errors) ) { // if the $errors array is not empty, display the errors to allow the user to correct them and resubmit the form echo "<font color=\"red\">The following errors were detected"; foreach( $errors as $value ) { echo "<br>$value"; } echo '</font>'; } else { echo "<font color=\"green\">Congratulations, no errors detected!</font>"; } } ?> <form method="post"> Name (3-20 letters): <input type="text" name="name" value="<?php echo isset($_POST['name']) ? $_POST['name'] : ''; ?>"><br> Number (5-10 numbers): <input type="text" name="number" value="<?php echo isset($_POST['number']) ? $_POST['number'] : ''; ?>"><br> <input type="hidden" name="submitted" value="yes"> <input type="submit" name="submit" value="Submit"> </form> Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.