
Sanitize A Simple Form


wright67uk


What would be the best way to sanitize the simple form below?

  • FILTER_SANITIZE_EMAIL
  • FILTER_VALIDATE_EMAIL
  • (isset($_REQUEST['email']))

I've seen the above, but to be quite honest I'm not sure where or how they would go.

I've had a play around but I'm not getting very far!

 

Any help would be really great!

 

<div id="box">
<?php
$con = mysql_connect("userdb,pw");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("database", $con);
// the raw $_POST values are placed straight into the SQL string here, unchecked
$sql="INSERT INTO tablename (name, email)
VALUES
('$_POST[name]','$_POST[email]')";
if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "Thankyou! We will be in touch soon.";

mysql_close($con);
?>

</div>

Edited by wright67uk

isset ($_POST['email']) is for checking whether or not the field has actually been submitted, it has nothing (or very little) to do with validation. This is usually done before validation, to ensure that you're not getting any warnings from the PHP parser or potential side-effects of missing the data.

 

Validation (which isn't quite the same as sanitation) should then be performed immediately after verifying that the field has been submitted, and before you do anything else with the data posted. This is to ensure that the user has indeed filled out the form with valid data, which adheres to what you've written your code to expect later on. If the validation fails you should show the form anew, with the data from the user already filled out and with an error message detailing everything that failed.

Sanitation, on the other hand, doesn't check that the data is correct, but it silently changes it to adhere to your rules. Meaning that the user has no control or knowledge of what's really been saved, which can (in the worst case) make your application/site completely useless for him/her. It can also open for other injection attacks, in some cases, by being fed malformed data which is then transformed into well-formed but unwanted data, by your sanitation routine.

 

Quick pseudo-code describing how I'd do a simple form validation and presentation.

$message = array ();
$email = $name = '';

// a message from a previous successful submission (after the redirect below)
if (!empty ($_GET['success'])) {
   $message[] = FORM_SUCCESS;
}

// nothing posted yet: just show the empty form
if (!isset ($_POST) || empty ($_POST)) {
   show_form ($message);
   return;
}

// validate each field; on failure keep the user's value so the form can be refilled
if (isset ($_POST['email']) && !$email = validate_email ($_POST['email'])) {
   $message[] = FORM_EMAIL_FAILED;
   $email = $_POST['email'];
}

if (isset ($_POST['name']) && !$name = validate_name ($_POST['name'])) {
   $message[] = FORM_NAME_FAILED;
   $name = $_POST['name'];
}

// any failure: show the form again with the values and all error messages
if (!empty ($message)) {
   show_form ($message, $email, $name);
   return;
}

redirect ("?success=yes");

Edited by Christian F.
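Putting the three pieces from the question together in working PHP, as an added example that is neither the original poster's nor the answerer's code: isset() checks that the fields arrived, FILTER_VALIDATE_EMAIL validates (it rejects rather than rewrites, which is the validation-versus-sanitation distinction above), and a PDO prepared statement keeps the values out of the SQL text, which is what the original INSERT was missing. The DSN, credentials, table name and the name rule are assumptions/placeholders.

```php
<?php
// Added example (not from the thread). Validate first, then insert with a
// prepared statement so the values are never pasted into the SQL string.
// Returns the validated values; fills $errors with one message per failure.
function validate_form(array $post, array &$errors): array
{
    $errors = [];
    $clean  = ['name' => '', 'email' => ''];
    // isset() only tells us the fields were submitted; it validates nothing.
    if (!isset($post['name'], $post['email'])) {
        $errors[] = 'Both name and email are required.';
        return $clean;
    }
    // FILTER_VALIDATE_EMAIL returns the address or false and changes nothing,
    // unlike FILTER_SANITIZE_EMAIL, which silently strips characters.
    $email = filter_var(trim($post['email']), FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        $errors[] = 'Please enter a valid email address.';
    } else {
        $clean['email'] = $email;
    }
    // Name rule (assumed): letters in any script, spaces, dots, hyphens,
    // apostrophes; 1 to 100 characters.
    $name = trim($post['name']);
    if (preg_match("/^[\p{L} .'-]{1,100}$/u", $name) !== 1) {
        $errors[] = 'Please enter your name (letters, spaces, hyphens, apostrophes).';
    } else {
        $clean['name'] = $name;
    }
    return $clean;
}

$errors = [];
$clean  = validate_form($_POST, $errors);
if ($errors) {
    // Show the form again with every error; escape output to avoid XSS.
    foreach ($errors as $e) {
        echo '<p class="error">' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    exit;
}

// Placeholder DSN/credentials. Native prepares keep data and SQL separate.
$pdo = new PDO('mysql:host=localhost;dbname=database;charset=utf8mb4', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$stmt = $pdo->prepare('INSERT INTO tablename (name, email) VALUES (:name, :email)');
$stmt->execute([':name' => $clean['name'], ':email' => $clean['email']]);
echo 'Thank you! We will be in touch soon.';
```

With this layout the user sees exactly which field failed and what they typed, and nothing the user submitted ever becomes part of the SQL or the HTML without being checked or escaped.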
