Jump to content

Sanitize Form Fields With A Function


wright67uk

Recommended Posts

I'm attempting to sanatise a form input.

At the moment I can type in <h1> and for it to effect my webpage.

 

Can you tell me where I am going wrong?

At the moment I'm trying to sanitize the location, but plan to use the function on all of the fields

 


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>

<style type="text/css">
input[type=text] {width: 40px;}
p {font-family: sans-serif; font-size:14px;}
#Score {color:#CCCCCC;}
#ParScore {color:#CCCCCC;}
</style>

<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(
["phpf._setAccount", "UA-33447233-1"],
["phpf._setDomainName", "phpfreaks.com"],
["phpf._trackPageview"]
);
_gaq.push(
["orig._setAccount", "UA-1625146-1"],
["orig._setDomainName", "phpfreaks.com"],
["orig._trackPageview"]
);
(function() {
var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;
ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";
var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(
["phpf._setAccount", "UA-33447233-1"],
["phpf._setDomainName", "phpfreaks.com"],
["phpf._trackPageview"]
);
_gaq.push(
["orig._setAccount", "UA-1625146-1"],
["orig._setDomainName", "phpfreaks.com"],
["orig._trackPageview"]
);
(function() {
var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;
ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";
var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);
})();
</script></head>

<body>

<?php
// Sanitize input

function sanitize($in) { return addslashes(htmlspecialchars(strip_tags(trim($in)))); }

if(isset($_POST['processForm']))
{
$location = sanitize($_POST['location']);
$par1 = $_POST['par1']; $par1 = trim($par1);
$par2 = $_POST['par2']; $par2 = trim($par2);
$par3 = $_POST['par3']; $par3 = trim($par3);
$par4 = $_POST['par4']; $par4 = trim($par4);
$par5 = $_POST['par5']; $par5 = trim($par5);
$par6 = $_POST['par6']; $par6 = trim($par6);
$par7 = $_POST['par7']; $par7 = trim($par7);
$par8 = $_POST['par8']; $par8 = trim($par8);
$par9 = $_POST['par9']; $par9 = trim($par9);

if (empty($location)) {echo "You haven't entered a location"; exit();}
else if (empty($par1)) {echo "You haven't entered a score for Hole 1"; exit();}
else if (empty($par2)) {echo "You haven't entered a score for Hole 2"; exit();}
else if (empty($par3)) {echo "You haven't entered a score for Hole 3"; exit();}
else if (empty($par4)) {echo "You haven't entered a score for Hole 4"; exit();}
else if (empty($par5)) {echo "You haven't entered a score for Hole 5"; exit();}
else if (empty($par6)) {echo "You haven't entered a score for Hole 6"; exit();}
else if (empty($par7)) {echo "You haven't entered a score for Hole 7"; exit();}
else if (empty($par8)) {echo "You haven't entered a score for Hole 8"; exit();}
else if (empty($par9)) {echo "You haven't entered a score for Hole 9"; exit();}

$user_id = 7;

PASSWORDS HERE

$connect_solning = mysql_connect($hostname_connect, $username_connect, $password_connect) or trigger_error(mysql_error(),E_USER_ERROR);
@mysql_select_db($database_connect) or die (mysql_error());

$sql = "INSERT INTO snag_score_cards
(user_id, location, par1, par2, par3, par4, par5, par6, par7, par8, par9)
VALUES ('$user_id', '$_POST[location]', '$_POST[par1]', '$_POST[par2]', '$_POST[par3]', '$_POST[par4]', '$_POST[par5]', '$_POST[par6]', '$_POST[par7]', '$_POST[par8]', '$_POST[par9]')";

mysql_query($sql);

echo "<br/> A scorecard for $location, has now been added <br/> You can use the form again to enter a new card.";

};
?>
<p>Enter your location</p>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<input type="hidden" name="processForm" value="1" />
<input autocomplete="off" name="location" id="location" size="18" value=""/><br /><br />


<input type="text" autocomplete="off" name="Scores" id="Score" value="Score" readonly style="border:0px" />
<input type="text" autocomplete="off" name="Par1" id="Par" value=" Par" readonly style="border:0px" />
<input name="Par Score" id="ParScore" value=" Par Score" readonly style="border:0px" /><br>

<input type="text" autocomplete="off" name="sum1" id="hole1A" readonly value="" />
<input type="text" autocomplete="off" name="par1" value="" id="hole1B" />
<input type="text" name="sum" value="" id="hole1result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole2A" readonly value="" />
<input type="text" autocomplete="off" name="par2" value="" id="hole2B" />
<input type="text" name="sum2T" value="" id="hole2result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole3A" readonly value="" />
<input type="text" autocomplete="off" name="par3" value="" id="hole3B" />
<input type="text" name="sum3" value="" id="hole3result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole4A" readonly value="" />
<input type="text" autocomplete="off" name="par4" value="" id="hole4B" />
<input type="text" name="sum4" value="" id="hole4result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole5A" readonly value="" />
<input type="text" autocomplete="off" name="par5" value="" id="hole5B" />
<input type="text" name="sum5" value="" id="hole5result" readonly style=""> <br>


<input type="text" autocomplete="off" name="sum1" id="hole6A" readonly value="" />
<input type="text" autocomplete="off" name="par6" value="" id="hole6B" />
<input type="text" name="sum6" value="" id="hole6result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole7A" readonly value="" />
<input type="text" autocomplete="off" name="par7" value="" id="hole7B" />
<input type="text" name="sum7" value="" id="hole7result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole8A" readonly value="" />
<input type="text" autocomplete="off" name="par8" value="" id="hole8B" />
<input type="text" name="sum8" value="" id="hole8result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole9A" readonly value="" />
<input type="text" autocomplete="off" name="par9" value="" id="hole9B" />
<input type="text" name="sum9" value="" id="hole9result" readonly style=""> <br>

<input type="text" name="" id="" value="" readonly style="border:0px" />
<input type="text" name="" id="" value="" readonly style="border:0px" />


<input type="submit" name="submit" value="Create"/>

</form>
</body> </html>
[/Code]

Link to comment
Share on other sites

The variable you are putting into your query statement is the original $_POST variable, not the filtered/validated/sanitized value, so of course any < > tags will still be present in it. You should also be using mysql_real_escape_string to escape the string data being put into your query. Addslashes does not escape all the sql special characters in the character encoding your database is using and it should not be used to escape string data being put into a query.

 

I think one of the issues with your code is that you have too much of it. You have repeated lines/groups of code that only differ in the name/variable/value it contains. That's a sign you have sets of related data, and sets of data need to use arrays.

 

Here are some general hints -

 

1) You should only use name/id/value attributes in your html markup when they are needed. You have so much extra markup, reused field names, and unused elements in your form, that I don't know what you are trying to do, or I would have posted an example that used the next two items.

 

2) You should have an array that defines the form fields so that you can a) dynamically produce the form by looping over the array, and B) you can use this same defining array of fields in your form processing code to determine what you do for each input.

 

3) You should use a html array for the repetitive form field name, with an index value of 1-9 (name = 'par[1]'), rather than a series of name/numbered fields (name= 'par1'). This will allow you to use php array functions to process/loop over the submitted data, since you are going to process each of those 9 fields identically. It will also allow you to use javascript array functions, assuming that is how you are populating the sum fields in the form.

Edited by PFMaBiSmAd
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.