
I'm attempting to sanitise a form input.

At the moment I can type in <h1> and for it to affect my webpage.

 

Can you tell me where I am going wrong?

At the moment I'm trying to sanitize the location, but plan to use the function on all of the fields

 


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>

<style type="text/css">
input[type=text] {width: 40px;}
p {font-family: sans-serif; font-size:14px;}
#Score {color:#CCCCCC;}
#ParScore {color:#CCCCCC;}
</style>

</head>

<body>

<?php
// Sanitize input

function sanitize($in) { return addslashes(htmlspecialchars(strip_tags(trim($in)))); }

if(isset($_POST['processForm']))
{
$location = sanitize($_POST['location']);
$par1 = $_POST['par1']; $par1 = trim($par1);
$par2 = $_POST['par2']; $par2 = trim($par2);
$par3 = $_POST['par3']; $par3 = trim($par3);
$par4 = $_POST['par4']; $par4 = trim($par4);
$par5 = $_POST['par5']; $par5 = trim($par5);
$par6 = $_POST['par6']; $par6 = trim($par6);
$par7 = $_POST['par7']; $par7 = trim($par7);
$par8 = $_POST['par8']; $par8 = trim($par8);
$par9 = $_POST['par9']; $par9 = trim($par9);

if (empty($location)) {echo "You haven't entered a location"; exit();}
else if (empty($par1)) {echo "You haven't entered a score for Hole 1"; exit();}
else if (empty($par2)) {echo "You haven't entered a score for Hole 2"; exit();}
else if (empty($par3)) {echo "You haven't entered a score for Hole 3"; exit();}
else if (empty($par4)) {echo "You haven't entered a score for Hole 4"; exit();}
else if (empty($par5)) {echo "You haven't entered a score for Hole 5"; exit();}
else if (empty($par6)) {echo "You haven't entered a score for Hole 6"; exit();}
else if (empty($par7)) {echo "You haven't entered a score for Hole 7"; exit();}
else if (empty($par8)) {echo "You haven't entered a score for Hole 8"; exit();}
else if (empty($par9)) {echo "You haven't entered a score for Hole 9"; exit();}

$user_id = 7;

PASSWORDS HERE

$connect_solning = mysql_connect($hostname_connect, $username_connect, $password_connect) or trigger_error(mysql_error(),E_USER_ERROR);
@mysql_select_db($database_connect) or die (mysql_error());

// Note: the query below interpolates the raw $_POST values, not the sanitized $location
$sql = "INSERT INTO snag_score_cards
(user_id, location, par1, par2, par3, par4, par5, par6, par7, par8, par9)
VALUES ('$user_id', '$_POST[location]', '$_POST[par1]', '$_POST[par2]', '$_POST[par3]', '$_POST[par4]', '$_POST[par5]', '$_POST[par6]', '$_POST[par7]', '$_POST[par8]', '$_POST[par9]')";

mysql_query($sql);

echo "<br/> A scorecard for $location, has now been added <br/> You can use the form again to enter a new card.";

}
?>
<p>Enter your location</p>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="hidden" name="processForm" value="1" />
<input autocomplete="off" name="location" id="location" size="18" value=""/><br /><br />


<input type="text" autocomplete="off" name="Scores" id="Score" value="Score" readonly style="border:0px" />
<input type="text" autocomplete="off" name="Par1" id="Par" value=" Par" readonly style="border:0px" />
<input name="Par Score" id="ParScore" value=" Par Score" readonly style="border:0px" /><br>

<input type="text" autocomplete="off" name="sum1" id="hole1A" readonly value="" />
<input type="text" autocomplete="off" name="par1" value="" id="hole1B" />
<input type="text" name="sum" value="" id="hole1result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole2A" readonly value="" />
<input type="text" autocomplete="off" name="par2" value="" id="hole2B" />
<input type="text" name="sum2T" value="" id="hole2result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole3A" readonly value="" />
<input type="text" autocomplete="off" name="par3" value="" id="hole3B" />
<input type="text" name="sum3" value="" id="hole3result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole4A" readonly value="" />
<input type="text" autocomplete="off" name="par4" value="" id="hole4B" />
<input type="text" name="sum4" value="" id="hole4result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole5A" readonly value="" />
<input type="text" autocomplete="off" name="par5" value="" id="hole5B" />
<input type="text" name="sum5" value="" id="hole5result" readonly style=""> <br>


<input type="text" autocomplete="off" name="sum1" id="hole6A" readonly value="" />
<input type="text" autocomplete="off" name="par6" value="" id="hole6B" />
<input type="text" name="sum6" value="" id="hole6result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole7A" readonly value="" />
<input type="text" autocomplete="off" name="par7" value="" id="hole7B" />
<input type="text" name="sum7" value="" id="hole7result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole8A" readonly value="" />
<input type="text" autocomplete="off" name="par8" value="" id="hole8B" />
<input type="text" name="sum8" value="" id="hole8result" readonly style=""> <br>

<input type="text" autocomplete="off" name="sum1" id="hole9A" readonly value="" />
<input type="text" autocomplete="off" name="par9" value="" id="hole9B" />
<input type="text" name="sum9" value="" id="hole9result" readonly style=""> <br>

<input type="text" name="" id="" value="" readonly style="border:0px" />
<input type="text" name="" id="" value="" readonly style="border:0px" />


<input type="submit" name="submit" value="Create"/>

</form>
</body> </html>

https://forums.phpfreaks.com/topic/272332-sanitize-form-fields-with-a-function/

The variable you are putting into your query statement is the original $_POST variable, not the filtered/validated/sanitized value, so of course any < > tags will still be present in it. You should also be using mysql_real_escape_string to escape the string data being put into your query. Addslashes does not escape all the sql special characters in the character encoding your database is using and it should not be used to escape string data being put into a query.

 

I think one of the issues with your code is that you have too much of it. You have repeated lines/groups of code that only differ in the name/variable/value it contains. That's a sign you have sets of related data, and sets of data need to use arrays.

 

Here are some general hints -

 

1) You should only use name/id/value attributes in your html markup when they are needed. You have so much extra markup, reused field names, and unused elements in your form, that I don't know what you are trying to do, or I would have posted an example that used the next two items.

 

2) You should have an array that defines the form fields so that you can a) dynamically produce the form by looping over the array, and b) you can use this same defining array of fields in your form processing code to determine what you do for each input.

 

3) You should use an html array for the repetitive form field name, with an index value of 1-9 (name = 'par[1]'), rather than a series of name/numbered fields (name= 'par1'). This will allow you to use php array functions to process/loop over the submitted data, since you are going to process each of those 9 fields identically. It will also allow you to use javascript array functions, assuming that is how you are populating the sum fields in the form.

Edited by PFMaBiSmAd
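A rewrite of the processing code along the lines of the reply above (an added example, not code from the thread): one field-defining array drives both the form and the processing, the scores are posted as par[1]..par[9], each value is validated against what the field may contain instead of being stripped, the location is escaped on output, and a PDO prepared statement replaces the string-built query (the mysql_* functions the thread uses were removed in PHP 7, so parameter binding stands in for mysql_real_escape_string). The table and column names and the user_id of 7 come from the thread; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the thread's code. One array defines the fields and drives both the
// form and the processing (hint 2); the nine scores are posted as par[1]..par[9] (hint 3).
$fields = ['location' => 'Location'];
for ($i = 1; $i <= 9; $i++) {
    $fields["par[$i]"] = "Hole $i";
}

// Validate the submitted values; returns [$errors, $clean]. Each value is checked against
// what the field may legitimately contain rather than "cleaned" with strip_tags/addslashes.
function validateScorecard(array $post): array
{
    $errors = [];
    $clean  = ['location' => trim((string)($post['location'] ?? '')), 'par' => []];
    if ($clean['location'] === '') {
        $errors[] = "You haven't entered a location";
    }
    $pars = is_array($post['par'] ?? null) ? $post['par'] : [];
    for ($i = 1; $i <= 9; $i++) {
        $v = trim((string)($pars[$i] ?? ''));
        // A score is a small positive integer; anything else is rejected outright
        if (!ctype_digit($v) || (int)$v < 1 || (int)$v > 20) {
            $errors[] = "You haven't entered a valid score for Hole $i";
        }
        $clean['par'][$i] = (int)$v;
    }
    return [$errors, $clean];
}

if (isset($_POST['processForm'])) {
    [$errors, $clean] = validateScorecard($_POST);
    if ($errors) {
        echo '<p>' . implode('<br />', $errors) . '</p>';
    } else {
        // Placeholder DSN and credentials. Bound parameters keep the data out of the SQL text.
        $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_HERE;charset=utf8mb4',
            'USER_HERE', 'PASSWORD_HERE', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $stmt = $pdo->prepare('INSERT INTO snag_score_cards
            (user_id, location, par1, par2, par3, par4, par5, par6, par7, par8, par9)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)');
        $stmt->execute(array_merge([7, $clean['location']], array_values($clean['par'])));
        // Escape on output: the location is rendered as text, so a typed <h1> shows literally
        echo '<br /> A scorecard for ' . htmlspecialchars($clean['location'], ENT_QUOTES, 'UTF-8')
            . ' has now been added <br /> You can use the form again to enter a new card.';
    }
}
// The same $fields array renders the form, so the fields and the processing cannot drift apart
echo '<form method="post"><input type="hidden" name="processForm" value="1" />';
foreach ($fields as $name => $label) {
    echo "<p>$label <input type=\"text\" name=\"$name\" autocomplete=\"off\" /></p>";
}
echo '<input type="submit" value="Create" /></form>';
```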