Form Validation & Security?

[NewcastleFan]

Hey all, I'm trying a little project to help improve my php and mysql knowledge.

 

I'm struggling with email validation and security.

 

I'm looking to check if an email is valid or not before I add the ability to add it into a database.

 

What I have so far:

<?php
	$errormsg ="";
	if (isset($_POST['adduser'])){

	$email = mysql_real_escape_string($_POST['email']);
	$pword = mysql_real_escape_string($_POST['pword']);
	$pword2 = mysql_real_escape_string($_POST['pword2']);

	if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
	
		if ($email == "") {
			$errormsg ="Error, You must fill in the email box.";
		}
		else if ($pword == "") {
			$errormsg ="Error, You must fill in the password box.";
		}
		else if ($pword2 == "") {
			$errormsg ="Error, You must fill in the repeat password box.";
		}
		else if ($pword != $pword2) {
			$errormsg ="Error, Your passwords don't match!";
		}
		else {
			$errormsg = "Success!";
		}
	} else {
			$errormsg = "Invalid email format, please use a valid email address.";
	
	}	
	
}
?>

This always outputs the error message "Error, You must fill in the email box" now, however without the Filter_Validate_email it outputs success when all boxes are filled in.

 

Anyone got any help on a ) whats going wrong and b ) any other security features I can add?

 

Thanks!

Edited May 25, 2013 by NewcastleFan

[Strider64]

<?php
// At top of file have:
$errorMsg = NULL;

// Inside isset($_POST['adduser']) if statement

if (!filter_var($email, FILTER_VALIDATE_EMAIL) {
    $errorMsg = '<li>Invalid Email Address!'</li>';
}

if ($email == "") {
    $errorMsg .= '<li>Password is blank</li>';
}

function isEmailAvailabe($email) {
   // I'll let you figure this function out...
   return $result;
}

// You can even check the database to see if email has been already used:
if (isEmailAvailable($email)) { // I'll let you figure out how to write that function:
    $errorMsg .= '<li>Password is taken, Please Re-Enter: </li>';        
}

// Then when you are all done validating this:
if (!$errorMsg) {
   // OK to write to Database:
}

?>

if you have errors you maybe can do something like this in your html:

<div class="error-styling">
        <ul>
           <?php echo (isset($errorMsg)) ? $errorMsg : '<li>Registration Page</li>'; ?>
        </ul>
    </div>

Edited May 25, 2013 by Strider64

[kicken]

 

<?php
	$email = mysql_real_escape_string($_POST['email']);
	$pword = mysql_real_escape_string($_POST['pword']);
	$pword2 = mysql_real_escape_string($_POST['pword2']);

	if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {

 

Always do your validations BEFORE you escape the data for use in a query. That is, before you call mysql_real_escape_string or similar. Since the escape function will modify the value, there is the potential for it to turn a valid value into an invalid value. If you do your validations after, the user would get an error on their input even though as far as they can tell it meets all the requirements.

 

Save the escaping for just prior to actually using the value in the SQL query.

[Strider64]

Always do your validations BEFORE you escape the data for use in a query. That is, before you call mysql_real_escape_string or similar. Since the escape function will modify the value, there is the potential for it to turn a valid value into an invalid value. If you do your validations after, the user would get an error on their input even though as far as they can tell it meets all the requirements.

 

Save the escaping for just prior to actually using the value in the SQL query.

I just wanted to add you sometimes can combine Validating & Escaping in the same function thus killing two birds with one stone , but like kicken says always validate first.