Form Validation & Security?


NewcastleFan

Hey all, I'm trying a little project to help improve my PHP and MySQL knowledge.

 

I'm struggling with email validation and security.

 

I'm looking to check if an email is valid or not before I add the ability to add it into a database.

 

What I have so far:

<?php
	$errormsg ="";
	if (isset($_POST['adduser'])){

	$email = mysql_real_escape_string($_POST['email']);
	$pword = mysql_real_escape_string($_POST['pword']);
	$pword2 = mysql_real_escape_string($_POST['pword2']);

	if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
	
		if ($email == "") {
			$errormsg ="Error, You must fill in the email box.";
		}
		else if ($pword == "") {
			$errormsg ="Error, You must fill in the password box.";
		}
		else if ($pword2 == "") {
			$errormsg ="Error, You must fill in the repeat password box.";
		}
		else if ($pword != $pword2) {
			$errormsg ="Error, Your passwords don't match!";
		}
		else {
			$errormsg = "Success!";
		}
	} else {
			$errormsg = "Invalid email format, please use a valid email address.";
	
	}	
	
}
?>

This always outputs the error message "Error, You must fill in the email box" now; however, without the FILTER_VALIDATE_EMAIL check it outputs success when all boxes are filled in.

 

Anyone got any help on a) what's going wrong and b) any other security features I can add?

 

Thanks!

Edited by NewcastleFan

<?php
// At top of file have:
$errorMsg = NULL;

// Inside isset($_POST['adduser']) if statement

if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    $errorMsg = '<li>Invalid Email Address!</li>';
}

if ($pword == "") {
    $errorMsg .= '<li>Password is blank</li>';
}

function isEmailAvailable($email) {
    // I'll let you figure this function out... (look the address up in your
    // users table and return true only when no row matches)
    $result = true; // placeholder so the snippet runs as-is
    return $result;
}

// You can even check the database to see if email has been already used:
if (!isEmailAvailable($email)) {
    $errorMsg .= '<li>Email is taken, Please Re-Enter: </li>';
}

// Then when you are all done validating this:
if (!$errorMsg) {
    // OK to write to Database:
}

?>



If you have errors, you can maybe do something like this in your HTML:

<div class="error-styling">
    <ul>
        <?php echo (isset($errorMsg)) ? $errorMsg : '<li>Registration Page</li>'; ?>
    </ul>
</div>
Edited by Strider64

 

<?php
	$email = mysql_real_escape_string($_POST['email']);
	$pword = mysql_real_escape_string($_POST['pword']);
	$pword2 = mysql_real_escape_string($_POST['pword2']);

	if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {

 

Always do your validations BEFORE you escape the data for use in a query. That is, before you call mysql_real_escape_string or similar. Since the escape function will modify the value, there is the potential for it to turn a valid value into an invalid value. If you do your validations after, the user would get an error on their input even though as far as they can tell it meets all the requirements.

 

Save the escaping for just prior to actually using the value in the SQL query.


Always do your validations BEFORE you escape the data for use in a query. That is, before you call mysql_real_escape_string or similar. Since the escape function will modify the value, there is the potential for it to turn a valid value into an invalid value. If you do your validations after, the user would get an error on their input even though as far as they can tell it meets all the requirements.

 

Save the escaping for just prior to actually using the value in the SQL query.

I just wanted to add that you sometimes can combine validating and escaping in the same function, thus killing two birds with one stone ;D, but like kicken says, always validate first.
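The validate-first order that kicken describes and the reply above echoes, as an added example that is not code from the thread. It assumes the original post's field names (email, pword, pword2), uses addslashes() as a stand-in for mysql_real_escape_string (which needs a live connection and was removed in PHP 7), and shows a sample address that the escaping step would turn from valid into invalid.

```php
<?php
declare(strict_types=1);

// Validate the raw, trimmed form values and collect every problem.
// Escaping happens later, only at the query, never before validation.
function validateRegistration(array $post): array
{
    $errors = [];
    $email  = trim($post['email'] ?? '');
    $pword  = $post['pword'] ?? '';
    $pword2 = $post['pword2'] ?? '';

    if ($email === '') {
        $errors[] = 'You must fill in the email box.';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email format, please use a valid email address.';
    }
    if ($pword === '') {
        $errors[] = 'You must fill in the password box.';
    }
    if ($pword2 === '') {
        $errors[] = 'You must fill in the repeat password box.';
    } elseif ($pword !== $pword2) {
        $errors[] = "Your passwords don't match!";
    }
    return $errors;
}

// Why the order matters: an apostrophe is legal in the local part of an
// address, so the raw value passes FILTER_VALIDATE_EMAIL, but the escaped
// copy gains a backslash that the filter rejects. Validating the escaped
// copy would wrongly turn this user away.
$raw     = "o'brien@example.com";   // constructed sample input
$escaped = addslashes($raw);        // stand-in for mysql_real_escape_string
var_dump(filter_var($raw, FILTER_VALIDATE_EMAIL) !== false);
var_dump(filter_var($escaped, FILTER_VALIDATE_EMAIL) !== false);

// Constructed submission with no problems, so the insert may proceed.
$errors = validateRegistration([
    'email' => $raw, 'pword' => 'correct horse', 'pword2' => 'correct horse',
]);
if ($errors === []) {
    // Escape only here, just before the query. A PDO bound parameter (shown
    // as a comment; $pdo is assumed) replaces manual escaping entirely:
    // $stmt = $pdo->prepare('INSERT INTO users (email, pword_hash) VALUES (?, ?)');
    // $stmt->execute([$raw, password_hash('correct horse', PASSWORD_DEFAULT)]);
}
```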
