Jump to content

Form validation w/ short text description


Recommended Posts

I have a form that I use regex to validate an entered e-mail address and monetary amount.  I'm wondering, though, if I should try using regex to validate an 80 character description field that's in the form in order to tighten security.  Right now, I just pass the value, if there is one, through an escape function:

<?php
$title = 'Advertiser Transaction Form';

require_once('logincheck.php');
require_once('myconnect.php');
include_once('../includes/adminheader.inc');
include_once('../includes/leftpanel.inc');

function myEscape($string){
	return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
}

if(isset($_POST['back'])){
	header('Location: adminhome_new.php');
}

if(isset($_POST['submit'])){ //process the form
	$errMsg = '';

	if(isset($_POST['email'])){
		if(preg_match('/^[\w-]+(\.[\w-]+)*@([\w-]+\.)+[a-zA-Z]{2,7}$/i', $_POST['email'])){
			$email = myEscape($_POST['email']);
		}
		else{
			$errMsg .= "Please enter a correctly formed e-mail address!<br />";
			$email = false;
		}
	}
	else{
		$errMsg .= "Please enter an advertiser's e-mail address!<br />";
		$email = false;
	}

	if(isset($_POST['amount'])){
		if(preg_match('/^\-?[0-9]+(\.[0-9]+)?$/', $_POST['amount'])){
			$amount = myEscape($_POST['amount']);
		}
		else{
			$errMsg .= "Please enter a numeric amount!<br />";
			$amount = false;
		}
	}
	else{
		$errMsg .= "Please enter a transaction amount!<br />";
		$amount = false;
	}

	if(isset($_POST['description'])){
		$desc = myEscape($_POST['description']);
	}
	else{
		$desc = false;
	}

	if($email && $amount){
		$query = "SELECT * FROM sbclassified_advertisers WHERE email='$email'";
		$result = mysql_fetch_assoc(mysql_query($query));

		if($result){
			$id = $result["id"];

			$insertQuery = "INSERT INTO sbclassified_adv_transactions (adv_id, amount, description, date_submitted) VALUES ($id, $amount, '$description', '".date("Ymdhis", time())."')";
         
			$insertResult = mysql_query($insertQuery);

			if(mysql_affected_rows() == 1){
				header("Location: view_adv_transactions.php?id=$id");
			}
			else{
				echo "<span style='color: red;'>There was a problem with the transaction.  Please try again</span><br /><br />";
			}
		}
		else{
			echo "<span style='color: red;'>The e-mail address entered does not match any within the system.  Please try again</span><br /><br />";
		}
	}
	else{
		echo "<p style='color: red;'>$errMsg</p>";
	}
}
?>

<!-- <script type="text/javascript" src="add_adv_transaction.js"></script> -->

<div id="admincontent">
<div class="admintitlebar">
	Advertiser Transaction Form
</div>

<div id="adminsearch">
	<form id="advTransaction" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
		<fieldset>
			<legend>Enter transaction info below</legend>

			<p>
				<label for="email">Advertiser E-mail: </label>
				<input type="text" name="email" />
			</p>
			<p>
				<label for="amount">Amount:<sup>1</sup> </label>
				<input type="text" name="amount" />
			</p>
			<p>
				<label for="description">Description:<sup>2</sup> </label>
				<input type="text" name="description" maxlength="80" />
			</p>
			<p class="smalltext">
				<br />
				1: Do not input your currency's symbol.  If you want to deduct money, enter the amount as a negative entry.<br />
				2: Description must not be more than 80 characters long.
			</p>
		</fieldset>
		<input type="submit" name="submit" value="Submit" /><input type="submit" name="back" value="Go Back" />
	</form>
</div>
</div>

<?php
include_once('../includes/footer.inc');
?>

 

Should I even bother with trying regex in this case?  I'm thinking it would be a pain trying to come up with a truly useful pattern.

Link to comment
https://forums.phpfreaks.com/topic/70483-form-validation-w-short-text-description/
Share on other sites

What makes the 80 character field valid?

 

That's actually where I'm stuck.  Basically, anything that won't attempt to inject into/hijack my database, or profanity (it's an e-commerce site, after all), could be considered valid.  That's a rather large range, hence my trepidation.  The 80 character limit helps, but not by much.

I prefer to use htmlentities over strip_tags simply because it makes it easier to spot attacks; it also clearly shows to the attacker (assuming they can view what they've submitted) that you protecting against it.  Hopefully that would limit their inclination to try and attack more forms in your site.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.