PHP - Trying To Validate Input, But It's Not Working
Hello
I have a PHP page that sends text entered by a user to our database which we use to display news. This system supports various languages but occasionally we get issues with odd characters being entered...
For example, the premade glyph for ellipsis which is normally represented by 3 .'s broke our system today
How can I check that each character is valid and within range?
These are our character ranges
ExtendedLatin_c_iLowerAlphaChar = 0x00C0;
ExtendedLatin_c_iUpperAlphaChar = 0x01FF;
Arabic_c_iLowerChar = 0x600;
Arabic_c_iUpperChar = 0x6FF;
Arabic_c_iLowerAlphaChar = 0x621;
Arabic_c_iUpperAlphaChar = 0x64A;
Arabic_c_iLowerNumericChar = 0x660;
Arabic_c_iUpperNumericChar = 0x669;
So each character must fall within one of these ranges... but I have no idea how to get the hex value of a character in PHP
Thanks
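One way to do the per-character range check asked about above, as an added example that is not part of the original post. It assumes PHP 7.4+ with the mbstring extension and UTF-8 input; the function name and the Basic Latin row are assumptions, while the Extended Latin and Arabic bounds are the ones listed in the post.

```php
<?php
declare(strict_types=1);

// Allow-list of code point ranges. The Basic Latin row is an assumption
// added so that plain ASCII text passes; the other bounds come from the post.
const ALLOWED_RANGES = [
    [0x0020, 0x007E], // Basic Latin printable characters (assumed)
    [0x00C0, 0x01FF], // ExtendedLatin_c_iLowerAlphaChar .. iUpperAlphaChar
    [0x0600, 0x06FF], // Arabic_c_iLowerChar .. Arabic_c_iUpperChar
];

/**
 * Return every character of $text that lies outside all allowed ranges,
 * as [character index => "U+XXXX"]. An empty array means the text is valid.
 * Malformed UTF-8 is rejected up front, because code points cannot be read
 * reliably from a broken byte sequence.
 */
function findDisallowedChars(string $text): array
{
    if ($text === '') {
        return [];
    }
    if (!mb_check_encoding($text, 'UTF-8')) {
        throw new InvalidArgumentException('Input is not valid UTF-8');
    }
    $bad = [];
    foreach (mb_str_split($text, 1, 'UTF-8') as $i => $ch) {
        $cp = mb_ord($ch, 'UTF-8'); // numeric code point of this character
        $ok = false;
        foreach (ALLOWED_RANGES as [$lo, $hi]) {
            if ($cp >= $lo && $cp <= $hi) {
                $ok = true;
                break;
            }
        }
        if (!$ok) {
            $bad[$i] = sprintf('U+%04X', $cp);
        }
    }
    return $bad;
}

// Constructed sample inputs.
$samples = [
    "Caf\u{00E9} news",                 // e-acute is inside Extended Latin
    "Breaking\u{2026}",                 // premade ellipsis glyph, U+2026
    "\u{0645}\u{0631}\u{062D}\u{0628}\u{0627} \u{0661}\u{0662}", // Arabic letters and digits
];
foreach ($samples as $s) {
    $bad = findDisallowedChars($s);
    echo $bad ? 'reject ' . json_encode($bad) : 'accept', PHP_EOL;
}
```

Run the check on the server before the text reaches the database, and report the offending positions back to the user rather than silently stripping them.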
Hello, I need to validate 200 input fields if they are not empty. I have the following code where I'm stuck and I'm missing something. Any help is appreciated.

    if($_SERVER['REQUEST_METHOD'] == 'POST') {
        //print_r($_POST);
        foreach ($_POST as $value) {
            if (empty($value)){
                echo 'empty';
            } else {
                echo 'notempty';
            }
        }
    }

Hey Guys... I am trying to secure my php file and have been reading a lot regarding sql injection. I still don't understand clearly how to prevent sql injection through numeric data input, since from what I understood mysql_real_escape_string() does nothing about it, only prevents attacks on string input. Here's an example:

    if ($action == "checkId") {
        //retreive data from flash
        $user_id=mysql_real_escape_string($_POST['Id']);
        $result = mysql_query("SELECT user_id from users WHERE user_id = '$user_id'");
        if (mysql_num_rows($result) > 0) {
            echo "status1=exists";
        } else {
            echo "status1=id doesnt exist";
        }
    }

I would like to create a function like this:

    foreach($_POST as $post) {
        $postvars[$key] = htmlentities($post); //XSS prevention
        $postvars[$key] = mysql_real_escape_string($post); //Sql String Prevention
    }

But then again... How do I check on the numeric POST's? How do I validate them through this function? Any suggestions and/or ideas? Thanks a lot in advance! Cheers.

I have a problem w/ a widely used password protect php code. I use a business directory program that allows custom input fields. I'm using this code to password protect a business listing page in my directory code. I created custom fields for the username & password so a listing can enter their own user/pass, but when I test it, it won't work when I'm calling/echoing the fields. When I hardcode it w/ a user/pass it works.
Any ideas on how I should recode this?:

    <?php
    // Define your username and password
    $username = "<?php echo $custom_74; ?>";
    $password = "<?php echo $custom_16; ?>";
    if ($_POST['txtUsername'] != $username || $_POST['txtPassword'] != $password) {
    ?>
    <h1>Login</h1>
    <form name="form" method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
    <p><label for="txtUsername">Username:</label> <br /><input type="text" title="Enter your Username" name="txtUsername" /></p>
    <p><label for="txtpassword">Password:</label> <br /><input type="password" title="Enter your password" name="txtPassword" /></p>
    <p><input type="submit" name="Submit" value="Login" /></p>
    </form>
    <?php
    } else {
    ?>

I close the code correctly. <?php echo $custom_74; ?> & <?php echo $custom_16; ?> are just incidentally my custom field echo codes. I have over 150 custom fields working fine for user/listee options. The password protect code won't accept echos, it seems, as coded above. Thanks, Gene

On all my forms, after I send an empty string to one field, it will stop accepting values when I resubmit. My code passes through the W3C validator. Any ideas??

Hi, I want to control a variable (decide whether to track a click if coming from a specific site as opposed to hitting the final site (destination) directly). For example: www.portal.com - this will be a management site that will redirect viewers to the final destination based on variable info - for example $a=123 or $a=567 - which would come in as www.portal.com?a=123 or www.portal.com?a=567

Note: 123 would redirect to www.abc.com?a=123 and/or 567 would redirect to www.xyz.com?a=567 with said variable(s).

My question is this: What is the best method to authenticate (both on) www.abc.com and/or www.xyz.com that the referred viewer came from www.portal.com? I know about the super globals (HTTP_REFERER) but want to know if there are other (more) secure methods to manage this interaction between external domains/websites?
Any insight on this appreciated - thanks!

This is probably a simple one, but I'm not experienced with arrays. I have a form with looped dropdowns for items from a database. On submit it goes to a second page. Before I run any script I want to make sure the array created from the dropdowns contains anything greater than 0... I thought this would do it:

    if (isset($_POST['participantqty']) && ($_POST['participantqty']) > 0){

But it does nothing. I also tried:

    if (isset($_POST['participantqty[]']) && ($_POST['participantqty[]']) > 0){

Hi Everyone..
I am not sure if I should post this question here. I would like to fix this problem using PHP rather than HTML. I am new to PHP. This code is part of an old PHP gallery file. I am trying to validate my site but the site's links have some characters that make the link throw errors in W3C Validator. So I tried to replace the characters with HTML characters, for example ? are now replaced by ?
so my original link before using valid HTML characters looked like

    www.awebsite.com/viewgallery.php?cname=Colorado-Fall&pcaption=Lost-In-The-art

And now it looks like this ...

    www.awebsite.com/viewgallery.php?cname=Colorado-Fall&pcaption=Lost-In-The-art

But now W3C Validator shows an error like this:

    Line 32, Column 240: an attribute value must be a literal unless it contains only name characters
    …n class='next'><a href=viewgallery.php?cname=Colorado-Journeys&pca…
    You have used a character that is not considered a "name character" in an attribute value. Which characters are considered "name characters" varies between the different document types, but a good rule of thumb is that unless the value contains only lower or upper case letters in the range a-z you must put quotation marks around the value. In fact, unless you have extreme file size requirements it is a very very good idea to always put quote marks around your attribute values. It is never wrong to do so, and very often it is absolutely necessary.

I do not know what's going on. I have tried two different methods of validating an email and it keeps saying invalid email. I have even tried to debug it by putting errors and nothing. I have tried

    preg_match("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$^", $e)

and

    fliter_var($e, FLITER_VALIDATE_EMAIL);

The email I am trying to debug is a valid one. It's one I use daily. I have tried different emails and still no luck.... someone help me please!

Hi, I am fairly new to php and I wanted to know whether you could validate an "input type = text". I have made a class where I've made functions to validate text fields but I don't know how to call them with the html form. Any suggestions or tips .... Thanks in advance.

Hey everyone, I'm building my first newsletter sign up and wanted to add the validation of checking if the email is already in the database. This is the top part of the code that works.

    <?php
    switch ($_REQUEST['action']) {
    default:
    foreach($_POST as $key=>$value){
        $$key = $value;
    }
    if ($email == ''){
        $error_msg = 'email required';
    }
    elseif (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {
        $error_msg = 'Invalid email address';
    }
    echo "";
    if ($error_msg == ''){
        foreach($_POST as $key=>$value){
            $$key = htmlentities(stripslashes($value));
        }
        $Q = mysql_query("INSERT INTO newsletter (`email`) VALUES ('$email')");

But when I add my attempted validation it doesn't work.

    $check = mysql_query("SELECT FROM newsletter WHERE email = '$email'") or die(mysql_error());
    $check2 = mysql_num_rows($check);
    if ($check2 != 1) {
        $error_msg = 'email exists';

Could someone be so kind to add this code where it should go, I've tried everything.

I am working on a script for a simple form with only 2 options that are dropdowns. I need to validate these two options that there is a selection made. I have gotten the first one to validate, but I cannot get the second one to validate. Can anyone steer me in the right direction why only one is working? I get no errors in the script, so I assume I am just missing something.

    <?php
    // options for drop-down menu
    $choices = array('-- Choose Your Item','Anniversary Jacket', 'Anniversary T-Shirt');
    $sizes = array('-- Choose Your Size','L', 'XL');

    if($_SERVER['REQUEST_METHOD'] == 'GET'){ // display form when GET
        showForm(array());
    }
    else{ // process form if POST
        $errors = validateForm();
        if(count($errors)) showForm($errors); // if errors show again
        else print 'Form submitted succesfully!'; // no errors
    }

    // function generating form
    function showForm($errors){
        global $choices,$sizes;
        // set defaults
        $defaults = array();
        foreach($choices as $key => $choice){
            if(isset($_POST['item']) && ($_POST['item'] == $key)) $defaults['item'][$key] = 'selected';
            else $defaults['item'][$choice] = '';
        }
        foreach($sizes as $key => $size){
            if(isset($_POST['size']) && ($_POST['size'] == $key)) $defaults['size'][$key] = 'selected';
            else $defaults['size'][$size] = '';
        }
        // print form
        print "<form action='{$_SERVER['SCRIPT_NAME']}' method='post'>";
        print "<div>";
        print "<select name='item'>";
        foreach($choices as $key => $choice){
            print "<option value='{$key}' {$defaults['item'][$key]}>{$choice}</option>";
        }
        print "</select>";
        showError('item', $errors);
        print "</div>";
        print "<div>";
        print "<select name='size'>";
        foreach($sizes as $key => $size){
            print "<option value='{$key}' {$defaults['size'][$key]}>{$size}</option>";
        }
        print "</select>";
        showError('size', $errors);
        print "</div>";
        print "<input type='submit'/>";
        print "</form>";
    }

    // display error
    function showError($type, $errors){
        if(isset($errors[$type])) print "<b>{$errors[$type]}</b>";
    }

    // validate data
    function validateForm(){
        global $choices,$sizes;
        // start validation and store errors
        $error = array();
        // validate drop-down
        if(!(isset($_POST['item']) && (array_key_exists($_POST['item'], $choices)) && $_POST['item'] != 0))
            $errors['item'] = 'Select Item';
        return $errors;
        // validate drop-down
        if(!(isset($_POST['size']) && (array_key_exists($_POST['size'], $choices)) && $_POST['size'] != 0))
            $errors['size'] = 'Select Size';
        return $errors;
    }
    ?>

Where should I validate the return value?
In the function should I validate the value before returning it.
Or once the value has been returned, should I check it?
Is it really necessary to validate the return value?
Thank you.
How do I make email, name and phone required fields? Thanks in advance.

    <?php
    $email = $_POST['email'];
    $name = trim($_POST['name']);
    $phone = trim($_POST['phone']);
    $time = trim($_POST['time']);
    $zipcode = trim($_POST['zipcode']);
    $date = trim($_POST['date']);
    $EmailTo = "myemail@somedomain.com";
    $Subject = "form"; /// Add a subject
    $Body = "";
    $Body .= "Full name:\n$name\n\n";
    $Body .= "Primary phone:\n$phone\n\n";
    $Body .= "time:\n$time\n\n";
    $Body .= "Zip code:\n$zipcode\n\n";
    $Body .= "date:\n$date\n\n";
    if($Subject == NULL) {$Subject = "From $EmailFrom";}
    $success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");
    if ($success){ header ('Location: confirm.html');}
    else{ echo "Error! Your e-mail was not sent!";}
    ?>

I am writing a script that will parse my PHP classes and check for things like coupling, visualize my objects and connections, dependencies, check for convention usage, etc.
So, I have a simple file upload. I'm never saving the files, just get contents and dump the file and work with the string version.
I'm writing it for me, but I figure I might want to open it for others to use in the future, so I may as well write it that way to begin with -- so I need to validate user input. Problem is, the user input is supposed to be valid PHP code. I'm thinking that, as long as I'm careful, I shouldn't be executing any code contained in strings, but I'm no security expert and I want a warm fuzzy that my thought on this is correct. What kinds of things do I need to look out for? Is it possible to inject when working with strings?
My initial thought is to regex the entire file and replace key portions with known replacements. So ( and ) would become !* and !^ or $ would become @~ (combinations that -- I think -- don't make sense to php?) But that may be completely unnecessary processing time if I'm not in any danger, here. Thanks ahead of time for any help.
PS - as a side question -- what's the best way to verify a file is a php file? I know of getimagesize for images, but should I just check for <? to verify it's php? That seems like it would be too easy to fool -- then again, it might not matter much.
-Adam
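An added example, not part of the original post, of treating uploaded PHP source strictly as data: PHP's built-in tokenizer (`token_get_all`) reads the string without executing it, which also answers the "is this a PHP file" side question. The function name, the size limit and the sample upload are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Inspect uploaded source as data only: it is tokenized, never passed to
 * include, require or eval. 'is_php' is true when a PHP open tag is present.
 */
function inspectPhpSource(string $source, int $maxBytes = 1048576): array
{
    if (strlen($source) > $maxBytes) {
        throw new LengthException('Source too large');
    }
    $summary = ['is_php' => false, 'classes' => [], 'inline_html_bytes' => 0];
    $expectName = false; // true right after a "class" keyword
    foreach (token_get_all($source) as $tok) {
        if (!is_array($tok)) {       // single-character tokens such as ; { (
            $expectName = false;     // "new class {" or "Foo::class;" end here
            continue;
        }
        [$id, $text] = $tok;
        if ($id === T_OPEN_TAG || $id === T_OPEN_TAG_WITH_ECHO) {
            $summary['is_php'] = true;
        } elseif ($id === T_INLINE_HTML) {
            $summary['inline_html_bytes'] += strlen($text);
        } elseif ($id === T_CLASS) {
            $expectName = true;
        } elseif ($expectName && $id === T_STRING) {
            $summary['classes'][] = $text;
            $expectName = false;
        } elseif ($expectName && $id !== T_WHITESPACE) {
            $expectName = false;
        }
    }
    return $summary;
}

// Constructed sample upload. The exit() call shows that nothing in the
// uploaded string runs: the script continues past the inspection.
$upload = "<?php\nexit('never runs');\nclass Mailer { function send() {} }\n\$x = Foo::class;\n";
$info = inspectPhpSource($upload);

// Everything taken from the upload is untrusted, so escape it on output.
echo 'is_php: ', $info['is_php'] ? 'yes' : 'no', PHP_EOL;
echo 'classes: ', htmlspecialchars(implode(', ', $info['classes']), ENT_QUOTES, 'UTF-8'), PHP_EOL;

// A plain-text upload comes back as inline HTML only, so is_php stays false.
$notPhp = inspectPhpSource("just some notes, no code here\n");
echo 'plain text is_php: ', $notPhp['is_php'] ? 'yes' : 'no', PHP_EOL;
```

The remaining exposure is where the extracted strings go next: escape them when rendering HTML, bind them as parameters in SQL, and keep them out of `eval`, `include`, `unserialize` and shell commands.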
I hope I can explain what is happening. I have created two forms in PHP. The first 'almost' works, i.e. it shows the data. But I have two problems - 1) the second pulldown menu is always empty and 2) $value from the first pulldown menu ALWAYS equals the last entry thus the last 'if' in the function subdomains ($domains) is always called (but still empty). The code may explain this better than me:

    <!DOCTYPE html>
    <html>
    <body>
    <!-- processDomains.php is this file - it calls itself (for testing purposes so I can see what is happening) -->
    <form action="processDomains.php" method="post">
    <?php
    // create the domains array (there are actually several entries in the array but I cut it down for testing)
    $domains = array (1 => 'Decommission', 'Migration');
    echo "Select Domain:";
    echo "<br>";
    // Make the domain pull-down menu - this displays correctly
    echo '<select name="domain">';
    foreach ($domains as $key => $value) {
        echo "<option value=\"$key\">$value</option>\n";
    }
    echo '</select>';
    // input doesn't matter what is 'submitted', always goes to last $value
    echo '<input type="submit" name="submit" value="Submit">';
    // call function subdomains
    subdomains ($value);
    function subdomains ($domains) {
        // define values for each array - each array contains available choices for the subdomain pulldown menu
        $migration = array (1 => 'Application Migration', 'Application Patch', 'Application Upgrade');
        $decommission = array (1 => 'Applications', 'Servers', 'Storage');
        if ($domains === 'Migration') {
            echo "Select subdomain:";
            echo "<br>";
            // Make the Migration pull-down menu
            echo '<select name="migration">';
            foreach ($migration as $key => $value) {
                echo "<option value=\"$key\">$value</option>\n";
            }
            echo '</select>';
        }
        else if ($domains === 'Decommission') {
            /* ===
             * since 'Decommission' is the last entry in the 'Domains' pulldown list, $value ALWAYS equals
             * 'Decommission' and $domains equals $value. So this menu SHOULD work but is always
             * empty. Thus, two problems - the pulldown menu is always empty and $value isn't based
             * upon user input.
             */
            echo "Select subdomain:"; // this prints so I know I'm in 'Decommission (I eliminated the echo "$domain" to show I'm always coming here)'
            echo "<br>";
            // Make the 'Decommission' pull-down menu
            echo '<select name="decommission">';
            foreach ($decommission as $key => $value) {
                echo "<option value=\"$key\">$value</option>\n";
            }
            echo '</select>';
            echo '<input type="submit" name="submit" value="Submit">'
        ) // end of 'if-else'
    } // end of function 'subdomain'
    ?>
    </form>
    </body>
    </html>

Let me say thank you in advance and I appreciate the help! I know I'm doing something (or more than one thing) wrong and I hope someone can tell me what it is. Best Regards!

Edited by mac_gyver, 19 January 2015 - 09:37 PM. code tags around posted code please

There is a login page called login.php, after user type their username and password into textbox, then the page direct it to the page validate, which is validate.php. In validate.php, if user do not type anything, then direct it to the login.php again; if user type their username and password wrong less than 3 times, then direct it to the login.php also. However, if user type their username and password more than 3 times, then direct it to the register.php.
Question: I don't know how to make 3 attempts (maybe there is something wrong in my page), it doesn't work. Please help, here is my validate.php

    <?php
    $loginErrorV = false;
    $loginErrorW = false;
    if(!empty($_POST['username']) && !empty($_POST['password']) && strlen($_POST['username'])!=0 && strlen($_POST['password'])!=0) {
        //
        $username = $_POST['username'];
        $password = $_POST['username'];
        //Connect to Database
        $conn = mysql_connect("localhost", "root", "");
        if(!$conn){
            die('Could not connect:'.mysql_error());
        }
        mysql_select_db("logindb", $conn);
        //
        $sql = "Select count(username) as user_exist from logint where username = '$username' and password = '$password'";
        $result = mysql_query($sql, $conn);
        $row = mysql_fetch_assoc($result);
        //
        if($row['user_exist'] == 1){
            session_start();
            $_SESSION['username'] = $username;
            header('Location: 10586740.html');
            mysql_close($conn);
        } else {
            $loginErrorV = true;
        }
    } else {
        $loginErrorW = true;
    }
    if($loginErrorV){
        if(isset($_COOKIE['login'])){
            if($_COOKIE['login']<3){
                header('Location:login.php');
                $attempts = $_COOKIE['login'] + 1;
            } else {
                header('Location:register.php');
            }
        }
    }
    if($loginErrorW){
        header('Location:login.php');
    }
    ?>

Hey Everyone, I'm having trouble with this code. I'm trying to use preg_match to display an error when someone inputs their email and it doesn't have a specific domain (like for example yahoo.com). My logic is to use it as a filter: if the input doesn't have the word '@yahoo.com' it will show the error. What am I doing wrong?

    if(preg_match("/^[a-zA-Z]\w+(\.\w+)*\@\yahoo.com", $data['email']) === 0)
        $err .= "• $lang[ERROR_DOMAIN]<br>";

Any help will be greatly appreciated. Thanks. - STG

I need to validate the POST fields below except a few hidden inputs like User_id & category. They are not huge but I would not like to write for each a line of code like if(empty($_popst['field'])) ... How can I simplify this by checking only if they are empty and display a message that lists all fields that were not filled?

    array('user_id'=>$data['Id'],
        'surname'=>$_POST['surname'],
        'firstname'=>$_POST['firstname'],
        'middlename'=>$_POST['middlename'],
        'id_number'=>$_POST['id_number'],
        'pin_number'=>$_POST['pin_number'],
        'street'=>$_POST['street'],
        'estate'=>$_POST['estate'],
        'hse_number'=>$_POST['hse_number'],
        'town'=>$_POST['town'],
        'tele'=>$_POST['tele'],
        'mobi'=>$_POST['mobi'],
        'work_street'=>$_POST['work_street'],
        'work_building'=>$_POST['work_building'],
        'company'=>$_POST['company'],
        'work_town'=>$_POST['work_town'],
        'work_tele'=>$_POST['work_tele'],
        'work_fax'=>$_POST['work_fax'],
        'cont_surname'=>$_POST['cont_surname'],
        'cont_firstname'=>$_POST['cont_firstname'],
        'cont_middlename'=>$_POST['cont_middlename'],
        'cont_street'=>$_POST['cont_street'],
        'cont_building'=>$_POST['cont_building'],
        'cont_company'=>$_POST['cont_company'],
        'cont_home_tele'=>$_POST['cont_home_tele'],
        'cont_office_tele'=>$_POST['cont_office_tele'],
        'cont_mobi'=>$_POST['cont_mobi']);