PHP - Form Validation/regex/sql Injection Question
Similar Tutorials

Hey Guys! I have the following working PHP script (receives the variables from Flash):

```php
//LOGIN!
if ($action == "login") {
    //retrieve data from flash
    $username = mysql_real_escape_string($_POST['Username']);
    $password = mysql_real_escape_string($_POST['txtPassword']);
    $result = mysql_query("SELECT name, activated from buyers WHERE email = '$username' AND password = md5('$password')");
    $cant = 0;
    while ($row = mysql_fetch_array($result)) {
        echo "name$cant=$row[name]&activated$cant=$row[activated]&";
        $cant++;
    }
    echo "cant=$cant&";
    if (mysql_num_rows($result) > 0) {
        echo "status1=exists";
    } else {
        echo "status1=Incorrect Login";
    }
}
```

As you can see I have used mysql_real_escape_string for the variables $username and $password that are coming from Flash. I would really appreciate some guidance on whether this is the only safe code I need in this script. For example: does $action == "login" also need mysql_real_escape_string? That variable $action is also coming from Flash (but is not inputted by a user). Any ideas? Thanks in advance, Cheers!

Hi all, I thought instead of just simply doing all the security stuff automatically, why not see for myself what it can do. So I made a simple table besides the other tables named delete_me, made a form and started testing. But for some reason I can't get that table to drop. This is what I did on the front end, with help from http://en.wikipedia.org/wiki/SQL_injection: in all 3 fields (firstname, lastname, email) I put a value and in the last one I put: but nothing happened. If someone knows what I am doing wrong please tell me, because I think it's vital: in order to protect yourself one needs to know what he or she is up against.

I've been wondering about this for a while: do I need to put the escape on each WHERE? Or do I really only need to put it on the $_POST? I can probably understand why I need it on $_GET also after WHERE. So I'm wondering about the session id.

```php
<?php
mysql_query("UPDATE systems SET homes= $homes + '" . mysql_real_escape_string($_POST['homes']) . "' WHERE address = '" . mysql_real_escape_string($_GET['planet']) . "' AND id = '" . ($_SESSION['user_id']) . "'");
?>
```

I have a PHP comments filtration/validation script incorporated into my PHP/MySQL custom-built blog (under development). This script uses regex to evaluate the format of user-created comments. This function is supposed to accomplish the following tasks:

- All code except that in the whitelist must be wrapped in the permitted bbcode tags.
- The bbcode tags cannot be empty.
- The bbcode tags must be used in pairs.
- Other forms of bbcode tag must be rejected, except if wrapped in the permitted bbcode tag.
- The user cannot post only code; some descriptive text must be added to explain the code. This text can be before or after the code.
- The posted comment string must satisfy minimum and maximum length criteria.

I shall provide the developer with my current PHP script so he may understand how to lay the script out. If you are good at regex, contact me. Thanks.

Given the below rules and following browser input: user/joe/x

All right, so I've been sober for YEARS and now all of a sudden I'm tempted to have just ONE.....

This topic has been moved to PHP Regex. http://www.phpfreaks.com/forums/index.php?topic=307000.0

Hi Guys. This should, hopefully, be a pretty simple question for someone with regex experience to answer. I've been reading all the regex guides and tried various things but none have worked and I'm starting to get a headache. I've decided to just pitch the question here. How do I test if a string contains ONLY a certain character, but could be one or more instances of that character? In this case it's a comma. So:

- ',' -> would return TRUE
- ',,,' -> would return TRUE
- ',,,,,,,' -> would return TRUE
- ',,,hello,' -> would return FALSE
- 'hi,,,' -> would return FALSE

Thanks in advance!

Hi guys, I would normally research this myself, but I am in a hurry just now. My question is: how would I take a string like "Customer Name" or "Product Cost Price" and produce a result where all upper case letters are made lower case and all spaces replaced by underscores? Like this: "Customer Name" would become "customer_name", and "Product Cost Price" would become "product_cost_price". Many thanks for any swift help, S

I am working on a form validation script and not sure how to approach this. I can validate current entries that are required, but I am trying to figure out how to validate an entry only if submitted and ignore it if the field is empty.

```php
/* form field */
<input type="text" name="account">
<?php echo "<div class='note'>" . $msg_acct . "<br/>";

/* This is in the validation script */
if (!empty($_POST['account'])) {          // only validate when something was submitted
    $acct_subject = $_POST['account'];
    $acct_pattern = '/^[0-9]*$/';
    preg_match($acct_pattern, $acct_subject, $acct_matches);   // pattern first, then subject
    if (!$acct_matches[0]) {
        $msg_acct = "Only numbers are allowed";
    }
}
```
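For the login script in the first post and the UPDATE in the session-id post, the following is an added example (not code from any of the posts above) showing the same two queries with PDO prepared statements, so that no value, whether from $_POST, $_GET, Flash or $_SESSION, is ever concatenated into SQL, and $action is checked against a fixed list instead of being trusted. It assumes a PDO connection and the same tables and columns the posts use.

```php
<?php
// Added example, not from the posts above. Assumes the posts' schema:
// buyers(email, password, name, activated) and systems(homes, address, id).
// Binding parameters replaces mysql_real_escape_string entirely, so the question
// "do I also need to escape this WHERE / this session value?" no longer arises.

function loginUser(PDO $pdo, string $email, string $password): array
{
    // The first post's SELECT with placeholders instead of interpolated strings.
    // md5() is kept only to match the post's existing column; new code should
    // store password_hash() output and compare with password_verify().
    $stmt = $pdo->prepare(
        'SELECT name, activated FROM buyers WHERE email = :email AND password = md5(:password)'
    );
    $stmt->execute([':email' => $email, ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function addHomes(PDO $pdo, int $homes, string $planet, int $userId): int
{
    // The session-id post's UPDATE. The $_SESSION value is bound as well: it is not
    // typed by the user, but binding costs nothing and removes the doubt.
    // (Assumed: the increment is applied to the current column value.)
    $stmt = $pdo->prepare(
        'UPDATE systems SET homes = homes + :homes WHERE address = :planet AND id = :id'
    );
    $stmt->bindValue(':homes', $homes, PDO::PARAM_INT);
    $stmt->bindValue(':planet', $planet, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// $action never reaches SQL, so escaping is the wrong tool; but "Flash sent it" is
// no guarantee, since anyone can POST without the Flash client. Match it against a
// whitelist of known actions and reject anything else.
$allowedActions = ['login' => true, 'logout' => true];
$action = $_POST['action'] ?? '';
if (!isset($allowedActions[$action])) {
    http_response_code(400);
    exit('status1=Unknown action');
}

// Connection details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

if ($action === 'login') {
    $rows = loginUser($pdo, $_POST['Username'] ?? '', $_POST['txtPassword'] ?? '');
    $cant = 0;
    foreach ($rows as $row) {
        // Same Flash-variable output as the post, but URL-encoded so a name
        // containing '&' or '=' cannot inject extra variables into the response.
        echo 'name' . $cant . '=' . rawurlencode($row['name'])
           . '&activated' . $cant . '=' . rawurlencode($row['activated']) . '&';
        $cant++;
    }
    echo 'cant=' . $cant . '&';
    echo $cant > 0 ? 'status1=exists' : 'status1=Incorrect Login';
}

if ($action === 'logout') {
    // Example of a second whitelisted action; the post only shows "login".
    addHomes($pdo, (int) ($_POST['homes'] ?? 0), $_GET['planet'] ?? '', (int) ($_SESSION['user_id'] ?? 0));
}
```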
I'm new to PHP, so please excuse my ignorance. Here's my issue: on my website, I want to ask the following question to validate that the person filling in the form is a real person: Which is the hottest: FIRE or ICE? Right now, my code is only set to accept all caps, which is confusing some of my customers. How do I update the following code to allow caps and lowercase answers?

```php
if (empty($_POST['validate']) || !ctype_upper($_POST['validate']) || ($_POST['validate'] != "ICE" and $_POST['validate'] != "FIRE")) {
    $errors->add('empty_username', __('<strong>ERROR</strong>: Please check your validation answer.'));
}
```

I wrote this code many moons ago...

```php
if (preg_match('#^[A-Z \'.-]{2,20}$#i', $trimmed['firstName'])) {
```

Can someone please help me remember... What do the two # signs do? Thanks, Debbie

Hey guys.. I'm new to the forum and have a quick question about some coding I've been doing for my website. A couple of index errors are coming up when I run my code, but I believe it all should be working fine. I am going to paste the code, but also upload the files so that you can understand the problem better. ANY help is greatly appreciated. I am currently making a contact form with validation. I know that using ifempty() is probably the best way, but I am unclear as to how to use it. I have two files, an HTML file containing my form, and a PHP file containing the following code:

```php
//Define Variables
$FirstName = $_GET['FirstNameTextBox'];
$LastName = $_GET['LastNameTextBox'];
$PhoneNumber = $_GET['PhoneNumberTextBox'];
$EmailAddress = $_GET['EmailAddressTextBox'];
$Address = $_GET['AddressTextBox'];
$City = $_GET['CityTextBox'];
$State = $_GET['StateDropDownBox'];
$Zip = $_GET['ZipTextBox'];
$error1 = '*Please enter a First Name<br>';
$error2 = '*Please enter a Last Name<br>';
$error3 = '*Please enter a Phone Number<br>';
$error4 = '*Please choose a state<br>';
$error5 = '*Please enter a valid email address<br>';
$day2 = mktime(0, 0, 0, date("m"), date("d") + 2, date("Y"));
$day3 = mktime(0, 0, 0, date("m"), date("d") + 3, date("Y"));
$day7 = mktime(0, 0, 0, date("m"), date("d") + 7, date("Y"));
if ($FirstName == "") { echo $error1; exit; }
if ($LastName == "") { echo $error2; exit; }
if ($PhoneNumber == "") { echo $error3; exit; }
if ($State == "") { echo $error4; exit; }
if ($EmailAddress == "") { echo $error5; exit; }
if ($State == "NY") {
    echo "$FirstName $LastName - we will get back to you within 2 days, ie before " . date("d M Y", $day2);
    exit;
}
if ($State == "NJ") {
    echo "$FirstName $LastName - we will get back to you within 3 days, ie before " . date("d M Y", $day3);
    exit;
}
if ($State == "Other") {
    echo "$FirstName $LastName - we will get back to you within 1 week, ie before " . date("d M Y", $day7);
    exit;
}
```

The following errors come up:

```
Notice: Undefined index: FirstNameTextBox in C:\Users\Jonny P\Documents\My Web Sites\JMPMySite\AddContact.php on line 14
Notice: Undefined index: LastNameTextBox in C:\Users\Jonny P\Documents\My Web Sites\JMPMySite\AddContact.php on line 15
Notice: Undefined index: PhoneNumberTextBox in C:\Users\Jonny P\Documents\My Web Sites\JMPMySite\AddContact.php on line 16
Notice: Undefined index: EmailAddressTextBox in C:\Users\Jonny P\Documents\My Web Sites\JMPMySite\AddContact.php on line 17
Notice: Undefined index: AddressTextBox in C:\Users\Jonny P\Documents\My Web Sites\JMPMySite\AddContact.php on line 18
Notice: Undefined index: CityTextBox in C:\Users\Jonny P\Documents\My Web Sites\JMPMySite\AddContact.php on line 19
Notice: Undefined index: StateDropDownBox in C:\Users\Jonny P\Documents\My Web Sites\JMPMySite\AddContact.php on line 20
Notice: Undefined index: ZipTextBox in C:\Users\Jonny P\Documents\My Web Sites\JMPMySite\AddContact.php on line 21
*Please enter a First Name
```

Again, ANY help is greatly appreciated.. it is for a class, but I have honestly exhausted all my sources to figure out what is wrong. Are my codes correct and all there? Thanks for the help! -WPN

Hi, I currently have the following code in my form processing script:

```php
$string_exp = "/^[A-Za-z .'-]+$/";
$error_missing = 'This field is required';
if (!preg_match($string_exp, $Name)) {
    $errors[] = $error_missing;
}
if (!preg_match($string_exp_number, $Phone)) {
    $errors[] = $error_missing;
}
if (is_array($errors)) {
    echo 'Your message could not be sent due to the following errors:';
    while (list($key, $value) = each($errors)) {
        echo '<span class="error">' . $value . '</span><br />';
    }
```

If the user enters no data into the required fields, the script prevents the form from being submitted and displays an error. At present the errors for all the required fields are displayed in a long list at the top of my HTML form, e.g.:

```
This field is required
This field is required
```

What I want to do is place the error message under each required field, e.g. this http://coreyworrell.com/assets/uploads/images/ajax_contact_form.png instead of this http://cdn1.1stwebdesigner.com/wp-content/uploads/2010/02/validation-ajax-css-form.jpg. What do I need to do? My form looks similar to this at the moment:

```html
<div id="log">
    <div id="log_res"> </div>
</div>
<form id="contact" name="contact" method="post" action="process.php">
    <label>Name</label>
    <input type="text" name="Name" id="Name" tabindex="1" />
    <label>Email</label>
    <input type="text" name="Phone" id="Phone" tabindex="2" />
</form>
```

The error messages are placed in the <div> section at the top of the form (using ajax).

I'm trying to get validation messages to display on the same page as my login form without any PHP within my login page. Is that possible?
Hi there, I've got an HTML textarea with the name attribute of 'review' and I've posted this into a variable called $review. I want to say if the characters are less than 30, please enter more words etc. The problem is, I get the if statement's error even when there are more than 30 characters. Can anyone figure out why I'm getting this?

```php
if ($review < 30) {
    echo '<p class="red">Review is too short, please enter at least 15 words</p>';
}
```

Hi, I am trying to set up a PHP script that will validate an HTML form. The form and the PHP script are separate from each other. The code that I have was modified from a tutorial on YouTube. The example used there works, but as I have begun to tailor it to my purpose, it is now broken. I just added one line for validation to simplify troubleshooting. If I find an empty field on the form, I would like to display the error message on the form itself rather than start a new HTML page with the PHP script. I am not sure if that is possible. Here is my form: http://www.tallfirshoa.com/adform.htm. YouTube videos that I was working from (the video's example has the form and PHP combined as one; in my case, I need the form and PHP separate): http://www.youtube.com/watch?v=yuLpSospbBk&feature=search and http://www.youtube.com/watch?v=LF5zTWthpn0&feature=search. The code works fine if I leave out the validation. As soon as I add if(!$fname), the script becomes broken. I'm guessing that it has something to do with $errorstring and how it works. I am new to PHP and have tried as many things as I can think of but I can't make any forward progress. Thanks for your help! Rob

```php
<html>
<h1>Tall Firs Ad Submission</h1>
<?php
if ($_POST['submit']) {
    //Get form data
    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $email = $_POST['email'];
    $displayemail = $_POST['displayemail'];
    $phone = $_POST['phone'];
    $category = $_POST['category'];
    $description = $_POST['description'];
    //Declare variables
    $to = "email@gmail.com";
    $subject = "Request";
    $headers = "From: $email \r\n Reply-To: $email";
}
//Setup form validation
$errorstring = "" //default value of error string
//Begin validation
if (!$fname) $errorstring = $errorstring . "First Name<br>";
?>
</html>
```

Hi, I am currently writing code to validate a form using PHP. What I wanted was to validate all inputs and then post the data to an external MySQL server. However, I want a function placed on the submit/send button of the form, in which the function checks to see if there are no errors and then forwards the user to another page where the data is inserted into the SQL database. Here is what I have so far:

add_test.php

```php
<?php include("validation.php"); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>test</title>
<link rel="stylesheet" href="test.css" type="text/css" media="screen" />
</head>
<body>
<div id="container">
<h1>Add a Product</h1>
<?php if(isset($_POST['send']) AND (!validateModel($_POST['model']) || !validatePrice($_POST['price']) || !validateProduct($_POST['product']) || !validateImage($_FILES['photo']) || !validateDescription($_POST['description']) ) ):?>
<div id="error">
<ol>
<center><p><b>Oops, Please fix these errors:</b></p></center><br />
<?php if(!validateModel($_POST['model'])):?>
<li><strong>Invalid Model:</strong> Model Number must be more than 3 letters!</li>
<?php endif?>
<?php if(!validatePrice($_POST['price'])):?>
<li><strong>Invalid Price:</strong> Price must be in integers!</li>
<?php endif?>
<?php if(!validateProduct($_POST['product'])):?>
<li><strong>Invalid Product:</strong> You didn't select a product!</li>
<?php endif?>
<?php if(!validateImage($_FILES['photo'])):?>
<li><strong>Invalid Image:</strong> You didn't select an image! - (ONLY: GIF/JPEG/JPG/PNG)</li>
<?php endif?>
<?php if(!validateDescription($_POST['description'])):?>
<li><strong>Invalid Description:</strong> Description must have at least 10 characters in length!</li>
<?php endif?>
</ol>
</div>
<?elseif(isset($_POST['send'])):?>
<div id="error" class="valid">
<ul>
<li><strong>Congratulations!</strong> All fields are OK ;)</li>
</ul>
</div>
<?endif?>
<form method="post" id="customForm" action="" enctype="multipart/form-data">
<div>
<label for="model">Model Number</label>
<input id="model" name="model" type="text" />
<span id="modelInfo">Please enter your Product Model Number!</span>
</div>
<div>
<label for="product">Product</label>
<select class="product" name="product">
<option value="please_select">Please select an option below</option>
<option value="1">19" LCD TV</option>
<option value="2">22" LCD TV</option>
<option value="3">26" LCD TV</option>
<option value="4">32" LCD TV</option>
<option value="5">37" LCD TV</option>
<option value="6">42" LCD TV</option>
<option value="7">37" Plasma TV</option>
<option value="8">42" Plasma TV</option>
<option value="9">46" Plasma TV</option>
<option value="10">50" Plasma TV</option>
<option value="11">54" Plasma TV</option>
<option value="12">58" Plasma TV</option>
<option value="13">Wall Bracket</option>
<option value="14">Home Cinema System</option>
<option value="15">Bluray Home Cinema System</option>
<option value="16">DVD Recorder</option>
<option value="17">DVD Player</option>
<option value="18">DVD Portable</option>
<option value="">Bluray Recorder</option>
<option value="">Bluray Player</option>
<option value="">Bluray Portable</option>
<option value="">Projector</option>
<option value="">37" LCD TV</option>
<option value="">42" LCD TV</option>
<option value="">Personal Video Recorder (PVR)</option>
<option value="">3D Technology</option>
<option value="">Upright Cleaner</option>
<option value="">Cylinder Cleaner</option>
<option value="">DECT Phone</option>
<option value="">DECT Answer Phone</option>
<option value="">Washing Machines</option>
<option value="">Tumble Dryers</option>
<option value="">Dishwashers</option>
<option value="">Fridge-Freezers</option>
<option value="">Freezers</option>
<option value="">Refridgerators</option>
<option value="">Microwave (Solo)</option>
<option value="">Microwave (Grill)</option>
<option value="">Microwave Combination</option>
<option value="">Kettles</option>
<option value="">Toasters</option>
<option value="">Irons</option>
<option value="">Breadmakers</option>
<option value="">Microsystems</option>
<option value="">Minisystems</option>
<option value="">CD, Radio and Cassette Players</option>
<option value="">Pure Radios</option>
<option value="">Dimplex Fires</option>
<option value="">Convector Heaters</option>
<option value="">Fan Heaters</option>
<option value="">Mens Shavers/Grooming</option>
<option value="">Ladies Shavers/Beauty</option>
<option value="">Straighteners</option>
<option value="">Epilators</option>
<option value="">Stylish Cameras</option>
<option value="">Super Zoom Cameras</option>
<option value="">SD Camcorders</option>
<option value="">HD Camcorders</option>
<option value="">HDD Camcorders</option>
<option value="">Bluray Discs</option>
<option value="">DVD Discs</option>
<option value="">Leads</option>
<option value="">Mini DV Tapes</option>
<option value="">SD/SDHC/SDXC Cards</option>
</select>
<span id="productInfo">Please choose a Product Title!</span>
</div>
<div>
<label for="price">Price</label>
<input id="price" name="price" type="text" />
<span id="priceInfo">Please enter a Price!</span>
</div>
<div>
<label for="photo">Image</label>
<input style="font-size:13px;" class="file" name="photo" type="file" />
<span id="imageInfo">Please choose an Image!</span>
</div>
<div>
<label for="message">Description</label>
<textarea id="description" name="description" cols="" rows=""></textarea>
</div>
<div>
<input id="send" name="send" type="submit" value="Send" />
</div>
</form>
</div>
</body>
</html>
```

Here is my validation PHP document, validation.php:

```php
<?php
function validateModel($model) {
    //if it's NOT valid
    if (strlen($model) < 4) return false;
    //if it's valid
    else return true;
}
function validatePrice($price) {
    //if it's NOT valid
    if (is_numeric($price) == '') return false;
    //if it's valid
    else return true;
}
function validateProduct($product) {
    //if it's NOT valid
    if (($product) == 'please_select') return false;
    //if it's valid
    else return true;
}
function validateImage($photo) {
    //if it's valid
    if ((($_FILES["photo"]["type"] == "image/gif") || ($_FILES["photo"]["type"] == "image/jpeg") || ($_FILES["photo"]["type"] == "image/pjpeg")) && ($_FILES["photo"]["size"] < 2000000)) return true;
    else return false;
}
function validateDescription($description) {
    //if it's NOT valid
    if (strlen($description) < 10) return false;
    //if it's valid
    else return true;
}
?>
```

Any suggestions on how to write the code for the send button? I'm a bit stuck and being a newbie doesn't help lol.

Hi. I'm new to PHP and have a problem with some form validation. The code below is my contact form. It was working until I added a dropdown list and checkbox. For all the other fields I created an input variable using the 'name' attribute to reference the data entered into the input fields, and the validation appeared to work and an email was sent to the appropriate email address. For the checkbox field I have also created a 'name' attribute but don't know whether this is the right way to confirm whether the box has been checked. For the field with a dropdown selection I have used the option 'selected', but again, don't know whether this is right or not. Now when I enter valid data into all the fields, select a value from the dropdown and check the checkbox, I get an error message stating that I need to fill in all the form fields. I am pretty sure it is to do with the way I have tried to pick up the data from the dropdown list and the checkbox, but can't figure out what it is. Any help would be much appreciated. Thanks in advance.
```php
<?php echo file_get_contents('header.php'); ?>
<?php
// Message Vars
$msg = '';
$msgClass = '';
// Check to see if the form has been submitted
if (filter_has_var(INPUT_POST, 'submit')) {
    //Input Data Variables
    $firstname = htmlspecialchars($_POST['firstname']);
    $lastname = htmlspecialchars($_POST['lastname']);
    $phonenumber = htmlspecialchars($_POST['phonenumber']);
    $email = htmlspecialchars($_POST['email']);
    $selected = htmlspecialchars($_POST['selected']);
    $message = htmlspecialchars($_POST['message']);
    $checkbox = htmlspecialchars($_POST['checkbox']);
    //Check required fields
    if (!empty($firstname) && !empty($lastname) && !empty($phonenumber) && !empty($email) && !empty($selected) && !empty($message) && !empty($checkbox)) {
        // If passed, check email address
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            //If failed, Email address is not valid
            $msg = 'Please use a valid email address';
            $msgClass = 'alert-danger';
        } else {
            //Recipient email address and information to be sent to them
            $toEmail = 'hello@example.co.uk';
            $subject = 'Contact Request from Website';
            $body = '<h2>Contact Request</h2>
                <h4>Name</h4><p>' . $firstname . '' . $lastname . '</p>
                <h4>Phone Number</h4><p>' . $phonenumber . '</p>
                <h4>Email Address</h4><p>' . $email . '</p>
                <h4>Subject</h4><p>' . $selected . '</p>
                ';
            // Email Headers
            $headers = "MIME-VERSION: 1.0" . "\r\n";
            $headers .= "Content-Type:text/html;charset=UTF-8" . "\r\n";
            // Additional Headers
            $headers .= "From: " . $firstname . " " . $lastname . " <" . $email . ">" . "\r\n";
            if (mail($toEmail, $subject, $body, $headers)) {
                // Message Sent
                $msg = 'Your message has been sent';
                $msgClass = 'alert-success';
            } else {
                // Message failed
                $msg = 'Your message has NOT been sent';
                $msgClass = 'alert-danger';
            }
        }
    } else {
        //Failed
        $msg = 'Please fill in all fields';
        $msgClass = 'alert-danger';
    }
}
?>
<div class="container clearfix content-container">
<h1 class="section-title">Contact Us</h1>
<p>If you have any questions about the services we provide or would like to chat about a new website project, please get in touch using any of the options below. We would love to hear from you!</p>
<!--Contact Page Row-->
<div class="row">
<div class="col-lg-6 contact-details">
<div class="row">
<div class="col-lg-12">
<img src="assets/img/contact-us.jpg" class="img-responsive d-block contact-image" alt="Contact Us Image">
</div>
</div>
<div class="row">
<div class="col-lg-12 contact-name">
<span class="d-inline-block contact-inline-block"><i class="fas fa-user fa-2x"> </i></span>
<span class="d-inline-block"><p class="contact-details">sn0wman23</p></span>
</div>
</div>
<div class="row">
<div class="col-lg-12 contact-phone">
<span class="d-inline-block contact-inline-block"><a href="tel:+447740484798"><i class="fas fa-mobile-alt fa-2x"></i></a></span>
<span class="d-inline-block"><a href="tel:+441234567890"><p class="contact-details">01234 567890</a></p></span>
</div>
</div>
<div class="row">
<div class="col-lg-12 contact-email">
<span class="d-inline-block contact-inline-block"><a href="mailto:hello@example.co.uk"><i class="fas fa-envelope-square fa-2x"></i></a></span>
<span class="d-inline-block"><a href="mailto:hello@example.co.uk"><p class="contact-details">hello@example.co.uk</a></p></span>
</div>
</div>
<div class="row">
<div class="col-lg-12 contact-fb">
<span class="d-inline-block contact-inline-block"><a href="https://www.facebook.com/" target="_blank"><i class="fab fa-facebook-square fa-2x"></a></i></span>
<span class="d-inline-block"><a href="https://www.facebook.com/example/" target="_blank"><p class="contact-details">@example</a></p></span>
</div>
</div>
</div>
<!--Contact Form-->
<div class="col-lg-6 contact-form d-block">
<?php if($msg != ''): ?>
<div class="alert <?php echo $msgClass; ?>"><?php echo $msg; ?></div>
<?php endif;?>
<form method="post" action="contact.php" role="form">
<div class=" row form-group">
<div class="col-lg-6">
<label for="firstnameid">First name:</label>
<input type="text" name="firstname" class="form-control mb-3" id="firstnameid">
</div>
<div class="col-lg-6">
<label for="lastnameid">Last name:</label>
<input type="text" name="lastname" class="form-control mb-3" id="lastnameid">
</div>
</div>
<div class="row form-group">
<div class="col-lg-6">
<label for="phonenumber">Phone number:</label>
<input type="tel" name="phonenumber" class="form-control mb-3" id="phonenumberid">
</div>
<div class="col-lg-6">
<label for="emailid">Email address:</label>
<input type="email" name="email" class="form-control mb-3" id="emailid">
</div>
</div>
<div class="row form-group">
<div class="col-lg-12">
<label for="subjectid">How can I help?:</label>
<select class="form-control mb-3" id="subjectid">
<option selected>Select one from this list</option>
<option value="1">Value 1</option>
<option value="2">Value 2</option>
<option value="3">Value 3</option>
</select>
</div>
</div>
<div class="row form-group">
<div class="col-lg-12">
<label for="messageid">Tell me a little bit mo </label>
<textarea name="message" class="form-control mb-3" id="messageid" rows="6"></textarea>
</div>
</div>
<div class="row form-group">
<div class="col-lg-12 form-check">
<input type="checkbox" name="checkbox" class="form-check-input" id="formcheckid">
<label for="formcheckid" class=form-check-label mb-3>By checking this tickbox you have confirmed that we can collect the information in this form for the purposes outlined in our <a href="privacy-policy.html">privacy policy.</a></label>
</div>
</div>
<div class="row form-group">
<div class="col-lg-12">
<button type="submit" name="submit" class="btn btn-primary mt-4">Send Message </button>
</div>
</div>
</form>
</div>
<!--Contact Form End-->
</div>
<!--Contact Page Row End-->
</div>
<!--Container end-->
<?php echo file_get_contents('footer.php'); ?>
```