Really need help! Form validation!

**RJhawkes** · 03-09-2011 03:35 PM

Ok guys please help me

I've been going mad over this, I just can't see why it is not working.. I know the PHP validation is not complete, I'm taking one step at a time and trying to figure out why this isn't working!

Basically what I'm trying to do is stop e-mail injection with ''\n'' ''\r'' for new lines so people can't CC and use my form as spam.

here is my code (PHP) :

PHP Code:


if(!isset($_POST['submit'])) {

    

    echo '<form class="contact_form" action="." method="post">

     Your Name :<textarea rows="1"  cols="30" input type="text" name="name" class="form_box"></textarea><br />

     E-mail :<textarea rows="1"  cols="30" input type="text" name="email" class="form_box"></textarea><br />

     Project :<textarea rows="1"  cols="30" input type="text" name="project" class="form_box"></textarea><br />

     Budget :<textarea rows="1"  cols="30" input type="text" name="budget" class="form_box" ></textarea><br />

     <div id="form_fix">More Info :</div><p><textarea rows="6"  cols="30" input type="text" name="message" class="form_box"></textarea></p>

     <div id="submit"><button name="submit" type="submit" class="submit_b"/></div>

    </form>';

    

} else {

    

    //variables

    $to = ".....";

    $name = htmlspecialchars($_POST['name']);

    $email = htmlspecialchars($_POST['email']);

    $project = htmlspecialchars($_POST['project']);

    $budget = htmlspecialchars($_POST['budget']);

    $message = htmlspecialchars($_POST['message']);

    $message = wordwrap ($message, 70);

    $email_header = ("From:".$name." - Project:".$project." Email:". $email);

    $message = (" Budget: ".$budget."  Message: ".$message);

    //end of variables

    

    if ( preg_match( "/[\r\n]/", $name ) || preg_match( "/[\r\n]/", $email ) )

        {

           echo "<tr><td>The email: ".$_POST['email']." is inValid!</td></tr>";

        }

      else {

          echo "<tr><td>The email: ".$_POST['email']." is valid!</td></tr>";

      }   

}

Thankyou!!

**NogDog** · 03-09-2011 05:24 PM

It worked OK for me after I changed the form action to "" instead of ".". (I also changed the submit button mark-up so I could see it.)

Note however that the current logic will report that the email is invalid even if it's the $name value that is causing the problem. If you want to track which fields are problems, I often like to create an array of error messages, something like:

PHP Code:


<?php

if (!isset($_POST['submit'])) {

   echo '<form class="contact_form" action="" method="post">

     Your Name :<textarea rows="1"  cols="30" input type="text" name="name" class="form_box"></textarea><br />

     E-mail :<textarea rows="1"  cols="30" input type="text" name="email" class="form_box"></textarea><br />

    Project :<textarea rows="1"  cols="30" input type="text" name="project" class="form_box"></textarea><br />

    Budget :<textarea rows="1"  cols="30" input type="text" name="budget" class="form_box" ></textarea><br />

     <div id="form_fix">More Info :</div><p><textarea rows="6"  cols="30" input type="text" name="message" class="form_box"></textarea></p>

    <div id="submit"><button name="submit" type="submit" class="submit_b">Submit</button></div>

    </form>';

} else {

   //variables

   $to = ".....";

   $name = htmlspecialchars($_POST['name']);

   $email = htmlspecialchars($_POST['email']);

   $project = htmlspecialchars($_POST['project']);

   $budget = htmlspecialchars($_POST['budget']);

   $message = htmlspecialchars($_POST['message']);

   $message = wordwrap($message, 70);

   $email_header = ("From:" . $name . " - Project:" . $project . " Email:" . $email);

   $message = (" Budget: " . $budget . "  Message: " . $message);

   //end of variables

   $errors = array();

   if (preg_match("/[\r\n]/", $name)) {

      $errors[] = "The name '$name' is invalid.";

   }

   if(preg_match("/[\r\n]/", $email)) {

      $errors[] = "The email: " . $_POST['email'] . " is inValid!";

   }

   if(count($errors)) {

      foreach($errors as $message) {

         echo "<p class='error'>$message</p>\n";

      }

   }

   else {

      echo "<p>Everything is copacetic.</p>\n";

   }

}

**RJhawkes** · 03-10-2011 02:49 AM

Ok thanks!

The only thing that doesn't seem to work, Is when I try to test my e-mail area, when I type in something@something.com \n CC: Somethingelse@something.com

It says it is fine, Which the below code I thought would stop the e-mail injection.

PHP Code:


if (preg_match("/[\r\n]/", $name)) { 

      $errors[] = "The name '$name' is invalid."; 

   } 

   if(preg_match("/[\r\n]/", $email)) { 

      $errors[] = "The email: " . $_POST['email'] . " is inValid!"; 

   }

Thanks for your response ! Much much appreciated

**RJhawkes** · 03-10-2011 09:35 AM

Ok the above code doesn't work but if i put the input as ''something@something.com\n somethingelse@something.com" it finds the match
If I run this code it works and finds the match:

PHP Code:


<?php

    

    $input = "something@something.com\n somethingelse@something.com" ;

    $pattern = "/[\n\r]/i";

    

    if (preg_match($pattern, $input))

    {

        echo " A match was found! " . $input;

    

    }else

    {

        echo "No match" .$input;

    }

?>

But then if i run this code: and enter the same text as input ''something@something.com\n somethingelse@something.com" It doesn't find the match.

PHP Code:


if(!isset($_POST['submit'])) {

    

    echo '<form class="contact_form" action="" method="post">



     E-mail :<textarea rows="1"  cols="30" input type="text" name="email" class="form_box"></textarea><br />

 

     <div id="submit"><button name="submit" type="submit" class="submit_b"/></div>

    </form>';

}

else{

    

    $input = $_POST['email'];

    $pattern = "/[\n\r]/i";

    

    if (preg_match($pattern, $input))

    {

        echo " A match was found! " . $input;

    

    }else

    {

        echo "No match" .$input;

    }

}

It doesn't find a match. Please help, where am I going wrong?

So confused!!

**NogDog** · 03-10-2011 09:54 AM

Are you typing a literal "\n" (back-slash and "n") in the form, or just using the return/enter key to insert a new line (which is what your pattern is testing for)?

**RJhawkes** · 03-10-2011 10:22 AM

Originally Posted by NogDog

Are you typing a literal "\n" (back-slash and "n") in the form, or just using the return/enter key to insert a new line (which is what your pattern is testing for)?

Ohh when I'm entering in the form I'm literally typing

''something@something.com\n somethingelse@something.com"

So if someone were to attempt to do a e-mail injection they would just press 'Enter' and type CC:Someoneelse@something.com

**RJhawkes** · 03-10-2011 04:26 PM

resolved, It was working all along! Me being stupid and not realizing it :P

Thanks for your help nogdog!

Thread: Really need help! Form validation!

Thread Tools

Display

Really need help! Form validation!

Thread Information

Users Browsing this Thread

Bookmarks

Bookmarks

Posting Permissions