www.webdeveloper.com

Thread: Really need help! Form validation!

  1. #1
    Join Date
    Jan 2011
    Posts
    20

    Really need help! Form validation!

    Ok guys please help me

    I've been going mad over this, I just can't see why it is not working.. I know the PHP validation is not complete, I'm taking one step at a time and trying to figure out why this isn't working!

    Basically what I'm trying to do is stop e-mail injection with "\n" "\r" for new lines so people can't CC and use my form as spam.

    Here is my code (PHP):
    PHP Code:
    <?php
    if(!isset($_POST['submit'])) {

        echo '<form class="contact_form" action="." method="post">
         Your Name :<textarea rows="1"  cols="30" input type="text" name="name" class="form_box"></textarea><br />
         E-mail :<textarea rows="1"  cols="30" input type="text" name="email" class="form_box"></textarea><br />
         Project :<textarea rows="1"  cols="30" input type="text" name="project" class="form_box"></textarea><br />
         Budget :<textarea rows="1"  cols="30" input type="text" name="budget" class="form_box" ></textarea><br />
         <div id="form_fix">More Info :</div><p><textarea rows="6"  cols="30" input type="text" name="message" class="form_box"></textarea></p>
         <div id="submit"><button name="submit" type="submit" class="submit_b"/></div>
        </form>';

    } else {

        //variables
        $to = ".....";
        $name = htmlspecialchars($_POST['name']);
        $email = htmlspecialchars($_POST['email']);
        $project = htmlspecialchars($_POST['project']);
        $budget = htmlspecialchars($_POST['budget']);
        $message = htmlspecialchars($_POST['message']);
        $message = wordwrap($message, 70);
        $email_header = ("From:".$name." - Project:".$project." Email:".$email);
        $message = (" Budget: ".$budget."  Message: ".$message);
        //end of variables

        // reject a CR or LF in any value that goes into the mail headers
        if ( preg_match( "/[\r\n]/", $name ) || preg_match( "/[\r\n]/", $email ) )
            {
               // echo the escaped copy, not the raw $_POST value
               echo "<tr><td>The email: ".$email." is inValid!</td></tr>";
            }
          else {
              echo "<tr><td>The email: ".$email." is valid!</td></tr>";
          }
    }

    Thank you!!

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,636
    It worked OK for me after I changed the form action to "" instead of ".". (I also changed the submit button mark-up so I could see it.)

    Note however that the current logic will report that the email is invalid even if it's the $name value that is causing the problem. If you want to track which fields are problems, I often like to create an array of error messages, something like:
    PHP Code:
    <?php
    if (!isset($_POST['submit'])) {
       echo '<form class="contact_form" action="" method="post">
         Your Name :<textarea rows="1"  cols="30" input type="text" name="name" class="form_box"></textarea><br />
         E-mail :<textarea rows="1"  cols="30" input type="text" name="email" class="form_box"></textarea><br />
        Project :<textarea rows="1"  cols="30" input type="text" name="project" class="form_box"></textarea><br />
        Budget :<textarea rows="1"  cols="30" input type="text" name="budget" class="form_box" ></textarea><br />
         <div id="form_fix">More Info :</div><p><textarea rows="6"  cols="30" input type="text" name="message" class="form_box"></textarea></p>
        <div id="submit"><button name="submit" type="submit" class="submit_b">Submit</button></div>
        </form>';
    } else {
       //variables
       $to = ".....";
       $name = htmlspecialchars($_POST['name']);
       $email = htmlspecialchars($_POST['email']);
       $project = htmlspecialchars($_POST['project']);
       $budget = htmlspecialchars($_POST['budget']);
       $message = htmlspecialchars($_POST['message']);
       $message = wordwrap($message, 70);
       $email_header = ("From:" . $name . " - Project:" . $project . " Email:" . $email);
       $message = (" Budget: " . $budget . "  Message: " . $message);
       //end of variables

       // collect one message per failing field
       $errors = array();
       if (preg_match("/[\r\n]/", $name)) {
          $errors[] = "The name '$name' is invalid.";
       }
       if (preg_match("/[\r\n]/", $email)) {
          // use the escaped copy, not the raw $_POST value
          $errors[] = "The email: " . $email . " is inValid!";
       }
       if (count($errors)) {
          foreach ($errors as $message) {
             echo "<p class='error'>$message</p>\n";
          }
       }
       else {
          echo "<p>Everything is copacetic.</p>\n";
       }
    }
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  3. #3
    Join Date
    Jan 2011
    Posts
    20
    Ok thanks!

    The only thing that doesn't seem to work is when I try to test my e-mail area, when I type in something@something.com \n CC: Somethingelse@something.com

    It says it is fine, which the below code I thought would stop the e-mail injection.

    PHP Code:
    if (preg_match("/[\r\n]/", $name)) {
       $errors[] = "The name '$name' is invalid.";
    }
    if (preg_match("/[\r\n]/", $email)) {
       // use the escaped copy, not the raw $_POST value
       $errors[] = "The email: " . $email . " is inValid!";
    }
    Thanks for your response! Much, much appreciated.

  4. #4
    Join Date
    Jan 2011
    Posts
    20

    Ok, the above code doesn't work, but if I put the input as "something@something.com\n somethingelse@something.com" it finds the match.
    If I run this code it works and finds the match:

    PHP Code:
    <?php
        // in a double-quoted PHP string, \n is a real line feed
        $input = "something@something.com\n somethingelse@something.com";
        $pattern = "/[\n\r]/i";

        if (preg_match($pattern, $input))
        {
            echo " A match was found! " . $input;
        }else
        {
            echo "No match" . $input;
        }
    ?>
    But then if I run this code and enter the same text as input "something@something.com\n somethingelse@something.com", it doesn't find the match.

    PHP Code:
    <?php
    if(!isset($_POST['submit'])) {

        echo '<form class="contact_form" action="" method="post">

         E-mail :<textarea rows="1"  cols="30" input type="text" name="email" class="form_box"></textarea><br />

         <div id="submit"><button name="submit" type="submit" class="submit_b"/></div>
        </form>';
    }
    else{

        $input = $_POST['email'];
        $pattern = "/[\n\r]/i";

        // escape before echoing user input back into the page
        if (preg_match($pattern, $input))
        {
            echo " A match was found! " . htmlspecialchars($input);
        }else
        {
            echo "No match" . htmlspecialchars($input);
        }
    }

    It doesn't find a match. Please help, where am I going wrong?

    So confused!!

  5. #5
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,636
    Are you typing a literal "\n" (back-slash and "n") in the form, or just using the return/enter key to insert a new line (which is what your pattern is testing for)?

  6. #6
    Join Date
    Jan 2011
    Posts
    20
    Quote: Originally Posted by NogDog
    Are you typing a literal "\n" (back-slash and "n") in the form, or just using the return/enter key to insert a new line (which is what your pattern is testing for)?
    Ohh, when I'm entering in the form I'm literally typing

    "something@something.com\n somethingelse@something.com"

    So if someone were to attempt to do an e-mail injection they would just press 'Enter' and type CC:Someoneelse@something.com

  7. #7
    Join Date
    Jan 2011
    Posts
    20
    Resolved, it was working all along! Me being stupid and not realizing it :P

    Thanks for your help NogDog!
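
As an added example (not code from any poster in this thread): the CR/LF check discussed above, applied to every field the original script places in `$email_header`, together with an address syntax check using `filter_var`. The function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names and sample
// values are constructed for illustration.

/** True if the value contains a real CR or LF byte (0x0D / 0x0A). */
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/**
 * Validate the fields that end up in mail headers.
 * Returns error messages keyed by field name; an empty array means OK.
 */
function validate_header_fields(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'project'] as $field) {
        $value = $post[$field] ?? '';
        if (has_line_break($value)) {
            $errors[$field] = "The $field field must not contain line breaks.";
        }
    }
    // An address with no line break can still be malformed, so check syntax too.
    if (!isset($errors['email'])
        && filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'The email address is not valid.';
    }
    return $errors;
}

// Constructed inputs. Single quotes keep \n as two characters (what was typed
// into the form in post #4); double quotes produce a real line feed.
$samples = [
    'typed backslash-n' => 'something@something.com\n somethingelse@something.com',
    'real line break'   => "something@something.com\nCC: somethingelse@something.com",
    'plain address'     => 'something@something.com',
];

foreach ($samples as $label => $email) {
    $errors = validate_header_fields(['name' => 'Test', 'email' => $email, 'project' => 'Site']);
    printf("%-18s line break: %-3s errors: %s\n",
        $label,
        has_line_break($email) ? 'yes' : 'no',
        $errors ? implode(' ', $errors) : 'none');
}
```

The first sample passes the line-break test because it holds a backslash and an "n" rather than a line feed; it is rejected only by the address syntax check.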
