
validating a form - server side


rastaIT34

Technical User
Sep 9, 2009
103
US
this post is a continuation from post:



I am trying to make my form more secure: preventing robots and making users fill in all fields. I used client-side JavaScript, but I kept getting empty fields. After some research I found that a server-side PHP script would be better.

This is what was suggested:

Code:
<?PHP

if(!isset($_POST['fieldnamex'])||empty($_POST['fieldnamex'])){
echo "This field is not correct...."
return;
...
}
else{
include("formail.php");
}
?>


This is the link to the test site :





I tried modifying the code above, but I get an error in line 5, as you can see if you test the form. See my modification below.


Code:
<?PHP

if(!isset($_POST['Full_Name'])||empty($_POST['Full_Name'])){
echo "This field is not correct...."
return;
...
}

if(!isset($_POST['Email'])||empty($_POST['Email'])){
echo "This field is not correct...."
return;
...
}

if(!isset($_POST['Comments_Questions'])||empty($_POST['Comments_Questions'])){
echo "This field is not correct...."
return;
...
}


else{
include("formmail.php");
}
?>


Artist/Designer
 
Hi rastaIT34,

There is a semicolon missing at the end of the echo. And "..." is not code: either you are hinting that there is more code instead of the three dots, or it's an error, too. There is not much sense in putting code right after a return, as a return finishes execution.

I also read the preceding thread. You copied over the ... from there, right? This wasn't meant literally, but simply indicates further code.

Besides that, it doesn't make sense to have only one else after a series of ifs. Either you use if...elseif...elseif...else without a return in them, or a series of ifs each doing a return and then the final code without else. The final code will only run if no previous if quit via return.

For PHP references see here:


Indeed for such a series of validations, each check potentially ending the processing, not calling the mail script, you could use switch instead:


Bye, Olaf.
Bye, Olaf.
 
Besides me not posting a double signature, you may not want to display identical error messages to your users. Each echo should indicate what field is not correct. The message "This field is not correct...." is in any case a start for a functional test, but nobody will know what field failed to validate.

Bye, Olaf.
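The structure Olaf describes (a series of checks, each one naming the field it failed on, with the mail script reached only when none of them stopped execution) looks like this in practice. This is an added example, not code from the thread or from any formmail package; the field names follow the form in this thread, the message wording is my own, and the sample input is constructed so the script also runs from the command line.

```php
<?php
// Added example, not code from this thread: a required-field check that
// names the failing field and only hands off to the mail script once every
// check has passed. Field names follow the form in this thread; the file
// name formmail.php is the one the thread uses.

/**
 * Returns one message per missing field, keyed by field name.
 * An empty array means the submission passed.
 */
function requiredFieldErrors(array $post, array $required)
{
    $errors = array();
    foreach ($required as $field => $label) {
        // isset() catches a field that was never sent; the trim() comparison
        // catches whitespace-only input that empty() alone would accept.
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[$field] = "The $label field is required.";
        }
    }
    return $errors;
}

$required = array(
    'Full_Name'          => 'Full Name',
    'Email'              => 'Email',
    'Comments_Questions' => 'Comments/Questions',
);

// Constructed sample so the script also runs from the command line;
// in the web page the input is $_POST.
$input = (PHP_SAPI === 'cli')
    ? array('Full_Name' => 'Jane Doe', 'Email' => '   ')
    : $_POST;

$errors = requiredFieldErrors($input, $required);

if (count($errors) > 0) {
    foreach ($errors as $message) {
        // Escape before echoing, even for our own strings, out of habit.
        echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'), "<br />\n";
    }
    // Stop here; because execution ends, no else branch is needed below.
    return;
}

// Only reached when no field was missing.
include("formmail.php");
```

Run from the command line, the constructed sample reports that the Email field is required (the blank-only value fails the trim() check) and never reaches the include; in the web page the same logic runs against $_POST. Collecting all errors first, rather than returning on the first one, lets the user fix every field in one round trip.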
 
I just tried to integrate this code:




here:

formvalidate.php

Code:
<?php
if($_POST)
{
$Full_Name = $_POST['Full_Name'];
$Email = $_POST['Email'];
$Comments_Questions = $_POST['Comments_Questions'];

// Full Name
if (eregi('^[A-Za-z0-9 ]{3,20}$',$Full_Name))
{
$valid_Full_Name=$Full_Name;
}
else
{
$error_name='Enter valid Full Name.';
}


// Email
if (eregi('^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$', $Email))
{
$valid_Email=$Email;
}
else
{
$error_email='Enter valid Email.';
}


// Comment
if (eregi('^[A-Za-z0-9 ]{3,20}$',$Comments_Questions))
{
$valid_Comments_Questions=$Comments_Questions;
}
else
{
$error_name='Enter valid Comment.';
}


if((strlen($valid_Full_Name)>0)&&(strlen($valid_Email)>0)
&&(strlen($valid_Comments_Questions)>0) )
{
mysql_query(" SQL insert statement ");
header("Location: contactsent.html");
}
else{ }

}
?>





And the html page here:

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<meta name="description" content="The website and portfolio of  – Figure painting, Figurative painting, Figurative style, Figure in surroundings, Spatial painting, Floating, Painting of Swimming, Swimming figures, Swimming paintings, Water motif, Figure in water, Realistic, Realism, Figuration, Representationalism, New england art, Life painting, Painting from life, Observational art, Observational painting, Painting from observation "/>


<title> | ARTWORK</title>

<link href="css/global_style.css" rel="stylesheet" type="text/css" />
<link href="css/contactform.css" rel="stylesheet" type="text/css" />
<link rel="stylesheet" href="css/font_stylesheet.css" type="text/css" charset="utf-8" />




</head>

<body>

<div id="container">

  
   <div id="header">   
  <center><a href="index.html"><img src="images/title.jpg" width="502" height="82" alt="_title" border="0" /></a>
  </center></div>


<div id="navbckgrnd">

	<div id="nav_menucontainer">
<ul id="navmenu">
            <li><a href="paintings.html" >Paintings</a></li>
            <li><a href="bio.html" >Biography</a></li>
            <li><a href="contact.html" >Contact</a></li>
        </ul>
	</div>
     
</div>




<div id="sitemap"><a href="index.html">home</a> | contact</div>


<?php include("formvalidate.php"); ?>

<div id="formwrap">
<form name="myForm" action="" method="post">

<fieldset>
<div class="row"><label class="col1">Full Name:&nbsp;&nbsp;</label>
  <span class="col2">
  <input name="Full_Name" class="input" type="text" id="First Name" size="20" tabindex="1" style="font-size:17px;"  value="<?php echo $valid_Full_Name; ?>"/> <?php echo $error_Full_Name; ?> 
  </span></div>


  <div class="row"><label class="col1">Mailing List:&nbsp;&nbsp;</label>
  <span class="col2">
<input name="Mailing List" type="checkbox" value="Please add me to the mailing list." />
<font size="2">Please add me to the mailing list.</font>
  </span></div> 

<div class="row"><label class="col1">Email:&nbsp;&nbsp;</label>
  <span class="col2">
  <input name="Email" class="input" type="text" id="Email" size="20" tabindex="2"  style="font-size:17px;" value="<?php echo $valid_Email; ?>"/> <?php echo $error_Email; ?> 
  </span></div>
  

<div class="row"><label class="col1">Comments:&nbsp;<br />Questions&nbsp;&nbsp; </label>
  <span class="col2">
  
  <textarea name="Comments_Questions" class="input" type="text" id="comments" cols="18" rows="5" tabindex="2" style="font-size:17px;"value="<?php echo $valid_Comments_Questions; ?>"/> <?php echo $error_Comments_Questions; ?> </textarea>  
    
  </span></div>
  
    
      <div id="formbuttonsContainer">
      <input type="submit"  class="submitButton"/>
    </div>

 </fieldset> 
</form>


</div>

        <div id="footer">
        <div class="copyright" >© 1999-2011 test. All Rights Reserved.</div>
        </div>


</div>

</body>
</html>




Any thoughts on why it isn't working?





Artist/Designer
 
I assume that the 'html' page is called 'something.php'?
 
OK. In which case, can you define what you mean by "it isn't working"?

1. Are you not getting any POST input at all? Have you tested this by printing the $_POST variable?
2. Is the SQL statement failing? If so, please provide the SQL statement and a dump of
Code:
show columns from table name
3. Is the cascade of validation conditions failing? If so, which condition is failing first, and against what input? I recommend using preg_match over ereg.

From a quick peruse, I would say that
1. Allowing only 20 characters of comments might be a bit too ungenerous.
2. You need to expand your regex to allow for vertical space. You might also allow punctuation. For PCRE, something like this perhaps:
Code:
if (preg_match('/^([A-Za-z0-9,.;:\(\)\&\%\$\£\@\!"\']|\n|\s)+$/i', $Comments_Questions)) {
Unless you allow for vertical spaces, your test will always fail because your <textarea> tag and close tag are on separate lines (thus a line break is already present within the value of the textarea).
3. You probably do not want to use $error_name for the variable in the comments condition.

Generally, this seems to be a poor way of validating form input. OK perhaps if you have a single form, but if you ever go beyond that it would be better to build a reusable class to do your validation. Take a look at HTML_QuickForm in the PEAR repository as a very full form manager. Not QuickForm2 but the original. QuickForm2 is not yet ready for publication, and the deprecation warning on QuickForm is an artefact of how PEAR works rather than a genuine statement of obsolescence.
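To show the two points above concretely (preg_match instead of the ereg family, and a comments pattern that tolerates the line breaks a textarea submits), here is the validation from the thread rewritten that way. This is an added example and not jpadie's or the original poster's code; the field names are the thread's, the length limits and the punctuation set in the comments pattern are my assumptions, and the sample submission is constructed.

```php
<?php
// Added example, not code from this thread: the validation rewritten with
// preg_match(), including a comments pattern that accepts the line breaks a
// <textarea> submits. Field names follow the thread's form; the length
// limits are assumptions.

// Letters, digits and spaces, as in the thread's Full Name pattern.
define('NAME_PATTERN', '/^[A-Za-z0-9 ]+$/D');
// The thread's email pattern with PCRE delimiters; /D stops $ from
// matching in front of a trailing newline.
define('EMAIL_PATTERN', '/^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.[a-zA-Z]{2,4}$/D');
// Comments: letters, digits, common punctuation and any whitespace.
// \s covers spaces, tabs and the \r\n pairs browsers send for textareas.
define('COMMENT_PATTERN', '/^[A-Za-z0-9,.;:()&%$@!"\'?\s-]+$/D');

/**
 * Check one field. Returns null when it passes, otherwise a message that
 * names the field so the user knows which one to fix.
 */
function checkField($label, $value, $pattern, $minLen, $maxLen)
{
    $value = trim($value);
    $len = strlen($value);
    // Length is checked separately instead of inside the pattern, so the
    // allowed alphabet and the size limits can be tuned independently.
    if ($len < $minLen || $len > $maxLen) {
        return "Enter a valid $label ($minLen to $maxLen characters).";
    }
    if (!preg_match($pattern, $value)) {
        return "Enter a valid $label (it contains characters that are not allowed).";
    }
    return null;
}

/** Read a posted field, treating an absent field as an empty string. */
function postedField(array $post, $key)
{
    return isset($post[$key]) ? (string) $post[$key] : '';
}

/** Returns field name => message for every field that failed; empty when all pass. */
function validateContactForm(array $post)
{
    $results = array(
        'Full_Name'          => checkField('Full Name', postedField($post, 'Full_Name'), NAME_PATTERN, 3, 20),
        'Email'              => checkField('Email', postedField($post, 'Email'), EMAIL_PATTERN, 6, 254),
        'Comments_Questions' => checkField('Comment', postedField($post, 'Comments_Questions'), COMMENT_PATTERN, 3, 2000),
    );
    $errors = array();
    foreach ($results as $field => $message) {
        if ($message !== null) {
            $errors[$field] = $message;
        }
    }
    return $errors;
}

// Constructed sample: the comment contains a line break, as a textarea
// submission normally does.
$sample = array(
    'Full_Name'          => 'Jane Doe',
    'Email'              => 'jane@example.com',
    'Comments_Questions' => "Hello,\r\nI like the paintings.",
);

print_r(validateContactForm($sample));
// The thread's original single-line pattern applied to the same comment.
var_dump((bool) preg_match('/^[A-Za-z0-9 ]{3,20}$/', $sample['Comments_Questions']));
```

On the constructed sample every field passes and the error array comes back empty, while the thread's original `^[A-Za-z0-9 ]{3,20}$` pattern returns false on the multi-line comment, which is the failure jpadie describes. Keeping a distinct error variable per field (here the array key) also avoids the $error_name reuse noted in point 3.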

 
As stated above I am using this validation:




I had a client side javascript validation of the form. But it wasn't secure because it could easily be hacked. I kept receiving blank form results or form results with junk characters.

I am trying to create a server-side validation with PHP.

So that is what I am using in the link above.

I tried to reconfigure the example above to work with my form. It is not working because if you go to the test link I supplied and submit without entering any characters, it doesn't prompt you with an error message.




Artist/Designer
 
OK, I think I found some errors and fixed them....

If you test the link:



> I have the full name and email fields checked for content.

> Click the submit button without entering info and notice the "enter valid.." message (I still need to use CSS to change it to red and a smaller font).

> The problem is how do I get it to send the data to me by email using formmail and then go to a sent page?

Any thoughts?


validation code

Code:
<?php
if($_POST)
{
$FullName = $_POST['FullName'];
$Email = $_POST['Email'];
//$CommentsQuestions = $_POST['CommentsQuestions'];

// Full Name
if (eregi('^[A-Za-z0-9 ]{3,20}$',$FullName))
{
$valid_FullName=$FullName;
}
else
{
$error_FullName='Enter valid Full Name.';
}


// Email
if (eregi('^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$', $Email))
{
$valid_Email=$Email;
}
else
{
$error_Email='Enter valid Email.';
}


//// Comment
//if (eregi('/^([A-Za-z0-9,.;:\(\)\&\%\$\£\@\!"\']|\n|\s)+$/i', $CommentsQuestions))
//{
//$valid_CommentsQuestions=$CommentsQuestions;
//}
//else
//{
//$error_CommentsQuestions='Enter valid Comment.';
//}


if((strlen($valid_FullName)>0)&&(strlen($valid_Email)>0) )
{
//mysql_query(" SQL insert statement ");
header("Location: contact_sent.html");
}
else{ }

}
?>



contact.php code

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<meta name="description" content="The website and portfolio of  – Figure painting, Figurative painting, Figurative style, Figure in surroundings, Spatial painting, Floating, Painting of Swimming, Swimming figures, Swimming paintings, Water motif, Figure in water, Realistic, Realism, Figuration, Representationalism, New england art, Life painting, Painting from life, Observational art, Observational painting, Painting from observation "/>


<title> | ARTWORK</title>

<link href="css/global_style.css" rel="stylesheet" type="text/css" />
<link href="css/contactform.css" rel="stylesheet" type="text/css" />
<link rel="stylesheet" href="css/font_stylesheet.css" type="text/css" charset="utf-8" />




</head>

<body>

<div id="container">

  
   <div id="header">   
  <center><a href="index.html"><img src="images/title.jpg" width="502" height="82" alt="_title" border="0" /></a>
  </center></div>




<div id="navbckgrnd">

	<div id="nav_menucontainer">
<ul id="navmenu">
            <li><a href="paintings.html" >Paintings</a></li>
            <li><a href="bio.html" >Biography</a></li>
            <li><a href="contact.html" >Contact</a></li>
        </ul>
	</div>
     
</div>

<div id="sitemap"><a href="index.html">home</a> | contact</div>


<?php include("formvalidate.php"); ?>

<div id="formwrap">
<form name="myForm" action="" method="post">

<fieldset>
<div class="row"><label class="col1">Full Name:&nbsp;&nbsp;</label>
  <span class="col2">
  <input name="FullName" class="input" type="text" id="First Name" size="20" tabindex="1" style="font-size:17px;"  value="<?php echo $valid_FullName; ?>"/> <?php echo $error_FullName; ?> 
  </span></div>


  <div class="row"><label class="col1">Mailing List:&nbsp;&nbsp;</label>
  <span class="col2">
<input name="Mailing List" type="checkbox" value="Please add me to the mailing list." />
<font size="2">Please add me to the mailing list.</font>
  </span></div> 

<div class="row"><label class="col1">Email:&nbsp;&nbsp;</label>
  <span class="col2">
  <input name="Email" class="input" type="text" id="Email" size="20" tabindex="2"  style="font-size:17px;" value="<?php echo $valid_Email; ?>"/> <?php echo $error_Email; ?>
  </span> 
  </div>
  

<div class="row"><label class="col1">Comments:&nbsp;<br />Questions&nbsp;&nbsp; </label>
  <span class="col2">
  
  <textarea name="CommentsQuestions" class="input" type="text" id="comments" cols="18" rows="5" tabindex="2" style="font-size:17px;"value=""/>  </textarea>  
    
  </span></div>
  
    
      <div id="formbuttonsContainer">
      <input type="submit"  class="submitButton"/>
    </div>
  
    
 </fieldset> 
</form>


</div>

        <div id="footer">
        <div class="copyright" >© 1999-2011 test. All Rights Reserved.</div>
        </div>


</div>

</body>
</html>


Artist/Designer
 
So you're now not validating the comments field? It would have worked fine had you used preg_match rather than eregi. Ereg* is now a deprecated function set.

To mail information to yourself, use the mail() function, or use PHPMailer.


 
I would think the comments section is optional.

I'm not a coding expert....

================================================

I don't know what's going on.... While I have a test site up I'm still getting blank emails. Any thoughts why?

I'm currently using formmail.php.

I just noticed something.... In a few of the websites I designed it is easy to look at my code and see I am using "formmail.php". Then a user can enter formmail in the URL line and the page will just go to the sent HTML page without any data.

I looked at some other contact pages that have a PHP script in the action section, but I wasn't able to get the page to send a mail without entering data.

How do I protect the directory? Make it hack proof?





Artist/Designer
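The two open questions in this thread, how to hand validated data to mail() and then show the sent page, and why a mail script that anyone can open by URL produces blank emails, have the same answer: the script must refuse to send unless it was reached by a POST that passed validation. The following is an added example, not the formmail.php the poster uses and not code from anyone in the thread. It assumes the form posts to this script with the FullName, Email and CommentsQuestions fields from the thread, assumes a hidden "Website" input added to the form as a honeypot, and uses placeholder addresses for the recipient and sender.

```php
<?php
// Added example, not the thread's formmail.php: a mail step that only
// sends when it was reached by a POST carrying validated data, so typing
// its URL into the address bar produces neither a blank email nor the
// "sent" page. The recipient address, sender address and the hidden
// Website field are assumptions; contact_sent.html is the thread's file name.

/** Returns the list of problems with a submission; empty means it may be mailed. */
function contactErrors(array $post)
{
    $errors = array();
    foreach (array('FullName' => 'Full Name', 'Email' => 'Email') as $field => $label) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "The $label field is required.";
        }
    }
    // FILTER_VALIDATE_EMAIL also rejects addresses containing line breaks,
    // which keeps the Reply-To header below to a single line.
    if (isset($post['Email']) && filter_var(trim($post['Email']), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'The Email address is not valid.';
    }
    // Honeypot against robots: the form carries a hidden "Website" input that
    // people never see; a submission that fills it in is discarded.
    if (!empty($post['Website'])) {
        $errors[] = 'Submission rejected.';
    }
    return $errors;
}

/** Builds the message body from the validated fields. */
function contactBody(array $post)
{
    $comments = isset($post['CommentsQuestions']) ? trim($post['CommentsQuestions']) : '';
    return "Name: " . trim($post['FullName']) . "\n"
         . "Email: " . trim($post['Email']) . "\n\n"
         . $comments . "\n";
}

// 1. Only a POST from the form is accepted; a GET (the URL typed in
//    directly, or a robot fetching it) gets a refusal and no mail.
$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
if ($method !== 'POST') {
    header('HTTP/1.1 405 Method Not Allowed');
    exit('Please use the contact form.');
}

// 2. Nothing is mailed unless the data passed validation.
$errors = contactErrors($_POST);
if (count($errors) > 0) {
    header('HTTP/1.1 400 Bad Request');
    foreach ($errors as $message) {
        echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'), "<br />\n";
    }
    exit;
}

// 3. The recipient is fixed here and never taken from the request.
$to      = 'you@example.com';                 // assumption: the site owner's address
$subject = 'Contact form submission';
$headers = "From: webform@example.com\r\n"    // assumption: a sender on the site's domain
         . "Reply-To: " . trim($_POST['Email']);

if (!mail($to, $subject, contactBody($_POST), $headers)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('The message could not be sent. Please try again later.');
}

// 4. Redirect only after a successful send; header() must run before any
//    HTML output, and exit stops the script from continuing.
header('Location: contact_sent.html');
exit;
```

Two things about placement matter for the thread's setup. The form's action would point at this script (or contact.php would include it before any HTML is written), because `header('Location: ...')` only works before output starts; in the contact.php posted above, formvalidate.php is included after the page header and navigation have already been sent, so its redirect cannot take effect. And "protecting the directory" is not what stops the blank emails: the script itself has to refuse a request without validated POST data, as steps 1 and 2 do, no matter how its URL was reached.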
 
It seems that you are not currently at a level of skill where you can understand the code that you are taking from third-party sites.

This is a forum for professionals in the IT field. The best advice I can give in that context is that you should never use code from any source that you have not reviewed and fully understood.
 