Kryptronic Software Support Forum


#1 01-30-2011 14:14:57

Design_Wholesale
Member
From: England!
Registered: 11-21-2008
Posts: 1104

Verification of Form Input - What Works Best?

I have put together a form (it says customer_feedback, but I have various purposes in mind for it - at the moment it is intended as a proof of concept, and that's it) and am having problems validating the field content.  I know there are forms built into CCP, but I have had such horrible problems modifying them that it is easier to build outside of the software, borrowing from the software only when necessary to ease implementation with the store.

Anyway, I am happy with the email validation, which seems to work and do as expected.  Validation of the name and comment content is not so good, and is currently being tested with several methods, none of which seem to be working satisfactorily (either on their own or in conjunction with any of the other methods).

This is the form:


Code:

<form action="form.php" method="post">
Name: <input type="text" name="name" />
Comment: <input type="text" name="comment" />
Email: <input type="text" name="email" />
<input type="submit" />
</form>

...and this is the .php for inserting the input into the database:


Code:

<?php

include '/var/wetsocks.php';

//connect to the database
$access = mysql_pconnect("$s","$u","$p");

if (!$access) {

     die('Could not connect: ' . mysql_error());

} // End of if statement.

mysql_select_db("$d") or trigger_error('Query failed: ' . mysql_error($access), E_USER_ERROR);

function emailcheck($field) {

$field=filter_var($field, FILTER_SANITIZE_EMAIL);

     if(filter_var($field, FILTER_VALIDATE_EMAIL)) {

          return TRUE;

     } else {

          return FALSE;

     } // End of if statement.

} // End of function.


$name    = $_POST['name'];
$comment = $_POST['comment'];
$email   = $_POST['email'];


if (isset($_POST['email'])) {

$mailcheck = emailcheck($_POST['email']);

     if (($mailcheck==FALSE) || (empty($_POST['name'])) || (empty($_POST['comment'])) || (empty($_POST['email']))) {

          print 'Not Likely!';

          die();

     } // End of if statement.

} // End of if statement.


if (isset($_POST['name'])) {

     filter_var($_POST['name'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_AMP);

     trim($_POST['name']);
     stripslashes($_POST['name']);
     htmlspecialchars($_POST['name']);

     mysql_real_escape_string($_POST['name']);

} // End of if statement.


if (isset($_POST['comment'])) {

     filter_var($_POST['comment'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_AMP);

     trim($_POST['comment']);
     stripslashes($_POST['comment']);
     htmlspecialchars($_POST['comment']);

     mysql_real_escape_string($_POST['comment']);

} // End of if statement.


$sql="INSERT INTO custom_feedback (name,comment,email) VALUES ('$_POST[name]','$_POST[comment]','$_POST[email]')";

if (!mysql_query($sql,$access)) {

  die('Error: ' . mysql_error());

  } // End of if statement.

// Only report success once the query has actually run.
print 'Record Added!';

?>

...so what I need is some advice on sections like this:


Code:

if (isset($_POST['comment'])) {

     filter_var($_POST['comment'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_AMP);

     trim($_POST['comment']);
     stripslashes($_POST['comment']);
     htmlspecialchars($_POST['comment']);

     mysql_real_escape_string($_POST['comment']);

} // End of if statement.

- is that necessary, will it work to prevent bad data from entering the database, is there a better way, etc.? - My tests so far have not proved to be very helpful.  In fact, it would appear, so far, that none of the above actually does anything at all to prevent any kind of input from being entered into the table hmm ...

Last edited by Design_Wholesale (01-30-2011 14:16:22)

Offline
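As an added example (not code from the post above, and not part of CCP), here is one way to write the validation step so that it either returns the cleaned values or refuses the submission. The field names follow the form above; the length limits, the constructed sample submissions and the use of the mbstring extension are assumptions of the example, and the arrow function needs PHP 7.4 or later.

```php
<?php
// Added example, not code from the original post. It replaces the chain of
// filter_var/trim/stripslashes/htmlspecialchars calls with one validation
// function that either returns the cleaned values or a list of reasons for
// rejecting the submission. Field limits and sample data are assumptions.

const NAME_MAX    = 100;
const COMMENT_MAX = 2000;

/**
 * Validate a customer_feedback submission.
 * Returns ['values' => [...]] on success or ['errors' => [...]] on failure.
 * Nothing is silently "sanitised": bad input is refused, good input is kept
 * exactly as typed (HTML markup included) and encoded later, at output.
 */
function validate_feedback(array $post): array
{
    $errors = [];
    $values = [];

    foreach (['name', 'comment', 'email'] as $field) {
        // A missing field and a non-string (e.g. array) field are both rejected.
        $raw = $post[$field] ?? null;
        if (!is_string($raw)) {
            $errors[$field] = 'missing';
            continue;
        }
        // trim() returns a new string; the original is untouched unless assigned.
        $values[$field] = trim($raw);
        if ($values[$field] === '') {
            $errors[$field] = 'empty';
        }
    }
    if ($errors) {
        return ['errors' => $errors];
    }

    // Reject invalid UTF-8 and control characters (NUL, escape sequences, ...).
    // Newline, carriage return and tab are allowed only in the comment.
    $badChars = ['name' => '/\p{Cc}/u', 'comment' => '/[^\P{Cc}\n\r\t]/u'];
    foreach ($badChars as $field => $pattern) {
        if (!mb_check_encoding($values[$field], 'UTF-8')) {
            $errors[$field] = 'not valid UTF-8';
        } elseif (preg_match($pattern, $values[$field])) {
            $errors[$field] = 'contains control characters';
        }
    }
    if (mb_strlen($values['name']) > NAME_MAX) {
        $errors['name'] = 'longer than ' . NAME_MAX . ' characters';
    }
    if (mb_strlen($values['comment']) > COMMENT_MAX) {
        $errors['comment'] = 'longer than ' . COMMENT_MAX . ' characters';
    }
    // Validate the address as submitted. Running FILTER_SANITIZE_EMAIL first
    // would strip characters and let a mangled address through.
    if (filter_var($values['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
    }

    return $errors ? ['errors' => $errors] : ['values' => $values];
}

// Encode for HTML at the point of output, whatever was stored.
function render_feedback(array $values): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p><b>' . $e($values['name']) . '</b> (' . $e($values['email']) . ")</p>\n"
         . '<p>' . nl2br($e($values['comment'])) . "</p>\n";
}

// Constructed submissions standing in for $_POST.
$submissions = [
    'ok'      => ['name' => '  Design Wholesale ', 'comment' => "Works <b>well</b>.\nThanks!", 'email' => 'dw@example.com'],
    'empty'   => ['name' => '', 'comment' => 'x', 'email' => 'dw@example.com'],
    'control' => ['name' => "Bob\x1b[31m", 'comment' => 'x', 'email' => 'dw@example.com'],
    'email'   => ['name' => 'Bob', 'comment' => 'x', 'email' => 'bob@@example'],
    'array'   => ['name' => ['a', 'b'], 'comment' => 'x', 'email' => 'dw@example.com'],
];

foreach ($submissions as $label => $post) {
    $result = validate_feedback($post);
    if (isset($result['errors'])) {
        echo "$label: rejected ", json_encode($result['errors']), "\n";
    } else {
        echo "$label: accepted\n", render_feedback($result['values']);
    }
}
```

Run it with `php validate.php`. The accepted submission keeps its `<b>` tag in the stored value, and that is fine: the markup is only made harmless by htmlspecialchars() when the record is displayed. The address is checked as typed rather than after FILTER_SANITIZE_EMAIL, which would silently repair a mistyped address. Every string function in PHP returns its result instead of changing its argument, so the cleaned value has to be captured in a variable, as the trim() line above does.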

 

#2 01-30-2011 15:58:50

Dave
Member
Registered: 07-05-2003
Posts: 11233

Re: Verification of Form Input - What Works Best?

FWIW I've been simply using strip_tags on user supplied input for almost 10 years without running into any problems/issues.

Code:

if (isset($_POST['Prop_Owner'])) {$Prop_Owner = strip_tags($_POST['Prop_Owner']);}

I notice that you are not assigning the results of the filtering to a variable so they really aren't doing anything helpful as written.  Instead of

Code:

filter_var($_POST['comment'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_AMP);

use something like

Code:

$_POST['comment'] = filter_var($_POST['comment'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_AMP);

Offline
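An added example, not code from either post: strip_tags() and the other functions discussed here remove or encode HTML, but what decides whether the database can be damaged is how the values reach the SQL statement. The script below contrasts the interpolated INSERT from the first post with a prepared statement. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the DSN, the table and the two constructed rows are assumptions of the example, and on MySQL the same PDO calls apply. The mysql_* functions used in the original script were removed in PHP 7, so PDO or mysqli is what a current install offers anyway.

```php
<?php
// Added example, not code from the original thread. It shows the difference
// between building the INSERT from the posted values by string interpolation
// (the pattern in the first post) and passing them as parameters of a
// prepared statement. SQLite in memory is used so the script runs offline;
// the table and the sample rows are constructed for the demo. For MySQL the
// DSN becomes e.g. 'mysql:host=localhost;dbname=shop;charset=utf8mb4' and you
// would also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the
// client library, keeps SQL text and parameters apart (SQLite rejects that
// attribute, so it is not set here).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE custom_feedback (id INTEGER PRIMARY KEY, name TEXT NOT NULL, comment TEXT NOT NULL, email TEXT NOT NULL)');

// Vulnerable: the values become part of the SQL text, so quotes inside them
// are read as SQL, not as data.
function insert_interpolated(PDO $db, array $row): void
{
    $sql = "INSERT INTO custom_feedback (name, comment, email) VALUES ('{$row['name']}', '{$row['comment']}', '{$row['email']}')";
    $db->exec($sql);
}

// Safe: the SQL text is fixed; the values travel separately as parameters and
// can only ever be stored, never parsed as SQL. No escaping function is needed.
function insert_prepared(PDO $db, array $row): void
{
    $stmt = $db->prepare('INSERT INTO custom_feedback (name, comment, email) VALUES (:name, :comment, :email)');
    $stmt->execute([':name' => $row['name'], ':comment' => $row['comment'], ':email' => $row['email']]);
}

function row_count(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM custom_feedback')->fetchColumn();
}

// Constructed inputs. The first is ordinary data that happens to contain an
// apostrophe; the second is a comment that closes the VALUES tuple early and
// supplies tuples of its own, arranged so the trailing email still lines up.
$legit  = ['name' => "O'Brien", 'comment' => 'Nice shop.', 'email' => 'obrien@example.com'];
$attack = [
    'name'    => 'Bob',
    'comment' => "hi', 'x'), ('Injected', 'extra row', 'attacker@example.com'), ('tail', 'tail",
    'email'   => 'bob@example.com',
];

foreach ([$legit, $attack] as $row) {
    try {
        insert_interpolated($db, $row);
        printf("interpolated: inserted, table now has %d row(s)\n", row_count($db));
    } catch (PDOException $e) {
        printf("interpolated: query failed: %s\n", $e->getMessage());
    }
}

$db->exec('DELETE FROM custom_feedback');
foreach ([$legit, $attack] as $row) {
    insert_prepared($db, $row);
}
printf("prepared: table has %d row(s)\n", row_count($db));

// The payload is stored verbatim, which is correct: it is data. Encoding for
// HTML happens when the row is displayed, not before it is stored.
foreach ($db->query('SELECT name, comment FROM custom_feedback') as $r) {
    echo htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars($r['comment'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With the interpolated INSERT, the apostrophe in O'Brien terminates the string literal and the statement fails, while Bob's comment is parsed as three VALUES tuples and the table gains three rows, one of them named 'Injected'. With the prepared statement each submission is exactly one row and both strings are stored as typed; they are encoded for HTML only when displayed. Stripping tags is a decision about what content you want to keep, not a defence of the query.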

 

#3 02-06-2011 19:00:47

Design_Wholesale
Member
From: England!
Registered: 11-21-2008
Posts: 1104

Re: Verification of Form Input - What Works Best?

Thanks, - that will help a lot. - I had realised that the filters did not seem to be doing anything, but could not work out why, nor had I been able to find anything helpful on using the flags. - There is a big tutorial site that has an extensive tutorial on their use, but their examples are much too vague to really give any insight on the differences between the different flags and their use (well, okay, most people should not need the likes of FILTER_ENCODE_AMP explaining... smile ).

Offline

 
