[End User]

Quote:

Originally Posted by PopSmith

I am thinking that my above use of preg_match would validate that the $c_fname variable, which is the sanitized output of the variable $first_name, contains only characters a-z in either upper or lower case as well as the period or underscore. The {1,15} would limit the preg_match to between 1 and 15 characters.

return preg_match("/^[a-zA-Z\._]{1,15}/")

I believe that's correct, although make sure you escape the period as shown above since it's a meta character. I'm not sure if you want the dollar-sign meta in there- it indicates matching at the end of the line (or before newline at the end) and I don't know if that's what you really want to do or not.

You might grab a copy of Regex Buddy and give it a try, I find it invaluable in creating and working out regex strings.

[PopSmith]

I was experimenting with this again and I can't get it to post any of the information to the database. I have it posting back to the same page and when I hit "Submit" it shows the page minus the forum. I don't have a problem there, from what I know.

However, the information isn't being recorded into the database. I modified the code a bit since I last posted so I'm posting it again. I'll keep playing with it and if I get it to work I'll report back.

The index.php file:

php Code:

<?php
include('../includes/constants.php');
include('../includes/sanitize.php');
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Coming Soon!</title>
</head>
 
<body>
We are trying to get things running, please pardon the virtual dust!
<p>If you would like us to notify you when we get setup fill out the form below with your name and email address.</p>
<?php
if (isset($_POST&#91;'submitted'])) {
        require_once(MYSQL);
        
        //Sanitize data before validation
        $c_fname = sanitize(3, 15, $_POST&#91;'first_name']);
        $c_lname = sanitize(3, 25, $_POST&#91;'last_name']);
        $c_email = sanitize(5, 60, $_POST&#91;'email']);
        $c_email_2 = sanitize(5, 60, $_POST&#91;'email_2']);
        
        //Validate the first name
        return preg_match("/^
        [a-zA-Z]
        [a-zA-Z.-]{1,15}/", $c_fname);
        
        //Validate last name
        return preg_match("/^
        [a-zA-Z]
        [a-zA-Z-]{1,25}/", $c_lname);
        
        //Is the email valid and not empty?
        if (empty($c_email_2)) {
            echo '<p>Please enter your email address in both fields.</p>';
        } else if ($c_email != $c_email_2) {
            echo '<p>The email fields do not match. Please confirm them again.</p>';
        } else {
            function isValidEmail( $c_email = null ) {
            return preg_match( "/^ 
            [\d\w\/+!=#|$?%{^&}*`'~-] 
            [\d\w\/\.+!=#|$?%{^&}*`'~-]*@ 
            [A-Z0-9] 
            [A-Z0-9.-]{1,60} 
            [A-Z0-9]\. 
            [A-Z]{2,6}/", $c_email);
                }
        }
 
        if (!empty($c_email) && $c_email == $c_email_2) {
            $access = "SELECT Email FROM customers WHERE Email='$c_email'";
            $r = mysqli_query($dbc, $access) or trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error($dbc));
        }
        
        //Insert information if email is unique:
        if (mysqli_num_rows($r) == 0) {
            $access = "INSERT INTO customers (email, first, last) VALUES ('$c_email', '$c_fname', '$c_lname')";
            $r = mysqli_query($dbc, $access) or trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error($dbc));
        } else {
            echo '<p>Your email address could not be recorded due to an error, please try again.</p>';
}
mysqli_close($dbc);
} // End Submit IF.
?>
<form action="index.php" method="post">
<fieldset>
<p><b>First name:</b> <input type="text" name="first_name" size="20" maxlength="15" value="<?php if(isset($c_fname)) echo $c_fname; ?>" /></p>
<p><b>Last name:</b> <input type="text" name="last_name" size="20" maxlength="25" value="<?php if(isset($c_lname)) echo $c_lname; ?>" /></p>
<p><b>Email Address:</b> <input type="text" name="email" size="30" maxlength="60" value="<?php if(isset($c_email)) echo $c_email; ?>" /> (Required)</p>
<p><b>Confirm email address:</b> <input type="text" name="email_2" size="30" maxlength="60" value="<?php if(isset($c_email_2)) echo $c_email_2; ?>" /> (Required)</p>
<br />
</fieldset>
<div class="center"><input type="submit" name="submit" value="Register" /></div>
<input type="hidden" name="submitted" value="TRUE" />
</form>
</body>
</html> 

Constants.php:

php Code:

<?php
define('BASE_URL', 'http://mysite.com');
define('MYSQL', '../SQL/mysqli_connect.php');
?> 

php Code:

<?php
//Set database access information:
DEFINE('DB_USER', '********');
DEFINE('DB_PASSWORD', '********');
DEFINE('DB_HOST', '*****');
DEFINE('DB_NAME', '******');
 
//Attempt to connect to MySQL
$dbc = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if (!$dbc) {
    trigger_error('Could not connect to MySQL: ' . mysqli_connect_error() );
}
?> 

[PopSmith]

Sorry for the bump, it seems the forum has a time limit before you can't edit a post anymore which is why I am posting this instead of editing my previous post:

I was debugging my form earlier and decided to add echoes due to it's strange behavior to see if I could tell where it's getting stuck. I added echoes after specific events so I could tell where the code stops processing.


The code appears to be getting stuck on the preg_matches, here is the php part of the code. Other than the echoes I haven't changed any code from my previous post. If I fix the problem I'll report back:

php Code:

<?php
if (isset($_POST&#91;'submitted'])) {
        echo "Successful submit!";
        require_once('../includes/sanitize.php');
    
        //Sanitize data before validation
        $c_fname = sanitize(3, 15, $_POST&#91;'first_name']);
        $c_lname = sanitize(3, 25, $_POST&#91;'last_name']);
        $c_email = sanitize(5, 60, $_POST&#91;'email']);
        $c_email_2 = sanitize(5, 60, $_POST&#91;'email_2']);
        
        echo "Sanitization complete!";
        
        require_once(MYSQL);
        
        echo "MySQL included!";
        
        //Validate the first name
        return preg_match("/^[a-zA-Z\.]{1,15}/", $c_fname);
        
        echo "Preg_match for first name should have worked!";
        
        //Validate last name
        return preg_match("/^
        [a-zA-Z\-.]{1,25}/", $c_lname);
        
        echo "Name(s) validated!";
        
        //Is the email valid and not empty?
        if (empty($c_email_2)) {
            echo '<p>Please enter your email address in both fields.</p>';
        } else if ($c_email != $c_email_2) {
            echo '<p>The email fields do not match. Please confirm them again.</p>';
        } else {
            function isValidEmail( $c_email = null ) {
            return preg_match( "/^ 
            [\d\w\/+!=#|$?%{^&}*`'~-] 
            [\d\w\/\.+!=#|$?%{^&}*`'~-]*@ 
            [A-Z0-9] 
            [A-Z0-9.-]{1,60} 
            [A-Z0-9]\. 
            [A-Z]{2,6}/", $c_email);
                }
        }
        
        echo "Emails are valid!";
 
        if (!empty($c_email) && $c_email == $c_email_2) {
            $access = "SELECT Email FROM customers WHERE Email='$c_email'";
            $r = mysqli_query($dbc, $access) or trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error($dbc));
        }
        
        //Insert information if email is unique:
        if (mysqli_num_rows($r) == 0) {
            $access = "INSERT INTO customers (Email, First, Last) VALUES ('$c_email', '$c_fname', '$c_lname')";
            $r = mysqli_query($dbc, $access) or trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error($dbc));
        } else {
            echo '<p>Your email address could not be recorded due to an error, please try again.</p>';
}
mysqli_close($dbc);
} // End Submit IF.
?> 

[wirehopper]

You might want to change the 'return preg_match' lines to:

PHP Code:

$bResult=preg_match( ... );

if (!$bResult)  /* If it didn't match okay */

  return false;



/* Match okay, continue processing */ 

[PopSmith]

Thanks wirehopper, that did the trick and now the form is fully processing.

However, it looks like either the preg_match or the sanitizer script is inserting the letter "x" into the beginning (and other places) in the fields. I'll see if I can figure out the problem but here is what it's doing:

As a test I entered the following into the forum; all without the quotes and the output was placed successfully into the MySQL database:

First name: "Franky"
Output: "xFranky"

Last name: "Miller"
Output: "xMilxer"

Email (same in both fields): "franky@mailinator.com"
Output: "xfraxnky@xmaixlinxator.xcom"

If I figure out a solution I'll report back.

EDIT: I used echo so I could see the variables pre- and post-sanitize by simply echoing both the variables and it looks like the sanitizer is placing the "x" into the variable, just FYI.

[End User]

Quote:

Originally Posted by PopSmith

However, it looks like either the preg_match or the sanitizer script is inserting the letter "x" into the beginning (and other places) in the fields.

Mighty weird....I've not see this issue before so I'm not sure what to say. I took a quick look but didn't see anywhere that the sanitizer should do this, but maybe I missed something. Did you modify it at all, add anything, remove anything, etc?

There are a lot of 'x' chars used in the sanitizer matching items like 'x00' (the null character) and 'x20' (a space), but I can't think of any reason it would substitute just the 'x'.

Try commenting out the sanitizer lines and see if it passes the data normally. (Or comment out the preg_match() lines and see what happens.)

[wirehopper]

Check the number of backslashes in the related preg calls.

Sometimes, when code is posted here, backslashes get removed.

[PopSmith]

Quote:

Originally Posted by End User

Mighty weird....I've not see this issue before so I'm not sure what to say. I took a quick look but didn't see anywhere that the sanitizer should do this, but maybe I missed something. Did you modify it at all, add anything, remove anything, etc?

I only added one modification to the script. I did it so I could remember how to use the script in case I ever forget.

php Code:

/////////////////////////////////////////////////////////////
// Example- allow numbers and letters up to 50 chars in the variable "$foo"
// $foo = sanitize(2, 50, $_POST['name']);
///////////////////////////////////////////////////////////// 
 

I added that directly below the dtype explanations.

Quote:

Originally Posted by End User

There are a lot of 'x' chars used in the sanitizer matching items like 'x00' (the null character) and 'x20' (a space), but I can't think of any reason it would substitute just the 'x'.

Try commenting out the sanitizer lines and see if it passes the data normally. (Or comment out the preg_match() lines and see what happens.)

I commented out the sanitizer lines in my code and by doing so the script now prints and passes everything to the MySQL database correctly. I'm wondering if something got screwed up when I copied the sanitize script originally.

Quote:

Originally Posted by wirehopper

Check the number of backslashes in the related preg calls.

Sometimes, when code is posted here, backslashes get removed.

Everything there looks OK. However, I'll go over the sanitizer script again just to double check it.

[End User]

Quote:

Originally Posted by wirehopper

Check the number of backslashes in the related preg calls.
Sometimes, when code is posted here, backslashes get removed.

Hmmm, I'm betting that's probably it.

[PopSmith]

I believe I found and fixed the error. I wasn't quite sure how to best go about finding it so I went line by line, commenting each one out and uploading it.

Turns out the error was in this section:

php Code:

// URL Decode 
// Just in case stuff like this is submitted: 
// <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a> 
// Note: Normally urldecode() would be easier but it removes plus signs 
    $data = preg_replace("/([a-z0-9]{3})/i", "&#x\\1;", $data); 
    $data = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $data); 

When I commented out $data = preg_replace("/([a-z0-9]{3})/i", "&#x\\1;", $data); the error went away. By looking at the next line I figured "Put a % in that same spot and try it". That fixed the problem!

Basically it's supposed to be:
$data = preg_replace("/%([a-z0-9]{3})/i", "&#x\\1;", $data);

Instead of:
$data = preg_replace("/([a-z0-9]{3})/i", "&#x\\1;", $data); <-- Missing % after the forward slash.

However, I don't see how that line was causing an "x" to be added to the data.