[PopSmith]

I have been looking at End Users' script for sanitizing data and was wondering how to use it. I have a general idea but I'm not sure if it is correct.

I am planning on having a "Coming soon" image (which I haven't made yet) on my temporary homepage as well as some text that says "If you would like us to email you when the site is launched fill out the form below."

I also plan on adding BotScout and ReCAPTCHA to this once I get it working to help prevent spambots from attacking the site.

I intend on having the only mandatory field be their email address with their first and last name being optional. So far here is what I've come up with, although I am pretty sure I've screwed up somewhere, which is why I am asking for help with it.

The reason I don't have the image linked, or the code for ReCAPTCHA/BotScout is because I figured I should K.I.S.S. and try to get the base of it working first.

Main page:

php Code:

<?php include('./includes/stuff/sanitize.php');
include('./includes/stuff/constants.php');?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Coming Soon!</title>
</head>
 
<body>
The site will be launching soon!
<p>If you would like us to email you when the site is launched fill out the form below.</p>
<?php
if (isset($_POST&#91;'submitted'])) {      
        require_once('MYSQL');
        
        //Sanitize data
        $c_fname = sanitize(3, 20, $_POST&#91;'first_name']);
        $c_lname = sanitize(3, 40, $_POST&#91;'last_name']);
        $c_email = sanitize(5, 50, $_POST&#91;'email']);
        
        if (empty($c_email)) {
            echo '<p>Please enter your email address.</p>';
        } elseif (!empty($c_email)) {
            $access = "SELECT email FROM customers WHERE email='$c_email'"
            $r = mysqli_query($dbc, $access) or trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error($dbc));
        }
        
        //Insert information if email is unique:
        if (mysqli_num_rows($r) == 0) {
            $access = "INSERT INTO customers (email) VALUES ('$c_email')";
            $r = mysqli_query($dbc, $access) or trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error($dbc));
} else {
    echo '<p>Your email address could not be recorded due to an error, please try again.</p>';
}
mysqli_close($dbc);
?>
<form action="sanitize.php" method="post">
<fieldset>
<p><b>First name:</b> <input type="text" name="first_name" size="20" maxlength="15" value="<?php if(isset($cleaned_fname)) echo $c_fname; ?>" /></p>
 
<p><b>Last name:</b> <input type="text" name="last_name" size="20" maxlength="25" value="<?php if(isset($cleaned_lname)) echo $c_lname; ?>" /></p>
 
<p><b>Email Address:</b> <input type="text" name="email" size="30" maxlength="50" value="<?php if(isset($cleaned_email)) echo $c_email; ?>" /></p>
 
<div class="center"><input type="submit" name="submit" value="Register" /></div>
<input type="hidden" name="submitted" value="TRUE" />
</form>
</body>
</html> 

I don't have the spacing between forum fields (other than the paragraph tags) like I do above, I just did that so it would be easier to read.

Sanitize code removed.

constants.php Code:

<?phpdefine('BASE_URL', 'http://mywebsite.com');define('MYSQL', '../SQL/mysqli_connect.php');?>

and, finally, mysqli_connect.php I edited the user information in the script below to random stuff:

php Code:

<?php
//Set database access information:
DEFINE('DB_USER', '**********');
DEFINE('DB_PASSWORD', '********');
DEFINE('DB_HOST', 'localhost');
DEFINE('DB_NAME', 'blah');
 
//Attempt to connect to MySQL
$dbc = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if (!$dbc) {
    trigger_error('Could not connect to MySQL: ' . mysqli_connect_error() );
}
?> 

Again the reason I am even posting this is because I am not sure how to use End Users' script and would like to in order to help prevent my server from being hijacked.

[wirehopper]

I use sanitize for inputs that can't be validated - like textareas or strings where the user can type anything they want to.

For other inputs, all data must be valid.

[End User]

Looks like you're using it correctly to me. What part are you having trouble with?

PHP Code:

$c_fname = sanitize(3, 20, $_POST['first_name']);

$c_lname = sanitize(3, 40, $_POST['last_name']);

$c_email = sanitize(5, 50, $_POST['email']); 

[PopSmith]

Quote:

Originally Posted by End User

Looks like you're using it correctly to me. What part are you having trouble with?

PHP Code:

$c_fname = sanitize(3, 20, $_POST['first_name']);

$c_lname = sanitize(3, 40, $_POST['last_name']);

$c_email = sanitize(5, 50, $_POST['email']); 

I haven't actually put it up on my server yet, though I will be doing that in a few hours. I just wanted to get some sort of confirmation that it was at least somewhat correct before it goes "live".

I will test it out after I upload it and if it gives me problems I'll report back.

[wirehopper]

It is 'somewhat correct', but you need to validate it as well as sanitize.

Sanitize will protect your server, application, and data - but it won't ensure the email address is valid. You need to test for a valid email address before letting it go live.

[PopSmith]

@wirehopper,

OK I will look around and see what I can find on validation around here as well as the web.

I assume that one should sanitize the input and then validate it to make sure it's still valid after it's sanitized, correct?

[End User]

Quote:

Originally Posted by PopSmith

I assume that one should sanitize the input and then validate it to make sure it's still valid after it's sanitized, correct?

Correct. Clean it and then check it to make sure it's legit data. Here's some simple email validation code:

PHP Code:

function isValidEmail( $email = null ){

    return preg_match( "/^

    [\d\w\/+!=#|$?%{^&}*`'~-]

    [\d\w\/\.+!=#|$?%{^&}*`'~-]*@

    [A-Z0-9]

    [A-Z0-9.-]{1,61}

    [A-Z0-9]\.

    [A-Z]{2,6}$/ix", $email );

}

?> 

Or:

PHP Code:

function checkEmail($email) {

    if (ereg("^[a-zA-Z0-9][a-zA-Z0-9_\.\-]*[@][a-zA-Z0-9\.\-]*[\.][a-zA-Z]{2,4}$", $email)) {

        return TRUE;

    } else {

        return FALSE;

    }

}

?> 

[PopSmith]

Thanks for the validation stuff, End User.

I experimented with that code and so here is my index.php file again. I just want to make sure that I'm using, and understanding, the usage of preg_match correctly.

I've gathered that preg_match checks whatever variable is listed after the comma against the specified parameters. For my $c_fname variable it would only be returned to the form if it contains only upper or lowercase A-Z as well as periods and dashes. It also must be between 1 and 15 characters as dictated by the {1,15}.

php Code:

<?php include('../includes/stuff/sanitize.php');
include('../includes/stuff/constants.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Coming Soon!</title>
</head>
 
<body>
We are hard at work getting the site up and running! We are hoping to get running by early December!
<p>If you would like us to notify you when we get setup fill out the form below with your name and email address.</p>
<?php
if (isset($_POST&#91;'submitted'])) {
        require_once('MYSQL');
        
        //Sanitize data before validation
        $c_fname = sanitize(3, 15, $_POST&#91;'first_name']);
        $c_lname = sanitize(3, 25, $_POST&#91;'last_name']);
        $c_email = sanitize(5, 60, $_POST&#91;'email']);
        $c_email_2 = sanitize(5, 60, $_POST&#91;'email_2']);
        
        //Validate the first name
        return preg_match("/^
        [a-zA-Z]
        [a-zA-Z.-]{1,15}$/ix", $c_fname );
        
        //Validate last name
        return preg_match("/^
        [a-zA-Z]
        [a-zA-Z-]{1,25}$/ix", $c_lname);
        
        //Is the email valid and not empty?
        if (empty($c_email && $c_email_2)) {
            echo '<p>Please enter your email address.</p>';
        } else if ($c_email != $c_email_2) {
            echo '<p>The email fields do not match. Please confirm them again.</p>';
        } else {
            function isValidEmail( $c_email = null ) {
            return preg_match( "/^ 
            [\d\w\/+!=#|$?%{^&}*`'~-] 
            [\d\w\/\.+!=#|$?%{^&}*`'~-]*@ 
            [A-Z0-9] 
            [A-Z0-9.-]{1,60} 
            [A-Z0-9]\. 
            [A-Z]{2,6}$/ix", $c_email );
                }
        }
 
        (!empty($c_email) && $c_email == $c_email_2) {
            $access = "SELECT email FROM customers WHERE email='$c_email'"
            $r = mysqli_query($dbc, $access) or trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error($dbc));
        }
        
        //Insert information if email is unique:
        if (mysqli_num_rows($r) == 0) {
            $access = "INSERT INTO customers (email) VALUES ('$c_email')";
            $r = mysqli_query($dbc, $access) or trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error($dbc));
        } else {
            echo '<p>Your email address could not be recorded due to an error, please try again.</p>';
}
mysqli_close($dbc);
?>
<form action="sanitize.php" method="post">
<fieldset>
<p><b>First name:</b> <input type="text" name="first_name" size="20" maxlength="15" value="<?php if(isset($c_fname['first_name'])) echo $c_fname['first_name']; ?>" /></p>
<p><b>Last name:</b> <input type="text" name="last_name" size="20" maxlength="25" value="<?php if(isset($c_lname['last_name'])) echo $c_lname['last_name']; ?>" /></p>
<p><b>Email Address:</b> <input type="text" name="email" size="30" maxlength="60" value="<?php if(isset($c_email['email'])) echo $c_email['email']; ?>" /> (Required)</p>
<p><b>Confirm email address:</b> <input type="text" name="email_2" size="30" maxlength="60" value="<?php if(isset($c_email_2['email_2'])) echo $c_email_2['email_2']; ?>" /> (Required)</p>
<br />
</fieldset>
<div class="center"><input type="submit" name="submit" value="Register" /></div>
<input type="hidden" name="submitted" value="TRUE" />
</form>
</body>
</html> 

[End User]

Quote:

Originally Posted by PopSmith

For my $c_fname variable it would only be returned to the form if it contains only upper or lowercase A-Z as well as periods and dashes. It also must be between 1 and 15 characters as dictated by the {1,15}.

With this usage:

$c_fname = sanitize(3, 15, $_POST['first_name']);

....the '15' means it will truncate anything over 15 chars long. No minimum length is enforced.
The '3' means it'll pass numbers and letters, with a couple of other chars:

// allow only alphanumeric characters, space, '_', period, colon, and '-'
$data = preg_replace("/[^0-9a-zA-Z~\-\ \.\:\_]/",'', $data);

[PopSmith]

I was looking over my previous response and realized that I didn't make any sense, compared to what I really meant to ask about.

I am actually looking for clarification on the preg_match function as I used here:

php Code:

//Validate the first name
return preg_match("/^
[a-zA-Z]
[a-zA-Z._]{1,15}$/ix", $c_fname ); 

I am thinking that my above use of preg_match would validate that the $c_fname variable, which is the sanitized output of the variable $first_name, contains only characters a-z in either upper or lower case as well as the period or underscore. The {1,15} would limit the preg_match to between 1 and 15 characters.

However, I could (and probably am) wrong in my thinking.