looking for a php script to clean up form info before sending

dreamydesigner · #1 (**permalink**) 04-01-08, 05:53 PM

I have a html page with a basic quote form, in which the form info gets emailed to me. I have recently experienced virus issues because of scripts being submitted through my form. I need some sort of php script which removes special characters or something like that, and I can add to my current for. I'm not sure what, if any, of my script you might need to see in order to answer this question. Please let me know!

Thanks so much.

TheKiser · #2 (**permalink**) 04-01-08, 06:39 PM

Give us the form and the code that emails it.

curbview.com · #3 (**permalink**) 04-02-08, 02:39 AM

Quote:

Originally Posted by TheKiser

Give us the form and the code that emails it.

What for? All the OP needs is a regex to allow for certain characters being submitted. For example, the php script should not allow anything but [a-zA-Z a space and a period] to sanitize the name field. Another slightly modded regex to allow the "@" sign and, viola, you're done.

-OR-

Add a captcha to the form. Which ever is simpler for the OP.

dreamydesigner · #4 (**permalink**) 04-02-08, 11:30 AM

Hi curbview,
Thanks for your suggestion. While I am not at all scared of tweaking code, I have to admit that I do not regularly write it. I am still quite a beginner, actually, more of a designer. I did not understand some of what you said, like what an "OP" is or a modded regex. Do you know of an existent script I could modify? Thanks.

curbview.com · #5 (**permalink**) 04-02-08, 11:54 AM

Quote:

Originally Posted by dreamydesigner

Hi curbview,

Hi,

Quote:

Originally Posted by dreamydesigner

... I did not understand some of what you said, like what an "OP" is

OP stands for "Original Poster" or Original Person

Quote:

Originally Posted by dreamydesigner

or a modded regex.

Here's a modded regex sample to filter out unwanted scripts in the user-submitted form you have on your web site:

PHP Code:


			
$name = $POST_['NAME'];
// let's remove all non-alphanumeric characters from the person's name!
$name = preg_replace('/[^a-zA-Z0-9 ]/', '', $name);

Quote:

Originally Posted by dreamydesigner

Do you know of an existent script I could modify? Thanks.

Taking the above example and using it to filter out people or bots from submitting unwanted code through the form on your web site is easy. You could use the same regex above to filter the address field like so:

PHP Code:


			
$address = $POST_['ADDRESS'];
// let's remove all non-alphanumeric characters from the person's address!
$address = preg_replace('/[^a-zA-Z0-9 ]/', '', $address);

If you need more help, let me know.

TheKiser · #6 (**permalink**) 04-02-08, 03:11 PM

That is a fine solution if you want to strip-out all of the punctuation. Along with anything else that is not a letter, a number, or a space.

The reason I asked to see the form and the script is because he was obviously an novice and it isn't easy to fill in a form and create a virus with it. (Members here excepted.) I wanted to see how the information was collected and how it was processed since what he is describing is a major security breach that should be looked into. I guess I just wanted to give him more than a band-aid.

curbview.com · #7 (**permalink**) 04-02-08, 04:30 PM

Quote:

Originally Posted by TheKiser

I guess I just wanted to give him more than a band-aid.

What do you consider to be a *band-aid* fix? Having been in programming for 15+ years, I don't know of any better way to secure an application than sanitizing user input with a solid regex.

Teach us an even better solution that is shorter code and more secure? I guess I am open to learning the "latest" fashion but rather stick to tried and true methods.... I am a Penetration Tester and this has always worked.

dreamydesigner · #8 (**permalink**) 04-03-08, 11:30 AM

Thanks for both of your suggestions, and for explaining them so well. It is very helpful for me. Here is my script in case either of you would care to look more. I will try adding in the code you gave me and see how it goes, curbview.

I hope it works ok to upload the script in a Word doc. I thought that pasting the whole code from the page right into the forum window might be a little much. Please let me know if it is more optimal to view another way.

curbview.com · #9 (**permalink**) 04-03-08, 10:58 PM

Quote:

Originally Posted by dreamydesigner

Please let me know if it is more optimal to view another way.

NO problem sharing code with you it is what the forum is all about "Programming Talk"... About posting code that you have a problem with:

Only post the relevant sections of your code for the world to see. ( May I also suggest in the future to not use MS WORD to upload code. Use a basic text editor )

Upload a .txt version and I will have a look.

dreamydesigner · #10 (**permalink**) 04-11-08, 02:31 PM

Sorry for delay. I got tied up with some other projects and am just now able to get back to this. Below is the relevant code for my form. Thanks for taking a look.

HTML Code:

<p align="left"><img src="images/quote_header.jpg" width="765" height="234" /></p>
    <!-- InstanceEndEditable --><!-- InstanceBeginEditable name="area2" -->
    <form name="frm" action="/cgi-bin/FormMail.quoteform.pl" method="post" enctype="application/x-www-form-urlencoded" onsubmit="return validate(frm)">