I'm working on validating a form from both client side and server side, but there seems to be a bug. When I submit my form with my first name as Jeremy$ it still lets me in. Can anyone see anything super wrong with this, other than error handling?

```php
$userName = $_POST['userName'];
$firstName = $_POST['firstName'];
$lastName = $_POST['lastName'];
$userCountry = $_POST['userCountry'];
$userCity = $_POST['userCity'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$email = $_POST['userEmail'];
$email2 = $_POST['userEmail2'];
$tou = $_POST['tou'];
$verCode = '';
$regSpec1 = "/\W/";
$regSpec2 = '/[^a-zA-Z0-9|@|_|-|.]/';
$regSpec3 = '/[^a-zA-Z0-9|\s]/';
$error = '';

// Test all post data for correct information.
foreach($_POST as $key => $val) {
    // Test all required fields for empty.
    if($key != 'userCountry' && $key != 'userCity' && $key != 'tou') {
        if($val == "") {
            $error = 'empty field';
        }
    }

    // Test all non special elements for special characters
    if($key != 'userEmail' || $key != 'userEmail2' || $key != 'password' || $key != 'password2' || $key != 'userCountry' || $key != 'userCity' || $key != 'userName') {
        if(preg_match($regSpec1, $key)) {
            $error = 'special';
        }
    }

    // Test all special fields for invalid characters
    if($key == 'userName' || $key == 'password' || $key == 'password2' || $key == 'email' || $key == 'email2') {
        if(preg_match($regSpec2, $key)) {
            $error = 'special';
        }
    }

    // Test city for anything other than whitespace and letters
    if($key == 'userCity' && preg_match($regSpec3, $key)) {
        $error = 'special';
    }
}

if($password != $password2 && $email != $email2) {
    $error = 'password or email doesn\'t match';
}

if(!$tou) {
    $error = 'no policy';
}

if($error != '') {
    // There was an error in the form go back to index before registering
    header('Location: ../../../index.php?error=yes');
    exit;
}
```
lol, I actually just found that. I simplified a bit too. I think once I add testing for string length and proper error handling I'll have a pretty tight validation. Let me know if there are any other red flags in here.

```php
$userName = $_POST['userName'];
$firstName = $_POST['firstName'];
$lastName = $_POST['lastName'];
$userCountry = $_POST['userCountry'];
$userCity = $_POST['userCity'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$email = $_POST['userEmail'];
$email2 = $_POST['userEmail2'];
$tou = $_POST['tou'];
$verCode = '';
$regSpec1 = "/\W/";
$regSpec2 = '/[^a-zA-Z0-9|@|_|-|.]/';
$regSpec3 = '/[^a-zA-Z0-9|\s]/';
$error = '';

// Test all post data for correct information.
foreach($_POST as $key => $val) {
    // Test all required fields for empty.
    if($key != 'userCountry' && $key != 'userCity' && $key != 'tou') {
        if($val == "") {
            $error = 'empty field';
        }
    }

    // Test all non special elements for special characters
    if($key == 'firstName' || $key == 'lastName') {
        if(preg_match($regSpec1, $val)) {
            $error = 'non special spec';
        }
    }

    // Test all special fields for invalid characters
    if($key == 'userName' || $key == 'password' || $key == 'password2' || $key == 'email' || $key == 'email2') {
        if(preg_match($regSpec2, $key)) {
            $error = 'email and others spec';
        }
    }

    // Test city for anything other than whitespace and letters
    if($key == 'userCity' && preg_match($regSpec3, $key)) {
        $error = 'City alone spec';
    }
}

// Test email for proper symbols.
if(!strpos($email, '@') || !strpos($email, '.') || !strpos($email2, '@') || !strpos($email2, '.')) {
    $error = 'invalid email';
}

if($password != $password2 || $email != $email2) {
    $error = 'password or email doesn\'t match';
}

if(!$tou) {
    $error = 'no policy';
}

if($error != '') {
    // There was an error in the form go back to index before registering
    header('Location: ../../../index.php?error=' . $error);
    exit;
}
```
You might wanna better the email-validation a bit - right now, I could make an email like this: @. and it would be valid. Just use the built-in PHP functions:

```php
filter_var($email, FILTER_VALIDATE_EMAIL);
```

It'll return false if not valid.
You could also check if the email's domain has an MX record.

```php
if(!checkdnsrr($domain,'MX')) {
    // domain is not valid
}
```
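Added example, not code from any poster in this thread: one way to apply the checks discussed above to each field's value with anchored allow-list patterns, `filter_var()` for the email and the optional MX lookup. The function name `validate_registration`, the `$checkMx` switch and all length limits are assumptions; the field names are the ones used in the thread.

```php
<?php
// Added example; validate_registration() and the length limits are assumptions.
function validate_registration(array $post, bool $checkMx = false): array
{
    // Anchored allow-lists, matched against the VALUE of each field (not its key).
    $rules = [
        'userName'  => '/\A[A-Za-z0-9_.-]{3,32}\z/',
        'firstName' => '/\A[A-Za-z0-9_]{1,50}\z/',   // same set the thread's /\W/ allows
        'lastName'  => '/\A[A-Za-z0-9_]{1,50}\z/',
        'userCity'  => '/\A[A-Za-z0-9 ]{0,64}\z/',   // optional, so empty passes
    ];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = $post[$field] ?? '';
        // A non-string (e.g. firstName[]=x) is rejected before preg_match() runs.
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'invalid characters or length';
        }
    }
    $email = $post['userEmail'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['userEmail'] = 'invalid email';
    } elseif ($email !== ($post['userEmail2'] ?? '')) {
        $errors['userEmail2'] = 'emails do not match';
    } elseif ($checkMx && !checkdnsrr(substr(strrchr($email, '@'), 1), 'MX')) {
        $errors['userEmail'] = 'domain has no MX record';   // needs DNS access
    }
    $password = $post['password'] ?? '';
    if (!is_string($password) || strlen($password) < 8) {    // minimum is assumed
        $errors['password'] = 'password too short';
    } elseif ($password !== ($post['password2'] ?? '')) {
        $errors['password2'] = 'passwords do not match';
    }
    if (empty($post['tou'])) {
        $errors['tou'] = 'no policy';
    }
    return $errors;   // an empty array means every check passed
}

// Constructed sample input: the "Jeremy$" submission from the first post.
$sample = [
    'userName' => 'jeremy_1', 'firstName' => 'Jeremy$', 'lastName' => 'Smith',
    'userCity' => 'Salt Lake City', 'userEmail' => 'jeremy@example.com',
    'userEmail2' => 'jeremy@example.com', 'password' => 'correct horse',
    'password2' => 'correct horse', 'tou' => 'on',
];
print_r(validate_registration($sample));
```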