Bug in php validation

Discussion in 'PHP' started by Jeremy Benson, Oct 20, 2014.

  1. #1
    I'm working on validating a form from both client side and server side, but there seems to be a bug. When I submit my form with my first name as Jeremy$ it still lets me in. Can anyone see anything super wrong with this, other than error handling?

    
      $userName = $_POST['userName'];
      $firstName = $_POST['firstName'];
      $lastName = $_POST['lastName'];
      $userCountry = $_POST['userCountry'];
      $userCity = $_POST['userCity'];
      $password = $_POST['password'];
      $password2 = $_POST['password2'];
      $email = $_POST['userEmail'];
      $email2 = $_POST['userEmail2'];
      $tou = $_POST['tou'];
      $verCode = '';

      $regSpec1 = "/\W/";
      $regSpec2 = '/[^a-zA-Z0-9|@|_|-|.]/';
      $regSpec3 = '/[^a-zA-Z0-9|\s]/';

      $error = '';

      // Test all post data for correct information.
      foreach($_POST as $key => $val)
      {
          // Test all required fields for empty.
          if($key != 'userCountry' && $key != 'userCity' && $key != 'tou')
          {
              if($val == "")
              {
                  $error = 'empty field';
              }
          }

          // Test all non special elements for special characters
          if($key != 'userEmail' || $key != 'userEmail2' || $key != 'password' || $key != 'password2' || $key != 'userCountry' || $key != 'userCity' || $key != 'userName')
          {
              if(preg_match($regSpec1, $key))
              {
                  $error = 'special';
              }
          }

          // Test all special fields for invalid characters
          if($key == 'userName' || $key == 'password' || $key == 'password2' || $key == 'email' || $key == 'email2')
          {
              if(preg_match($regSpec2, $key))
              {
                  $error = 'special';
              }
          }

          // Test city for anything other than whitespace and letters
          if($key == 'userCity' && preg_match($regSpec3, $key))
          {
              $error = 'special';
          }
      }

      if($password != $password2 && $email != $email2)
      {
          $error = 'password or email doesn\'t match';
      }

      if(!$tou)
      {
          $error = 'no policy';
      }

      if($error != '')
      {
          // There was an error in the form go back to index before registering
          header('Location: ../../../index.php?error=yes');
          exit;
      }
    
    
    Jeremy Benson, Oct 20, 2014
  2. Anveto

    #2
    Maybe pregmatch on the value instead of the key?
     
    Anveto, Oct 20, 2014
  3. Jeremy Benson

    #3
    lol, I actually just found that. I simplified a bit too. I think once I add testing for string length and proper error handling I'll have a pretty tight validation. Let me know if there are any other red flags in here :)

    
      $userName = $_POST['userName'];
      $firstName = $_POST['firstName'];
      $lastName = $_POST['lastName'];
      $userCountry = $_POST['userCountry'];
      $userCity = $_POST['userCity'];
      $password = $_POST['password'];
      $password2 = $_POST['password2'];
      $email = $_POST['userEmail'];
      $email2 = $_POST['userEmail2'];
      $tou = $_POST['tou'];
      $verCode = '';

      $regSpec1 = "/\W/";
      $regSpec2 = '/[^a-zA-Z0-9|@|_|-|.]/';
      $regSpec3 = '/[^a-zA-Z0-9|\s]/';

      $error = '';

      // Test all post data for correct information.
      foreach($_POST as $key => $val)
      {
          // Test all required fields for empty.
          if($key != 'userCountry' && $key != 'userCity' && $key != 'tou')
          {
              if($val == "")
              {
                  $error = 'empty field';
              }
          }

          // Test all non special elements for special characters
          if($key == 'firstName' || $key == 'lastName')
          {
              if(preg_match($regSpec1, $val))
              {
                  $error = 'non special spec';
              }
          }

          // Test all special fields for invalid characters
          if($key == 'userName' || $key == 'password' || $key == 'password2' || $key == 'email' || $key == 'email2')
          {
              if(preg_match($regSpec2, $key))
              {
                  $error = 'email and others spec';
              }
          }

          // Test city for anything other than whitespace and letters
          if($key == 'userCity' && preg_match($regSpec3, $key))
          {
              $error = 'City alone spec';
          }
      }

      // Test email for proper symbols.
      if(!strpos($email, '@') || !strpos($email, '.') || !strpos($email2, '@') || !strpos($email2, '.'))
      {
          $error = 'invalid email';
      }

      if($password != $password2 || $email != $email2)
      {
          $error = 'password or email doesn\'t match';
      }

      if(!$tou)
      {
          $error = 'no policy';
      }

      if($error != '')
      {
          // There was an error in the form go back to index before registering
          header('Location: ../../../index.php?error=' . $error);
          exit;
      }
    
    
    Jeremy Benson, Oct 20, 2014
  4. PoPSiCLe

    #4
    You might wanna better the email-validation a bit - right now, I could make an email like this: @. and it would be valid.
    Just use the built-in PHP functions: filter_var($email, FILTER_VALIDATE_EMAIL); It'll return false if not valid.
     
    PoPSiCLe, Oct 20, 2014
  5. Anveto

    #5
    You could also check if the email's domain has an MX record.

    
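      // Domain is the part after the last "@"; assumes $email already passed filter_var()
      $domain = substr(strrchr($email, '@'), 1);
      if(!checkdnsrr($domain,'MX'))
      {
          // domain is not valid
      }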
    
    Anveto, Oct 20, 2014
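
Added example, not part of any post in this thread: one way to combine the suggestions above into a single server-side check that matches each submitted value (not its key) against an anchored allow-list, uses filter_var() for the email, and optionally checks for an MX record. The field names come from the thread's form; the function name, the patterns, the length limits and the choice to leave password characters unrestricted are assumptions.

```php
<?php
// Added example: allow-list validation of the submitted VALUES (rules are assumptions).
function validateRegistration(array $post, bool $checkMx = false): array
{
    $errors = [];
    // $_POST entries can be arrays (firstName[]=x), so treat non-strings as ''.
    $get = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';

    // Anchored patterns: the whole value must match. Inside a character class
    // "|" is a literal pipe and "-" between two characters is a range, so the
    // hyphen goes last.
    $rules = [
        'firstName' => '/\A[\p{L}\' -]{1,50}\z/u',
        'lastName'  => '/\A[\p{L}\' -]{1,50}\z/u',
        'userName'  => '/\A[A-Za-z0-9_.-]{3,30}\z/',
        'userCity'  => '/\A[\p{L} ]{0,60}\z/u', // optional, may be empty
    ];
    foreach ($rules as $field => $pattern) {
        if (preg_match($pattern, $get($field)) !== 1) {
            $errors[$field] = 'invalid characters or length';
        }
    }

    // Passwords: length and strict equality only. Loose != compares numeric
    // strings as numbers, so "1e3" and "1000" would count as matching.
    if (strlen($get('password')) < 8 || $get('password') !== $get('password2')) {
        $errors['password'] = 'too short or does not match';
    }

    $email = $get('userEmail');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['userEmail'] = 'invalid email';
    } elseif ($email !== $get('userEmail2')) {
        $errors['userEmail'] = 'emails do not match';
    } elseif ($checkMx && !checkdnsrr(substr(strrchr($email, '@'), 1), 'MX')) {
        $errors['userEmail'] = 'domain has no MX record'; // needs DNS access
    }
    if ($get('tou') === '') {
        $errors['tou'] = 'no policy';
    }
    return $errors;
}

// Constructed sample input: the "Jeremy$" case from the first post.
$sample = ['userName' => 'jbenson', 'firstName' => 'Jeremy$', 'lastName' => 'Benson',
    'password' => 'correct horse', 'password2' => 'correct horse',
    'userEmail' => 'j@example.com', 'userEmail2' => 'j@example.com', 'tou' => 'on'];
print_r(validateRegistration($sample));
```

Collecting errors per field, rather than overwriting a single $error string, keeps an earlier failure from being masked by a later check. If an error code is passed back in the redirect, pass it through urlencode() first.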