
HTML 5 Required Tags

NodeWest-Dan

New Member
Has anyone used the "required" tags when making an input/form? Does it prove to be useful? Would it be better to validate with php?


Sent from my iPhone using Tapatalk
 

NodeWest-Dan

New Member
Thank you. I'll check out the jquery. The html5 looks great in chrome but you never know who will be on what browser.


Sent from my iPhone using Tapatalk
 

joepie91

New Member
Do your checks on the server side no matter what.  You can't trust anything the client sends you.  Client side checks are just icing on the cake.
This. Bolding for importance: never ever ever ever EVER trust the client to do the validation, no matter what you're validating. Client-side validation is purely for user experience purposes (such as instant feedback and marking invalid fields before the form is submitted), not for security.
 

NodeWest-Dan

New Member
Any recommendations on a php server side check?  I'm not necessarily asking for code, but I can't seem to find much of a guide that I can get to work. 

This is what I currently have

Code:
<?php
ob_start();
$name = trim($_POST['name']);
$email = $_POST['email'];
$subject = $_POST['subject'];
$comments = $_POST['comments'];

$site_owners_email = 'email@example'; // Replace this with your own email address
$site_owners_name = 'Example'; // replace with your name

# errors
if (!preg_match("/^[a-zA-Z ]*$/", $name)) {
    $nameErr = "Only letters and spaces are allowed";
}
if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email)) {
    $emailErr = "Invalid email format";
}

if (!$error) {
    require_once('phpMailer/class.phpmailer.php');
    $mail = new PHPMailer();

    $mail->From = $email;
    $mail->FromName = $name;
    $mail->Subject = $subject;
    $mail->AddAddress($site_owners_email, $site_owners_name);
    $mail->Body = $comments;

    $mail->Send();

    $url = "https://www.example.com";
    header("Location: $url");
} # end if no error

ob_end_flush();
?>
 

GIANT_CRAB

New Member
Do this, it changes html into entities:


$comments = htmlentities($comments, ENT_QUOTES | ENT_IGNORE, "UTF-8");

You might also want to apply it to the username, email and subject.

To validate email, use this:


// Written as a plain function here; the original was a class method (public function),
// which does not parse outside a class.
function checkEmail($email)
{
$valid = (function_exists('filter_var') && filter_var($email, FILTER_VALIDATE_EMAIL)) || (strlen($email) <= 320 && preg_match_all(
'/^(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?))'.
'{255,})(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?))'.
'{65,}@)(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|'.
'(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22))'.
'(?:\\.(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|'.
'(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|'.
'(?:\\x5C[\\x00-\\x7F]))*\\x22)))*@(?:(?:(?!.*[^.]{64,})'.
'(?:(?:(?:xn--)?[a-z0-9]+(?:-+[a-z0-9]+)*\\.){1,126})'.'{1,}'.
'(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-+[a-z0-9]+)*)|'.
'(?:\\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|'.
'(?:(?!(?:.*[a-f0-9][:\\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::'.
'(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|'.
'(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|'.
'(?:(?!(?:.*[a-f0-9]:){5,})'.'(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::'.
'(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|'.
'(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\\.(?:(?:25[0-5])|'.
'(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\\]))$/iD',
$email)
);

if (!$valid) {
    return FALSE;
}

// split() was removed in PHP 7; explode() does the same job here
list($prefix, $domain) = explode("@", $email);

// Does the domain actually accept mail? Look for MX records first.
if (function_exists("checkdnsrr") && checkdnsrr($domain . '.', 'MX')) {
    return TRUE;
} elseif (function_exists("getmxrr") && getmxrr($domain, $mxhosts)) {
    return TRUE;
} elseif (@fsockopen($domain, 25, $errno, $errstr, 5)) {
    // Last resort: try port 25 on the domain itself. Note that this makes the
    // web server open an outbound connection to a host the visitor chose and
    // can stall the request for up to 5 seconds, so many sites leave it out.
    return TRUE;
} else {
    return FALSE;
}
}
Basically it checks if the email is valid through the filter function (if you don't have the filter function, it will use preg_match instead to check) and checks if the email really exists by looking up MX records.
 

joepie91

New Member
Do this, it changes html into entities:


$comments = htmlentities($comments, ENT_QUOTES | ENT_IGNORE, "UTF-8");
You should really use htmlspecialchars rather than htmlentities. htmlentities is known to cause problems with Unicode, even when the encoding parameter is set.


EDIT: Actually, on second look - that is entirely unnecessary here. This is a mail form, and as far as I can tell, it would be sent as plaintext... htmlentities/htmlspecialchars are only meant for HTML output.

Any recommendations on a php server side check?  I'm not necessarily asking for code, but I can't seem to find much of a guide that I can get to work. 

This is what I currently have


<?php
ob_start();
$name = trim($_POST['name']);
$email = $_POST['email'];
$subject = $_POST['subject'];
$comments = $_POST['comments'];


$site_owners_email = 'email@example'; // Replace this with your own email address
$site_owners_name = 'Example'; // replace with your name


# errors
if (!preg_match("/^[a-zA-Z ]*$/",$name))
{
$nameErr = "Only letters and spaces are allowed";
}
if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email))
{
$emailErr = "Invalid email format";
}

if (!$error) {

require_once('phpMailer/class.phpmailer.php');
$mail = new PHPMailer();

$mail->From = $email;
$mail->FromName = $name;
$mail->Subject = $subject;
$mail->AddAddress($site_owners_email, $site_owners_name);
$mail->Body = $comments;

$mail->Send();

$url = "https://www.example.com";
header ("Location: $url");




} # end if no error

ob_end_flush();
?>
That code definitely won't work. $error is never set, so it will always process the form.

Try having an $errors array, then doing $error[] = "New error message";, and checking for empty($errors) to determine if any errors happened. You should also be using filter_var for e-mail addresses, as GIANT_CRAB suggested.

Also, you should really get rid of your "name validation" code - there are large amounts of people on this globe who have names that don't fit into the basic a-z alphabet. I'd actually suggest that you don't need to check the name at all, other than that something is filled in. Don't just design your code for your own culture.
 

fisle

Active Member
Perhaps you could use some framework that handles the form checking more easily.

Myself I use the required tag in addition to server-side check, so the useless data won't reach the server if the client supports the tag. Just as the others said though, never trust the client!
 

NodeWest-Dan

New Member
Perhaps you could use some framework that handles the form checking more easily.

Myself I use the required tag in addition to server-side check, so the useless data won't reach the server if the client supports the tag. Just as the others said though, never trust the client!
What framework would you recommend?  I saw phpmailer.
 

NodeWest-Dan

New Member
I reworked it a little bit. I couldn't get the email check with the MX to work properly for some reason. I used phpmailer; it said at the very least to include class.phpmailer.php, which I did. Here is my code. I'm more concerned currently about security rather than validation. I don't want the form to get hijacked and start sending spam.


<?php
ob_start();
$name = trim($_POST['name']);
$email = $_POST['email'];
$subject = $_POST['subject'];
$comments = $_POST['comments'];

$site_owners_email = '[email protected]'; // Replace this with email address
$site_owners_name = 'Example'; // replace with name

# Validation
$error = array(); // start empty so the check below is defined when nothing fails

if (strlen($name) < 2) {
    $error['name'] = "Please enter your name";
}

if (!preg_match('/^[a-z0-9&\'\.\-_\+]+@[a-z0-9\-]+\.([a-z0-9\-]+\.)*+[a-z]{2}/is', $email)) {
    $error['email'] = "Please enter a valid email address";
}

if (strlen($comments) < 3) {
    $error['comments'] = "Please leave a comment.";
}

if (empty($error)) {
    require_once('phpMailer/class.phpmailer.php');
    $mail = new PHPMailer();

    $mail->From = $email;
    $mail->FromName = $name;
    $mail->Subject = $subject;
    $mail->AddAddress($site_owners_email, $site_owners_name);
    $mail->Body = $comments;

    $mail->Send();

    $url = "https://www.example.com";
    header("Location: $url");
    exit; // stop here so nothing runs after the redirect
} # end if no error
else {
    // errors are collected in $error but not shown to the user yet
}
ob_end_flush();
?>

I left the class.phpmailer.php as default so far. Haven't messed around with it.
 
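Since the thread is built around PHPMailer, here is a PHP sketch of what the advice above adds up to. It is an added example, not code from the thread or from PHPMailer: it follows joepie91's suggestion (an $errors array, filter_var for the address, no alphabet check on the name) and addresses the "hijacked to send spam" concern by rejecting line breaks in header fields and never using the visitor's address as From. The class.phpmailer.php path follows the thread; the From address is a placeholder.

```php
<?php
// Added example, not code from the thread: joepie91's $errors-array and filter_var
// advice plus two anti-abuse measures for the mail step. Assumes the thread's
// class.phpmailer.php path and a placeholder From address on your own domain.
function validateContactForm(array $post)
{
    $errors = $fields = array();
    foreach (array('name', 'email', 'subject', 'comments') as $key) {
        // (string) cast: a request sending name[]=x would otherwise hand us an array
        $fields[$key] = isset($post[$key]) ? trim((string) $post[$key]) : '';
    }
    // Name: only require that something was entered, no alphabet restriction.
    if ($fields['name'] === '' || strlen($fields['name']) > 100) {
        $errors['name'] = 'Please enter your name';
    }
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid email address';
    }
    if ($fields['subject'] === '' || strlen($fields['subject']) > 200) {
        $errors['subject'] = 'Please enter a subject';
    }
    if (strlen($fields['comments']) < 3 || strlen($fields['comments']) > 5000) {
        $errors['comments'] = 'Please leave a comment.';
    }
    // Single-line fields must not contain line breaks: a newline inside a mail
    // header field is the classic way a contact form becomes a spam relay.
    foreach (array('name', 'email', 'subject') as $key) {
        if (preg_match('/[\r\n]/', $fields[$key])) {
            $errors[$key] = 'Line breaks are not allowed in this field';
        }
    }
    return array('errors' => $errors, 'fields' => $fields);
}
function sendContactMail(array $fields, $ownerEmail, $ownerName)
{
    require_once 'phpMailer/class.phpmailer.php';
    $mail = new PHPMailer();
    // Fixed From on our own domain; the visitor's address only goes in Reply-To.
    $mail->From     = 'contact-form@example.com'; // placeholder, use your domain
    $mail->FromName = 'Website contact form';
    $mail->AddReplyTo($fields['email'], $fields['name']);
    $mail->AddAddress($ownerEmail, $ownerName);
    $mail->Subject  = '[Contact form] ' . $fields['subject'];
    $mail->Body     = $fields['comments'];
    return $mail->Send();
}
// Constructed sample input: the line break in the subject is reported as an error.
$check = validateContactForm(array('name' => 'José', 'email' => 'jose@example.org',
    'subject' => "Hello\nsecond line", 'comments' => 'Hi there'));
var_dump($check['errors']);
```

In the real form, call sendContactMail($check['fields'], $site_owners_email, $site_owners_name) only when $check['errors'] is empty, and show the messages otherwise.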