
Hello,
I'm trying to validate specific fields in my PHP form, such as FirstName, LastName, etc. I've tried several techniques so far from various articles to confirm these fields and nothing seems to work at the moment. Here is the code:

<?php

$host = "xxxxxx";
$username = "xxxxxxx";
$password = "xxxxxxxx";
$database = "xxxxxxx";
$conn = mysql_connect($host, $username, $password) or die("could not connect");
$db = mysql_select_db($database, $conn) or die("could not select DB");

// Each $_POST key has to be the same as the field name in the HTML form file.
$id = mysql_real_escape_string($_POST['id']);
$FirstName = mysql_real_escape_string($_POST['FirstName']);
$LastName = mysql_real_escape_string($_POST['LastName']);
$FirmName = mysql_real_escape_string($_POST['FirmName']);
$AttorneyName = mysql_real_escape_string($_POST['AttorneyName']);
$Phone = mysql_real_escape_string($_POST['Phone']);
$Email = mysql_real_escape_string($_POST['Email']);
$ProceedingMonth = mysql_real_escape_string($_POST['ProceedingMonth']);
$ProceedingDay = mysql_real_escape_string($_POST['ProceedingDay']);
$ProceedingYear = mysql_real_escape_string($_POST['ProceedingYear']);
$ProceedingCity = mysql_real_escape_string($_POST['ProceedingCity']);
$ProceedingState = mysql_real_escape_string($_POST['ProceedingState']);
$CaseCaption = mysql_real_escape_string($_POST['CaseCaption']);
$ProceedingType = mysql_real_escape_string($_POST['ProceedingType']);
$time = mysql_real_escape_string($_POST['time']);
$tzne = mysql_real_escape_string($_POST['tzne']);
$LengthOfDepo = mysql_real_escape_string($_POST['LengthOfDepo']);
$WitnessOrJudgeName = mysql_real_escape_string($_POST['WitnessOrJudgeName']);
$NeedVideo = mysql_real_escape_string($_POST['NeedVideo']);
$Interpreter = mysql_real_escape_string($_POST['Interpreter']); // was reading $_POST['NeedVideo'] by mistake
$SpecialInstructions = mysql_real_escape_string($_POST['SpecialInstructions']);
// These fields are used in the e-mails and the INSERT below but were never read
// from the form; the form field names are assumed to match the variable names.
$attendees = mysql_real_escape_string($_POST['attendees']);
$acrlocal = mysql_real_escape_string($_POST['acrlocal']);
$OtherAddress = mysql_real_escape_string($_POST['OtherAddress']);
$NoticeDelivery = mysql_real_escape_string($_POST['NoticeDelivery']);
$TransDeliveryRequest = mysql_real_escape_string($_POST['TransDeliveryRequest']);
$TransDeliveryMethod = mysql_real_escape_string($_POST['TransDeliveryMethod']);
$Reeltime = mysql_real_escape_string($_POST['Reeltime']);
$Language = mysql_real_escape_string($_POST['Language']);
$hereabt = mysql_real_escape_string($_POST['hereabt']);
$other = mysql_real_escape_string($_POST['other']);
$evilblocker = mysql_real_escape_string($_POST['evilblocker']);
$answer = "Accurate";
$promocde = mysql_real_escape_string($_POST['promocde']);
$promoanswer = "xxxxxxx";
$syncpromo = mysql_real_escape_string($_POST['syncpromo']);
$correctanswer = "Thank you order has been processed.";
$correctanswer2 = "You have entered a valid promo code please enjoy our gift to you.";
$wronganswer = "You have typed in the wrong information in the Security Image field.";
$all = $answer; // expected Security Image answer ($send and $send2 do not exist yet at this point)
$promo = "your promo code does not match a current promo offer";

// Order details shared by the notification e-mail and the client auto-reply.
$details = "CLIENT INFORMATION:\n\n"
    . "SCHEDULING ATTORNEY: " . $AttorneyName . "\n"
    . "FIRM NAME: " . $FirmName . "\n"
    . "CONTACTS FIRST NAME: " . $FirstName . "\n"
    . "CONTACTS LAST NAME: " . $LastName . "\n"
    . "PHONE: " . $Phone . "\n"
    . "EMAIL ADDRESS: " . $Email . "\n\n"
    . "CASE INFORMATION:\n\n"
    . "CASE CAPTION: " . $CaseCaption . "\n"
    . "DEPONENT: " . $WitnessOrJudgeName . "\n"
    . "DATE OF DEPOSITION: " . $ProceedingMonth . " " . $ProceedingDay . " " . $ProceedingYear . "\n"
    . "TIME OF DEPOSITION: " . $time . ", " . $tzne . "\n"
    . "ESTIMATED LENGTH OF DEPOSITION: " . $LengthOfDepo . "\n\n"
    . "NUMBER OF ATTENDEES: " . $attendees . "\n\n"
    . "LOCATION OF DEPOSITION: " . $acrlocal . "\n\n"
    . "ADDRESS IF NOT AN ACR, INC. LOCATION: " . $OtherAddress . "\n"
    . "NOTICE OF DEPOSITION SENT VIA: " . $NoticeDelivery . "\n\n"
    . "PRODUCTION INFORMATION:\n\n"
    . "TRANSCRIPT DELIVERY DATE: " . $TransDeliveryRequest . "\n"
    . "TRANSCRIPT DELIVERY METHOD: " . $TransDeliveryMethod . "\n\n"
    . "SPECIAL SERVICES NEEDED:\n\n"
    . "REALTIME NEEDED: " . $Reeltime . "\n"
    . "VIDEOGRAPHER NEEDED: " . $NeedVideo . "\n"
    . "INTERPRETER NEEDED: " . $Interpreter . "\n"
    . "INTERPRETER LANGUAGE: " . $Language . "\n"
    . "PROMO CODE: " . $promocde . "\n"
    . "ADDITIONAL COMMENTS: " . $SpecialInstructions;

//Mails the form to Accurate Court Reporting, Inc (to the production department).
$to = "scheduling@acrdepos.com";
$subject = "A client has ordered a Videographer/Court Reporter/VideoConferencing";
$message = "A client has placed an order here are the details.\n\n" . $details;

$from = $_REQUEST['Email'];
$header1 = "From: Accurate Court Reporting, Inc.";
$subject1 = "You have placed an order with Accurate Court Reporting, Inc.";
$autoreply = "You have placed an order with Accurate Court Reporting, Inc. here are the details.\n\n" . $details;

$sql = "INSERT INTO ACRSchedule (AttorneyName,FirmName,FirstName,LastName,Phone,Email,CaseCaption,WitnessOrJudgeName,"
    . "ProceedingMonth,ProceedingDay,ProceedingYear,time,tzne,LengthOfDepo,attendees,acrlocal,OtherAddress,NoticeDelivery,"
    . "TransDeliveryRequest,TransDeliveryMethod,Reeltime,NeedVideo,Interpreter,Language,promocde,SpecialInstructions,"
    . "evilblocker,syncpromo,hereabt,other) VALUES ("
    . "'$AttorneyName','$FirmName','$FirstName','$LastName','$Phone','$Email','$CaseCaption','$WitnessOrJudgeName',"
    . "'$ProceedingMonth','$ProceedingDay','$ProceedingYear','$time','$tzne','$LengthOfDepo','$attendees','$acrlocal',"
    . "'$OtherAddress','$NoticeDelivery','$TransDeliveryRequest','$TransDeliveryMethod','$Reeltime','$NeedVideo',"
    . "'$Interpreter','$Language','$promocde','$SpecialInstructions','$evilblocker','$syncpromo','$hereabt','$other')";
//echo $sql;
if (!mysql_query($sql, $conn)) {
    die('Error: ' . mysql_error());
}
if ($promocde == $promoanswer) {
    echo $correctanswer2;
}
if ($evilblocker == $all) {
    echo $correctanswer;
    $send = mail($to, $subject, $message);
    // mail() takes (to, subject, message, headers); the arguments were in the wrong order
    $send2 = mail($from, $subject1, $autoreply, $header1);
} else {
    echo $wronganswer;
}

mysql_close($conn);

?>

I know the code is quite overwhelming. Any help is appreciated.
Thanks

4 Contributors, 13 Replies, 62 Views, 4 Years Discussion Span, Last Post by Octet
0

What are you trying to validate? I see no If statements in your code at the moment.

Equally, as you are new to PHP you may as well get into good habits now. I would suggest you use MySQLi and prepared statements; simply using mysql_real_escape_string isn't enough now, and it has been deprecated.

If the section:

$id=mysql_real_escape_string($_POST['id']); //This value has to be the same as in the HTML form file
$FirstName=mysql_real_escape_string($_POST['FirstName']); //This value has to be the same as in the HTML form file
$LastName=mysql_real_escape_string($_POST['LastName']); //This value has to be the same as in the HTML form file
$FirmName=mysql_real_escape_string($_POST['FirmName']); //This value has to be the same as in the HTML form file
$AttorneyName=mysql_real_escape_string($_POST['AttorneyName']); //This value has to be the same as in the HTML form file

is what you're trying to validate, then you are using the assignment operator, and not the comparison operator.

You would use the following code instead:

if($Val1 != $Val2){

    // Do Something

}

In this code, it is asking if Val1 is NOT equal to Val2 (so if they are different). You can then reverse it by using the comparison ==, which says if they are equal to each other.
The other thing to note is the use of the If statement: anything between the round brackets is your conditional, and anything between the curly brackets is what should execute if the statement is true.

Edited by Octet
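An added example, not code from the thread, of what Octet's two points look like in practice: a function that checks the required fields with comparisons (not assignments) and returns the names of the ones that failed, plus the same INSERT done as a MySQLi prepared statement so the submitted values never become part of the SQL text and need no escaping function. The host, credentials, the exact column list and the sample submission are assumptions; only a handful of the form's columns are shown.

```php
<?php
// Added example (not the original poster's code): server-side required-field
// checks followed by a MySQLi prepared-statement INSERT. Host, credentials,
// and the column list are placeholders; only a few of the form's columns are shown.

/**
 * Return an array of error messages keyed by field name.
 * An empty array means the submission passed.
 */
function validate_order(array $post)
{
    $errors = array();
    $required = array('FirstName', 'LastName', 'AttorneyName', 'FirmName', 'Phone', 'Email');
    foreach ($required as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[$field] = "$field is required.";
        }
    }
    // Comparison (==/!==), not assignment (=): the form's "security image" answer.
    if (!isset($post['evilblocker']) || $post['evilblocker'] !== 'Accurate') {
        $errors['evilblocker'] = 'You have typed in the wrong information in the Security Image field.';
    }
    // Length limits keep oversized input out of the database and the e-mail.
    foreach (array('FirstName', 'LastName', 'AttorneyName', 'FirmName') as $field) {
        if (isset($post[$field]) && is_string($post[$field]) && strlen($post[$field]) > 100) {
            $errors[$field] = "$field is too long.";
        }
    }
    return $errors;
}

/**
 * Insert the order with a prepared statement and return the new row id.
 * The values are bound separately from the SQL text, so a quote in a name
 * (O'Brien) cannot change the meaning of the query.
 */
function insert_order(mysqli $db, array $post)
{
    $stmt = $db->prepare(
        'INSERT INTO ACRSchedule (AttorneyName, FirmName, FirstName, LastName, Phone, Email, CaseCaption)'
        . ' VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param(
        'sssssss',
        $post['AttorneyName'], $post['FirmName'], $post['FirstName'], $post['LastName'],
        $post['Phone'], $post['Email'], $post['CaseCaption']
    );
    $stmt->execute();
    $id = $db->insert_id;
    $stmt->close();
    return $id;
}

// Usage: a constructed sample submission standing in for $_POST.
$sample = array(
    'FirstName'    => "O'Brien",   // harmless with a prepared statement
    'LastName'     => '',          // missing on purpose, so validation fails
    'AttorneyName' => 'Jane Roe',
    'FirmName'     => 'Roe LLP',
    'Phone'        => '555-0100',
    'Email'        => 'jane@example.com',
    'CaseCaption'  => 'Roe v. Doe',
    'evilblocker'  => 'Accurate',
);
$errors = validate_order($sample);
if ($errors) {
    print_r($errors);
} else {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'user', 'secret', 'database'); // placeholders
    echo 'Inserted row ', insert_order($db, $sample), "\n";
}
```

With the sample above the script stops at the validation step and prints the LastName error; fill in the last name and point the connection at a real database to see the prepared INSERT run. The same pattern extends to the remaining columns by adding a `?` placeholder, a type character and a bound variable for each one.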

0

Actually, I just got the code to work. However, I'm stuck now on getting the form to highlight the required fields in red if they didn't fill them out, rather than having a javascript pop-up.

// EMPTY FIELD CHECK
if( (empty($FirstName)) || (empty($LastName)) )
{
    echo '<script>alert("The First Name and Last Name fields are required.");</script>';
    echo '<script>history.back(1);</script>';
    exit;
}
/* EMPTY FIELD CHECK */

Thanks

Edited by ACRDepos: Code worked

0

In addition, this $from = $_REQUEST['Email']; is not good to use: 1) there is no validation and 2) because an attacker can use $_GET or $_COOKIE to inject his own code.

0

Interesting, cereal. Is it best just to remove the following line of code? If it's not, then what's the best solution for validating that?

1

The best solution is to use Prepared SQL statements, which are part of the new MySQLi.

In terms of changing the form field in JS, you would want to use something along the lines of:

document.getElementById('FormField').style.borderColor = "#FF0000";

Edited by Octet
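An added example, not Octet's or ACRDepos's code, of the server-side version of the same idea: the form is re-rendered with a red border on every field that failed validation, so no JavaScript alert or history.back() is needed. The $errors array keyed by field name, the inline style and the sample submission are assumptions. The submitted values are passed through htmlspecialchars() before they go back into the page, because a submitted <script> tag would otherwise run in the visitor's browser.

```php
<?php
// Added example (not code from the thread): re-render the form with a red
// border on the fields that failed validation. $errors is assumed to be an
// array keyed by field name, filled by whatever checks ran before this point.

function render_field($name, $label, array $values, array $errors)
{
    $has_error = isset($errors[$name]);
    // Inline style keeps the example self-contained; a CSS class is the usual choice.
    $style = $has_error ? ' style="border: 2px solid #FF0000"' : '';
    // Always escape values echoed back into the page, or a submitted
    // <script> tag would execute in the user's browser.
    $value = isset($values[$name]) ? htmlspecialchars($values[$name], ENT_QUOTES, 'UTF-8') : '';
    $safe_label = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');

    $html  = '<label for="' . $name . '">' . $safe_label . "</label>\n";
    $html .= '<input type="text" id="' . $name . '" name="' . $name . '" value="' . $value . '"' . $style . ">\n";
    if ($has_error) {
        $html .= '<span style="color: #FF0000">'
               . htmlspecialchars($errors[$name], ENT_QUOTES, 'UTF-8')
               . "</span>\n";
    }
    return $html;
}

// Constructed sample: an empty last name and a hostile first name.
$values = array(
    'FirstName' => '<script>alert(1)</script>',
    'LastName'  => '',
);
$errors = array(
    'LastName' => 'Last Name is required.',
);

echo '<form method="post" action="">' . "\n";
echo render_field('FirstName', 'First Name', $values, $errors);
echo render_field('LastName', 'Last Name', $values, $errors);
echo '<input type="submit" value="Submit">' . "\n";
echo "</form>\n";
```

Only the LastName input gets the red border and the message next to it; the FirstName value comes back as `&lt;script&gt;alert(1)&lt;/script&gt;` inside the value attribute, which the browser displays as text rather than running.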

0

I would suggest the new parameterised mysqli or PDO queries. However, you could do an array_map to avoid the onerous mysql_real... on every individual item if you're determined to stick with mysql_* functions:

$post = array_map("mysql_real_escape_string", $_POST);

You could use extract() to get all individual variables if required, but this isn't recommended in the manual.

0

Is it best just to remove the following line of code? If its not then whats the best solution for validating that?

If you have PHP 5.2.0 or higher then use filter_var(): $from = filter_var($_POST['Email'],FILTER_VALIDATE_EMAIL); Otherwise use preg_match() to validate the email.

For more information check: http://www.php.net/manual/en/function.filter-var.php

0

Cereal, I do have PHP 5.2.0.
Would the line:

$from = filter_var($_POST['Email'],FILTER_VALIDATE_EMAIL);

Just replace

$from = $_REQUEST['Email'];

Also, AHarris and diafol, thanks for the reply. I'm going to take a look into that, hopefully soon.
Thanks!

Edited by ACRDepos: More content

0

Yes, it's a replacement. If the validation fails it returns boolean false, so you may want to add a condition to your script to match false cases, or set up a flag to alter the execution of the script. Just remember to trim the values you get from the form, because the validation can fail. Do something like:

$from = trim($_POST['Email']); # removing spaces from the beginning and end of the string
$from = filter_var($from,FILTER_VALIDATE_EMAIL);

Also consider that filter_var() can be used to sanitize, not only to validate, just check the types of filters from the previous link. It becomes important if, in case of errors, you decide to display the values back in the form. If not sanitized an attacker can execute his own code, for example:

$FirstName = 'hello <script>alert("wide")</script> world'; # got from $_POST['FirstName']
echo filter_var($FirstName,FILTER_SANITIZE_STRING);

will print: hello alert(&#34;wide&#34;) world, otherwise the javascript would be executed. The above, in practice, removes the tags and encodes special characters.
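An added example, not cereal's code, that ties together the $_REQUEST['Email'] warning earlier in the thread and the trim() + filter_var() advice here: the reply address is trimmed and validated, a constructed address carrying a CR/LF header-injection payload is rejected, and the From: header is a fixed site address so nothing from the request is ever placed inside a mail header. The addresses, the header text and the $really_send switch are constructed for the example. One caveat on the sanitizing filter shown above: FILTER_SANITIZE_STRING was deprecated in PHP 8.1, so on current PHP the call to use for values echoed back into HTML is htmlspecialchars().

```php
<?php
// Added example (not code from the thread): validate the customer's address
// before it is used as the auto-reply recipient, and keep request data out of
// the mail headers. Inputs below are constructed test strings.

/**
 * Return the validated address, or false when it is not acceptable for mail().
 */
function clean_email($raw)
{
    if (!is_string($raw)) {
        return false; // $_POST['Email'] could be an array if the form is tampered with
    }
    $email = trim($raw); // surrounding spaces make FILTER_VALIDATE_EMAIL fail
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    // Belt and braces: mail() headers are split on CR/LF, so refuse any line break.
    if ($email === false || preg_match('/[\r\n]/', $email)) {
        return false;
    }
    return $email;
}

/**
 * Headers for the auto-reply. From: and Reply-To: are fixed site addresses;
 * the customer's address only ever appears as the recipient argument.
 */
function autoreply_headers()
{
    return "From: Accurate Court Reporting, Inc. <scheduling@acrdepos.com>\r\n"
         . "Reply-To: scheduling@acrdepos.com\r\n";
}

// Constructed inputs: one valid, one padded, one header-injection attempt.
$inputs = array(
    'jane@example.com',
    '  jane@example.com ',
    "jane@example.com\r\nBcc: everyone@example.net",
);
$really_send = false; // set to true only on a host with a working mail transport
$body = "You have placed an order with Accurate Court Reporting, Inc.\n";

foreach ($inputs as $raw) {
    $email = clean_email($raw);
    if ($email === false) {
        echo 'rejected: ', json_encode($raw), "\n";
        continue;
    }
    echo 'accepted: ', $email, "\n";
    if ($really_send) {
        // mail() takes (to, subject, message, headers), in that order.
        mail($email, 'You have placed an order with Accurate Court Reporting, Inc.', $body, autoreply_headers());
    }
}
```

The first two inputs are accepted as the same trimmed address; the third is rejected by FILTER_VALIDATE_EMAIL before the regex is even reached. Reading from $_POST rather than $_REQUEST also means a crafted link or cookie cannot supply the address, which was cereal's second point.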

0

Everything seems to be working okay. What would be the best way to test this?
Thanks!

Edited by ACRDepos: More content

0

If by test you mean the security side of it, then I would suggest a professional pen tester, but considering how much they cost, if it is only a small website then download a free program called Vega which shall run a load of common attack methods against your site and tell you what has passed and what has failed.

It isn't the best, but it certainly gives you a good idea of things you may have missed, it shouldn't however replace learning what is happening, and if a test fails then make sure you look up why it failed instead of just filling in the correction.

http://subgraph.com/products.html

Good luck!

Edited by Octet

0

Thanks AHarris,
I downloaded Vega and it's expecting me to have a Java runtime package. Would any standard Java runtime package work, and/or do you have a recommendation?
Thanks
