Is this form as good as you can get ?

joad

Hi all,

Just been completing a lot of work on a form and wondered if some of you kind souls would take just a couple of minutes to lend a hand:

As I am new to php and forms, it would be very helpful if anyone can please let me know of any ways to improve the form, in any way at all.

Feel free to send tests thru the form as much as you wish.

Tips on preventing spam, the design of the form, input validation, anything at all. I've got the email field set to check for an @ sign and a . should it check for anything else? How about the amount of characters for the name?

Here's the page:
http://www.010805.com/230106/

Here's the code:
http://www.010805.com/230106.phps

Any help appreciated.

joad.

bpat1434

Well, right now your email should validate as any of the following:
" @."
".@."
"-_/@."
"$.-+%20@.1324knaoi12n434(%)!*!" (<-- yes, it does work)

But none of those are valid email addresses are they? You can get quite a bit of spam that way. To solve this, read the user-notes by Bobocop and manuel in the [man]eregi/man manual for a good email validator.

You'll also want to validate the name field. Using just one letter works, which is not a name. You'll probably want a string of no less than 3 characters (Abe, Joe, Jon, Dan being the shortest names I can come up with).

You'll also want to validate the phone-number with a RegEx of something like:

"^[0-9]{3}( -)?[0-9]{3}( -)?[0-9]{4}$" (matches: 123-456-7890)
"^([0-9]{3})( -)?[0-9]{3}( -)?[0-9]{4}$" (matches: i 456 - 7890[/i])
// None of those are definite working, so it may need tweaking

Other than that, you should be okay....

joad

Many thanks for your help Brett, at this stage in my learning, any help is very much appreciated.

What did you mean by " // None of those are definite working, so it may need tweaking " please?

Also, reading thru the link you kindly suggested, I'm a little intimidated by the terminology - is there a newbie place where I can find out how to do what you suggested above for the name, email and number please?

Any help appreciated.

joad.

bpat1434

Well, I meant that you can try with those, but it takes testing to make sure that all of what you want to validate (and all forms of that input).

Well, there isn't really a newbie place. That is kind of the end-all for questions. What terminology don't you get? I'm pretty sure I can explain most of it.

justsomeone

I notice that you're not doing any client-side javascript validation. While it is a Very Bad idea (TM) to rely solely on client-side validation, it makes perfect sense to do whatever checks possible on any input data on the client-side. You can always repeat the same tests on the server side as well. Why is this a good idea? It pushes some work out to the client and takes load off your server. If you can catch errors before they come near your server, so much the better for you.

As regards vetting email addresses, you can use regular expressions to determine what looks like a potentially valid address, as discussed above. It's vital that any test you use is based on the actual standards rather than what people think looks good. I know many sites that reject email addresses with apostrophes in them, allthough they are perfectly valid, and indeed common - think of irish surnames like O'Callaghan etc. John.O'Callaghan@someorg.somewhere.com is syntactically a valid email address.

None of this regular expression matching will determine whether or not a given email actually exists. If you want to you could write a few lines of PHP which will attempt to determine the mail server for the email address given, connect to it and start sending a mail to the address given. If the mail server rejects it then you know that the address is currently invalid. I don't know of too many cases where this is worth doing, but it's certainly an option.

When validating phone numbers, make sure you determine who your audience is. The regular expressions given above are fine for domestic US numbers, but will frustrate the heck out of your international visitors.

Checking for unset variables is not as straightforward as you might think. Checking for ! or isset are open to ambiguities. For instance, if I recall correctly, a (potentially valid) value of $var = 0 (zero ) in a field could cause !$var to be evaluated as true. An article in a past issue of PHP Architect suggested checking the length of the variable value, and only assume it's blank if the length is zero.

Of special importance when you are writing a form which sends an email is to protect it from hijacking by spammers. Otherwise your script will be absuied to send tons of dodgy emails. You should check that the form has only vbeen called from your domain at least. You might also want to consider using your inputform to set a session variable which is hash of the current date, the remote IP and a secret and check for this variable when processing the form input. A failure on this would be a strong indicator that the form is being submitted in a manner other than you would want, and you should probably not send the mail.

Finally, and again cruially for an email form, you need to check all inputs to make sure that things like closing quotes, commas and semicolons dont cause you to do something you didn't intend to.

Just some food for thought

bpat1434

Checking for unset variables is not as straightforward as you might think. Checking for ! or isset are open to ambiguities. For instance, if I recall correctly, a (potentially valid) value of $var = 0 (zero ) in a field could cause !$var to be evaluated as true. An article in a past issue of PHP Architect suggested checking the length of the variable value, and only assume it's blank if the length is zero.

This isn't entirely true. If you have $var=0; (not $var='0') it will be evaluated that $var is FALSE (as 0 and FALSE are synonymous). If $var='0'; then it will evaluate to TRUE since a string is anything but FALSE. But I do agree that using strlen() with empty is better.

As for dodgey emails and spam, you might want to implement visual verification. You know, like phpBB now has with its sign-ups: THe user sees a picture and has to enter the string, or the entire thing is scrubbed.

joad

Many, many thanks Js and Brett, I'm desperately trying to learn this, so the input is appreciated.

If it's any help, I'm not looking for any javascript involvement or email checking to see if the em address domain exists.

Just looking for the form to check:

a) Whether there's at least 3 letters, and no numbers in the name fields.

b) Whether all of the characters that are always in an email address are present and rejecting input of any characters that are never present in an email address.

c) To make sure that the form is not used by spammers.

Any help appreciated.

joad

bpat1434

look into [man]eregi/man....

joad

Many thanks for the input.

I'm making the effort to learn, but I still find the text on the link very difficult to take in.

I don't know if bpat1434 or justsomeone are around at the moment, but how about just a little guidance in newbie lingo on just one thing please? Just the code for how to avoid being a victim of spammers using the form.

If I could somehow get the code for the bit below, that would be brilliant.

<quote>Of special importance when you are writing a form which sends an email is to protect it from hijacking by spammers. Otherwise your script will be absuied to send tons of dodgy emails. You should check that the form has only vbeen called from your domain at least. You might also want to consider using your inputform to set a session variable which is hash of the current date, the remote IP and a secret and check for this variable when processing the form input. A failure on this would be a strong indicator that the form is being submitted in a manner other than you would want, and you should probably not send the mail.</quote>

Any help appreciated.

joad.

justsomeone

Hi joad,

I've only got a few minutes so forgive a brief response.

The IP address of the visitor calling your page is stored in $_SERVER["REMOTE_ADDR"].
The current date eg 20040126 can be given by date("Ymd");
Using the above info with a secret value, you can create a unique hash.

$secretHash = md5($_SERVER["REMOTE_ADDR"].date("Ymd")."MyBIGsecret");

At the very top of the page where you display the form, you can do something like:

$secretHash = md5($_SERVER["REMOTE_ADDR"].date("Ymd")."MyBIGsecret");
$_SESSION["secretHash"] = $secretHash; 
setcookie("secretHash", $secretHash);

This creates a unique hash, and stores it as a session variable and as a cookie.

Now, at the top of the page which processes the login, you can check for it as follows.

$secretHash = md5($_SERVER["REMOTE_ADDR"].date("Ymd")."MyBIGsecret");

//assume it's ok
$error = 0;

if ( (isset($_SESSION["secretHash"])) && ( strlen($_SESSION["secretHash"]) > 0)){
    //session variable was set
    if ($_SESSION["secretHash"] != $secretHash){
        //but it's not right
        $error = 1;
    }else{
        //the session variable is ok
    }
}else{
    //no session variable
    $error = 1;
}


if ( (isset($_COOKIE["secretHash"])) && ( strlen($_COOKIE["secretHash"]) > 0)){
    //cookie was set
    if ($_COOKIE["secretHash"] != $secretHash){
        //but it's not right
        $error = 1;
    }else{
        //the cookie is ok
    }
}else{
    //no cookie
    $error = 1;
}

if ($error == 1){
    //something suspicious happened
    exit();
}

In this (untested) example, you try to set a cookie and a session var when displaying the form and then check both before processing it. This is a reasonable anti-spam measure. Not foolproof, but useful. Many scripted abuses don't bother processing cookies etc, they just try to submit the form.

As well as the above you need to watch you for people injecting unanticipated email commands through your form. Check out the articles below for an intro to this subject - and you can also search the forums here...

http://securephp.damonkohler.com/index.php/Email_Injection
http://help.lockergnome.com/lofiversion/index.php/t28953.html

bpat1434

That's one way.

But ammending what justsomeone said:

 $secretHash = md5($_SERVER["REMOTE_ADDR"].date("Ymd")."MyBIGsecret");
$_SESSION["secretHash"] = $secretHash;
setcookie("secretHash", $secretHash);

That's invalid code, it should be:

 $secretHash = md5($_SERVER["REMOTE_ADDR"].date("Ymd")."MyBIGsecret");
session_start(); // this needs to be there to start the session, otherwise errors
$_SESSION["secretHash"] = $secretHash;
setcookie("secretHash", $secretHash, '/', 'domain.com', time()+(60*10));

Notice where I set a time-limit? That's also helpful because if they figure to try every 10 minutes, the cookie will be remade, so they can't use the same one over and over again. Not the greatest security, but it's helpful none-the-less.

You can change the time-limit by specifying
time()+(secondsminuteshoursdaysweeks*months/years)

So, here are a few examples:
5 minutes: time()+(605)
10 Days: time()+(60602410)
1 Month: time()+(60602431)
Uses an average of 31 days permonth
1 Year: time()+(606024752)
52 weeks per year
1 Year: time()+(6060247412)
*Average of 4 weeks per month

You can use image verification in your form, which would help a lot too. Keep your head around the articles section for my soon-coming article on image verification in forms. Hopefully I'll have it finished today!!

justsomeone

Thanks for the improvement, Brett.

I should have included the session_start() but I've gotten out of the habit, as the PHP on my server is configured to auto create sessions. (I think) It seems to work fine.

The cookie timeout is definitely an improvement.

It still needs further fine-tuning, as the reliance on date means that someone legitimately using the service just before midnight might end up requesting and submitting the form on different days.

But that's a smallish risk, and would only have made the example more difficult to follow. 🙂

joad

Many thanks Brett and Justsomeone, I can see that you are both genuinely trying to help.

I've read, reread and reread again the posts here in my attempts to learn.

Remembering that I am trying to learn this, it seems, from the above, that there should be be more than page to enter some code, but I can only see the one form page, so which bits go on which pages please ;-(

joad

bpat1434

well, the session & cookies shoudl start on the form page, and the check should happen on the submission page.

All form checking should be done on the submission page (the page in the action parameter of the form). So the eregi and Session and Cookie checks go there.

joad

I've only got the form page that you've seen already, and another page called submission page, which just has this code on it:

<?
echo $_POST["name"];
?>

Here's the page:
http://www.010805.com/230106

Here's the code:
http://www.010805.com/230106.phps

Is anyone able to show the whole code, for the complete page at all please?

Any help appreciated.

joad.