Bypassing Validation, Forceing Submit?

mokele

I've had issues with forms being submitted even though I'm validating a number of the fields and I'm real specific about some of the validations. I just got three emails today that I have no idea how they get pass the validaition and submit the form. I've also had issues with ScanAlert doing the the same thing and I've talked with them about it.

We're still in the process of where I work in tightening down security on server, we've still go global variables turned on, but for this one site I've now turned it off, and hopefully that solves it, but I'm still baffled how my validation is being bypassed and form is being submitted, any ideas?

Scott

dougal85

Need to see your code, I'd have to guess a fault in the code, a security flaw in the code.

NogDog

Also, just to be clear: are we talking about server-side validation in your PHP code, or JavaScript validation in the HTML form page (which is easily bypassed - or inapplicable if the user has JS disabled).

mokele

Here's the code:

<?php
//error_reporting(E_ALL);
//ini_set("display_errors", 1);

require_once("includes/form.class.inc2.php");

$form = new Form;

// If form is submitted, check that form fields for have valid
if ((isset($_POST["Submit"]) || isset($_POST["Submit_x"])) && $_POST["Submit"] == "Submit") {

// Take Variables from Form and create PHP variables
extract($_POST);

// Validate Form Fields
//$form->isValidName("Name", "Full Name can only contain letters, spaces, periods, dashes, commas, and single quote.");

$form->isValidName("Name", "Name can only contain letters, spaces, periods, dash, single quote, comma and must start with a letter and must end with a letter or period.");

$form->isValidEmail("Email", "Invalid email format. Please enter format as username@server.com.");

$form->isValidURL("Website", "Please enter website format as http://www.website.com or www.website.com");

$form->isEmpty("Description", "Please enter a description");

if (!$form->isEmpty("City", "")) {
	$form->isValidCity("City", "City can only consist of letters and spaces.");
}

if (!$form->isEmpty("State", "")) {
	$form->isValidState("State", "State can only consist of letters and spaces.");
}

if (!$form->isEmpty("PostalCode", "")) {
	$form->isValidPostalCode("PostalCode", "Zip/Postal Code can only consist of numbers, letters, spaces, and dashes.");
}

if (!$form->isEmpty("Phone", "")) {
	$form->isValidPhone("Phone", "Please enter phone format as 999-999-9999.");
}

if (!$form->isEmpty("Fax", "")) {
	$form->isValidPhone("Fax", "Please enter phone format as 999-999-9999.");
}

if ($TradeLink == "yes") { 
	$form->isValidURL("WebsitePage", "Please enter website page format as http://www.website.com or www.website.com.");
	$form->isEmpty("WhyLink", "Please enter a why would you like to have a link from E-Z Up direct.");
} 
}
else {
	// Set Trade to default to yes when form is first displayed
	$TradeLink = "yes";
	require_once("includes/server.class.inc.php");
	$server = new Server;
}

if ((isset($_POST["Submit"]) || isset($_POST["Submit_x"])) && !count($form->error)) {

require_once("includes/email.class.inc.php");

// EZUP Direct Email
$contactEmail = new Email;
$contactEmail->from = $Email;
$contactEmail->fromName = $Name;

// Set EZUP Email Addresses
//$contactEmail->to = "chris@yourhost.com";
$contactEmail->to = "scott@yourhost.com";
$contactEmail->toName = "E-ZUP Direct";
$contactEmail->subject = "E-ZUP Direct.com Link Request";

// Setup Email Message
$contactEmail->message = "A request has been made for a link to ezupdirect.com.\n\n";
$contactEmail->printFormVariables($_POST);
$contactEmail->message .= "----------------------------------------------\n";
$contactEmail->message .= "Remote Address: " . $RemoteAddress . "\n";
$contactEmail->message .= "Remote Port: " . $RemotePort . "\n";
$contactEmail->message .= "Request Method: " . $RequestMethod . "\n";
$contactEmail->message .= "HTTP User Agent: " . $HTTPUserAgent . "\n";

$contactEmail->sendTextEmail();

// Customer Email
$customerEmail = new Email;
$customerEmail->from = "info1@ezupdirect.com";
$customerEmail->fromName = "EZUP Direct";

// Setup CustomerEmail
$customerEmail->to = $Email;
$customerEmail->toName = $Name;
$customerEmail->subject = "EZUP Direct Link";

$customerEmail->message  = "Dear " . $customerEmail->toName . ",\n\n";
$customerEmail->message .= "Thank you for your request to put a link on our site, www.ezupdirect.com.\n\n";
$customerEmail->message .= "If your inquiry requires a response, we will be in touch with you soon.\n\n";
$customerEmail->message .= "Sincerely,\n\n";
$customerEmail->message .= "EZUP Direct\n";

$customerEmail->sendTextEmail();

require_once("includes/mysql.class.inc2.php");
$db = new MySQL;

// Open Database Connection and Database
if ($db->openDataBaseConnection("localhost", "user", "password", "p")) {
	if ($db->selectDatabase("database")) {
		$db->isValidConnection = true;
	}
	else {
		$errorMessage = "Unable to open database and store your information. Please contact Tech Support.";
		$db->isValidConnection = false;
	}
}
else {
	$errorMessage = "Unable to open database connection and store your information. Please contact Tech Support.";
	$db->isValidConnection = false;
}

if ($db->isValidConnection) {
	$db->sqlStatement = "INSERT INTO ezup_links ";
	$db->createSetStatement("Submit,MAX_FILE_SIZE", $_POST);
	if (!$db->ExecuteSQLStatement()) {
		$errorMessage = "Unable store your information in database. Please contact Tech Support.";
	}
}

// Goto Thank You Page
$location = "ezup-linkback.php";
if (isset($errorMessage)) {
	$location .= "?ErrorMessage=" . urlencode($errorMessage);
}
//echo $location;
header("location:" . $location);
}
?>

mokele

Its sever-side validation with PHP.

NogDog wrote:
Also, just to be clear: are we talking about server-side validation in your PHP code, or JavaScript validation in the HTML form page (which is easily bypassed - or inapplicable if the user has JS disabled).

suntra

First of all, can you reproduce it, I mean, are you able to submit a "not-completely-filled" form ?

Second, what's in the form class ? Maybe the error is there...

Third, why do you do this :

IF submitted
ELSE
END IF
IF submitted and error = 0
END IF

Why don't you do this :

IF submitted
IF no error
ELSE
END IF
ELSE
END IF

mokele

The IF THEN ELSE is just the way I did, no particular reason why.

I can't get the FORM to submit with validation errors coming up, you have to have certain info and it has to be certain formats for fields. Here's emails that I'm getting:

This what comes from ScanAlert:

A request has been made for a link to ezupdirect.com.

TradeLink: no
Name: 80000001
Email: 80000001
Company: 80000001
Website: 80000001
Description: 80000001
City: 80000001
State: 80000001
PostalCode: 80000001
Phone: 80000001
Fax: 80000001
WebsitePage: 80000001

WhyLink: 80000001

Remote Address: 64.41.168.246
Remote Port: 41023
Request Method: GET
HTTP User Agent: ScanAlert

Here's spam email I got:

A request has been made for a link to ezupdirect.com.

Website: k4609@ezupdirect.com
Fax: k4609@ezupdirect.com
Name: k4609@ezupdirect.com
WebsitePage: k4609@ezupdirect.com
Company: k4609@ezupdirect.com
Phone: k4609@ezupdirect.com
City: k4609@ezupdirect.com
State: k4609@ezupdirect.com
PostalCode: k4609@ezupdirect.com
TradeLink: k4609@ezupdirect.com
WhyLink: k4609@ezupdirect.com
Email: k4609@ezupdirect.com

Description: k4609@ezupdirect.com

Remote Address: k4609@ezupdirect.com
Remote Port: k4609@ezupdirect.com
Request Method: k4609@ezupdirect.com
HTTP User Agent: a
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html
Subject: storage temperature for the meat are all
bcc: hufnagt@questfindissm.com

bacon were held within high esteem in their communities. he phrase remains =
in common usage in popular media (see, for example, the 2 ive rew song 2 iv=
e lues from the s asty s hey anna e album). edit ee also

So something is broken in my code, but I don't know what. If people want to test the form its a dev1.ezupdirect.com/ezup-links.php.

Scott

suntra wrote:
First of all, can you reproduce it, I mean, are you able to submit a "not-completely-filled" form ?

Second, what's in the form class ? Maybe the error is there...

Third, why do you do this :

IF submitted
ELSE
END IF
IF submitted and error = 0
END IF

Why don't you do this :

IF submitted
IF no error
ELSE
END IF
ELSE
END IF

mokele

Here's my form class

<?php

class Form {

var $fileName;

var $error = array();
var $message;
var $thankYouPage;
var $errorMessage;

var $uploadDirectory;
var $uploadFileName;
var $uploadErrorMessage;

function form() {
	$this->fileName = $_SERVER["PHP_SELF"];
}

function isEmpty($variable, $message) {

	global $$variable;

	$$variable = strip_tags(stripslashes(trim($$variable)));

	if (empty($$variable)) {
		// if message is passed set error message, if not do not set error message
		if (!empty($message)) {
			$this->error[$variable] = $message;
		}
		return true;
	}
	else {
		return false;
	}
}

function isNumber($variable, $message) {

	global $$variable;

	$$variable = strip_tags(stripslashes(trim($$variable)));

	if (is_numeric($$variable)) {
		return true;
	}
	else { 
		$this->error[$variable] = trim($message);
		return false;
	}
}

function isInteger($variable, $message) {

	global $$variable;

	$$variable = strip_tags(stripslashes(trim($$variable)));

	if (ctype_digit($$variable)) {
			return true;
	}
	else { 
		$this->error[$variable] = trim($message);
		return false;
	}
}

function isFieldSet($variable, $message) {
	global $$variable;

	if (isset($$variable)) {
		return true;
	}
	else { 
		$this->error[$variable] = trim($message);
		return false;
	}
}

function isValidEmail($variable, $message) {
	global $$variable;

	$$variable = strip_tags(stripslashes(trim($$variable)));

	if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", $$variable)) {
		return true;
	}
	else { 
		$this->error[$variable] = trim($message);
		return false;
	}
}

function isValidName($variable, $message) {
	// Name can only contain etters, spaces, periods, dashes.
	global $$variable;

	$$variable = strip_tags(stripslashes(trim($$variable)));

	if (preg_match("/^[a-zA-Z]+([\'\,\.\- a-zA-Z]?)*[a-zA-Z\.]+$/", $$variable)) {
		return true;
	}
	else { 
		$this->error[$variable] = $message;
		return false;
	}
}

function isValidAddress($variable, $message) {
	global $$variable;

	$$variable = strip_tags(stripslashes(trim($$variable)));

	if (preg_match("/^[a-zA-Z0-9]+([\'\#\.\- a-zA-Z0-9]?)*[a-zA-Z0-9\.]+$/", $$variable)) {
		return true;
	}
	else { 
		$this->error[$variable] = trim($message);
		return false;
	}
}

function isValidCity($variable, $message) {
	global $$variable;

	$$variable = strip_tags(stripslashes(trim($$variable)));

	if (preg_match("/^[a-zA-Z]+([a-zA-Z ]?[a-zA-Z]+)*$/", $$variable)) {
		return true;
	}
	else { 
		$this->error[$variable] = trim($message);
		return false;
	}
}

function isValidState($variable, $message) {
	global $$variable;

	$$variable = strip_tags(stripslashes(trim($$variable)));

	if (preg_match("/^[a-zA-Z]+([a-zA-Z ]?[a-zA-Z]+)*$/", $$variable)) {
		return true;
	}
	else { 
		$this->error[$variable] = trim($message);
		return false;
	}
}

function isValidPostalCode($variable, $message) {
	global $$variable;

	$$variable = strip_tags(stripslashes(trim($$variable)));

	if (preg_match("/^[a-zA-Z0-9]+([\- a-zA-Z0-9]?)*[a-zA-Z0-9]+$/", $$variable)) {
		return true;
	}
	else { 
		$this->error[$variable] = trim($message);
		return false;
	}
}

function isValidCountry($variable, $message) {
	global $$variable;

	$$variable = strip_tags(stripslashes(trim($$variable)));

	if (preg_match("/^[a-zA-Z]+([\-\,\' a-zA-Z]?[a-zA-Z]+)*$/", $$variable)) {
		return true;
	}
	else { 
		$this->error[$variable] = trim($message);
		return false;
	}
}

function isValidPhone($variable, $message) {
	global $$variable;

	$$variable = strip_tags(stripslashes(trim($$variable)));

	if (preg_match("/^[0-9]+([\.\-\' 0-9]?[0-9]+)*$/", $$variable)) {
		return true;
	}
	else { 
		$this->error[$variable] = trim($message);
		return false;
	}
}

function isValidURL($variable, $message) {
	global $$variable;

	$$variable = strip_tags(stripslashes(trim($$variable)));

	// url regex from http://regexlib.com/Search.aspx?k=url with mod so that you don't have to enter subdomain
	if (preg_match('/(?#WebOrIP)((?#protocol)((http|https):\/\/)?(?#subDomain)((([a-zA-Z0-9]+\.)?(?#domain)[a-zA-Z0-9\-]+(?#TLD)(\.[a-zA-Z]+){1,2})|(?#IPAddress)((25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])))+(?#Port)(:[1-9][0-9]*)?)+(?#Path)((\/((?#dirOrFileName)[a-zA-Z0-9_\-\%\~\+]+)?)*)?(?#extension)(\.([a-zA-Z0-9_]+))?(?#parameters)(\?([a-zA-Z0-9_\-]+\=[a-z-A-Z0-9_\-\%\~\+]+)?(?#additionalParameters)(\&([a-zA-Z0-9_\-]+\=[a-z-A-Z0-9_\-\%\~\+]+)?)*)?/', $$variable)) {
		return true;
	}
	else { 
		$this->error[$variable] = trim($message);
		return false;
	}
}

function dropdownMenu($variable, $array) {

	global $$variable;

	$html = "\n<select name=\"" . $variable . "\">\n";
 	foreach ($array as $arrayKey => $arrayValue) {
		// set first item value to empty
		if ($arrayKey == "SelectText") {
			$arrayKey = "";
		}
		$html .= "<option value=\"" . $arrayKey . "\"";
		if ($arrayKey == $$variable) {
			$html .= " selected=\"selected\"";
		}
		$html .= ">" . $arrayValue . "</option>\n";
	 }
	 $html .= "</select>\n";
	 echo $html;
}

function dropdownMenu2($variable, $array, $selectTextValue, $merge) {

	global $$variable;

	if (is_int(key($array))) {
		$selectTextOption[0] = $selectTextValue;
	}
	else {
		$selectTextOption[""] = $selectTextValue;
	}

	if ($merge) {
		$newArray = array_merge($selectTextOption, $array);
	}
	else {
		$newArray = $selectTextOption + $array;
	}

	$select = "\n<select name=\"" . $variable . "\">\n";
	$options = "";

 	foreach ($newArray as $arrayKey => $arrayValue) {
		if ($arrayKey == "") {
			$selectText = "<option value=\"\"";
			if ($arrayKey == $$variable) {
				$selectText .= " selected=\"selected\"";
			}
			$selectText .= ">" . $selectTextValue . "</option>\n";
		}
		else {
			$options .= "<option value=\"" . $arrayKey . "\"";
			if ($arrayKey == stripslashes($$variable)) {
				$options .= " selected=\"selected\"";
			}
			$options .= ">" . $arrayValue . "</option>\n";
		}
	 }

	 $html = $select . $selectText . $options . "</select>\n";

	 return $html;
}	

function uploadFile($fileField) {
	$uploadFile = $this->uploadDirectory . $this->uploadFileName;
	if (move_uploaded_file($_FILES[$fileField]['tmp_name'], $uploadFile)) {
	   return true;
	}
	else {
		$this->uploadErrorMessage = "Error:" . $_FILES[$fileField]['error'];
		return false;
	}
}
}
?>

suntra wrote:
Second, what's in the form class ? Maybe the error is there...