Validating and Sanitizing PHP INPUT HELP PLEASE

Jane_Smith

Hi,

I would be incredibly grateful for any help as I have taken this as far as I am able and am now in a position where I am just confused by all the different methods I have seen. I have my HTML form and I am sending my information to the insertinto form and am trying to validate, sanitize and prevent injections before the data is put into the database. At the moment it is a mess and not working, all I get is the first response, "Please enter a firstname" even if I have entered a firstname.

Please could someone help me with:
1. What am I doing wrong (I think my code is becoming worse each time I try to solve the problem)?
2. Am I doing everything to protect my code and database, I hear people mentioning MD5 but have no idea what it is. Should I being this or anything else in addition to what is involved?

The code is:


<html>
<head>

</head>
<body>
<?php
$filters=array
	(
	"fname"=>array
		(
		"filter"=>FILTER_SANITIZE_STRING
		),
	"lname"=>array
		(
		"filter"=>FILTER_SANITIZE_STRING
		),
	"email"=>FILTER_VALIDATE_EMAIL,

"cemail"=>FILTER_VALIDATE_EMAIL,

"pword"=>array
	(
	"filter"=>FILTER_SANITIZE_INT,
	"options"=>array
		(
		"min_range"=>1,
		"max_range"=>9,
		"strlen"=>12
		)
	),
"cpword"=>array
	(
	"filter"=>FILTER_SANITIZE_INT,
	"options"=>array
		(
		"min_range"=>1,
		"max_range"=>9,
		"strlen"=>12
		)
	),
"dobyear"=>array
	(
	"filter"=>FILTER_SANITIZE_INT,
	"options"=>array
		(
		"min_range"=>1992
		)
	),
"natcountry"=>array
	(
	"filter"=>FILTER_SANITIZE_STRING
	),
"rcountry"=>array
	(
	"filter"=>FILTER_SANITIZE_STRING
	),
"postcode"=>array
	(
	"filter"=>FILTER_SANITIZE_STRING
	),
"other"=>array
	(
	"filter"=>FILTER_SANITIZE_STRING
	),
);


$result = filter_input_array(INPUT_GET, $filters);


if (!$result["fname"])
	{
	echo("Please enter your first name.<br />");return false;
	}
elseif (!$result["lname"])
	{
	echo("Please enter your last name.<br />"); return false;
	}
elseif (!$result["email"])
	{
	echo("Email address is not valid.<br />"); return false;
	}
elseif (!$result["cemail"])
	{
	echo("Your email addresses do not match.<br />"); return false;
	}
elseif (!$result["pword"])
	{
	echo("Please ensure your password includes a number between 0-9.<br />"); return false;
	}
elseif (!$result["cpword"])
	{
	echo("Please ensure your password includes a number between 0-9.<br />"); return false;
	}
elseif (!$result["dobyear"])
	{
	echo("Users must be over 18 years old<br />"); return false;
	}	
elseif (!$result["natcountry"])
	{
	echo("Please select your nationality.<br />"); return false;
	}
elseif (!$result["rcountry"])
	{
	echo("Please select your country of residence.<br />"); return false;
	}
elseif (!$result["postcode"])
	{
	echo("Please enter your postcode.<br />"); return false;
	}
elseif (!$result["industry"])
	{
	echo("Please select your industry.<br />"); return false;
	}
else
	{
	return true;
	}


if ($fname=='enter firstname')
	{
	echo("Please enter your first name.<br />");return false;
	}
elseif ($lname=='enter surname')
	{
	echo("Please enter your last name.<br />"); return false;
	}
elseif ($email=='enter email address')
	{
	echo("Email address is not valid.<br />"); return false;
	}
elseif ($cemail=='confirm email address' OR $cemail=='!email')
	{
	echo("Your email addresses do not match.<br />"); return false;
	}
elseif ($pword='password')
	{
	echo("Please ensure your password includes a number between 0-9.<br />"); return false;
	}
elseif ($cpword=='password' OR $cpword=='!pword')
	{
	echo("Please ensure your password includes a number between 0-9.<br />"); return false;
	}
elseif ($DOByear=='please select')
	{
	echo("Users must be over 18 years old<br />"); return false;
	}	
elseif ($natcountry=='please select')
	{
	echo("Please select your nationality.<br />"); return false;
	}
elseif ($rcountry=='please select')
	{
	echo("Please select your country of residence.<br />"); return false;
	}
elseif ($postcode=='enter postcode')
	{
	echo("Please enter your postcode.<br />"); return false;
	}
elseif ($industry=='please select')
	{
	echo("Please select your industry.<br />"); return false;
	}
else
	{
	return true;
	}

function check_input($value)
{
if (get_magic_quotes_gpc())
	{
	$value=stripslashes($value);
	}

if (!is_numeric($value))
	{
	$value = "'" . mysql_real_escape_string($value) . "'";
	}
return $value;
}

$con = mysql_connect("localhost","user","password");
if (!$con)
	{
	die('Could not connect: ' . mysql_error());
	}

mysql_select_db("my_db", $con);

$sql="INSERT INTO members(fname, lname, email, cemail, pword, cpword, sex, DOBMonth, DOBDay, DOBYear, natcountry, rcountry, postcode, industry, other, date)
	VALUES
('$_POST[fname]','$_POST[lname]','$_POST[email]','$_POST[cemail]','$_POST[pword]','$_POST[cpword]','$_POST[sex]','$_POST[DoBMonth]','$_POST[DOBDay]','$_POST[DoBYear]','$_POST[sex]','$_POST[ncountry]','$_POST[postcode]','$_POST[industry]','$_POST[other]','$_GET[CURDATE]')";

if (!mysql_query($sql,$con))
	{
	die('Error: ' . mysql_error);
	}

mysql_close($con);

?>

</body>
</html>

id_ivan

where is the form?
have you checked the "name"/"id" field consistency against those you checked in $filters?

Jane_Smith

Thank you for looking at this the form is on a seperate page and is (I have cut out some of the options to save space:


<html>
<title>Sign Up</title>
<head>
</head>

<body>
	<br />

<form action="guestdetails.php" name="form" onsubmit="return check(this)" method="post">

<fieldset class="two">
	<legend>Your Information:</legend>
	<br />

<table border="0" width="100&#37;">
<tr>
<td width="50%">

<br />
	<label class="two">First name:</label>
		<input type="text" class="input" required="required" name="fname" value="enter firstname" onclick="this.value='';" onfocus="this.select()" onblur="this.value=!this.value?'enter firstname':this.value;" size="30%" />
<br />
<br />

	<label class="two">Last name:</label>
		<input type="text" class="input" required="required" name="lname" value="enter lastname" onclick="this.value='';" onfocus="this.select()" onblur="this.value=!this.value?'enter lastname':this.value;"  size="30%" />
<br />
<br />

	<label class="two">Email:</label>
		<input type="text" class="input" name="email" value="enter email address" onclick="this.value='';" onfocus="this.select()" onblur="this.value=!this.value?'enter email address':this.value;" size="30%" />
<br />
<br />


	<label class="two">Confirm Email:</label>
		<input type="text" class="input" name="cemail" value="confirm email address" onclick="this.value='';" onfocus="this.select()" onblur="this.value=!this.value?'confirm email address':this.value;" size="30%" />
<br />
<br />

	<label class="two">Password:</label>
		<input type="password" class="input" name="pword" value="password" onclick="this.value='';" onfocus="this.select()" onblur="this.value=!this.value?'password':this.value;" size="25%" />
		<p class="small">Password must be 12 characters long in the interest of protecting<br />
		 your security,	we suggest including symbols, upper and lower case and avoiding <br />
		words to help protect your security.</p>


	<label class="two">Confirm Password:</label>
		<input type="password" class="input" name="cpword" value="password" onclick="this.value='';" onfocus="this.select()" onblur="this.value=!this.value?'password':this.value;" size="25%" />
<br />
<br />
</td>
<td width="50%">

	<label class="two">Sex:</label>
<br />
	<label class="two">Male</label>
		<input type="radio" name="msex" value="male" onclick="1" {margin-left:7.5em;} />
<br />
	<label class="two">Female</label>
		<input type="radio" name="fsex" value="female" onclick="1" {margin-left:7.5em;}/> 
<br />
<br />
	<label class="two">Date of Birth:</label>
		<select name="DoBDay" class="input">
		<option value="0"
		selected"selected">Day</option>
		<option value="one">1</option>
		</select>

		<select name="DoBMonth" class="input">
		<option value="0"
		selected"selected">Month</option>
		</select>

		<select name="DoBYear" class="input">
		<option value="0"
		selected"selected">Year</option>
		</select>
<br />
<br />
	<label class="two">Nationality:</label>
		<select name="natcountry" class="input">
		<option value="please select"
		selected"selected">Please Select</option>option>
		</select>
<br />
<br />

	<label class="two">Residence Country:</label>
		<select name="rcountry" class="input">
		<option value="please select"
		selected"selected">Please Select</option>
			</select>
<br />
<br />

	<label class="two">Postcode:</label>
		<input type="text" class="input" name="postcode" value="enter postcode" onclick="this.value='';" onfocus="this.select()" onblur="this.value=!this.value?'enter postcode':this.value;" size="30%" />
<br />
<br />

	<label class="two">Industry:</label>
		<select name="industry" class="input">
			<option value="please select"
			selected"selected">Please Select</option>				<option value="all">All</option>
			</select>
<br />
<br />

	<label class="two">If other:</label>
		<input type="text" class="input" name="otherindustry" value="enter other" onclick="this.value='';" onfocus="this.select()" onblur="this.value=!this.value?'enter other':this.value;"  size="30%" />
<br />
<br />

</td>
</tr>
</table>

</fieldset>
			<input type="submit" value="Submit"/>

id_ivan

you might want to change this line

$result = filter_input_array(INPUT_GET, $filters);

become

$result = filter_input_array(INPUT_POST, $filters);

because your form method is actually said method=post

id_ivan

sorry to bump this, i cant edit my post.....

you should also simplified your code, eg,
if ($fname=='enter firstname') and if (!$result["fname"])
could be simplified using just one line
if ($fname=='enter firstname' || !$result["fname"])