Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

PHP form validation example. Secure or not secure?

    #34801
    standuncan
    Member

    Hey all, I have been using php to validate forms for a while now, but I’m wondering just how secure this script is that I use. I put the script together using snippets from several places, like what I learned in school, css-tricks, php.net, etc. Is there anything I can add, less of a captcha, to add some spam filtering or some extra validation?



    <?php
    // Strip tags, trim, and entity-encode a form value before it goes into the mail body
    function stripcleantohtml($s){
        return htmlentities(trim(strip_tags(stripslashes($s))), ENT_NOQUOTES, "UTF-8");
    }

    if(!empty($_POST)){

        $ipaddress = $_SERVER['REMOTE_ADDR'];
        $date = date('d/m/Y');
        $time = date('H:i:s');
        $name = stripcleantohtml($_POST['name']);
        $email = stripcleantohtml($_POST['email']);
        $phone = stripcleantohtml($_POST['phone']);
        $comments = stripcleantohtml($_POST['comments']);

        $errors = array();

        //Check the form fields
        if(empty($name)){
            $errors[] = 'Enter your name.';
        }
        if(empty($phone)){
            $errors[] = 'Enter your phone number.';
        }
        if(empty($email)){
            $errors[] = 'Enter your email.';
        } else {
            // ereg() was removed in PHP 7, so the same patterns are run through preg_match()
            if (!preg_match('/^[^@]{1,64}@[^@]{1,255}$/', $email)) {
                $errors[] = 'Invalid email';
            }

            // Pad to two parts so a value without "@" does not leave $email_array[1] undefined
            $email_array = array_pad(explode("@", $email), 2, '');
            $local_array = explode(".", $email_array[0]);
            for ($i = 0; $i < sizeof($local_array); $i++) {
                // Each dot-separated piece of the local part must be an atom or a quoted string
                if(!preg_match('/^(([A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-][A-Za-z0-9!#$%&\'*+\/=?^_`{|}~.-]{0,63})|("[^(\\\\|")]{0,62}"))$/', $local_array[$i])) {
                    $errors[] = 'Invalid email';
                }
            }
            // Unless the domain is an IP literal, check every label of it
            if (!preg_match('/^\[?[0-9.]+\]?$/', $email_array[1])) {

                $domain_array = explode(".", $email_array[1]);

                if (sizeof($domain_array) < 2) {
                    $errors[] = 'Invalid email';
                }

                for ($i = 0; $i < sizeof($domain_array); $i++) {
                    if(!preg_match('/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/', $domain_array[$i])) {
                        $errors[] = 'Invalid email';
                    }
                }
            }
        }

        if(!empty($errors)){
            //Do nothing
        } else {
            $headers = "From: {$email}" . "\r\n";
            $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

            $emailbody = "

            You have received a new message from the contact form on your website.

            Name: {$name}

            Email Address: {$email}

            Telephone: {$phone}

            Comments: {$comments}

            This message was sent from the IP Address: {$ipaddress} on {$date} at {$time}

            ";

            mail("[email protected]","Email Subject Here",$emailbody,$headers);

            $success = 'Thank You For Your Submission.';

        }
    }
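For comparison, here is an added example (not the poster's script, and not CSS-Tricks code) of the same handler with the pieces a reviewer would tighten: the address is validated with filter_var() plus an explicit CR/LF check before it touches a header, the visitor goes in Reply-To instead of From, and the declared charset matches the one htmlentities() was given. validate_contact(), send_contact_mail() and the two addresses are assumed names and placeholders.

```php
<?php
// Added example, not the thread's code. The two addresses are placeholders.

// Helper from the post, minus the magic_quotes-era stripslashes()
function stripcleantohtml(string $s): string {
    return htmlentities(trim(strip_tags($s)), ENT_NOQUOTES, 'UTF-8');
}

// Returns [cleaned fields, errors keyed by field name]
function validate_contact(array $post): array {
    $f = [];
    foreach (['name', 'email', 'phone', 'comments'] as $k) {
        $f[$k] = stripcleantohtml((string) ($post[$k] ?? ''));
    }
    $errors = [];
    if ($f['name'] === '')  { $errors['name']  = 'Enter your name.'; }
    if ($f['phone'] === '') { $errors['phone'] = 'Enter your phone number.'; }
    // Validate the raw address, not the entity-encoded copy. filter_var()
    // replaces the hand-written ereg() patterns; the CR/LF test is explicit
    // because a value placed in a mail header must never contain a line break.
    $raw = trim((string) ($post['email'] ?? ''));
    if ($raw === '') {
        $errors['email'] = 'Enter your email.';
    } elseif (preg_match('/[\r\n]/', $raw) || filter_var($raw, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email';
    }
    $f['reply_to'] = $raw;
    return [$f, $errors];
}

function send_contact_mail(string $to, string $site_from, array $f): bool {
    // From: stays on a site-owned address, so the receiver's SPF/DMARC checks are
    // not tripped by a From: in the visitor's domain; Reply-To still makes "reply" work.
    $headers  = "From: {$site_from}\r\n";
    $headers .= "Reply-To: {$f['reply_to']}\r\n";
    $headers .= "Content-type: text/html; charset=UTF-8\r\n"; // what htmlentities() used
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $body = "Name: {$f['name']}<br>Email Address: {$f['email']}<br>"
          . "Telephone: {$f['phone']}<br>Comments: {$f['comments']}<br>"
          . "Sent from IP {$ip} on " . date('d/m/Y') . ' at ' . date('H:i:s');
    return mail($to, 'Email Subject Here', $body, $headers);
}

if (!empty($_POST)) {
    [$fields, $errors] = validate_contact($_POST);
    if (empty($errors) && send_contact_mail('you@example.com', 'site@example.com', $fields)) {
        $success = 'Thank You For Your Submission.';
    }
}
```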

    #89356
    ic3d
    Member

    Seems safe to me! You could add Captcha or anything like that, but the spam you’ll receive through this form won’t be much.

    #89365
    standuncan
    Member

    I have had this implemented on a handful of sites for about 3-4 months now, but soon these sites will have Adwords accounts and will be posted on hundreds of blogs so that is why I want to make sure there won’t be much spam.

    Several of the sites are tailored to a senior citizen demographic, so that is why I am strongly against using a Captcha. I tried a honeypot, but couldn’t get it to work right :/

    Thanks for your input.

    #89383
    ic3d
    Member

    Honeypots can be really simple. For example: http://devgrow.com/simple-php-honey-pot/

    Other than that, another simple technique to add is to rename your visible fields. E.g. call your email field phonenumber and vice versa. Robots are stupid, they will fill out an email in the phonenumber field and vice versa. If you check both of them strictly, most robots would already fail.

    One other simple technique is to check the browser of the visitor. If it isn’t a real browser, you won’t show a form but other contact information like a phone number instead. You have to keep the browser list (not versions but engines) up-to-date though.

    #89393
    standuncan
    Member

    Thanks a lot for the tips, think I’ll test some of those out probably.

    Maybe a newbie question, but I don’t know much about robots. When a robot fills out a form and it does not pass validation, what happens next? Do robots keep repeating (filling the form out again and again) to try to pass validation or do they just continue moving on to another site or? Got any links about robots themselves? I can’t seem to find any.

    #89634
    standuncan
    Member

    Another question, I have some “selects” in this form I need to make required to make a selection before the form submits too, and due to the demographic again I cannot just use the required HTML5 attribute. Any ideas how I can do this?

    #89646
    standuncan
    Member

    Thinking out loud here, if I check if that select is empty, and I leave the first option’s value attribute empty, wouldn’t that force them to select another option with a value?

    #89647
    standuncan
    Member

    Well I was able to get it doing this:

    php:



    if(empty($best_time_to_call)){
        $errors[] = 'Select an option';
    }

    html:






    Think that is decent enough?

    #91521
    standuncan
    Member

    Is there a way to condense this validation? I can’t find any examples…



    if(empty($phone)){
        $errors[] = '*';
    } else {
        if ($phone == "Phone") {
            $errors[] = '*';
        } else {
            if (strlen($phone) < 10 ) {
                $errors[] = '*';
            } else {
                if (strlen($phone) > 15 ) {
                    $errors[] = '*';
                } else {
                    if (is_numeric($phone)){
                        //do nothing
                    } else {
                        $errors[] = '*';
                    }
                }
            }
        }
    }

    #92021
    rolf
    Member

    Sometimes it’s best to check for each flaw separately like you’re doing now so you can provide very specific feedback to the user about what is wrong. If you want it short you can for example combine the length check into 1 line. I guess it’s really up to you and how much time you have ;)

    Regarding spam I have used slightly altered field names in the past and it works best without asking too much from the user (captcha stuff). Renaming something like email to female stops 99% of the spam. It just looks stupid in the code but if you have some generic function that processes all form posts it doesn’t matter (the php process function can rename the “rewritten” fields back to original names etc.)
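The nested phone check from the post above, condensed into one function as rolf suggests. This is an added example, not code from the thread; validate_phone() is an assumed name.

```php
<?php
// Added example, not from the thread: the nested phone check condensed into one
// function. validate_phone() is an assumed name.

// Returns null when the value is acceptable, otherwise the reason, so the caller
// can still report something specific (rolf's point) or just push '*' as before.
function validate_phone(string $phone): ?string {
    $phone = trim($phone);
    // Empty, or still holding the field's placeholder text "Phone"
    if ($phone === '' || $phone === 'Phone') {
        return 'Enter your phone number.';
    }
    // One pattern replaces the strlen() < 10, strlen() > 15 and is_numeric()
    // branches, and is stricter: is_numeric() also accepts "+1234567890",
    // "1234567890.5" and "1e12". The D modifier keeps $ from matching before a
    // trailing newline.
    if (!preg_match('/^[0-9]{10,15}$/D', $phone)) {
        return 'Phone must be 10 to 15 digits.';
    }
    return null;
}

// In the handler, keeping the post's one-asterisk convention
$errors = [];
if (validate_phone((string) ($_POST['phone'] ?? '')) !== null) {
    $errors[] = '*';
}
```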

    #92041
    cssnew
    Member

    Just a newbie question here. How do you do the renaming stuff?

    ??? Or should even the id be renamed? Thanks

    #92045
    standuncan
    Member

    @rolf, in most circumstances I think that makes sense so you can deliver a specific error for what is wrong in each case. In this specific situation I do not have room for descriptions, so every error is an asterisk. I was just thinking it may save some load/parse time to condense the validation?

    I am thinking of coming up with a different naming solution for all my forms and then I can stick with it and never get confused. I don’t care about renaming, because in the mail function I can have:



    $body = "Name: $random1 \n";
    $body .= "Email: $random2 \n";

    or



    $emailbody = "

    Name: {$random1}


    Email Address: {$random2}

    ";

    depending on how you set your mail function up.
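Putting ic3d's honeypot and the field renaming rolf describes (and cssnew asks about) into one handler, as an added example rather than code from the thread. FIELD_MAP, normalize_post(), looks_like_spam() and all the field names are assumptions.

```php
<?php
// Added example, not from the thread. All field names here are assumptions.

// Posted name => real name. Only name="" reaches $_POST; id="" just binds
// <label> and CSS, so it can stay readable (cssnew's question).
const FIELD_MAP = [
    'female'      => 'email',     // rolf's example: "email" becomes "female"
    'phonenumber' => 'phone',
    'fullname'    => 'name',
    'message'     => 'comments',
    'website'     => '_honeypot', // hidden with CSS; humans never fill it in
];
// Honeypot markup (hidden, out of the tab order, no browser autofill):
//   <input type="text" name="website" tabindex="-1" autocomplete="off" style="display:none">

function normalize_post(array $post): array {
    $fields = [];
    foreach (FIELD_MAP as $public => $real) {
        $fields[$real] = trim((string) ($post[$public] ?? ''));
    }
    return $fields;
}

// True when the submission looks automated; call it before the normal validation
function looks_like_spam(array $fields): bool {
    // 1. Honeypot: any content in the hidden field came from a bot
    if ($fields['_honeypot'] !== '') {
        return true;
    }
    // 2. Strict checks on the renamed fields: a bot that guesses by field name
    //    puts an address into "phonenumber" and digits into "female"
    if ($fields['phone'] !== '' && !preg_match('/^[0-9]{10,15}$/D', $fields['phone'])) {
        return true;
    }
    if ($fields['email'] !== '' && filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        return true;
    }
    return false;
}

if (!empty($_POST)) {
    $fields = normalize_post($_POST);
    if (looks_like_spam($fields)) {
        // Show the usual thank-you but send nothing: the bot gets no signal to retry on
        $success = 'Thank You For Your Submission.';
    } else {
        // continue with the existing checks on $fields['name'], $fields['email'], ...
    }
}
```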
