Help with PHP


CRX-YEM

Say I'd like to check that the info entered on a form
Code:
<td width="30%"><p class="bodytext" align="right"> Approx. Quantity: </p></td>
<td width="70%" valign="top"><input type="text" name="qty" maxlength="7" class="input">
was only a number. Would this do the job?

Code:
<?php
// Read the quantity field that the form above posts
$qty = isset($_POST['qty']) ? $_POST['qty'] : '';

// The pattern needs quoting and delimiters; ereg() is POSIX ERE and does not
// understand \d, so preg_match() is used with the same two alternatives
if (preg_match('/(^\d*\.?\d*[1-9]+\d*$)|(^[1-9]+\d*\.\d*$)/', $qty)) {

echo true;

} else {

 echo '<p class="bodytext">Error!</p><p class="bodytext">Your message has not been sent. Please use your browser\'s refresh button to re-post the form data and try again. If this problem persists, please contact Webmaster<br>Thanks, <br></p>';
}

?>

If it's true, just continue; if false, provide an error message.
 
absolutely overkill on the reg ex.

all you need is to check for digits \d and length {0,7}
so

^\d{0,7}$

and echo true won't get you very far :p
 
But what if there are commas and periods? They wouldn't pass the regex you've proposed.
 
Qty's shouldn't have those figures in them at all. I'd run an ereg_replace on the ,'s and .'s before going to this function.
 
Well, if you ask someone for a quantity, it's possible for someone to enter 1,000 as a quantity, or 1.0.
But yeah, an ereg_replace would solve the problem and make the regex simpler.
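The approach the last two replies converge on (strip the separators first, then check for digits and length) written out as an added PHP example; this is the editor's code, not code from the thread, and the function name and sample inputs are invented. It goes slightly beyond the thread by only accepting a comma when it sits in a proper thousands group and a period when the decimal part is all zeros, so "1,0" or "1.5" do not silently turn into a different quantity.

```php
<?php
// Added example: normalise a quantity field, then validate it the way the
// thread suggests (digits only, at most 7 of them). Names are the editor's.

/**
 * Returns the quantity as an integer string, or null if it is not acceptable.
 * Accepts "1,000" (thousands separator) and "1.0" / "12.00" (a zero decimal
 * part); rejects fractional quantities, signs, letters and over-long values.
 */
function normalize_qty($raw)
{
    $s = trim((string) $raw);

    // 1. Drop thousands separators, but only when they form the usual 3-digit
    //    groups, so that "1,0" or "12,34" are rejected rather than reinterpreted.
    if (preg_match('/^\d{1,3}(,\d{3})+(\.\d+)?$/', $s)) {
        $s = str_replace(',', '', $s);
    } elseif (strpos($s, ',') !== false) {
        return null;
    }

    // 2. Allow a decimal part only when it is all zeros ("1.0" is still 1).
    if (preg_match('/^(\d+)\.(\d+)$/', $s, $m)) {
        if (!preg_match('/^0+$/', $m[2])) {
            return null;            // "1.5" is not a whole quantity
        }
        $s = $m[1];
    }

    // 3. What is left must be 1 to 7 digits (the {0,7} from the thread, except
    //    that an empty quantity is rejected here too).
    if (!preg_match('/^\d{1,7}$/', $s)) {
        return null;
    }

    // 4. Strip leading zeros but keep a single "0".
    $s = ltrim($s, '0');
    return $s === '' ? '0' : $s;
}

// Constructed sample inputs paired with the expected outcome for each.
$samples = array(
    array('250',       '250'),
    array('1,000',     '1000'),
    array('1.0',       '1'),
    array('12,345.00', '12345'),
    array('1.5',       null),
    array('1,0',       null),
    array('12345678',  null),   // 8 digits, too long
    array('10 pcs',    null),
    array('-5',        null),
    array('',          null),
);
foreach ($samples as $pair) {
    list($in, $want) = $pair;
    $got = normalize_qty($in);
    printf("%-14s -> %-7s %s\n", var_export($in, true),
           $got === null ? 'reject' : $got,
           $got === $want ? 'ok' : 'MISMATCH');
}
```

Run it from the command line with `php`; every row should print `ok`. The point of the staged checks is that normalisation and validation stay separate: the form value is rewritten into a canonical form first, and only the canonical form is matched against the simple `^\d{1,7}$` pattern.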
 
For those that might need a PHP mailing script that you don't want spammers to exploit, well, this should do the trick. And FYI, this is the script that is now running on our site, and it pretty much catches all the header injection exploits I could think of.

Code:
<?php
// Strip tags, backslashes and surrounding whitespace from every posted value
function clean($data) {
    $data = trim(stripslashes(strip_tags($data)));
    return $data;
}
// Header names and script fragments that a legitimate form post never contains
$exploits = "/(content-type|bcc:|cc:|document.cookie|onclick|onload)/i";
$c = array();
foreach ($_POST as $key => $val) {
    $c[$key] = clean($val);

    if (preg_match($exploits, $val)) {
        exit("<p>No exploits, please!</p>");
    }
}

$show_form = true;
$error_msg = NULL;


if (isset($c['submit'])) {
    if (empty($c['name']) || empty($c['company']) || empty($c['addr1']) || empty($c['city']) || empty($c['state']) || empty($c['zip']) || empty($c['phone']) || empty($c['email']) || empty($c['id']) || empty($c['features'])) {
        $error_msg .= "Your message cannot be sent without including the basic contact information. Please use your browser's back button to return and fill out the form completely. \n";
    } elseif (strlen($c['name']) > 40) {
        $error_msg .= "The name field is limited to 40 characters. Your first name or nickname will do! \n";
    } elseif (!ereg("^[A-Za-z' -]", $c['name'])) {
        $error_msg .= "The name field must not contain special characters. \n";
    } elseif (!ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$",strtolower($c['email']))) {
        $error_msg .= "That is not a valid e-mail address. \n";
    }

    if ($error_msg == NULL) {
        $show_form = false;

        $subject = "YOUR_SUBJECT HERE";

        $message  = "This Message was sent from the Customize Part Form:\r\n\r\n";
        // Must be .= here; a plain = would discard the line above
        $message .= "-----------------------Custom Part Request---------------\r\n";
        // Read the cleaned values from $c instead of relying on register_globals
        $message .= "                   Name: ". $c['name'] ."\n";
        $message .= "                Company: ". $c['company'] ."\n";
        $message .= "               Address1: ". $c['addr1'] ."\n";
        $message .= "               Address2: ". $c['addr2'] ."\n";
        $message .= "                   City: ". $c['city'] ."\n";
        $message .= "                  State: ". $c['state'] ."\n";
        $message .= "                    Zip: ". $c['zip'] ."\n";
        $message .= "                  Phone: ". $c['phone'] ."\n";
        $message .= "                 E-mail: ". $c['email'] ."\n";
        $message .= "                    Fax: ". $c['fax'] ."\r\n";
        $message .= "----------------------Switch Configuration--------------\r\n";
        $message .= "               Part Num: ". $c['id'] ."\n";
        $message .= "                    Qty: ". $c['qty'] ."\n";
        $message .= "               Features: ". $c['features'] ."\r\n";
        
        
        $message        .=      "----------------------User Agent Details-----------------\r\n";
        $message        .=      "             IP Address: {$_SERVER['REMOTE_ADDR']} \n";
        $message        .=      "                Browser: {$_SERVER['HTTP_USER_AGENT']} \n";
        $message        .=      "---------------------------------------------------------\r\n";

        if (strstr($_SERVER['SERVER_SOFTWARE'], "Win")) {
            $headers   = "From: YOUREMAIL@DOMAIN.COM \n";
            $headers  .= "Reply-To: {$c['email']}";
        } else {
            $headers   = "From: www.YOURWEBSITEHERE.COM <YOUREMAIL@DOMAIN.COM> \n";
            $headers  .= "Reply-To: {$c['email']}";
        }

        $sendto = "YOUREMAIL@DOMAIN.COM";
        
        if (mail($sendto,$subject,$message,$headers)) {
            echo ' <table width="100%" border="0" cellspacing="0" cellpadding="5">
             <tr>
              <td><p class="bodytext">Thank You! </p>
            <p class="bodytext">Your message has been sent. We will review your requirements 
                for your part and return your message as soon as possible. Thank you for 
                your time and have a great day! </p>
                  <p class="bodytext"><a href="../index.htm">Back to home page </a></p></td>
              </tr>
            </table>';
        } else {
            echo "<p>Your mail could not be sent this time.</p>";
        }
    }
}
if (!isset($c['submit']) || $show_form == true) {
    // Part number comes from the query string on first view and from the
    // cleaned POST data when the form is re-displayed after an error
    $id = isset($c['id']) ? $c['id'] : (isset($_GET['id']) ? $_GET['id'] : '');

    // Echo a previously submitted value back into the form, HTML-escaped so a
    // quote cannot break out of the value="" attribute (strip_tags leaves quotes in)
    function get_data($var) {
        global $c;
        if (isset($c[$var])) {
            echo htmlspecialchars($c[$var], ENT_QUOTES);
        }
    }

    if ($error_msg != NULL) {
        echo "<p><strong style='color: red;'>ERROR:</strong><br />";
        echo nl2br($error_msg) . "</p>";
    }
?>
    <br><p class="bodytext" align="center">Customize Your Part </p>
        <form action="customizer.php" method="post"><p>
        
        <table border="0" cellpadding="2" cellspacing="0" width="100%" align="center">
                              <tr>
                                <td width="30%" valign="top"><p class="bodytext" align="right"> Part Number: </p></td>
                                <td width="70%" valign="top"><p class="bodytext">
                                    <?php echo htmlspecialchars($id, ENT_QUOTES); ?>
                                  </p></td>
                              </tr>
                              <tr>
                                <td width="30%" valign="top"><p class="bodytext" align="right"> Required Features: </p></td>
                                <td width="70%" valign="top"><textarea name="features" cols="40" rows="7" id="features"><?php get_data("features"); ?> </textarea>
                                                            
                                </td>
                              </tr>
                              <tr>
                                <td width="30%"><p class="bodytext" align="right"> Approx. Quantity: </p></td>
                                <td width="70%" valign="top"><input type="text" name="qty" size="15" id="qty" value="<?php get_data("qty"); ?>" class="input">
                                  
                                </td>
                              </tr>
                              <tr>
                                <td colspan="2" valign="top"><p class="bodytext" align="center"> <br>
                                    Please fill out the contact information below as completely as possible. <br>
                                    Doing so enables us to contact you about your specific needs on a product <br>
                                    and allows us to better serve you, the customer. <br>
                                    <font color="#FF0000">*</font> Fields are required. </p></td>
                              </tr>
                              <tr>
                                <td colspan="2" align="center"><img src="../images/hrule.gif" width="450"> </td>
                              </tr>
                              <tr>
                                <td colspan="2" align="center"><table border="0" align="center">
                                    <tr>
                                      <td width="25%" align="right"><p class="bodytext"><font color="#FF0000">*</font>Contact:</p></td>
                                      <td width="25%"><input type="text" name="name" size="15" id="name" value="<?php get_data("name"); ?>" class="input"></td>
                                      
                                      <td width="25%" align="right"><p class="bodytext"><font color="#FF0000">*</font>Company:</p></td>
                                      <td width="25%"><input type="text" name="company" size="15" id="company" value="<?php get_data("company"); ?>" class="input"></td>
                                    </tr>
                                    <tr>
                                      <td width="25%" align="right"><p class="bodytext"><font color="#FF0000">*</font>Addr1:</p></td>
                                      <td width="25%"><input type="text" name="addr1" size="15" id="addr1" value="<?php get_data("addr1"); ?>" class="input"></td>
                                      <td width="25%" align="right"><p class="bodytext">Addr2:</p></td>
                                      <td width="25%"><input type="text" name="addr2" size="15" id="addr2" value="<?php get_data("addr2"); ?>" class="input"></td>
                                    </tr>
                                    <tr>
                                      <td width="25%" align="right"><p class="bodytext"><font color="#FF0000">*</font>City:</p></td>
                                      <td width="25%"><input type="text" name="city" size="15" id="city" value="<?php get_data("city"); ?>" class="input"></td>
                                      <td width="25%" align="right"><p class="bodytext"><font color="#FF0000">*</font>State:</p></td>
                                      <td width="25%"><input type="text" name="state" size="15" id="state" value="<?php get_data("state"); ?>" class="input"></td>
                                    </tr>
                                    <tr>
                                      <td width="25%" align="right"><p class="bodytext"><font color="#FF0000">*</font>Zip:</p></td>
                                      <td width="25%"><input type="text" name="zip" size="15" id="zip" value="<?php get_data("zip"); ?>" class="input"></td>
                                      <td width="25%" align="right"><p class="bodytext"><font color="#FF0000">*</font>Phone:</p></td>
                                      <td width="25%"><input type="text" name="phone" size="15" id="phone" value="<?php get_data("phone"); ?>" class="input"></td>
                                    </tr>
                                    <tr>
                                      <td width="25%" align="right"><p class="bodytext"><font color="#FF0000">*</font>EMail:</p></td>
                                      <td width="25%"><input type="text" name="email" size="15" id="email" value="<?php get_data("email"); ?>" class="input"></td>
                                      <td width="25%" align="right"><p class="bodytext">Fax:</p></td>
                                      <td width="25%"><input type="text" name="fax" size="15" id="fax" value="<?php get_data("fax"); ?>" class="input"></td>
                                    </tr>
                                    <tr>
                                      <td colspan="4" align="center"><?php print '<input type="hidden" name="id" value="' . htmlspecialchars($id, ENT_QUOTES) . '"> '; ?>
                                        <input class="input" type="submit" name="submit" value="Submit">
                                      </td>
                                    </tr>
                                  </table></td>
                              </tr>
                              <tr>
                                <td>&nbsp;</td>
                              </tr>
                            </table>
                     </p></form>
<?php
}
?>
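The script above relies on a keyword blacklist (`content-type|bcc:|cc:|...`) to catch header injection. As an added example, which is the editor's code and not part of the script posted in the thread, here are the two checks that complement that blacklist: any value that ends up in a mail header (the `Reply-To` here) must contain no line break at all, since every header injection depends on one, and values echoed back into the form must be HTML-escaped, because `strip_tags()` leaves quotes untouched. The function names and sample inputs are invented for the example.

```php
<?php
// Added example (editor's code, not the thread's): two checks that complement
// the script's keyword blacklist. Function names are the editor's own.

/** True if $value may be placed in a mail header: no CR, LF or NUL anywhere. */
function header_safe($value)
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/** A usable Reply-To address is header-safe AND syntactically an e-mail address. */
function valid_reply_to($value)
{
    $value = trim($value);
    return header_safe($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

/** Escape a value before echoing it into HTML text or an attribute. */
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Build the headers the way the script does, but refuse unsafe input. */
function build_headers($from, $reply_to)
{
    if (!valid_reply_to($reply_to)) {
        return null;   // caller shows an error instead of calling mail()
    }
    return "From: $from\r\n" . "Reply-To: $reply_to\r\n";
}

// Constructed samples: a normal address, one carrying a line break (the thing a
// header injection needs, whatever header name follows it), and one that is
// simply not an address. Only the first should be accepted.
$samples = array(
    "user@example.com",
    "user@example.com\nCc: other@example.com",
    "not an address",
);
foreach ($samples as $s) {
    $hdr = build_headers('noreply@example.com', $s);
    printf("%-45s -> %s\n", addcslashes($s, "\r\n"),
           $hdr === null ? 'rejected' : 'accepted');
}

// Re-displaying a submitted value: strip_tags() keeps quotes, so without
// escaping the value below would close the value="" attribute early.
$submitted = 'Bob "the" Builder';
echo '<input type="text" name="name" value="' . h($submitted) . '">', "\n";
```

Rejecting on the presence of a line break rather than on a list of header names means the check does not need updating when someone thinks of a header that is not on the list, and `filter_var()` replaces the hand-written e-mail regex in the script with PHP's built-in validator.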
 
Code:
} elseif (!ereg("^[A-Za-z' -]", $c['name'])) {

should be:

Code:
    } elseif (!ereg("^[A-Za-z' -]{0,40}$", $c['name'])) {

otherwise, you are only going to test the first character of the name field.

b2ob will pass through as you have it.
 
even better might be something like this:

^[a-zA-Z]*\.?[a-zA-Z]+$

That means it must start and end with a letter, but anything else in between. Maybe throw the ' and \s for spaces in the middle along with a-zA-Z.

reg ex'es suck :D
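To make the anchoring point of the two replies above concrete, here is an added PHP example (the editor's, not code from the thread) that runs a few constructed names through the patterns quoted in the thread. The first three patterns are the ones posted; the fourth is the editor's reading of the last suggestion, with apostrophe, space and hyphen allowed between a leading and a trailing letter.

```php
<?php
// Added example (editor's code): run sample names through the name patterns
// discussed in the thread and show what each one accepts.

$patterns = array(
    'no end anchor (original)' => '/^[A-Za-z\' -]/',
    'anchored, {0,40}'         => '/^[A-Za-z\' -]{0,40}$/',
    'start+end letter'         => '/^[a-zA-Z]*\.?[a-zA-Z]+$/',
    'letters/space/quote'      => '/^[a-zA-Z][a-zA-Z\' -]{0,38}[a-zA-Z]$/',
);

/** Returns true when $name satisfies $pattern. */
function name_ok($pattern, $name)
{
    return preg_match($pattern, $name) === 1;
}

// Constructed sample names, including the "b2ob" case from the reply and a
// 41-character name to exercise the length limit.
$names = array(
    'Bob',
    'b2ob',
    "Mary-Jane O'Brien",
    'J. Smith',
    '<script>',
    str_repeat('a', 41),
);

printf("%-20s", 'name');
foreach ($patterns as $label => $p) {
    printf(" | %-24s", $label);
}
echo "\n";
foreach ($names as $n) {
    // Shorten the long sample for display only; the check uses the full string
    printf("%-20s", strlen($n) > 18 ? substr($n, 0, 15) . '...' : $n);
    foreach ($patterns as $p) {
        printf(" | %-24s", name_ok($p, $n) ? 'accept' : 'reject');
    }
    echo "\n";
}
```

The output shows the defect the reply describes: without the `$` anchor, `b2ob` and the 41-character name both pass because only the first character is examined, while the anchored pattern rejects them. It also shows the cost of the tighter `^[a-zA-Z]*\.?[a-zA-Z]+$` pattern, which turns away ordinary names such as "Mary-Jane O'Brien" unless the space, apostrophe and hyphen are added as suggested.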
 
I agree, regexes suck,
and a number getting in a name field isn't really a problem. I was really just after locking down the script from exploits and abuse.
 