Posted by Gordon Burditt on 06/15/05 01:00
>> I certainly hope the PHP processing page does at least enough
>> validation of its own to avoid SQL injection attacks. If I put the
>> last name O'Brien in the contact form, and it causes a SQL error,
>> you're in trouble.
>
>I edit $_POST values via addslashes() and trim(). In other forms that
>require numerical values or date/time entries, I use programming logic
>to verify info. All is server-side. Not enough?
That should be good enough. Too many people using JavaScript try
to do their input validation EXCLUSIVELY in JavaScript. But watch
out for quotes in stuff you thought was numeric. Regex to make
sure it's really numeric, plus range checking, should be enough.
How does PHP handle arithmetic operations on stuff like:
if ($month < 1 || $month > 12) { /* handle bad month error */ }
where $month = "3'or 1";
>> Have you considered detecting when this happens, and logging relevant
>> things, like $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_REFERER'],
>> and $_SERVER['HTTP_USER_AGENT'] ?
>
>This was brought to my attention this morning. I added a dump of the
>$_SERVER array to the email. When I have more than a couple to look at,
>I'll try to find a thread.
>
>> Are you getting blank messages *IN SPITE OF* the check above, or
>> did you put the check in because you kept getting blank messages?
>> If you are still getting blanks in spite of the check, that's weird.
>
>The check has been in since the beginning. That's primarily what I
>don't understand. In the resulting email, a healthy message might read
>"first_name: John". In the errant messages, the line reads
>"first_name:". Not even a space. (adding values to the database uses
Ok, I thought you were getting *COMPLETELY BLANK* messages. You
seem to be getting field names. And I don't understand not getting
a space since your code had a colon followed by a space after the
key.
>trim(), but generating the email uses the raw post values). In the
>$key=>$val clause, it would seem that $key is filled with the names of
>my input fields but $val is null. Would $_POST have an element for a
>given input field if the field were null?
If the field is empty, you'd get an empty string (I forget whether
PHP makes a distinction between an empty string and null like SQL
does). I believe this is what you get when someone clicks on the
form without filling anything in (and JavaScript either doesn't
catch it or is turned off).
if ($_POST['first_name'] == '' && $_POST['last_name'] == '') {
    // bad message, ignore it
}
Gordon L. Burditt
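A PHP illustration added here (not code from the thread) of the "3'or 1" month-check question and of the validation the post recommends: a strict integer-plus-range check on the raw value, then binding the result as a parameter. The contact table, its month column and the PDO handle are assumptions; the sample inputs are constructed.

```php
<?php
// Added example, not from the original thread. Simulates form input;
// no database is needed to run the validation part.

// The check from the thread applied to the raw string. On PHP 7.x a
// leading-numeric string such as "3'or 1" is compared as 3, so the
// range check passes and the quote travels on to the query. PHP 8
// compares an int against a non-numeric string as strings, so the
// result differs by version: not something a check should rely on.
function monthLooksValidLoose($month): bool
{
    return !($month < 1 || $month > 12);
}

// Strict check: the whole value must be an integer within 1..12.
// filter_var() returns false (not 0) on failure, hence the === test.
function validMonth($month): ?int
{
    $n = filter_var($month, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 12]]);
    return $n === false ? null : $n;
}

// Constructed inputs: a normal value, the injection-shaped value from
// the thread, an out-of-range value and an empty field.
$samples = ['3', "3'or 1", '13', ''];
foreach ($samples as $s) {
    printf("%-10s loose:%-5s strict:%s\n", var_export($s, true),
        monthLooksValidLoose($s) ? 'pass' : 'fail',
        validMonth($s) === null ? 'reject' : 'accept ' . validMonth($s));
}

// With a validated integer, bind it as a parameter rather than
// interpolating the string; addslashes() is then not needed for it.
// Table and column names are assumed for the example.
function insertMonth(PDO $db, string $raw): bool
{
    $m = validMonth($raw);
    if ($m === null) {
        // Log $_SERVER['REMOTE_ADDR'] and friends here, as suggested above.
        return false;
    }
    $stmt = $db->prepare('INSERT INTO contact (month) VALUES (:m)');
    $stmt->bindValue(':m', $m, PDO::PARAM_INT);
    return $stmt->execute();
}
```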