  1. #1
    SitePoint Member

    Email enquiry problem

    Hi there,

    I have programmed a simple online enquiry form with a captcha form.
    All form elements are client-side validated;
    Name required, number (regexp), email (regexp), characters not allowed in message (regexp).

    But I am still receiving the following enquiries, and am confused as to how I can stop this.

    _________________________________________________________
    A user pmjxvlo submitted the contact form:

    Name: pmjxvlo
    Email: vleijk@phcdiv.com
    Contact Number: EPTvsDBCkphwDlVEh

    Message:
    pedZAR <a href=\"http://feethehrhml.com/\">ferhthghrhejxml</a>, [link=http://spammylink.com/]spammylink[/link], [link=http://spammylink.com/]thehrhthrheh[/link], http://birhthrhehrhz.com/

    IP: 91.232.96.8
    Last edited by Mittineague; Mar 6, 2014 at 17:25. Reason: links changed to avoid promoting criminals

  2. #2
    ralph.m
    Looks like you need better data filtering. Feel free to show us the code you are using currently.

  3. #3
    SitePoint Member
    Quote Originally Posted by ralph.m
    Looks like you need better data filtering. Feel free to show us the code you are using currently.
    Client-side is jQuery validation.
    HTML Code:
    <label>Name:</label><input name="name" type="text" value='<?php echo htmlentities($name) ?>' class="validate[required] text-input" />
    <label>Email:</label><input name="email" type="text" value='<?php echo htmlentities($visitor_email) ?>' class="validate[required,custom[email]] text-input" />
    <label>Phone:</label><input name="phone" type="text" value='<?php echo htmlentities($visitor_phone) ?>' class="validate[required,custom[phone]] text-input" />
    <label>Message:</label><textarea name="message" rows="8" cols="50" class="validate[required,custom[onlyLetterNumber]] text-area"><?php echo htmlentities($user_message) ?></textarea>
    
    Calling the relevant regexp:
    Code:
    // Excerpt from the jQuery validationEngine rules object used by the form above.
    "phone": {
        // credit: jquery.h5validate.js / orefalo
        "regex": /^([\+][0-9]{1,3}[\ \.\-])?([\(]{1}[0-9]{2,6}[\)])?([0-9\ \.\-\/]{3,20})((x|ext|extension)[\ ]?[0-9]{1,4})?$/,
        "alertText": "* Invalid phone number"
    },
    "email": {
        // HTML5 compatible email regex ( http://www.whatwg.org/specs/web-apps/current-work/multipage/states-of-the-type-attribute.html#e-mail-state-%28type=email%29 )
        "regex": /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/,
        "alertText": "* Invalid email address"
    },
    "onlyLetterNumber": {
        "regex": /^[0-9a-zA-Z' ]+$/,
        "alertText": "* No special characters allowed"
    },

  4. #4
    SitePoint Member
    Also server-side double checks the message using the following function.

    PHP Code:
    // Returns true if the string contains raw or URL-encoded line breaks or tabs,
    // the characters that would let a sender append extra headers to the outgoing mail.
    function IsInjected($str)
    {
        $injections = array('(\n+)',
                            '(\r+)',
                            '(\t+)',
                            '(%0A+)',
                            '(%0D+)',
                            '(%08+)',
                            '(%09+)'
        );
        $inject = join('|', $injections);
        $inject = "/$inject/i";
        if (preg_match($inject, $str)) {
            return true;
        } else {
            return false;
        }
    }

  5. #5
    ralph.m
    Ultimately, JS is useless for validation, as it can simply be turned off. It can enhance the form, but is not enough on its own. The PHP $injections code is pretty light on, as it doesn't check for much. You can write complex regular expressions for fields like name and email, or you can use some PHP defaults, like

    filter_var($_POST['name'], FILTER_SANITIZE_STRING)

    and

    filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)
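
    An added example of the server-side checks this reply recommends, not code from the original poster or from ralph.m: it re-validates the four form fields (name, email, phone, message) on the server with filter_var and the same phone and message patterns the client uses, and rejects line breaks in anything that will end up in a mail header. It validates rather than sanitises, since FILTER_SANITIZE_STRING is deprecated from PHP 8.1; the name length limits and the sample submission are assumptions.

```php
<?php
// Server-side validation for the enquiry form (added example, not the poster's code).
// Returns a list of failed field names; an empty list means the submission is acceptable.
function validate_enquiry(array $post): array
{
    $errors = [];

    // Never trust the client: re-read and trim every field here.
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $phone   = trim((string)($post['phone'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    // Name: required; letters, spaces, apostrophes and hyphens, at most 60 chars (assumed limit).
    if (!preg_match("/^[\\p{L}' \\-]{1,60}$/u", $name)) {
        $errors[] = 'name';
    }

    // Email: PHP's built-in validator replaces the hand-written regex.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }

    // Phone: the same pattern the client-side plugin uses, now enforced on the server.
    $phoneRe = '/^([\+][0-9]{1,3}[\ \.\-])?([\(]{1}[0-9]{2,6}[\)])?'
             . '([0-9\ \.\-\/]{3,20})((x|ext|extension)[\ ]?[0-9]{1,4})?$/';
    if (!preg_match($phoneRe, $phone)) {
        $errors[] = 'phone';
    }

    // Message: letters, digits, apostrophes and spaces only (mirrors "onlyLetterNumber"),
    // which also rejects the URLs and [link=...] markup seen in the spam submission.
    if (!preg_match("/^[0-9a-zA-Z' ]{1,2000}$/", $message)) {
        $errors[] = 'message';
    }

    // Header injection: a CR or LF in a field placed in a mail header lets the sender
    // add headers of their own, so reject it regardless of the other checks.
    foreach ([$name, $email, $phone] as $headerField) {
        if (preg_match('/[\r\n]/', $headerField)) {
            $errors[] = 'header_injection';
            break;
        }
    }
    return $errors;
}

// Constructed sample shaped like the submission quoted in post #1 (placeholder link).
$sample = ['name' => 'pmjxvlo', 'email' => 'vleijk@phcdiv.com', 'phone' => 'EPTvsDBCkphwDlVEh',
           'message' => 'pedZAR <a href="http://example.invalid/">x</a>'];
var_dump(validate_enquiry($sample));
```

    Run this on the POST request before calling mail(); only send when the returned list is empty, and keep htmlentities() for re-displaying the values in the form.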

  6. #6
    SitePoint Member
    No JavaScript!
    Of course, why did I not think of the obvious?

    Thanks for that, will tighten up server-side.
