Exphor
March 6, 2014, 9:10pm
1
Hi there,
I have programmed a simple online enquiry form with a captcha form.
All form elements are client-side validated;
Name required, number (regexp), email (regexp), characters not allowed in message (regexp).
But I am still receiving the following enquiries, and am confused as to how I can stop this.
A user pmjxvlo submitted the contact form:
Name: pmjxvlo
Email: vleijk@phcdiv.com
Contact Number: EPTvsDBCkphwDlVEh
Message:
pedZAR <a href=\“http://feethehrhml.com/\\ ”>ferhthghrhejxml</a>, [link=http://spammylink.com/ ]spammylink[/link], [link=http://spammylink.com/ ]thehrhthrheh[/link], [noparse]http://birhthrhehrhz.com/[/noparse]
IP: 91.232.96.8
ralphm
March 6, 2014, 10:29pm
2
Looks like you need better data filtering. Feel free to show us the code you are using currently.
Exphor
March 6, 2014, 11:25pm
3
Client-side is jQuery validation.
<label>Name:</label><input name="name" type="text" value='<?php echo htmlentities($name) ?>' class="validate[required] text-input" />
<label>Email:</label><input name="email" type="text" value='<?php echo htmlentities($visitor_email) ?>' class="validate[required,custom[email]] text-input"/>
<label>Phone:</label><input name="phone" type="text" value='<?php echo htmlentities($visitor_phone) ?>' class="validate[required,custom[phone]] text-input"/>
<label>Message:</label><textarea name="message" rows=8 cols=50 class="validate[required,custom[onlyLetterNumber]] text-area"><?php echo htmlentities($user_message) ?></textarea>
Calling the relevant regexp:
"phone": {
  // credit: jquery.h5validate.js / orefalo
  "regex": /^([\+][0-9]{1,3}[\ \.\-])?([\(]{1}[0-9]{2,6}[\)])?([0-9\ \.\-\/]{3,20})((x|ext|extension)[\ ]?[0-9]{1,4})?$/,
  "alertText": "* Invalid phone number"
},
"email": {
  // HTML5 compatible email regex ( http://www.whatwg.org/specs/web-apps/current-work/multipage/states-of-the-type-attribute.html#e-mail-state-%28type=email%29 )
  "regex": /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/,
  "alertText": "* Invalid email address"
},
"onlyLetterNumber": {
  "regex": /^[0-9a-zA-Z' ]+$/,
  "alertText": "* No special characters allowed"
},
Exphor
March 6, 2014, 11:28pm
4
Also, server-side double-checks the message using the following function.
// Returns true if the string contains newline, carriage-return or tab characters,
// raw or URL-encoded, which is what a mail-header injection attempt relies on.
function IsInjected($str)
{
  $injections = array('(\n+)',
    '(\r+)',
    '(\t+)',
    '(%0A+)',
    '(%0D+)',
    '(%08+)',
    '(%09+)'
    );
  $inject = join('|', $injections);
  $inject = "/$inject/i";
  if(preg_match($inject,$str))
  {
    return true;
  }
  else
  {
    return false;
  }
}
ralphm
March 6, 2014, 11:41pm
5
Ultimately, JS is useless for validation, as it can simply be turned off. It can enhance the form, but is not enough on its own. The PHP $injections code is pretty light on, as it doesn’t check for much. You can write complex regular expressions for fields like name and email, or you can use some PHP defaults, like
filter_var($_POST['name'], FILTER_SANITIZE_STRING)
and
filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)
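Putting that advice into practice, here is an added example (not code from the thread) that re-implements the four client-side rules in PHP so they hold when JavaScript is off; it assumes the field names from post 3 and that the handler only calls mail() when no errors come back:

```php
<?php
// Added example, not code from the thread: server-side versions of the four
// client-side rules. Assumes the form fields name, email, phone and message.
function validate_enquiry(array $post): array
{
    $errors = [];

    // Name: required; reject CR/LF so the value is safe to place in a mail header.
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || preg_match('/[\r\n]/', $name)) {
        $errors['name'] = 'Name is required';
    }

    // Email: PHP's built-in validator instead of a hand-written regex.
    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email address';
    }

    // Phone: the same h5validate pattern used client-side. The D modifier stops
    // "$" from matching before a trailing newline, which it otherwise does in PCRE.
    $phone = trim((string)($post['phone'] ?? ''));
    $phoneRe = '/^([\+][0-9]{1,3}[\ \.\-])?([\(]{1}[0-9]{2,6}[\)])?'
             . '([0-9\ \.\-\/]{3,20})((x|ext|extension)[\ ]?[0-9]{1,4})?$/D';
    if (!preg_match($phoneRe, $phone)) {
        $errors['phone'] = 'Invalid phone number';
    }

    // Message: letters, digits, apostrophe and space only (mirrors onlyLetterNumber),
    // so "<a href=", "[link=" and "http://" are all rejected.
    $message = trim((string)($post['message'] ?? ''));
    if (!preg_match('/^[0-9a-zA-Z\' ]+$/D', $message)) {
        $errors['message'] = 'No special characters allowed';
    }
    return $errors;
}

// Constructed sample input: the spam submission quoted in post 1.
$spam = [
    'name'    => 'pmjxvlo',
    'email'   => 'vleijk@phcdiv.com',
    'phone'   => 'EPTvsDBCkphwDlVEh',
    'message' => 'pedZAR <a href="http://feethehrhml.com/">ferhthghrhejxml</a>',
];
$errors = validate_enquiry($spam);   // ['phone' => ..., 'message' => ...]
if ($errors === []) {
    // Only here should the handler call mail().
}
```

The example validates and rejects rather than sanitising because FILTER_SANITIZE_STRING is deprecated as of PHP 8.1. Run the same checks on every field that ends up in a mail header, not just the message body.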
Exphor
March 7, 2014, 12:11am
6
No javascript!
Of course, why did I not think of the obvious?
Thanks for that, will tighten up server-side.