Hello,
How are you, community? I signed up just now.
I need to ask a question about user input sanitization, and about input validation: email, domain, URL, phone, fax, mobile, ZIP.
So can someone teach me how to do all this? I tried, but no luck.
My attempt is fruitless …
<html>
<head>
<title>
Searchengine Result Page
</title>
</head>
<body>
<!-- An empty action posts back to this same URL. $_SERVER['PHP_SELF'] is not interpolated outside <?php ?>, and echoing it unescaped into the action would itself be an XSS vector. -->
<form method='POST' action=''>
<label for='find'>Find</label>
<input type='text' name='find' id='find'>
<br>
Table:
<!-- Radios need a value= or the browser submits "on"; each label's for= must match the id of its own input. -->
<input type='radio' name='table' id='sale' value='sale'><label for='sale'>Businesses On Sale</label>
<input type='radio' name='table' id='sold' value='sold'><label for='sold'>Businesses Sold</label>
<br>
<label for='business_name'>Business Name</label>
<input type='text' name='business_name' id='business_name'>
<label for='business_zip'>Business Zip</label>
<input type='text' name='business_zip' id='business_zip'>
<label for='business_phone'>Business Phone</label>
<input type='text' name='business_phone' id='business_phone'>
<label for='business_mobile'>Business Mobile</label>
<input type='text' name='business_mobile' id='business_mobile'>
<label for='business_fax'>Business Fax</label>
<input type='text' name='business_fax' id='business_fax'>
<label for='business_email'>Business Email</label>
<input type='text' name='business_email' id='business_email'>
<label for='business_description'>Business Description</label>
<input type='text' name='business_description' id='business_description'>
<button type='submit'>Submit!</button>
</form>
</body>
</html>
<?php
//ERROR REPORTING FOR DEVMODE ONLY.
ini_set('display_errors','1');
ini_set('display_startup_errors','1');
error_reporting(E_ALL);
//MYSQLI CONNECTION.
mysqli_report(MYSQLI_REPORT_ERROR|MYSQLI_REPORT_STRICT);
$server = 'localhost';
$user = 'root'; //root with an empty password is acceptable on a local dev box only; use a dedicated account with INSERT on this one database in production.
$password = '';
$database = 'brute';
//With MYSQLI_REPORT_STRICT set above, a failed connection throws mysqli_sql_exception, so a manual check is never reached.
//(mysqli_connect_error() and mysqli_connect_errno() also take no arguments.)
$conn = mysqli_connect($server, $user, $password, $database);
//'!' binds tighter than '==', so "!mysqli_character_set_name($conn) == 'utf8mb4'" compared a boolean with the string and the charset was never set.
//mysqli_set_charset() needs the connection object, not "$conn" interpolated into a string.
if(mysqli_character_set_name($conn) !== 'utf8mb4')
{
echo 'Initial Character Set: ' .mysqli_character_set_name($conn);
mysqli_set_charset($conn,'utf8mb4');
echo 'Current Character Set: ' .mysqli_character_set_name($conn);
}
//SANITIZE/VALIDATE USER INPUT
//NOTE: test_input() is defined but never called below. stripslashes() only undoes magic_quotes, which PHP 5.4 removed,
//and strip_tags() is not a substitute for htmlspecialchars() at the point where the value is printed into HTML.
function test_input($data)
{
$data = trim($data);
$data = stripslashes($data); //Strips only Backward Slashes. Not Forward Slashes.
//$data = htmlspecialchars($data);
$data = strip_tags($data);
return $data;
}
//Each field gets its own if() rather than an elseif: with the elseif chain only the first non-empty field was ever validated,
//and the INSERT branch (the final else) ran only when nothing at all had been submitted.
//Initialise every column so the bound parameters below are always defined; a field the user left blank is stored as ''.
$business_name = $business_zip = $business_phone = $business_mobile = $business_fax = $business_email = $business_domain = $business_url = $business_description = '';
if(!empty(trim($_POST['business_name'] ?? '')))
{
$business_name = trim($_POST['business_name']);
if(!is_string($business_name))
{
die('Enter Your Business Name! Can only contain Alpha-numerical Characters!');
}
$business_name = filter_var($business_name, FILTER_SANITIZE_STRING); //Deprecated since PHP 8.1.
if(!filter_var("$business_name", FILTER_VALIDATE_STRING)) //FILTER_VALIDATE_STRING is not a PHP filter constant; see "My issues" below.
{
die("Enter your valid Business Name!");
}
}
if(!empty(trim($_POST['business_zip'] ?? '')))
{
$business_zip = trim($_POST['business_zip']);
//$_POST values are always strings (or arrays), so the original "||!is_int(...)" test was always true and every submission died here.
if(!is_string($business_zip))
{
die('Enter your Business Zip! Can only contain Alpha-numerical Characters!');
}
$business_zip = filter_var($business_zip, FILTER_SANITIZE_ZIP); //Not a PHP filter constant.
if(!filter_var("$business_zip", FILTER_VALIDATE_ZIP)) //Not a PHP filter constant. (Was testing $business_phone by mistake.)
{
die("Enter your valid Business Zip!");
}
}
if(!empty(trim($_POST['business_phone'] ?? '')))
{
$business_phone = trim($_POST['business_phone']);
if(!is_string($business_phone))
{
die('Enter your Business Phone! Can only contain Alpha-numerical Characters!');
}
$business_phone = filter_var($business_phone, FILTER_SANITIZE_PHONE); //Not a PHP filter constant.
if(!filter_var("$business_phone", FILTER_VALIDATE_PHONE)) //Not a PHP filter constant.
{
die("Enter your valid Business Land-line Phone Number!");
}
}
if(!empty(trim($_POST['business_mobile'] ?? '')))
{
$business_mobile = trim($_POST['business_mobile']);
if(!is_string($business_mobile))
{
die('Enter your Business Mobile! Can only contain Alpha-numerical Characters!');
}
$business_mobile = filter_var($business_mobile, FILTER_SANITIZE_MOBILE); //Not a PHP filter constant.
if(!filter_var("$business_mobile", FILTER_VALIDATE_MOBILE)) //Not a PHP filter constant.
{
die("Enter your valid Business Mobile Phone Number!");
}
}
if(!empty(trim($_POST['business_fax'] ?? '')))
{
$business_fax = trim($_POST['business_fax']);
if(!is_string($business_fax))
{
die('Enter your Business Fax! Can only contain Alpha-numerical Characters!');
}
$business_fax = filter_var($business_fax, FILTER_SANITIZE_FAX); //Not a PHP filter constant.
if(!filter_var("$business_fax", FILTER_VALIDATE_FAX)) //Not a PHP filter constant.
{
die("Enter your valid Business Land-line Fax!");
}
}
if(!empty(trim($_POST['business_email'] ?? '')))
{
$business_email = trim($_POST['business_email']);
if(!is_string($business_email))
{
die('Enter your Business Email! Can only contain Alpha-numerical Characters!');
}
$business_email = filter_var($business_email, FILTER_SANITIZE_EMAIL);
if(!filter_var("$business_email", FILTER_VALIDATE_EMAIL))
{
die('Enter your valid Business Email!');
}
}
//The form above has no business_domain or business_url input yet, so the next two blocks only run once those fields are added.
if(!empty(trim($_POST['business_domain'] ?? '')))
{
$business_domain = trim($_POST['business_domain']);
if(!is_string($business_domain))
{
die('Enter your Business Domain! Can only contain Alpha-numerical Characters!');
}
$business_domain = filter_var($business_domain, FILTER_SANITIZE_DOMAIN); //Not a PHP filter constant.
if(!filter_var("$business_domain", FILTER_VALIDATE_DOMAIN)) //FILTER_VALIDATE_DOMAIN does exist (PHP 7.0+).
{
die("Enter your valid business website's Domain!");
}
}
if(!empty(trim($_POST['business_url'] ?? '')))
{
$business_url = trim($_POST['business_url']);
if(!is_string($business_url))
{
die('Enter your Business Url! Can only contain Alpha-numerical Characters!');
}
$business_url = filter_var($business_url, FILTER_SANITIZE_URL);
//FILTER_FLAG_SCHEME_REQUIRED and FILTER_FLAG_HOST_REQUIRED were removed in PHP 8.0: FILTER_VALIDATE_URL always requires both.
if(!filter_var("$business_url", FILTER_VALIDATE_URL))
{
die("Enter your valid Business website's full Url!");
}
if(!filter_var("$business_url", FILTER_VALIDATE_URL,FILTER_FLAG_PATH_REQUIRED))
{
die("Enter your valid Business website's full Absolute Url!");
}
}
if(!empty(trim($_POST['business_description'] ?? '')))
{
$business_description = trim($_POST['business_description']); //Was assigned to $business_zip by mistake, leaving $business_description undefined.
if(!is_string($business_description))
{
die('Enter your Business Description! Can only contain Alpha-numerical Characters!');
}
$business_description = filter_var($business_description, FILTER_SANITIZE_STRING); //Deprecated since PHP 8.1.
if(!filter_var("$business_description", FILTER_VALIDATE_STRING)) //Not a PHP filter constant.
{
die("Enter your Business Description!");
}
}
//SUBMIT USER INPUT TO DB: reached only when every supplied field passed, because each failure above calls die().
$sql = "INSERT into business_links (business_name,business_zip,business_phone,business_mobile,business_fax,business_email,business_domain,business_url,business_description) VALUES (?,?,?,?,?,?,?,?,?)";
$stmt = mysqli_stmt_init($conn);
if(mysqli_stmt_prepare($stmt,$sql))
{
mysqli_stmt_bind_param($stmt,'sssssssss',$business_name,$business_zip,$business_phone,$business_mobile,$business_fax,$business_email,$business_domain,$business_url,$business_description);
if($result = mysqli_stmt_execute($stmt))
{
echo 'Submission Success!';
echo mysqli_stmt_affected_rows($stmt);
}
else
{
//Detailed error messages are for development only; do not echo mysqli_stmt_error() to users in production.
echo 'Submission Execution Failed!';
echo 'Error: ' .mysqli_stmt_error($stmt);
echo 'Error: ' .mysqli_stmt_errno($stmt);
echo 'Entry Count: ' .mysqli_stmt_affected_rows($stmt);
}
mysqli_stmt_close($stmt);
}
else
{
//Development only. With MYSQLI_REPORT_STRICT a failed prepare throws mysqli_sql_exception before this branch is reached.
echo 'Submission Preparation Failed!';
}
mysqli_close($conn);
?>
My issues:
1.
filter_var("$business_name", FILTER_VALIDATE_STRING)
filter_var($business_zip, FILTER_SANITIZE_ZIP);
filter_var("$business_phone", FILTER_VALIDATE_ZIP)
filter_var($business_phone, FILTER_SANITIZE_PHONE)
filter_var("$business_phone", FILTER_VALIDATE_PHONE)
filter_var($business_mobile, FILTER_SANITIZE_MOBILE)
filter_var("$business_mobile", FILTER_VALIDATE_MOBILE)
filter_var($business_fax, FILTER_SANITIZE_FAX)
filter_var("$business_fax", FILTER_VALIDATE_FAX)
filter_var($business_domain, FILTER_SANITIZE_DOMAIN)
filter_var("$business_domain", FILTER_VALIDATE_DOMAIN)
filter_var("$business_description", FILTER_VALIDATE_STRING)
The above functions are invalid. They do not exist. Can you tell me of any substitutes? I can't find any myself. I give up. I am very tired now.
If there are no substitutes, then may we build our own custom functions? I surely do not know how to begin. Scratching my head.
Any sample code is welcome to get me on my way.
And, is my code OK, with the exception of my invented invalid PHP functions?
In your opinion, can my code be improved much or only a little?
Any serious mistakes in my programming?
Is my code hacker-proof? Is my code safe? I do not want users submitting malicious code in my comment section where, when I display their submissions on my pages, my webpage's HTML gets broken: XSS, JavaScript attacks, etc.
That is my main aim for the security fuss over my code. OK?
Thank you, people, for volunteering.
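Added example, not code from the original post or from any reply to it: working substitutes for the filter constants the post invents, plus the output-side escaping the last paragraph asks about. It uses only functions and constants that exist in PHP 8 (filter_var with FILTER_VALIDATE_EMAIL, FILTER_VALIDATE_DOMAIN and FILTER_VALIDATE_URL, preg_match, and mb_strlen from the mbstring extension). The helper names, the US-style ZIP and E.164-style phone formats, the length limits and the sample submission at the bottom are all assumptions for illustration.

```php
<?php
// Added example (not from the original post): validators for each field type the post lists,
// using only functions/constants that exist in PHP 8 (mbstring assumed), plus output escaping.
// ZIP and phone formats, field names, limits and the sample data are assumptions.
declare(strict_types=1);

// First gate for any POST value: reject arrays (field[]=x) and invalid UTF-8, collapse
// whitespace, and cap the length so oversized input never reaches a regex or the DB.
function clean_scalar(mixed $raw, int $max = 255): ?string
{
    if (!is_string($raw)) { return null; }
    $s = trim((string) preg_replace('/\s+/u', ' ', $raw)); // null (-> '') on invalid UTF-8
    return ($s === '' || mb_strlen($s) > $max) ? null : $s;
}
function validate_email(string $s): ?string
{
    // FILTER_VALIDATE_EMAIL is real. Validate the input itself, not a FILTER_SANITIZE_EMAIL
    // copy: stripping characters can turn junk into something that then looks "valid".
    $v = filter_var($s, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}
function validate_domain(string $s): ?string
{
    // FILTER_VALIDATE_DOMAIN is real (PHP 7+); FILTER_FLAG_HOSTNAME applies RFC 1123 rules.
    $v = filter_var($s, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
    return ($v === false || !str_contains($v, '.')) ? null : strtolower($v);
}
function validate_url(string $s): ?string
{
    // Since PHP 8.0 FILTER_VALIDATE_URL always requires a scheme (the _REQUIRED flags are gone).
    // It checks syntax only: file:///etc/passwd and mailto: pass, so allow-list the schemes.
    $v = filter_var($s, FILTER_VALIDATE_URL);
    if ($v === false) { return null; }
    $scheme = strtolower((string) parse_url($v, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $v : null;
}
function validate_phone(string $s): ?string
{
    // There is no FILTER_VALIDATE_PHONE. Assumed format: optional '+' then 7 to 15 digits
    // after removing spaces, dots, hyphens and parentheses (15 is the E.164 maximum).
    $digits = (string) preg_replace('/[\s().-]/', '', $s);
    return preg_match('/^\+?[0-9]{7,15}$/', $digits) === 1 ? $digits : null;
}
function validate_zip(string $s): ?string
{
    // There is no FILTER_VALIDATE_ZIP. Assumed US ZIP or ZIP+4. For a plain "all digits"
    // check on a $_POST string use ctype_digit(); is_int() is always false for a string.
    return preg_match('/^[0-9]{5}(-[0-9]{4})?$/', $s) === 1 ? $s : null;
}
function validate_text(string $s, int $max = 1000): ?string
{
    // Free text (name, description): reject control characters and cap the length only.
    // Do not strip tags or escape here; HTML escaping belongs at output time (esc()).
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $s) === 1) { return null; }
    return mb_strlen($s) <= $max ? $s : null;
}
// Output-side XSS defence: escape for the HTML context at the moment of printing, whatever
// validation did on input. A stored "<b>" then renders as the literal text &lt;b&gt;.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
// Validate the whole POST body and report every problem at once instead of die()-ing on
// the first field. Returns [values to bind into the prepared INSERT, errors by field].
function validate_business(array $post): array
{
    $rules = [
        'business_name' => 'validate_text',     'business_zip' => 'validate_zip',
        'business_phone' => 'validate_phone',   'business_mobile' => 'validate_phone',
        'business_fax' => 'validate_phone',     'business_email' => 'validate_email',
        'business_domain' => 'validate_domain', 'business_url' => 'validate_url',
        'business_description' => 'validate_text',
    ];
    $values = $errors = [];
    foreach ($rules as $field => $fn) {
        $raw = clean_scalar($post[$field] ?? null, $field === 'business_description' ? 1000 : 255);
        $ok = $raw === null ? null : $fn($raw);
        if ($ok === null) {
            $errors[$field] = "Invalid or missing $field";
        } else {
            $values[$field] = $ok;
        }
    }
    return [$values, $errors];
}

// Constructed sample submission (not real data) to run the checks against.
$sample = [
    'business_name' => '  Acme <b>Widgets</b> ',  'business_zip' => '12345-6789',
    'business_phone' => '+1 (555) 010-2020',      'business_mobile' => 'call me',
    'business_fax' => '555-010-2021',             'business_email' => 'owner@example.com',
    'business_domain' => 'Example.COM',           'business_url' => 'file:///etc/passwd',
    'business_description' => "Sells widgets.\nOpen daily.",
];
[$values, $errors] = validate_business($sample);
echo esc($values['business_name']), PHP_EOL;
print_r($errors);
```

Save it as any .php file and run it from the command line. The sample is built so that two fields fail: business_mobile does not match the phone pattern, and business_url is a syntactically valid file: URL that FILTER_VALIDATE_URL accepts but the http/https allow-list rejects. business_name passes validation with its `<b>` intact, which is deliberate: the tag is harmless in the database, and esc() neutralises it at the point of output, which is the check that actually stops stored XSS. The $values array is what you would bind with mysqli_stmt_bind_param() into the prepared INSERT from the post; the prepared statement, not the validation, is what keeps the values from being interpreted as SQL.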