Date: 2021-09-05
Wow! Some excellent common sense and great advice in this thread - thank you. I have bookmarked it.
I have read this
https://www.php.net/manual/en/function.htmlspecialchars.php
but still don’t understand about the encoding. Why is it important?
Just use filters on values, like this function for strings, and you will be fine with user inputs.
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
And this for email.
$value = filter_var($email, FILTER_VALIDATE_EMAIL);
NO, NO, NO, Absolutely not! Throw that function in the trash. It is an old leftover relic from the 90’s and is always misused on top of being incorrectly written.
That is what the stackoverflow guys say, but it works perfectly; feel free to try.
I don’t care what “stackoverflow guys” say. He doesn’t know what he is talking about.
This function is being used on data INPUT. htmlspecialchars is an OUTPUT function. stripslashes is also an OUTPUT function.
This function is very often used inserting data to a database. Per the manual…
stripslashes() can be used if you aren’t inserting this data into a place (such as a database) that requires escaping.
Don’t assume that just because it’s posted somewhere, it’s necessarily the best way. I post on stackoverflow, for example; that doesn’t mean I know what I’m talking about.
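An added example (not code from the thread or from any of its posters) that puts the input/output distinction above into practice and also answers the earlier question about why the encoding argument of htmlspecialchars matters. The validators, the h() helper, the feedback table and the sample submissions are all assumed for illustration.

```php
<?php
// Added example, not from the thread: validate on INPUT, escape on OUTPUT,
// and always give htmlspecialchars() an explicit charset.
declare(strict_types=1);

// ---- INPUT: decide whether the value is acceptable; do not "clean" it ----

function validate_email(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function validate_comment(string $raw): ?string
{
    // Assumed rule for this example: letters, digits, commas, periods and
    // white space, at most 2000 characters. Anything else is rejected rather
    // than silently altered. /u makes the check UTF-8 aware.
    $text = trim($raw);
    if ($text === '' || preg_match('/^[\p{L}\p{N},.\s]{1,2000}$/u', $text) !== 1) {
        return null;
    }
    return $text;
}

// ---- OUTPUT to HTML: escape at the moment of rendering ----

function h(string $value): string
{
    // ENT_QUOTES: also escape ' so the value is safe inside single-quoted attributes.
    // ENT_SUBSTITUTE: replace invalid byte sequences with U+FFFD instead of returning "".
    // 'UTF-8': the charset the page is actually served in (see <meta charset>).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// ---- OUTPUT to a database: bind parameters; no escaping function needed ----

function store_feedback(PDO $db, string $email, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO feedback (email, comment) VALUES (:email, :comment)');
    $stmt->execute([':email' => $email, ':comment' => $comment]);
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['email' => 'reader@example.com', 'comment' => 'Loved chapter 3, especially the ending.'],
    ['email' => 'not an address',     'comment' => 'Nice <b>book</b>'],
];

foreach ($samples as $post) {
    $email   = validate_email($post['email']);
    $comment = validate_comment($post['comment']);
    printf("email: %s | comment: %s\n", $email ?? 'rejected', $comment ?? 'rejected');
    // Render the submitted text back to the user: escaping happens here and only here.
    echo '<p>' . h($post['comment']) . '</p>', PHP_EOL;
}

// Why the charset argument matters: the same bytes, declared two different ways.
$latin1 = "caf\xE9";   // constructed: 'café' encoded as ISO-8859-1, which is invalid UTF-8
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'UTF-8'));
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'ISO-8859-1'));
var_dump(htmlspecialchars($latin1, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
```

The three var_dump calls show the encoding point: when the bytes are not valid in the charset you declare, htmlspecialchars returns an empty string and the whole value silently disappears from the page; declare the charset the data really is in and it passes through; ENT_SUBSTITUTE turns the bad sequence into the replacement character so the rest of the value survives. The second sample is rejected by validate_comment because the angle brackets are outside the allowed characters, while the stored text is never escaped: the escaping lives in h() and runs only when HTML is produced.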
I used this function for outputting data for years and didn’t have a problem, but when inserting data you need to use filters or entities etc…
htmlspecialchars — Convert special characters to HTML entities.
stripslashes — Un-quotes a quoted string.
trim — Strip whitespace (or other characters) from the beginning and end of a string.
I think if anyone passes them, then you have nothing to do.
Then why do you call it test_input?
You also said…
I didn’t think the name of the function matters, does it?
The question is about emailing, which is outputting data, not inserting.
Technically no, you can pretty much name a function anything you want but would you really want to name something “db_connection” that just validates an email? So yes, it does matter.
In this case it is outputting, but “everywhere” you see this function being used is on input to a database. Here are stackoverflow examples of exactly this kind of misuse.
https://stackoverflow.com/questions/43893800/how-to-validate-php-form-input-and-database-submittion
https://stackoverflow.com/questions/50072938/showing-error-in-a-php-function
https://stackoverflow.com/questions/40248747/user-cant-login-to-his-account-using-the-valid-email-and-password
Think of how often you write code and how often you read code. In general, you read way more than write. Thus, if you use a little bit of time to think of proper names while writing the code, you can save lots of time when reading the code and don’t have to stop all the time and go “huh?”.
Write your code as if the developer that will replace you is a madman with a chainsaw that knows where you live.
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="POST" enctype="text/plain">
If I encode the form as text/plain, then do I need to do any scrubbing? Will the enctype “force” the text to be plain text?
Note that this form will be online, and the Submit button will send the info to my email.
enctype has to do with how the values of the form will be sent and has nothing to do with how the form is presented to the browser by the user seeing the form. You use htmlspecialchars when it comes to the form HTML being rendered to the user, not how the user sends form data. Two different things here.
So then <?php echo htmlspecialchars is taking my form code, cleaning it up of hacking, and then presenting it to the user?
Get rid of all that form action junk. Leave the action out completely.
<form method="POST" enctype="text/plain">
That’s all I need there?
Is this enough for the body:
$body = validate($_POST['body']);
$body = stripslashes(trim($_POST['body']));
I’m sure I’ll recognize anything in the incoming email that isn’t a comment
This is what I have now. Running it, I get a http 500 error.
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$to = "my@email.com";
$subject= "Feedback";
$q1 = validate($_POST['q1']);
$q2 = validate($_POST['q2']);
$body = "Message: %0d%0a" . $q1 . "%0d%0a %0d%0a" . $q2;
if(mail($to, $subject, $body)){
echo "Thank you - Your feedback was sent to me. I can't wait to read it!";
}else{
echo "Sorry, something went wrong with sending your comments.";
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Feedback for Book</title>
</head>
<body>
<div id="wrapper">
<form class="form" method="POST" enctype="text/plain">
<h1>Feedback Form</h1>
<p>For your security, please do not include your email or other private info. If you want to email us, please use the email on the website.</p>
<p><em>Comments can only contain letters, numbers, commas, periods, and white spaces.</em></p>
<p>Question 1?</p>
<textarea name="q1"></textarea>
<p>Question 2?</p>
<textarea name="q2"></textarea>
<button type="submit" name="submit">Submit</button>
</form>
</div>
</body>
</html>
Where is that validate function defined? I don’t see it anywhere in your code and you also don’t seem to include or require another PHP file that might hold it. It certainly isn’t a PHP builtin function, so it must be defined somewhere else.
OK, I thought validate was a builtin function. I’ll remove it.
Without any kind of validation the form isn’t secure.
It would already help if, instead of where you now call the (non-existent) validate function, you call htmlentities there instead.