Poor form Validation With PHP
<!DOCTYPE HTML>
<html>
<head>
<link href='http://fonts.googleapis.com/css?family=Lato&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Lobster' rel='stylesheet' type='text/css'>
<title>Insecure form validation with PHP</title>
<!--Adapted from http://www.w3schools.com/php/php_form_validation.asp -->
<style>
.error {color: #FF0000;}
body {
font-family: lato, sans-serif;
margin: 0;
padding: 0;
background: #bdc3c7;
}
.container {
max-width: 900px;
background: #ecf0f1;
color: #2c3e50;
font-size: 2em;
margin: 0 auto;
padding: 1em;
}
input {
font-size: 1em;
}
input[type=submit] {
background: #3a9bdc;
color: #FFF;
border-radius: 5px;
border: none;
padding: 0.25em 0.5em;
}
input[type=text] {
border: 1px solid rgba(44, 62, 80,1.0);
border-radius: 3px;
}
h1 {
margin-top: 0;
}
h2 {
font-family: lobster, serif;
font-size: 5em;
text-align: center;
color: #c0392b;
margin-top: 0.5em;
}
.testForm {
background: rgba(44, 62, 80,1.0);
color: #fff;
border-radius: 0.5em;
padding: 0.5em 1em;
max-width: 550px;
margin: 0 auto;
}
</style>
<script src="//code.jquery.com/jquery-2.1.1.min.js"></script>
</head>
<!--
**Caution**
This is an example of an *INSECURE* way to accept data and pass it from a form to a database.
This is intended to be used as a basic and simple explanation of *some* BAD techniques.
To make your form validation and data more secure:
Consider using PHP parameters (http://blogs.msdn.com/b/sqlphp/archive/2008/09/30/how-and-why-to-use-parameterized-queries.aspx)
or by using prepared statements (http://php.net/manual/en/pdo.query.php) to sanitize your calls to the database.
Also, this example does not make a connection to a database (for simplicity's sake)
but if you intend to make a connection, consider keeping your password secure by
storing it in a separate includes file outside of the root directory (http://devzone.zend.com/888/php-security-tip-9/)
or by using a config file (http://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php).
Security is an ever-evolving issue- be sure to check with up-to-date resources to ensure your
database security. DO NOT try to create your own system- it will only work against people who
aren't smarter than you. Rely on the prevailing best practices and it will work against people
who aren't smarter than the smartest people contributing to these practices.
-->
<body>
<div class="container">
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (empty($_POST["name"])) {
$nameErr = "Name is required";
} else {
$name = test_input($_POST["name"]);
// check if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z ]*$/",$name)) {
$nameErr = "Only letters and white space allowed";
//Nothing in place to prevent code from displaying
}
}
}
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
return $data;
}
?>
<h1>PHP Form Validation Example</h1>
<div class="testForm">
<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
Name: <input type="text" name="name" value="<?php echo $name;?>" autofocus="autofocus" autocomplete="on">
<span class="error">* <?php echo $nameErr;?></span>
<br><br>
<input type="submit" name="submit" value="Submit">
</form>
</div><!--/.testForm-->
<?php
if(isset($name)){
//nothing in place to prevent code from running
echo "<h2>Hello ".$name."!</h2>";
}
?>
</div><!--/.container-->
<script>
var height = window.innerHeight;
$('.container').css('height',height);
</script>
</body>
</html>