Form Validation

[smiley]

Hey,I am trying to code a form validation but i get a problem with the function "input_check()" on w3 website especially with the trim command. It don't trim anything.$name = test_input($_POST["name"]);function test_input($data) { $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); return $;}echo $name;I am thankful about any help.

[Chikwado]

return $; }

which is wrong. Write exactly what you see on the tutorial. Don't just write one parameter and start testing. View Exampe Here Edited September 15, 2015 by Chikwado

[smiley]

Sorry that was a copy and Paste mistake.I also tried the example on w3 school but it doesn't work.The trim Command don't delete n,t,r, etc.

[dsonesuk]

Unless you specify what charaters to trim as a parameter as shown here http://php.net/manual/en/function.trim.php, trim($data) by default will only trim spaces.

[smiley]

Ah okay thanks!

[justsomeguy]

It trims more than spaces by default, it trims whitespace:

Without the second parameter, trim() will strip these characters:" " (ASCII 32 (0x20)), an ordinary space."t" (ASCII 9 (0x09)), a tab."n" (ASCII 10 (0x0A)), a new line (line feed)."r" (ASCII 13 (0x0D)), a carriage return."0" (ASCII 0 (0x00)), the NUL-byte."x0B" (ASCII 11 (0x0B)), a vertical tab.

Note that trim only trims whitespace from the beginning and end of a string. It will not remove characters from the middle (characters between any non-whitespace or non-trimmed character).

[smiley]

If i use trim on $_POST it trim only whitespaces. It ignores the rest that is my Problem.Should i use something else instead of trim for a secure validation?

[justsomeguy]

Trim has nothing to do with security. Maybe you need to show some examples of what you're trying to do and why exactly you think trim isn't working for you.

[smiley]

If i use trim on a string it strip all characters you post … for example:

 

$name = nMax Mustermann;

echo trim($name);

 

output: Max Mustermann

 

but with $_POST it strips only whitespaces … for example:

 

<input type="text" name="name" /> // nMax Mustermann

 

$name = $_POST["name"];

echo trim($name);

 

output: nMax Mustermann

 

I am trying to avoid line breaks etc.

Edited September 16, 2015 by smiley

[smiley]

I am thankful for any help, link, tutorial etc. to secure my contact form!

Edited September 16, 2015 by smiley

[dsonesuk]

What does it show BEFORE filtering when viewed using view source NOT directly from webpage itself.

[dsonesuk]

Hang on! how can you enter a newline or return character within input type text? entering 'nMax Mustermann' its just treated as text, it will probably remove slash but rest will treated as text unless you are doing it dynamically, but there again it seems to work. example below.

<!DOCTYPE html><!--To change this license header, choose License Headers in Project Properties.To change this template file, choose Tools | Templatesand open the template in the editor.--><html>    <head>        <meta charset="UTF-8">        <title></title>    </head>    <body>        <?php        $name = $name2 = "";        $name = "n" . 'MasterPlan ' . "nrt";        //$name = 'MasterPlan';        $name2 = 'nMasterPlan ';        function test_input($data) {            //$data = trim($data, 'n'); //will remove textual character            $data = trim($data);            $data = stripslashes($data);            $data = htmlspecialchars($data);            return $data;        }        if (isset($_POST["name"]) && isset($_POST["name2"])) {            $name = test_input($_POST["name"]);            $name2 = test_input($_POST["name2"]);            echo 'xxx' . $name . 'xxx<br>';            echo 'xxx' . $name2 . 'xxx<br>';        }        ?>        <form action="#" method="post">            <input name="name" type="text" value="<?php echo $name; ?>">            <input name="name2" type="text" value="<?php echo $name2; ?>">            <input type="submit">        </form>    </body></html>

[smiley]

Thanks! I will test it. ??

[Chikwado]

@smiley

Sorry that was a copy and paste mistake, I also try w3schools exampe but it does not work

what do you mean by it does not work? Example of the page are here The File and the code are here The code do not say it does not work, You failed to create it.

[smiley]

I mean with "does not work":Normally i thought that trim strips "n". But if i enter in the input field name: "Maxn" the result is "Maxn". You can also test it. It strips not completely "n" only slash and that was irritating!

Edited September 16, 2015 by smiley

[dsonesuk]

Its not perceived as line break, its treated as text string so its ignored, its not trim() removing slash its stripslashes().

 

As stated in example

 

$data = trim($data, 'n');

 

will trim/remove text string of 'n' if found its not a line break.

[smiley]

Ok, thanks for your help!

[justsomeguy]

Use a textarea instead of a regular single-line input if you want to actually type and submit real line breaks. Typing "n" does not submit a line break, it submits the text "n", which is not whitespace. In PHP you can use var_dump to print the variable to see what it is, which will show you the data type and also the length if it is a string, and it will quote the value so you can see exactly where it starts and ends.

[smiley]

would it work with str_replace instead of trim?

[justsomeguy]

If you're trying to remove the text "n" then yes, you can use str_replace.

[smiley]

Can you show me an example how to use the command right please ..

[smiley]

and have you other good Information for a secure contact form

Edited September 16, 2015 by smiley

[justsomeguy]

What happens with the information submitted in the form? If you're using submitted information in email headers like from or subject, then you need to validate any of that information to make sure that it doesn't include extra information to send to other people or insert a spam message. Checking for newlines in those values will help. If you're displaying the information on a web page then you need to sanitize it to remove HTML tags or check for malicious injection attempts, or maybe just escape everything. If it's going in a database then, like all other data from a user that you put into a database, you should use a prepared statement and add the data as parameters.

[smiley]

thanks ??