
Form Tutorial Help



Hi there,

I was using the https://www.w3schools.com/php/php_form_validation.asp tutorial to create a form that strips out malicious tags etc. via the following. However, when I receive the form, the tags seem to be intact. Is what I am doing wrong, and how should I correct it if so?

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

<?php
// Initialise the fields so they exist before the form is submitted.
$phone = $location = "";

// Only process the input and send the e-mail when the form was posted.
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $phone = test_input($_POST["phone"] ?? "");
    $location = test_input($_POST["location"] ?? "");

    $toEmail = 'email@address.com';
    $emailSubject = 'Callback request form';
    $headers = ['From' => 'homepage', 'Reply-To' => 'noreply', 'Content-type' => 'text/html; charset=iso-8859-1'];

    $bodyParagraphs = ["Callback request number: {$phone}<br />", "Location: {$location}"];
    $body = join(PHP_EOL, $bodyParagraphs);

    if (mail($toEmail, $emailSubject, $body, $headers)) {
        echo '<p>Thank you for your interest, we will respond as soon as possible.</p>';
    } else {
        echo '<p>Something went wrong. Please try again later.</p>';
    }
}

// Trim whitespace, remove backslashes and convert HTML special characters to entities.
function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}



Just now, niche said:

Potentially, there are all kinds of potential security issues not covered by:

https://www.w3schools.com/php/php_form_validation.asp

Everything from malicious attacks to cleaning inputs. 


PDO doesn't even cover them all.
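Why the tags in the question's e-mail look intact, as an added example that is not part of the original thread: `htmlspecialchars()` escapes markup rather than removing it, and a `text/html` mail client displays the escaped entities as visible `<` and `>` again. The helpers `clean_phone` and `clean_location`, the sample input and the phone pattern are assumptions made for illustration.

```php
<?php
// Constructed sample input, standing in for $_POST values.
$sample = [
    'phone'    => " +44 20 7946 0000<script>alert(1)</script> ",
    'location' => "<b>Leeds</b> & York",
];

// The function from the question: it escapes, it does not strip.
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// Allowlist validation (assumed policy): digits, spaces, + - ( ), 7 to 20 chars.
// Returns the trimmed number, or null when the input should be rejected.
function clean_phone(string $raw): ?string {
    $raw = trim($raw);
    return preg_match('/^[0-9+() -]{7,20}$/', $raw) === 1 ? $raw : null;
}

// Free text: remove tags and control characters for a plain-text body.
function clean_location(string $raw): string {
    $text = strip_tags(trim($raw));
    return preg_replace('/[\x00-\x1F\x7F]/', '', $text);
}

$escaped = test_input($sample['location']);

// In a text/plain view the entities appear as typed. A text/html mail client
// decodes them for display, so the tags look "intact" although they are
// inert text, not markup.
echo "escaped for HTML:  ", $escaped, PHP_EOL;
echo "as a client shows: ", htmlspecialchars_decode($escaped), PHP_EOL;
echo "tags removed:      ", clean_location($sample['location']), PHP_EOL;

$phone = clean_phone($sample['phone']);
echo "phone accepted:    ", var_export($phone !== null, true), PHP_EOL;

// A plain-text body avoids HTML rendering altogether; these headers are what
// would be passed to mail(). Escape only when a value is placed into HTML.
$headers = ['Content-Type' => 'text/plain; charset=UTF-8'];
$body = "Callback request number: " . ($phone ?? '(rejected)') . PHP_EOL
      . "Location: " . clean_location($sample['location']);
echo $body, PHP_EOL;
```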

