PHP online forms

PHP and Online Forms

Online customer forms are invaluable for capturing customer input rather than asking site visitors to email you - since most won't bother. With PHP it couldn't be easier to write a script to handle the HTML form input. However, this simplicity can be a trap for the unwary programmer since if care is not taken, PHP scripts offer hackers and spammers a security hole with which to create mischief.

Never trust user input

This is a rule that must be obeyed always. HTML forms take user input and pass it to a script, and if this input is used raw it may contain anything. Programmers who rely upon HTML size attributes or JavaScript event handlers to screen or limit user input are living in a dream world. These are easily circumvented with a minimum of skill, since they run on the client side, where the mischief-makers have control, and not on the server side, where you have control.
Two obvious examples of what can happen when raw data is passed to a script are embedded shell commands that may wreak havoc on your server, and form fields that are written directly into an email header within the script. If you give a spammer access to an email header they can write blind carbon copies to thousands of email addresses and insert just about any body message they choose. The result: you become the spammer, because your script sent the spam, and you get blacklisted.
All user input should be cleaned using PHP string functions to screen out dangerous characters and to limit its size before it is used by the rest of the script. As well as this, avoid if possible writing the forwarding email address in a hidden field in the form, since this invites hijackers and spammers; always try to hard code the forwarding address into your script. Also, within the script check the referrer: if the request hasn't come from the domain where you placed your HTML form page then it's a hijack attempt and should be stopped.
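The following handler puts those rules into practice. It is an added example written for this page, not code from the original article; the file name contact.php, the FORWARD_TO and SITE_HOST values and the field names are assumptions. Note that the referrer header is supplied by the client, so the check drops casual hijack attempts but is not a guarantee; the hard-coded recipient and the header cleaning are what actually keep the script from being turned into a spam relay.

```php
<?php
// contact.php (assumed name): handles the POST from an HTML contact form.

// 1. Hard-code the forwarding address; never read it from a hidden field.
const FORWARD_TO = 'enquiries@example.com';   // placeholder address
const SITE_HOST  = 'www.example.com';         // placeholder domain of the form page

// 2. Check the referrer: reject posts that did not come from our own form page.
//    The header is client-supplied, so treat this as a filter, not a guarantee.
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if (parse_url($referer, PHP_URL_HOST) !== SITE_HOST) {
    http_response_code(403);
    exit('Form submissions must come from ' . SITE_HOST);
}

// 3. Clean every field: cap its size and strip anything that could start a
//    new mail header. A CR or LF inside a value that ends up in a header is
//    exactly what lets a spammer append "Bcc:" lines of their own.
function clean_line(string $value, int $max): string
{
    $value = substr(trim($value), 0, $max);               // cap the length
    return str_replace(["\r", "\n", "\0"], '', $value);   // no header breaks
}

function clean_body(string $value, int $max): string
{
    // The message body may keep its line breaks and tabs; remove every other
    // control character (the \p{C} class) after capping the length.
    $value = substr(trim($value), 0, $max);
    return preg_replace('/[^\P{C}\r\n\t]/u', '', $value);
}

$name    = clean_line($_POST['name'] ?? '', 60);
$from    = clean_line($_POST['email'] ?? '', 120);
$subject = clean_line($_POST['subject'] ?? '', 100);
$message = clean_body($_POST['message'] ?? '', 4000);

// 4. The visitor's address goes into a header, so it must also be a valid address.
if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Please supply a valid email address.');
}

// 5. Build the headers ourselves. From: is our own address; the visitor only
//    gets Reply-To, and every value we insert is now a single clean line.
$headers = 'From: ' . FORWARD_TO . "\r\n"
         . 'Reply-To: ' . $from . "\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";

$body = "Name: $name\nEmail: $from\n\n$message\n";

// If a value ever has to reach a shell command (it rarely should), quote it
// with escapeshellarg() first, e.g. exec('/usr/bin/logger ' . escapeshellarg($name));

if (mail(FORWARD_TO, 'Website enquiry: ' . $subject, $body, $headers)) {
    echo 'Thank you, your message has been sent.';
} else {
    echo 'Sorry, the message could not be sent.';
}
```

The order matters: the recipient is fixed before any user data is read, the referrer check runs before any work is done, and only cleaned values are ever concatenated into the header string passed to mail().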

Validating user input

It's normally desirable to validate form fields so that site visitors are encouraged to send the correct data, and JavaScript is often used to check for blank fields, proper numeric input or correct email syntax. This is fine if you accept that the JavaScript runs client side, where it may be tampered with. Nuisances often circumvent the JavaScript and use the forms to tell you about their latest porn site and the like, so server side validation is necessary. This means sending the user back to your form with an error message if validation fails. If this is done then you should make sure that the user finds their input as it was before they clicked the submit button, and this can be done using PHP session variables.
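The round trip described above, as an added example that is not part of the original article: one script (the name form.php and the three fields are assumptions) that displays the form, validates the submission on the server, and on failure redirects back with the visitor's input and the error messages kept in the session so that nothing they typed is lost.

```php
<?php
// form.php (assumed name): show, validate and redisplay a form in one script.
session_start();

// Server-side rules. Returns an array of field => message, empty when valid.
function validate(array $post): array
{
    $errors = [];
    $name  = trim($post['name'] ?? '');
    $email = trim($post['email'] ?? '');
    $age   = trim($post['age'] ?? '');

    if ($name === '' || strlen($name) > 60) {
        $errors['name'] = 'Please enter your name (up to 60 characters).';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'That does not look like a valid email address.';
    }
    // filter_var returns false for "", "12abc" or anything outside the range,
    // so this is a real numeric check rather than a pattern on the keyboard input.
    $range = ['options' => ['min_range' => 1, 'max_range' => 120]];
    if (filter_var($age, FILTER_VALIDATE_INT, $range) === false) {
        $errors['age'] = 'Age must be a whole number between 1 and 120.';
    }
    return $errors;
}

// Escape everything echoed back into the page: the redisplayed input came
// from the visitor and must not be able to inject markup or script.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $input  = [
        'name'  => $_POST['name']  ?? '',
        'email' => $_POST['email'] ?? '',
        'age'   => $_POST['age']   ?? '',
    ];
    $errors = validate($input);
    if ($errors) {
        // Keep what they typed, and why it was rejected, for the redisplay.
        $_SESSION['form_input']  = $input;
        $_SESSION['form_errors'] = $errors;
        header('Location: form.php');   // back to the form (GET)
        exit;
    }
    unset($_SESSION['form_input'], $_SESSION['form_errors']);
    // ...hand the validated values on to the mailing code here...
    exit('Thank you, your details were accepted.');
}

// GET: show the form, pre-filled from the session if a previous attempt failed.
$input  = $_SESSION['form_input']  ?? ['name' => '', 'email' => '', 'age' => ''];
$errors = $_SESSION['form_errors'] ?? [];
unset($_SESSION['form_input'], $_SESSION['form_errors']);   // show them once
?>
<form method="post" action="">
<?php foreach (['name' => 'Name', 'email' => 'Email', 'age' => 'Age'] as $field => $label): ?>
  <p>
    <label><?= $label ?> <input name="<?= $field ?>" value="<?= h($input[$field]) ?>"></label>
    <?php if (isset($errors[$field])): ?><span><?= h($errors[$field]) ?></span><?php endif; ?>
  </p>
<?php endforeach; ?>
  <button type="submit">Send</button>
</form>
```

Redirecting after the POST (rather than printing the form directly from the POST handler) means a browser refresh does not resubmit the data, and clearing the session keys as soon as they are read stops stale input from reappearing on a later visit.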


Using AJAX for validation

AJAX, which stands for Asynchronous JavaScript and XML, is fairly new, although the XMLHttpRequest object used to exchange data asynchronously with the web server has been around for some time. It can be used to validate form input on the server side before the form is actually submitted. All that's needed is to set up a JavaScript event handler, onBlur() for example, to detect when the user has moved focus away from the field to be validated; the handler then sends an asynchronous request to a PHP script on the server, which validates the data within the field. The script can be designed to return an error message that is written into the innerHTML property of a <div> object next to the form field.
This is neat since it validates the form as it is being filled in rather than after it is submitted. But it is not a substitute for server side validation since it suffers from the same problem as straightforward JavaScript validation in that it can be easily circumvented.
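The arrangement described in this section, as an added example that is not from the original article: a single script (the name ajax_form.php, the two fields and the message wording are assumptions) that serves the form, answers the asynchronous checks its JavaScript makes, and runs the same check function again when the form is finally submitted, since the client-side step can be skipped entirely. The reply is written into the message element with textContent rather than innerHTML so that the returned text is shown as a message and never interpreted as markup.

```php
<?php
// ajax_form.php (assumed name): form, AJAX check endpoint and final
// server-side validation in one script.

// Returns '' when the value is acceptable, otherwise a message for the visitor.
function check_field(string $field, string $value): string
{
    switch ($field) {
        case 'email':
            return filter_var($value, FILTER_VALIDATE_EMAIL) === false
                ? 'That does not look like a valid email address.' : '';
        case 'postcode':
            return preg_match('/^[A-Z0-9 ]{5,8}$/i', trim($value)) === 1
                ? '' : 'Please enter a UK-style postcode.';
        default:
            return 'Unknown field.';
    }
}

// Branch 1: an asynchronous check from the page. Answer in plain text and stop.
if (isset($_GET['check'], $_GET['value'])) {
    header('Content-Type: text/plain; charset=UTF-8');
    exit(check_field($_GET['check'], $_GET['value']));
}

// Branch 2: the real submission. Validate again on the server, regardless of
// what the JavaScript did or did not do.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = array_filter([
        'email'    => check_field('email', $_POST['email'] ?? ''),
        'postcode' => check_field('postcode', $_POST['postcode'] ?? ''),
    ]);
    if ($errors) {
        http_response_code(400);
        exit('Rejected: ' . htmlspecialchars(implode(' ', $errors), ENT_QUOTES, 'UTF-8'));
    }
    exit('Thank you, your details were accepted.');
}

// Branch 3: a plain GET. Serve the form and the script that drives the checks.
?>
<form method="post" action="">
  <p><label>Email <input name="email" id="email"></label> <span id="email_msg"></span></p>
  <p><label>Postcode <input name="postcode" id="postcode"></label> <span id="postcode_msg"></span></p>
  <button type="submit">Send</button>
</form>
<script>
// When a field loses focus, ask this same script to check it and show the reply.
function checkField(field) {
    var input = document.getElementById(field);
    var box   = document.getElementById(field + '_msg');
    var xhr   = new XMLHttpRequest();
    xhr.open('GET', '?check=' + encodeURIComponent(field) +
                    '&value=' + encodeURIComponent(input.value), true);
    xhr.onreadystatechange = function () {
        if (xhr.readyState === 4 && xhr.status === 200) {
            box.textContent = xhr.responseText;   // a message, not markup
        }
    };
    xhr.send();
}
document.getElementById('email').onblur    = function () { checkField('email'); };
document.getElementById('postcode').onblur = function () { checkField('postcode'); };
</script>
```

Because check_field() is the single source of the rules, the message a visitor sees while typing and the decision the server makes on submission cannot drift apart, and bypassing the JavaScript gains nothing.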

Belt and braces

If you want your site visitors to benefit from validation before a form is submitted then use AJAX, plain JavaScript or a mixture of both but don't rely on this alone. Use server side validation to screen out the nuisances and to clean dangerous characters from user input.


© 2000-2008 smallbizonline website design