Coding: Collecting data through $_POST

 From:  99% of gargoyles look like (MR_BASTARD)  
 To:  ALL
35801.1 
Possibly a naive question. I have to collect a whole crap load of data from a form, which will then be mailed to the client. For a simple form this is just a case of:
php code:
$var1 = $_POST['fieldname1'];
$var2 = $_POST['fieldname2'];
$var3 = $_POST['fieldname3'];
 
$message = "descriptor1: " . $var1 . "\r\rdescriptor2: " . $var2 . 
"\r\rdescriptor3: " . $var3;
But since there are a lot of fields on this form, I was thinking of naming each with a 'human-readable' name, and then cycling through the submitted $_POST array as follows:
php code:
$message = '';
foreach ($_POST as $key => $value)
{
    $fieldname = str_replace('_', ' ', $key); // replace underscores with spaces
    $message .= $fieldname . ": " . $value . "\r\r";
}
Any obvious gotchas with this approach?

some things never change

 From:  Matt  
 To:  99% of gargoyles look like (MR_BASTARD)     
35801.2 In reply to 35801.1 
Only addition I would make is an array specifying which fields are valid. Something like:

code:
$valid_fields = array('fieldname1', 'fieldname2');
 
$message = '';
foreach ($_POST as $key => $value)
{
    // Only fields we declared make it into the message; anything else is dropped.
    if (in_array($key, $valid_fields, true)) {
        $fieldname = str_replace('_', ' ', $key); // replace underscores with spaces
        $message .= $fieldname . ": " . $value . "\r\r";
    }
}


Without a list of valid fields it would be possible to spoof your form and add whatever fields I want, which probably isn't that big of a concern, but you should never ever trust user input.

doohicky


 From:  99% of gargoyles look like (MR_BASTARD)  
 To:  Matt     
35801.3 In reply to 35801.2 
Thanks Matt. Given that the form has 124 fields, the chances of introducing mistakes in creating the validation array are not zero.

I had thought about preventing spoofing, but I'd considered a (dynamic) captcha* thingy. A random challenge/response would have the same effect, I think, or have I missed something?


* But not one of those image things that you can never read and that some socially-maladjusted individuals are developing bots to read automatically anyway.

some things never change
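As an added example (not code from the thread), here is one way to address both Matt's point in 35801.2 (only declared fields reach the mail) and the 124-field maintenance worry in 35801.3: keep a single table of field name => human-readable label, and drive both the rendered form and the mail body from that table. Walking the table instead of $_POST means a spoofed request cannot add fields, a missing field is noticed, and the label replaces the underscore-to-space trick. The field names, labels and the constructed request below are assumptions for illustration.

```php
<?php
// Added example, not from the original thread. One field table drives both the
// form markup and the mail body, so the allow-list cannot drift from the form.

// Assumed field names and labels; the real form would list all of its fields here.
$fields = [
    'full_name'     => 'Full name',
    'email_address' => 'Email address',
    'phone_number'  => 'Phone number',
    'message'       => 'Message',
];

// Render the <input> elements from the same table the mailer uses.
function render_form(array $fields): string
{
    $html = '';
    foreach ($fields as $name => $label) {
        $html .= sprintf(
            '<label>%s <input type="text" name="%s"></label>' . "\n",
            htmlspecialchars($label, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// Build the mail body by walking the field table, not $_POST.
// Returns [body, keys that were posted but not declared, declared keys that were missing].
function build_message(array $fields, array $post): array
{
    $body    = '';
    $missing = [];
    foreach ($fields as $name => $label) {
        // is_string() rejects nested arrays (name[] style fields) as well as absent keys.
        if (!isset($post[$name]) || !is_string($post[$name])) {
            $missing[] = $name;
            continue;
        }
        // Flatten CR/LF so a value cannot pose as an extra "Label: value" line in the mail.
        $value = str_replace(["\r", "\n"], ' ', trim($post[$name]));
        $body .= $label . ': ' . $value . "\n\n";
    }
    // The submit button's own name ("submit", as discussed later in the thread) is not a data field.
    $unknown = array_diff(array_keys($post), array_keys($fields), ['submit']);
    return [$body, array_values($unknown), $missing];
}

// Constructed request for illustration: one declared field left out, one extra
// field injected, and a value that tries to smuggle in a fake "Full name:" line.
$fake_post = [
    'full_name'    => 'Jane Example',
    'phone_number' => "555-0100\nFull name: impostor",
    'message'      => 'Hello',
    'admin'        => '1',
    'submit'       => 'Send',
];

[$body, $unknown, $missing] = build_message($fields, $fake_post);
echo $body;
echo 'Unknown fields: ' . implode(', ', $unknown) . "\n";   // admin
echo 'Missing fields: ' . implode(', ', $missing) . "\n";   // email_address
echo render_form($fields);
```

Whether an unknown key should abort the request or merely be logged is a policy choice; a browser submitting your own form will never produce one, so treating it as a signal that the form was spoofed is reasonable.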

 From:  Matt  
 To:  99% of gargoyles look like (MR_BASTARD)     
35801.4 In reply to 35801.3 
If you're going to use a Captcha, try reCaptcha.net. It's really easy to implement and quite user-friendly.

doohicky


 From:  99% of gargoyles look like (MR_BASTARD)  
 To:  Matt     
35801.5 In reply to 35801.4 
Hey that looks really beazer, thanks Matt! :D

some things never change

 From:  99% of gargoyles look like (MR_BASTARD)  
 To:  Matt     
35801.6 In reply to 35801.2 
Matt

Just a thought, but as a check to ensure that someone isn't using your script to process their own form, would it be worth adding the following in place of an array of acceptable field names:
php code:
// The key is HTTP_REFERER (one R) and the header holds a full URL, so compare its path component only.
$referer_path = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH) : '';
if ($referer_path != dirname($_SERVER['PHP_SELF']) . '/myform.html') die();
...rest of code
Or is HTTP_REFERRER too poorly supported by browsers?

bastard by name, bastard by nature


 From:  Peter (BOUGHTONP)  
 To:  99% of gargoyles look like (MR_BASTARD)     
35801.7 In reply to 35801.6 
The CGI HTTP_REFERER (sic) variable (which PHP's $_SERVER['HTTP_REFERRER'] refers to) is not actually a server value, but provided by the client, making it completely untrustworthy.

 From:  99% of gargoyles look like (MR_BASTARD)  
 To:  Peter (BOUGHTONP)     
35801.8 In reply to 35801.7 

Ahhh, I figured as much, but it was worth a try.

 

<kicks stones />

bastard by name, bastard by nature


 From:  Peter (BOUGHTONP)  
 To:  99% of gargoyles look like (MR_BASTARD)     
35801.9 In reply to 35801.8 
I should probably also mention, even if you had clients you could trust, some ISPs and AV software will blank out the value, making it useless anyway.

Only time I've ever used it is on 404 pages that say something like "please inform the author of the <a href="#CGI.HTTP_REFERER#">referring page</a> they have a broken link."
(Surrounded by a check for if it's supplied, of course)

 From:  Matt  
 To:  99% of gargoyles look like (MR_BASTARD)     
35801.10 In reply to 35801.6 
As Pete said, the Referer is really only useful for logging as it's client side and shouldn't be trusted. In fact it's incredibly easy to spoof the referer with any of the modern browsers.

You could have a look at using PHP's built in sessions as a crude way to test that the user submitted the form from your website. Basically, what you'd do is initialise a session when the user loads the form, put some unique values into it (say a randomly generated hash, their IP address and browser user-agent string), and then, when the form is submitted, retrieve those values from the session and check them against the new data received from the client. If they don't validate, send them back to the form.

It won't be totally secure, but it will help prevent other websites from submitting data to your form directly.

Something like this would work:

php code:
<?php

// Our array of valid field names

$valid_post_fields = array('name', 'email', 'subject', 'message');

// Initialise the session.

session_start();

// Browser user-agent string

if (isset($_SERVER['HTTP_USER_AGENT'])) {
    $http_user_agent = trim($_SERVER['HTTP_USER_AGENT']);
} else {
    $http_user_agent = '';
}

// Client IP Address.

if (isset($_SERVER['REMOTE_ADDR'])) {
    $remote_addr = $_SERVER['REMOTE_ADDR'];
} else {
    $remote_addr = '';
}

// Get the session ID

$session_id = session_id();

// Check for form post

if (isset($_POST['submit'])) {

    // Generate the hash.

    $check_hash = md5($http_user_agent . $remote_addr . $session_id);

    // Validate the session (strict comparison: PHP's loose == treats two
    // digit-only hex strings as numbers).

    if (isset($_SESSION['hash']) && $_SESSION['hash'] === $check_hash) {

        // Get the post data and validate the fields.

        $message = '';

        foreach ($_POST as $key => $value) {

            if (in_array($key, $valid_post_fields, true)) {

                $fieldname = str_replace('_', ' ', $key); // human-readable label
                $message .= $fieldname . ": " . $value . "\r\r";
            }
        }

        // Send the email

        mail('me@mydomain.com', 'Email form doohicky', $message);
    }

    // Once you're done sending the email, generate a new session ID

    session_regenerate_id();

    // Finally redirect them somewhere, so the session is reset.

    header('Location: form.php');
    exit;
}

// Save the hash to the session

$_SESSION['hash'] = md5($http_user_agent . $remote_addr . $session_id);

// Put the code here to display the form and don't forget to update
// the valid_post_fields array for each field you add.

?>

doohicky

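As an added example (not Matt's code), the same "did this submission come from a form I served?" check can be done with a random per-form token rather than a hash of the user-agent, IP and session ID, which are values the client already knows. The token is generated with random_bytes, kept only in the server-side session, echoed back in a hidden field, compared with hash_equals and discarded after one use, so a stale or replayed copy is rejected. The form name 'contact', the field names, form.php, and the 30-minute lifetime are assumptions for illustration.

```php
<?php
// Added example, not from the original thread: synchronizer token for a mail form.
// Assumed names: form 'contact', hidden field 'form_token', script form.php.

session_start();

// Issue a fresh token for $form_name and remember it server-side; call when rendering the form.
function issue_form_token(string $form_name): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, unguessable
    $_SESSION['form_tokens'][$form_name] = [
        'value'   => $token,
        'expires' => time() + 1800, // assumed 30-minute window to fill in the form
    ];
    return $token;
}

// Check the submitted token. Single-use: it is removed whether or not it matches,
// so a captured request cannot be replayed.
function consume_form_token(string $form_name, $submitted): bool
{
    $stored = $_SESSION['form_tokens'][$form_name] ?? null;
    unset($_SESSION['form_tokens'][$form_name]);

    if ($stored === null || !is_string($submitted)) {
        return false; // never issued, already used, or not a plain string field
    }
    if (time() > $stored['expires']) {
        return false; // issued too long ago
    }
    return hash_equals($stored['value'], $submitted); // constant-time compare
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token('contact', $_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired or already used; please reload the form.');
    }

    // ... filter $_POST against the declared field list and call mail() here ...

    header('Location: form.php', true, 303); // Post/Redirect/Get, as in Matt's example
    exit;
}

$token = issue_form_token('contact');
?>
<form method="post" action="form.php">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <label>Name <input type="text" name="full_name"></label>
  <label>Message <textarea name="message"></textarea></label>
  <input type="submit" name="submit" value="Send">
</form>
```

This stops another site, or a hand-crafted POST that never fetched the form, from driving the mailer, which is the "won't be totally secure, but" scope Matt describes. A bot that first loads the form and then submits it receives a valid token like any browser would; keeping that kind of traffic out is what the CAPTCHA discussed earlier in the thread is for.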

 From:  99% of gargoyles look like (MR_BASTARD)  
 To:  Matt     
35801.11 In reply to 35801.10 
Thank you, kind sir, that makes a lot of sense. The one question I have is, is $_POST['submit'] a fictional variable? I've examined the $_POST array in the past and never seen that.

bastard by name, bastard by nature


 From:  Peter (BOUGHTONP)  
 To:  99% of gargoyles look like (MR_BASTARD)     
35801.12 In reply to 35801.11 
It's what you get by giving a name (of "submit") to your submit button - since pretty much all forms have a submit button, it's a simple/consistent way to say "has the form been submitted".

 From:  99% of gargoyles look like (MR_BASTARD)  
 To:  Peter (BOUGHTONP)     
35801.13 In reply to 35801.12 
Aha! Brilliant!!

I never name my submit buttons, perhaps I should start. I'll take a leaf out of the Ikea catalogue and start calling them Björn, Benny, Agnetha, ....

bastard by name, bastard by nature


Beehive Forum 1.5.2 |  FAQ |  Docs |  Support |  Donate! ©2002 - 2024 Project Beehive Forum