GlowHost Web Hosting Forums  

#1 rlhanson, 07-25-2008
Form Processor - ereg

Is there a shortcut way of letting your form processor know that if ANY fields besides the email contain html or script tags that it should die?

Here's the code I have (from John-Marc) to keep it out of the comments text area:

PHP Code:
// Redirect to the error page when the comments field matches the pattern
if (ereg('[http\\:\\/\\/]*[www\\.]*[A-Za-z0-9_-]+\\.[A-Za-z0-9]+', $_POST['comments']))
{
    header("Location: error.php");
    exit;
}

__________________
Thank you,
Lynne Hanson
RL Hanson-Online

#2 jmarcv, 07-26-2008

Good morning dangerous!

Actually, that code is to look for URLs in comments.
To check all, you need to loop through the POST array like so:
PHP Code:
 
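// Walk every submitted field instead of naming each one
while (list($varname, $value) = each($_POST)) {
    // Redirect to the error page when the value matches the pattern
    if (ereg('[http\\:\\/\\/]*[www\\.]*[A-Za-z0-9_-]+\\.[A-Za-z0-9]+', $value)) {
        header("Location: error.php");
        exit;
    }
}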

To check for ANY html, the easiest is to strip it out and compare sizes before and after.
PHP Code:
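while (list($varname, $value) = each($_POST)) {
    // A value without tags comes back from strip_tags() unchanged
    $aftervalue = strip_tags($value);
    // A different length means strip_tags() removed something
    if (strlen($aftervalue) != strlen($value)) {
        // Debug only: output sent before header() can stop the redirect
        // echo "$varname has code in it";
        header("Location: error.php");
        exit;
    }
}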


PHP: strip_tags - Manual

Hope that helps.

#3 rlhanson, 07-26-2008

Good morning to you also

That is exactly what I was looking for as far as an example - I didn't know what to search for on the php.net site.

I'm going to try it out! I have a (what used to be a 6-page document) form for a client and I wanted to get a little lazy instead of having to put an ereg statement for every value.

Thanks so much for the response. I hope I can get this figured out. lol
__________________
Thank you,
Lynne Hanson
RL Hanson-Online

#4 jmarcv, 07-27-2008

I am sure you can get it figured out!

#5 rlhanson, 08-11-2008

John-Marc,
How do I implement the code and still allow for an email address to be entered?

I need some sort of else statement right?
__________________
Thank you,
Lynne Hanson
RL Hanson-Online

#6 jmarcv, 08-11-2008

You should try it. Since an email addy is not html code, it passes through fine.

#7 rlhanson, 08-12-2008

Thanks for your response. I actually had tried both examples and wasn't getting the results I anticipated so thought I would ask about the email address before going any farther.

When I place this:

PHP Code:
while (list($varname, $value) = each($_POST)) {
    if (ereg('[http\\:\\/\\/]*[www\\.]*[A-Za-z0-9_-]+\\.[A-Za-z0-9]+', $value)) {
        header("Location: error.php");
        exit;
    }
}

I get the error page regardless of what I type in (html or no html).

With the other example, it processes regardless of what I type in (html or no html).

I used a form wizard to shortcut which has some add slashes and 'what not' - I'm going to try using my other form processor and see if I can't narrow things down a bit.

Thanks as always!!
__________________
Thank you,
Lynne Hanson
RL Hanson-Online
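
Added example (not code from any poster in this thread): a PHP 7.4+ version of the loop from post #2 that gives the email field from post #5 its own check and shows that the thread's URL pattern also matches ordinary values such as an email address. The field names, `URL_PATTERN`, `find_rejected_fields()` and the sample submission are assumptions; `preg_match()` and `foreach` stand in for `ereg()` and `each()`, which were removed in PHP 7.0 and 8.0.

```php
<?php
// Added example; field names and the sample submission are constructed.

// The thread's pattern as a PCRE. Each [...] is a character class, not a group,
// so the "http://" and "www." parts may match nothing; all that is really
// required is letters, a dot, letters ("example.com", "p.m").
const THREAD_PATTERN = '~[http\:\/\/]*[www\.]*[A-Za-z0-9_-]+\.[A-Za-z0-9]+~';

// Assumed stricter pattern: an explicit scheme or a leading "www." is required.
const URL_PATTERN = '~(?:https?://|\bwww\.)[^\s<>"\']+~i';

// Returns [field name => reason] for every field that should be refused.
function find_rejected_fields(array $post, string $emailField = 'email'): array
{
    $rejected = [];
    foreach ($post as $name => $value) {
        if (!is_string($value)) {          // field[]=x arrives as an array
            $rejected[$name] = 'not a string';
        } elseif ($name === $emailField) { // the email field gets its own check
            if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                $rejected[$name] = 'invalid email';
            }
        } elseif (strip_tags($value) !== $value) {
            $rejected[$name] = 'markup';   // strip_tags() removed something
        } elseif (preg_match(URL_PATTERN, $value) === 1) {
            $rejected[$name] = 'url';
        }
    }
    return $rejected;
}

$sample = [                                // constructed submission
    'name'     => 'Lynne',
    'email'    => 'lynne@example.com',
    'comments' => 'Please call me after 5 p.m. tomorrow.',
    'company'  => '<a href="http://example.com">cheap pills</a>',
    'website'  => 'visit www.example.com today',
];

// Which fields the thread's pattern flags, for comparison.
$flaggedByThreadPattern = array_keys(array_filter(
    $sample,
    fn ($v) => preg_match(THREAD_PATTERN, $v) === 1
));
print_r($flaggedByThreadPattern);
print_r(find_rejected_fields($sample));

// In the form processor itself:
// if (find_rejected_fields($_POST)) { header('Location: error.php'); exit; }
```

This filters spam on input only; any submitted value that is later displayed still needs `htmlspecialchars()` at output.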

#8 rlhanson, 08-12-2008

I just tried out the wizard at: phpFormGenerator - create professional web forms in minutes

which is pretty cool as you can have the captcha function and break long forms into pages.

I like it!!
__________________
Thank you,
Lynne Hanson
RL Hanson-Online

#9 jmarcv, 08-12-2008

The first was to strip URLs and the second was for HTML code.
Well if phpFormGenerator does that for you then all the better. If not and we need to revisit, let us know.

#10 rlhanson, 08-12-2008

I honestly haven't tested it to see if it allows the html code yet, but it's a super long form, and requires input in each section and finishes up with the captcha. What I'm hoping for is that it's too much of a pain to send a bunch of spam. lol

I'll let you know - as usual!
__________________
Thank you,
Lynne Hanson
RL Hanson-Online