I am creating a Guestbook in PHP, each IP will only be able to post once.
Except for that it will require name and message before sending, and also CAPTCH validation. Somehow my code does ignore the Captcha validation as long as something is written in the input, regardless of what.
I have tried to save the captch in session, and validate the input for the captcha but it doesnt help.
Code to generate the captcha:
function generateCaptchaString($length = 5) {
$captchaString = substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZ', ceil($length/strlen($x)) )),1,$length);
$_SESSION["captchaString"] = $captchaString;
return $captchaString;
}
Code to input name, message and captcha:
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST"
id="guestform">
<fieldset>
<legend>Skriv i gästboken</legend>
<label>Från: </label>
<input type="text" placeholder="Skriv ditt namn"
name="name">
<br>
<label for="text">Inlägg</label>
<textarea id="text" name="message"
rows="10" cols="50"
placeholder="Skriva meddelande här"></textarea>
<br>
<label>Captcha: <span class="red" id="captchastring"><?php
echo generateCaptchaString(); ?></span></label>
<input type="text" placeholder="Skriva captcha här"
name="captcha" id="captchainput" required>
<button type="submit" id="submit">Skicka</button>
</fieldset>
</form>
Code in the POST-function that will check for validation.
if( ! isset($_POST['captcha']) || empty($_POST['captcha']) ||
$_POST['captcha'] != $_SESSION['captcha']) {
$error .= "<p class=\"message-error\">" . $messages['math_invalid'] . "
</p>";
}
In your generateCaptchaString() function, you store the captcha string in $_SESSION["captchaString"].
But in the POST-validation code, you read it as: $_SESSION['captcha']
Change that into $_SESSION["captchaString"] as well.
Also, are you sure the URL to go to when submitting the form is $_SERVER['PHP_SELF'] (which may be another .php script that includes or requires this one) rather than $_SERVER['REQUEST_URI'] which is the same URL you're currently visiting.
Also, if the POST check code is in (or included by) the same file that also contains or includes the form, is it possible that generateCaptchaString() gets called again (to create the form again) thus overwriting any previous captchaString stored there?
Related
I working on two pages, a first one which has a form with three fields: name, email and message). This page will send these data to a second page, that will validate if those fields meet the criteria.
If on the second page, any of those fields does not meet the criteria, I want to redirect to the first page (or a third php one), fill the form with previous information and tell the user to correct the fields properly.
I'm strugling to send the data form the second page to the first (or third) one. Does anyone knows a good way to do it?
Here's my code:
First page - contato.html
<form action="validate.php" method="POST" name="emailform">
<div class="form-group">
<input type="text" id="name" name="nome" placeholder="Type your name">
</div>
<div class="form-group">
<input type="text" id="email" name="email" placeholder="type your#email.com here">
</div>
<div class="form-group">
<textarea class="form-control" cols="30" rows="10" maxlength="300" id="message" name="mensagem" placeholder="Leave your message." ></textarea>
</div>
<div class="form-group">
<input type="submit" name="submit" value="Send message" onclick="alert('Thank you!')" ></form>
Second Page - validate.php
if(isset($_POST['nome'])) $nome = $_POST['nome'];
if(isset($_POST['email'])) $email_visitante = $_POST['email'];
if(isset($_POST['mensagem'])) $mensagem = $_POST['mensagem'];
// if does not meet the criteria, redirect to contato.html and update the form with the info
if(empty($nome)){
Header("location:contato.html");
}
if(empty($email_visitante)){
Header("location:contato.html");
}
if(empty($mensagem)){
Header("location:contato.html");
}
// check for letters and space only
if (!preg_match("/^[a-zA-Z ]*$/",$nome)) {
Header("location:contato.html");
}
// check if e-mail address is well-formed
if (!filter_var($email_visitante, FILTER_VALIDATE_EMAIL)) {
Header("location:contato.php");
}
Does anyone knows how to do it? Either sending to a third page or redirecting to the first one (and fill the form in again)
You have to use sessions and store data there in one page and access in another, here is a small usage
<?php
// page 1
session_start();
// Set session variables
$_SESSION["nome"] = $nome;
$_SESSION["email"] = $email_visitante;
$_SESSION["mensagem"] = $mensagem;
<?php
// page 2|3|N - any other page
session_start();
// Get session variables
$nome = $_SESSION["nome"];
$email_visitante = $_SESSION["email"];
$mensagem = $_SESSION["mensagem"];
Part of your problem is that upon any failed validation you are using a redirect. Alternatively you can display an error message to the user: suggesting they need to correct their input by going back a page (browser back).
When forms get longer users need some hand holding with error correction. Their errors need to be clearly indicated with a message alongside as to how they can fix it.
Avoiding using the 'browser back' method above it's common to have the form send to its own url. I've included an example below.
By doing this you can repopulate the form with posted values upon error and add error feedback. You must be careful to escape user input in this situation.
I've added a generic error feedback notice. Which isn't that helpful in its current form. You could improve upon this by adjusting the validation code to return an array of error notices and use that within your form for more targeted error feedback. You could also add - all fields are required - text to help the user.
Upon successful validation that's when to redirect the user to a confirmation page. This can prevent form resubmissions.
Your name regex pattern in its current form will not allow hyphens or apostrophes. I haven't changed it below. Do bear this in mind. "Michael O'leary" would be faced with an error and likely not understand why. You need to be careful when using strict rules for user input. Also this will reject some unicode.
You also need to escape user input appropriately. Note that you may be satisfied that the name and email after validation follows a particular pattern, but becareful of raw user input. The message text is passed on raw after validation.
<?php
$nome = $_POST['nome'] ?? null;
$email_visitante = $_POST['email'] ?? null;
$mensagem = $_POST['mensagem'] ?? null;
$feedback = null;
if(isset($_POST['submit'])) {
if(validate($nome, $email_visitante, $mensagem) !== false) {
process($nome, $email_visitante, $mensagem);
// Redirect to success/thankyou/confirmation page.
header('location:success.html');
exit;
}
// This is a generic message, could this be more helpful?
$feedback = 'Your form has errors. Please correct them.';
}
form($nome, $email_visitante, $mensagem, $feedback);
function process($nome, $email_visitante, $mensagem) {
// do something with your values.
}
function validate($nome, $email_visitante, $mensagem) {
if(empty($nome)) {
return false;
}
if(empty($email_visitante)){
return false;
}
if(empty($mensagem)){
return false;
}
if (!preg_match("/^[a-zA-Z ]*$/",$nome)) {
return false;
}
if (!filter_var($email_visitante, FILTER_VALIDATE_EMAIL)) {
return false;
}
return true;
}
function form($nome = null, $email_visitante = null, $mensagem = null, $feedback = null) {
?>
<?= $feedback ?>
<form action='' method='POST' name='emailform'>
<div class='form-group'>
<label for='name'>Your name:</label>
<input type='text' id='name' name='nome' value='<?= htmlspecialchars($nome) ?>'>
</div>
<div class='form-group'>
<label for='email'>Your email address:</label>
<input type='text' id='email' name='email' value='<?= htmlspecialchars($email_visitante) ?>'>
</div>
<div class='form-group'>
<label for='message'>Your message:</label>
<textarea class='form-control' cols='30' rows='10' maxlength='300' id='message' name='mensagem'><?= htmlspecialchars($mensagem) ?></textarea>
</div>
<div class='form-group'>
<input type='submit' name='submit' value='Send message'>
</div>
</form>
<?php
}
How can I refresh a page with a form on submission pending the outcome of the submitted data and display a result.
e.g I have a page with a form:
<form action="" method="post">
<input type="name" value="" name="name" placeholder="Your Name" />
<input type="button" name="submit" value="submit form "/>
</form>
The engine that handles the form is external, but required in the page:
require_once 'form_engine.php';
form_engine.php checks the input,
$success = "true";
$errorMessage = " ";
$name = $_POST['name'];
if ( $name == '') {
$errorMessage = 'Please enter your name';
$success = false;
}
else (if $success = true) {
// do something with the data
}
The form page contains the result:
<form action="" method="post">
<input type="name" value="" name="name" placeholder="Your Name" />
<input type="button" name="submit" value="submit form "/>
</form>
<p><?php echo $errorMessage; ?></p>
Will the error message get displayed after the form is submitted incorrectly? Or do I have to use a session to store it?
You need something like this:
if (!isset($_POST['name']))
instead of
if ( $name == 'name')
UPDATE
Try this, it should give you the idea:
<?php
$errorMessage = false;
if (isset($_POST['submit'])) {
if (!isset($_POST['name']) || $_POST['name']=='') {
$errorMessage = 'Please enter your name';
}
else {
// do something with the data
echo "Success!!";
}
}
?>
<form method="post">
<input type="name" value="" name="name" placeholder="Your Name" />
<input type="submit" name="submit" />
</form>
<p><?php if ($errorMessage) echo $errorMessage; ?></p>
Note: leaving out the action attribute will just submit the form to the current page
Note 2: The PHP here could very well be stored in another page. Using require() is the same as putting the code directly into the page.
You can use redirect on php side:
header('Location: www.mysite.com/index.php');
You seem to be a little confused in terms of the exact process that occurs in terms of rendering a page, as do some of those commenting. You do not need to use sessions to solve this problem. There is no need to store anything server-side between page requests because the user's browser with retain everything that you need, at least for this situation. My guess is the others took you mentioning an "external engine" and thought that the form would be submitting away to a different site/page.
form loops
Below is a diagram showing a typical form request loop:
You do not have to do this, as coding is as much about personal preference to anything else, but typically people will design their form to submit back to the same URI that generated it — as you seem to be doing in your example, by leaving the action attribute blank. By doing this, as long as you embed everything you wish to pass back to the server side within the form — each time the user submits — that information will be resent and be available in PHP.
Obviously you need to be wary of what information might constitute as sensitive, as this data should only ever be written into markup if your requests are protected by HTTPS/SSL. You should also filter/escape any user input to prevent markup injection into your site. You can prevent many problems by using htmlentities, however this can cause issues depending on the values you are trying to capture from the user. Because you are using double quoted HTML attributes (the right way to do them ;) I have not set the ENT_QUOTES option.
back to the point
So in the above loop the user will be shown the form for the first time, and after any subsequent submit, which means that each time your PHP notices that there is an error you can just add your message into the page flow. The trick with this kind of system is what exactly do you do once the form is fully complete. To get out of the loop most people will use a header location call:
<?php
require_once 'form_engine.php';
$name = !empty($_POST['name']) ? trim($_POST['name']) : '';
$name = htmlentities($name);
if ( $success ) {
header('location: next-step.php');
exit;
}
?>
<form action="" method="post">
<input type="name" value="<?php echo $name; ?>" name="name" placeholder="Your Name" />
<input type="button" name="submit" value="submit form "/>
</form>
<?php
if ( $errorMessage ) {
echo "<p>$errorMessage</p>";
}
?>
form engine repairs
You should also rectify your form_engine.php as per my comments above and Shekhar Joshi's answer, although I would keep the header code outside of your engine logic, and leave that decision to the code that requires in the engine — as the above does.
may be, you are looking for this! the header() method.
$success = true;
$errorMessage = " ";
$name = $_POST['name'];
if(isset($_POST['name'])) {
if ( $_POST['name'] == '') {
$errorMessage = 'Please enter your name';
$success = false;
header('Location: www.something.com/some.php');
}
else if ($success == true) {
// do something with the data
}
}
My issue: I'm trying to make this form both email the form data and redirect to download page using php script (i.e.: One click = 2 actions). I searched the boards and didn't really find anything similar to what I am trying to do. I had tried several options code wise, but it won't send the email at all. What am I doing wrong?
code:
form:
<form id="myform">
<form method="get" action="action/php">
<fieldset><center>
<h3>DOWNLOAD DVD</h3>
<p> Enter your full name and email and then press Download DVD. </p>
<p><br>
<label>Enter Your Name *</label>
<input type="text" name="name" pattern="[a-zA-Z ]{5,}" maxlength="30" />
</p>
<p>
<label>Enter Your Email *</label>
<input type="email" name="email" required />
</p>
<button type="submit" id="submit-myform"; class="submit" value="Submit" name="myform_submit">Download DVD</button>
<button type="reset">Reset</button>
</fieldset>
</form>
php:
<?PHP
if(isset($_POST['myform_submit']) && $_POST['myform_submit'] == "Submit"){
echo "http://www.website.com";
}else {
mail( "info#website.com", "Landing Page Download",
$name, "From: $email" );
}
?>
Again ... The download content comes up nicely. But the email will not send.
I think you've got your if statement mixed up. Currently it's saying if the form is submitted, then print a URL to the screen, otherwise send an email but from what you've said you want to redirect and send an email. Try this:
if(isset($_POST['myform_submit'])) {
$send = mail( "info#website.com", "Landing Page Download", $_POST['name'], "From: " . $_POST['email'] );
if($send) {
header("Location: http://www.website.com");
} else {
echo 'Error sending email!';
}
}
Problem number 2 is you have nested forms. Not sure why you're doing this, but it's against HTML spec and will probably cause your form data not to get sent as it should. Remove the outer form. Here's line 3 of the HTML3(old!) spec:
Note you are not allowed to nest FORM elements!
Problem number 3, you're setting your form method as GET and then trying to access POST variables. Problem 3.5, your action is action/php - thats not a filename (unless you have an index.php file inside a folder called php, inside a folder called action). Change all this to:
<form method="post" id="myform" action="action.php">
Note: header("Location: [url]") sends a redirect header to your browser, so you are redirected to the target URL. If you simply want to display the URL (like in your question) then continue to just echo it.
I have a website where any visitor can subscribe to receive the newsletter.I encountered the problem of having my resubmitted when everytime when i refreshed the page.I solved it by applying the PRG concept. Now a user never submits the same form twice, i have just one problem : i have designed the form in such a way that when the is succesfully/or fails a message is display under the input fields. Unfortunatly now that i have the PRG concept applied i never get any message displayed . What to do ?
index.php - where i have the divs containing the submit form and the message display
<div id="newsletter" >
<form id="abonat" name="abonat" action="formular.php" method="post" onsubmit="return golire()" autocomplete="on" >
<span>Subscribe</span>
<input type="text" id="nume" name="nume" placeholder="Name" required />
<input type="email" id="email" name="email" placeholder="Email" autocomplete="off" required/>
<input type="submit" value="Subscribe" class="button" style="width:26%;float:left;" />
</form>
</div>
<div id="mesaj_newsletter">
<span><?php if (isset($mesaj)) echo $mesaj; ?> </span>
</div>
formular.php - where the validation takes place,and the message is decided
include('conect.php');
function validEmail($email){
//code that verifies if it is a valid email adress
}
if( (isset($_POST['email']))&&(isset($_POST['nume'])) ){
$nume=mysql_real_escape_string($_POST['nume']);
$email=mysql_real_escape_string($_POST['email']);
$z=1;
if(validEmail($email)==TRUE){
$result=mysql_query("SELECT * FROM abonat");
while($data=mysql_fetch_row($result)){
if(($data[1]==$email)||($data[2]==$nume))
$z=0;
}
if($z==1){
mysql_query("INSERT INTO abonat(email,nume) VALUES ('$email','$nume')");
$mesaj="Your email has been registered";
}
else $mesaj="You are already registered";
}
else $mesaj="You have not entered a valid email adress";
}
mysql_close($con);
header('Location:index.php');
?>
Try setting a cookie called e.g. $_COOKIE['status_message'] with 60 second timeout.
set_cookie('status_message','This is our message',(time()+60));
Then when the page is refreshed, check to see if the cookie has any data;
if(isset($_COOKIE['status_message'])){
echo $_COOKIE['status_message'];
set_cookie('status_message','',(time()-3600));
}
This will echo out any populated message and destroy the cookie.
Put your $mesag in query string like this
header("Location:index.php?msg=$mesag");
then use $_GET['msg'] on index.php and get value there and display it.
I want to submit this form through PHP. with validation for required field and validation for phone number and email field also
<form action="" method="" id="get-protected">
<div class="row requiredRow">
<label for="txt_FirstName">
First Name</label>
<input id="txt_FirstName" type="text" class="required" title="First Name. This is a required field" />
</div>
<div class="row">
<label for="txt_LastName">
Last Name</label>
<input id="txt_LastName" type="text" title="First Name. This is a required field" />
</div>
<div class="row">
<label for="txt_Phone">
Phone</label>
<input id="txt_Phone" type="text" title="First Name. This is a required field" />
</div>
<div class="row requiredRow">
<label for="txt_Email">
Email</label>
<input id="txt_Email" type="text" class="required" title="Email. This is a required field" />
</div>
<div class="row">
<input type="submit" value="" class="button" />
</div>
</form>
In your method attribute inside your form, you need to declare either post or get.
Since your action attribute is "" it will submit to the page itself rather than redirecting to another page, so you can have your code that checks for validation in the same PHP file. First validation that is often checked is if the variable has a value by using isset:
if(isset($_POST['txt_Phone'])) { ... }
This just checks that the Phone number field does not contain empty data. I strongly suggest you perform other validation checks on the POST array so you do not have any users posting malicious code.
You can use functions like htmlspecialchars to prevent user-supplied text depending on what you plan to do with the values
Here are some references to help you along the way in the order they should be viewed.
Form Validation using PHP - PHP and MySQL Tutorial
PHP Advance Form Validation Tutorial
PHP Tutorial Part 2: Form Validation
Your form tag needs a target in the action field and a method in the method field (either GET or POST). So make the action your PHP script.
<form name="input" action="form_submit.php" method="get">
As for field validation, you will either have to parse that inside of the PHP and return a response or use Javascript in the browser to check on the fly.
Here is the shcema of such a script:
if ($_SERVER['REQUEST_METHOD']=='POST') {
//data validation:
$err="";
if (valid_phone($_POST['phone'])) $err="Wrong phone no";
if (!$err) {
//record data:
$sql="...";
query($sql);
Header("Location: ".$_SERVER['REQUEST_URI']); //redirect and exit
exit;
}
}
?>
<html>
<head></head>
<body>
<? if ($err) ?> <font color=red><b><?=$err?></b></font>
<form method="POST" id="get-protected">
here goes your form
Okay, firstly, I like to set the form action to <?=$_SERVER['REQUEST_URI']?> to submit it back to the current page, but leaving it as you have it will work fine too.
Secondly, you need to give all your <input>s a name attribute. This is the variable name that PHP will see.
When your users get an error (something doesn't validate correctly) you don't want all the data they entered to disappear. That means you have to set the value attributes of each input to what they had previously entered. Thus, your form starts to look like this:
<form action="<?=$_SERVER['REQUEST_URI']?>" method="" id="get-protected">
<div class="row requiredRow">
<label for="txt_FirstName">
First Name</label>
<input id="txt_FirstName" type="text" class="required" title="First Name. This is a required field" name="first_name" value="<?=htmlspecialchars($_POST['first_name'])?>" />
</div>
...
<div class="row">
<input type="submit" name="submit" value="" class="button" />
</div>
</form>
If you didn't know <?= is a basically a shortcut for <?php echo but it will only work if your server has short tags enabled. Some people prefer to type it out the long way (in case they want to switch servers later, or for future-compatibility, or because they're nutbars), but I say screw them, I'm lazy.
This page that has the form on it, has to saved with a .php extension (well, technically it doesn't have to, but that's another story). Then you need to handle you form validation. You have to code that up yourself. It might look something like this (put it above your form somewhere)
<?php
if($_POST['submit']) {
$errors = array()
if(empty($_POST['first_name'])) $errors[] = 'please enter your first name';
if(empty($errors)) {
// save the data to database or do whatever you want with it
header('redirect:succcess.php');
} else {
foreach($errors as $e) {
echo $e;
}
}
}
?>
It's been a while since I've coded in PHP so forgive me if there are syntax errors. That's the jist of it anyway, I'm sure you can find validation libraries out there if you Google. Might take some of the grunt work out of trying to validate email addresses and such.
Using Javascript you can do the validation for this form.For each condition you can use return true and return false,based on the condition.Then you can submit the value.
Using action attribute in form tag the values will be submitted to that file.