web form tutorial


afroman

I need a good tutorial (with a step-by-step process) about setting up web forms. I need help with this, because I want to set up some useful forms like: a direct e-mail form, a questionnaire (questions for users) and so on...
 
HTML? Or do you want to use some sort of scripting language alongside? 'cos HTML email forms... in a word... suck.
 
Forms? What is there to know? www.hotscripts.com << tons of scripts. Download the one you want and use it. I use some email script; it's called emailer.php, I think. I just made another PHP file, included the emailer.php file, and then in the new PHP file I inserted some font and other options. WORKS PERFECTLY. NO MYSQL needed.
 
Thanks - I found "contactus" - as I understand it, it is for sending mail from the web; it is nice and exactly what I need, but I can't install it - so can anyone please explain to me step by step how to do it? Is there something I should know that isn't in the "read me" file? Really, I am a beginner at this!
 
For a start, that's way too complicated.

PHP:
<?php
if (isset($_POST['submit'])) {
    $to = "youremail@whatever.com";
    // Remove line breaks from the subject: a CR/LF in it would be read as extra mail headers.
    $subject = str_replace(["\r", "\n"], '', $_POST['subject']);
    $message = $_POST['message'];
    mail($to, $subject, $message);
    echo "Message sent";
} else {
?>
<form method="POST" action="index.php">
Subject: <input type="text" name="subject"><br>
Message:<br>
<textarea name="message"></textarea><br>
<input type="submit" name="submit" value="Send">
</form>
<?php
}
?>
 
Heh. All you'll ever really need is:

PHP:
// ereg() was removed in PHP 7; preg_match() with the same character class does the same check.
if (preg_match('/[^A-Za-z0-9]/', $input)) {
    echo "The input supplied contains non-alphanumerical characters";
    exit;
}

^ for when you only want letters and numbers

PHP:
addslashes($input)

^ When entering a variable value into an SQL query

PHP:
stripslashes($output)

^ When displaying it on a page

... that's all there really is to it. Dunno why some people go way over the top with billions of security checks. If you don't want non-alphanumerical, then don't allow it. If you are using PHP with SQL, add and strip slashes. And always make sure what the user requests is actually available. That's really all you need :S If you DO want to allow non-alphanumerical, just remember to disallow HTML special characters:

PHP:
str_replace("&#", "&", $input)

.. or a variant of that.
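The three checks from this post, as an added example that is not part of the thread and not this poster's code, rewritten for current PHP: ereg() was removed in PHP 7, so the letters-and-numbers case uses preg_match(); for the SQL case the value is bound with a PDO prepared statement instead of being passed through addslashes(), and for the display case htmlspecialchars() encodes the HTML special characters. The function names, the users table, the in-memory SQLite connection and the sample inputs are all constructed for this example.

```php
<?php
// Added example, not code from the thread. Function names and the users table are
// this example's own; the database is an in-memory SQLite so it runs without a server.

// 1. "Only letters and numbers": ereg() is gone since PHP 7, preg_match() does the same job.
//    \A and \z anchor the whole value, so an empty string or a trailing newline also fails.
function isAlphanumeric(string $input): bool
{
    return preg_match('/\A[A-Za-z0-9]+\z/', $input) === 1;
}

// 2. "Entering a variable value into an SQL query": bind the value as a parameter.
//    The driver keeps it as data, so no addslashes()/stripslashes() pair is needed.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. "Displaying it on a page": encode <, >, &, " and ' on output; the stored value
//    stays exactly as the user typed it.
function displayValue(string $output): string
{
    return htmlspecialchars($output, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs.
foreach (['afroman61', 'bob;drop', '<b>hi</b>', "o'neil"] as $in) {
    printf("%-12s alphanumeric: %-3s shown as: %s\n",
        $in, isAlphanumeric($in) ? 'yes' : 'no', displayValue($in));
}

// Constructed table and rows for the SQL case (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('afroman'), ('o''neil')");

var_dump(findUser($db, "o'neil"));   // array: the quote is part of the data, not of the SQL
var_dump(findUser($db, 'nobody'));   // NULL: the requested user is not available
```

Run it from the command line with `php example.php`. The point of the second function is that the value never gets spliced into the query text, so there is nothing to add slashes to and nothing to strip again later.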
 
Terencentanio said:
Heh. All you'll ever really need is:
...
^ for when you only want letters and numbers
...
^ When entering a variable value into an SQL query
...
^ When displaying it on a page

... that's all there really is to it. Dunno why some people go way over the top with billions of security checks. If you don't want non-alphanumerical, then don't allow it. If you are using PHP with SQL, add and strip slashes. And always make sure what the user requests is actually available. That's really all you need :S If you DO want to allow non-alphanumerical, just remember to disallow HTML special characters:
...
.. or a variant of that.

There are plenty of situations when a little more is required. For example, what if you are checking file names? You may want to allow file names with a-z, 0-9, and other characters such as ., /, -, etc... Many people also neglect to properly decode their data before checking.

What if you check input as sent by the browser? %3B may slip past some checks, but what about when that gets decoded to ; later in your code?

90% of the time what you have mentioned above is enough, but there are always cases when finer control is needed.
 
Indeedly. You can add to ereg to make it allow _ and - for file names.

I don't think %3B would be decoded. It's usually only 'decoded' when displayed on a page. For example, %20 would remain as %20 in the code, but when it's displayed on a page, it becomes a space. I've never really tried. Lemme go check and I'll come back.

- teh edited:

Hehe. %20 taken from a variable is entered as a space. %20 taken as text is entered as %20.

Oddjobness. Will have to look at how to stop that via another method other than filtering out "%" and disallowing everything other than letters and numbers.
 
Odd things happen from time to time. Someone can check the value of a user-supplied variable, and call urldecode on it at some point after that. My only real points are that flexibility is a good thing to have, and the security process shouldn't be over-simplified. People rely too much on one aspect of security to cover them (classic firewall problem) and neglect security at other points.
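The decoding problem raised in the last few posts, as an added example that is not part of the thread: a value such as %3B passes a check that only looks for ';', and then becomes ';' when urldecode() runs later in the code. The code below decodes before validating and applies the file-name whitelist discussed above (letters, digits, '.', '/', '-' and '_'); because that whitelist admits '../', it also checks that the name resolves inside the intended directory and that the file actually exists. The function names, the temporary directory layout and the sample values are constructed for this example.

```php
<?php
// Added example, not code from the thread. Assumed names: isSeparatorFree(),
// isSafeFileName(), normalise(), resolveInside(); all inputs below are constructed.

// The kind of check %3B slips past: a blacklist applied to the value as the browser sent it.
function isSeparatorFree(string $value): bool
{
    return strpos($value, ';') === false;
}

// File-name whitelist from the discussion: letters, digits and . / - _ only.
// \A and \z anchor the whole string (a bare $ would still accept a trailing newline).
function isSafeFileName(string $name): bool
{
    return preg_match('#\A[A-Za-z0-9._/-]+\z#', $name) === 1;
}

// Decode until the value stops changing, so %3B and a double-encoded %253B both
// end up as ';' before any check runs, instead of somewhere later in the code.
function normalise(string $raw): string
{
    do {
        $previous = $raw;
        $raw = urldecode($raw);
    } while ($raw !== $previous);
    return $raw;
}

// Because '.' and '/' are allowed, '../' passes the whitelist; the resolved path must
// still lie inside $baseDir. realpath() also answers "is the file actually there".
function resolveInside(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

// Constructed query-string values, as received from a browser.
foreach (['report-2024.txt', 'docs/readme.txt', 'name%3Bextra', 'name%253Bextra', 'a%20b.txt'] as $raw) {
    $decoded = normalise($raw);
    printf("%-16s blacklist on raw: %-4s decoded to %-16s whitelist on decoded: %s\n",
        $raw,
        isSeparatorFree($raw) ? 'pass' : 'fail',
        "'" . $decoded . "'",
        isSafeFileName($decoded) ? 'pass' : 'fail');
}

// Constructed directory layout for the path check (removed again at the end).
$dir = sys_get_temp_dir() . '/formdemo_' . getmypid();
mkdir($dir . '/docs', 0700, true);
touch($dir . '/docs/readme.txt');
$outside = sys_get_temp_dir() . '/formdemo_outside_' . getmypid() . '.txt';
touch($outside);

var_dump(resolveInside($dir, 'docs/readme.txt'));           // string: inside $dir and present
var_dump(resolveInside($dir, 'docs/missing.txt'));          // NULL: not available
var_dump(resolveInside($dir, '../' . basename($outside)));  // NULL: exists, but outside $dir

unlink($dir . '/docs/readme.txt');
rmdir($dir . '/docs');
rmdir($dir);
unlink($outside);
```

In the printed table, 'name%3Bextra' passes the blacklist as received and fails the whitelist once decoded, which is exactly the gap described above; 'a%20b.txt' fails after decoding because a space is not in the whitelist. Needs PHP 8 for str_starts_with().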
 