ContactForm, Clean up text submitted

halojoy · Post by **halojoy** » Fri Jun 10, 2005 10:30 pm

.
ContactForm, How to Clean up text submitted?
Will write me a ContactForm.
The form part is no problem, and what to do with submitted message.
I will save message to a plain text file: 'contactmsg.txt'

It is the part in between I am not sure how to do.
The stripping of unwanted characters and code.
I just want to allow plain text.

Any hints or examples for me?

halojoy

Archived topic from Iceteks, old topic ID:3395, old post ID:27382

Red Squirrel · Post by **Red Squirrel** » Sat Jun 11, 2005 12:22 am

This can become tricky, and is very important as it can be a security issue. well in a text file not so bad, but if it's going in a DB you definatly want to do an addslashes() to the data and get rid of some other evil characters like the one on the ~ key if you press it without shift. This board blocks it off completely. Well really it should escape it and still display, but it was a quick fix to avoid an vulnubility someone pointed out and I never got around to making it better.

Archived topic from Iceteks, old topic ID:3395, old post ID:27384

halojoy · Post by **halojoy** » Sat Jun 11, 2005 12:35 am

addslashes() - yes I have seen that used frequently in form processing

I will just save (append) to a plain file messages.txt
not to a Database

I will do a search for examples on net, with Google
there are plenty 'simple php contact form' versions out there
mostly with send mail function, but also some for flat text file storage

I find it stupid to send mail, when I have my personal webserver apache
in my own computer, here in my own room

why send Contact form message across atlantic to hotmail.com or whereever
much easier I just open this text file: messages.txt
with my NEdit (notepad in Linux)

Why settle for an 50MB Mail account Inbox?
When I have 50GB ( 50.000MB ) of my own !!!!

Archived topic from Iceteks, old topic ID:3395, old post ID:27385

halojoy · Post by **halojoy** » Sat Jun 11, 2005 1:55 am

Code: Select all

// if POST submitted ===================
$comments= stripslashes("$_POST[comments]");
$comments= htmlspecialchars($comments);
if(empty($comments)) problem("Please enter comments!");
addEntry ( $comments );

//======================================
function addEntry ( $comments ){
$delimiter= "	";
$newline= "
";   //Linux="
"; Windows="
"; Mac="
";
$datemsg= date ("Y-m-d");

$comments= str_replace("
","
",$comments);
$comments= str_replace("
","
",$comments);
$comments= str_replace("
","
",$comments);
if($settings['filter']) $comments= filter_bad_words($comments);

$addline= "$name$delimiter$email$delimiter$url$delimiter$comments$delimiter$datemsg$newline";

$fp= @fopen("messages.txt","rb") or problem("Can't read file! CHMOD file to 666 (rw-rw-rw)!");
$data= @fread($fp,filesize("messages.txt"));
fclose($fp);

$addline .= $data;

$fp= fopen("messages.txt","wb") or problem("Can't write to file! CHMOD file to 666 (rw-rw-rw)!");
fputs($fp,$addline);
fclose($fp);
}[code]
This model was used in a flat file guestbook I downloaded.

 :joker: [b]Is this okay, or do I need to add anything to this model?[/b] 

[color=#888888][size=85]Archived topic from Iceteks,  old topic ID:3395, old post ID:27386[/size][/color]

halojoy · Post by **halojoy** » Sat Jun 11, 2005 6:31 am

I managed to rewrite that guestbook script into a ContactMe script.
Saves submitted contact messages in a plain textfile.
index.php checks out IP-number.
If it is my (127.0.0.1 in this case) redirects to showmsg.php, so I can read all contact messages.
If is other IP-number, redirects to contact-form.php, so they can contact me.

Here is shot of both pages:

Archived topic from Iceteks, old topic ID:3395, old post ID:27387

Red Squirrel · Post by **Red Squirrel** » Sat Jun 11, 2005 11:44 am

Looks ok to me. If you want to really play safe you can do stripslashes() and replace quotes and slashes with their html name. ex: " etc... A problem in php is the magic quotes setting, on some servers it's on on some it's off. When it's on, it automaticly does an addslashes() to $_POST data, but when it's off, it does not. so that can really screw things up. It's probably the hardest thing to deal with when treating user submitted data. So the way I go about it is do a stripslashes() so you make sure it's not " \ etc then you can replace the quotes with their html values as they'll apear ok when displayed, and if you ever switch to mysql you'll be safe from the most common sql injections.

Archived topic from Iceteks, old topic ID:3395, old post ID:27390

halojoy · Post by **halojoy** » Sat Jun 11, 2005 12:22 pm

Yes, that seems like the way to do it.
My private apache server has magic quotes on.
But if I want to share this script and be sure it work alright, it should have stripslashes.
This script I have rewritten, first thing does stripslashes.

Code: Select all

if(isset($_POST['submit'])){
$name=htmlspecialchars(stripslashes($_POST['name']));
if(empty($name))problem('Please enter your name!','1');
$from=htmlspecialchars(stripslashes($_POST['from']));
$a=check_mail_url();$email=$a['email'];$url=$a['url'];
$comments= htmlspecialchars(stripslashes($_POST['comments']));
if(empty($comments)) problem('Please enter comments!','1');
$remote=$_SERVER['REMOTE_ADDR'];

addEntry($name,$from,$email,$url,$comments,$remote);
exit();
/////////////////////////////////////////////////////////////
function addEntry($name,$from,$email,$url,$comments,$remote){
/* This part will help prevent multiple submissions */
session_start();if (isset($_SESSION['add']))problem('You may only submit once per session!

Thank you');
global $settings;
$delimiter="	";
$added=date("Y-m-d @ H:i");
$comments=str_replace("
","
",$comments);
$comments=str_replace("
","
",$comments);
$comments=str_replace("
","
",$comments);
$addline="$name$delimiter$from$delimiter$email$delimiter$url$delimiter$comments$delimiter$added$delimiter$remote$settings[newline]";

$fp = @fopen($settings['logfile'],'rb') or problem('Cant read log file! CHMOD file to 666 (rw-rw-rw)');
$links = @fread($fp,filesize($settings['logfile']));
fclose($fp);
$addline .= $links;
$fp = fopen($settings['logfile'],'wb') or problem('Cant write to log file! CHMOD file to 666 (rw-rw-rw)');
fputs($fp,$addline);
fclose($fp);
$_SESSION['add']=1;
?>
<p> </p>
<p><b>Your message was successfully added!</b></p>
<p>Thank you</p>
<p> </p>
<?php
printDownHTML();
exit();
}[code]
[b]1.[/b] stripslashes();
[b]2.[/b] htmlspecialchars();
[b]3a.[/b] str_replace("
","
",$str); [b]3b.[/b] str_replace("
","
",$str); [b]3c.[/b] str_replace("
","
",$str);
One nice feature with this script is, using a SESSION variable [b]to avoid submitting same stuff twice[/b].
This is not unusually to happen. Every time you refresh, you submit a new post.
It also adds latest contact post on top.

halojoy 

[color=#888888][size=85]Archived topic from Iceteks,  old topic ID:3395, old post ID:27391[/size][/color]

halojoy · Post by **halojoy** » Sat Jun 11, 2005 5:34 pm

.
Did some magic quotes, stripslashes, addslashes research.
This first code was found in includes/common.php of an application.
Will always be run in very beginning of most any page.

Code: Select all

// set magic_quotes_runtime off
set_magic_quotes_runtime(0);
// if magic_quotes_gpc strip slashes from GET POST COOKIE
if (get_magic_quotes_gpc()){
	function stripslashes_array($array){
  return is_array($array) ? array_map('stripslashes_array',$array) : stripslashes($array);
	}
	$_GET= stripslashes_array($_GET);
	$_POST= stripslashes_array($_POST);
	$_COOKIE= stripslashes_array($_COOKIE);
}[code]

This other very similiar code and info was found in a forum topic discussing [b]magic_quotes_gpc[/b][code]// This will make code independent of php/server setting
// To use magic quote or not is up to you
// If you use magic quotes, echo $text; should be echo stripslashes($text);
///////////////////////////
// If you don't need magic quote: 
function stripslashes_array(&$arr) { 
foreach (array_keys($arr) as $k) { 
$arr[$k] = stripslashes($arr[$k]);} 
} 
if (magic_quote_gpc()) { 
stripslashes_array($_GET); 
stripslashes_array($_POST); 
stripslashes_array($_REQUEST); 
stripslashes_array($_COOKIE); 
} 
set_magic_quote_runtime(0); 
//////////////////
// For those need magic quote: 
function addslashes_array(&$arr) { 
foreach (array_keys($arr) as $k) { 
$arr[$k] = stripslashes($arr[$k]);}
}
if (!magic_quote_gpc()) { 
addslashes_array($_GET); 
addslashes_array($_POST); 
addslashes_array($_REQUEST); 
addslashes_array($_COOKIE); 
} 
set_magic_quote_runtime(0);[code]

[color=#006060][b][b]Bottomline:[/b]
This magic quotes thing is dependent of php/server setting.
Is also so important, that most any submitted data
should be fixed to have correct format. With or without slashes.
Such a function could be run in a general include common script,
before any data from GET POST COOKIE is processed and used.
halojoy [/b][/color]  

[color=#888888][size=85]Archived topic from Iceteks,  old topic ID:3395, old post ID:27398[/size][/color]

Cold Drink · Post by **Cold Drink** » Sun Jun 12, 2005 1:02 am

If you are viewing a plain text file (served to you with the http text/plain type) and its just stored on disk, you don't really need to escape anything since it won't be re-displaed. If you are using it in a guest book way then that is different.

It all depends on application.

Archived topic from Iceteks, old topic ID:3395, old post ID:27402

halojoy · Post by **halojoy** » Sun Jun 12, 2005 6:02 am

Yes,
That is of course true.
Sometimes it is not necessary and we can keep it very simple.

But we want to write code, that would work generally.
So called good practice.

Suppose I write this contact form, first as a single module. Working alone.
does not need any stripslashes or addslashes operation of data.
Later I need a contact form for another application, that displays data differently.
I want to use it, istead of write a new contact form for each and every application.

It is good to learn to write php scripts with code that is generally working, in most any situation,
and run on most any system. Linux, Mac or windows.
And using a format for data submitted, that would work well with most any database.
At least we should try to use only one data format for each application , with or without slashes.
Data should be consistent.

When we erite our own scripts, submitting our own data, we have total control.
However is situations, where data comes from an outside source.
One such case is when someone other using some other system is submitting data using forms.
It is good practice to take some meassures to fix data, before storing or displaying it.
This can also be essential for keeping a good safety.
Red Squirrel mentioned SQL Injection.
I do not know what that is, but I know it is no good.

halojoy

Archived topic from Iceteks, old topic ID:3395, old post ID:27403

Cold Drink · Post by **Cold Drink** » Sun Jun 12, 2005 12:50 pm

Yes this is all true. However efficency is also a good thing to keep in mind. Anyway, if addslashes() + htmlenteties() + strip_tags() + new line processing isn't enough, you could allways go through the file character by charcter and replace everything that isn't a-z 0-9 with an HTML entity, of course that would be horribly wasteful in terms of file size.

You really shouldn't rely on magic quotes being there and bindly callign stripslashes(). Yes its on for your private server but settings change and you'll be suprised at how many problems magic quotes causes. I know you have some detecting code there, but I still say its a bad idea to change the magic quotes setting from a script. Why? Debugging. Between the programmer and server admin at lot of digging has to be done to figure out what te value of magic quote is at any given part of the script. Using seperate functions, say, quote_incoming() or strip_incoming() could be created that will check for the value of magic quotes at run time and either skip or perform stripping or escaping depending. Doing this and avoiding using the $_* variables directly seems to be the most clear way of managing these issues.

Archived topic from Iceteks, old topic ID:3395, old post ID:27408

halojoy · Post by **halojoy** » Sun Jun 12, 2005 1:01 pm

Okay,
I will do that.
Thanks.

Archived topic from Iceteks, old topic ID:3395, old post ID:27409

halojoy · Post by **halojoy** » Sun Jun 12, 2005 7:09 pm

Very good article on magic quote problem
Magic Quotes and Add Slashes in PHP
Made me turn
magic_quotes_gpc = Off
in my php.ini -> This is also default recommended setting of php.net

With htmlentities() function you have some optional parameters.
So you can decide how to deal with single and double quotes.
From php manual:

Example of use:
$string = htmlentities ( $string, ENT_COMPAT , "UTF-8" );

All characters which have HTML character entity equivalents are translated into these entities.

The optional second "quote_style" parameter lets you define
what will be done with 'single' and "double" quotes. Default being ENT_COMPAT.
ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES Will convert both double and single quotes.
ENT_NOQUOTES Will leave both double and single quotes unconverted.

Optional third argument "charset" define swhich character set used in conversion.
Presently, the ISO-8859-1 character set is used as the default.

I think I finally have understood how to deal with GET POST COOKIE inputs.
And I have changed my contactform script according to this. Works perfectly!
Last thing I had to add, is to first of all make $string = trim ( $_POST[ 'input'] );
This will remove any leading and trailing spaces or linefeeds of input.
(There are also PHP trim functions for removing only leading or only trailing)

Thanks for all thoughts and advices.
/halojoy

Archived topic from Iceteks, old topic ID:3395, old post ID:27414