Additions:
{{redirect page="DevPhp"}}
Deletions:
The code below illustrates input handling of a POST-driven comment form. These are the basic steps involved:
1) Normalize the input (i.e. strip slashes if magic quotes added them)
1) Sanitize the input to eliminate any security vulnerabilities (tags, unwanted characters)
1) Validate the input to make sure it fulfills the form's requirements (in this case, checking for a valid email address)
1) Trigger contingent operations if the input is valid (here, an email gets sent to the site contact)
1) Provide appropriate feedback to the user
The sanitize_string function wraps [[http://www.phpclasses.org/browse/package/2189.html this class]]. See also the [[http://api.drupal.org/api/4.6/file/modules/filter.module Drupal filter.module API]] for insight into filtering input.
For the full script frame, refer to the [[http://klenwell.googlecode.com/svn/trunk/templates/php/scriptframe.blank.php klenwell script frame template]].
%%(php)
// *** CONTROLLER (Handles requests and sets triggers)
/*____________________________________________________________________________*/
// ** Default (initialize every flag/trigger so later tests never read an undefined index)
$_SHOW['form'] = 1;
$_TRIGGER['validate_form'] = 0;
$_TRIGGER['mail_inquiry'] = 0;
$_FLAG['valid_email'] = 0;
$_HTML['form_feedback'] = '';
// ** GET-triggered Requests
// ** POST-triggered Requests
if ( isset($_POST['submit_inquiry']) ) $_TRIGGER['validate_form'] = 1;
// ** COOKIE-triggered Requests
/*============================================================================*/
// *** EVENTS (Trigger-controlled events)
/*____________________________________________________________________________*/
// Validate Form
if ( $_TRIGGER['validate_form'] )
{
    // normalize input (undo magic_quotes escaping so the data is in canonical form)
    if ( get_magic_quotes_gpc() )
    {
        $_POST = strip_magic_quotes($_POST);
    }
    // sanitize input (only sanitized copies in $_INPUT are used from here on)
    $_INPUT['name'] = sanitize_string($_POST['name']);
    $_INPUT['email'] = sanitize_string($_POST['email']);
    $_INPUT['company'] = sanitize_string($_POST['company']);
    $_INPUT['phone'] = sanitize_string($_POST['phone']);
    $_INPUT['comments'] = sanitize_string($_POST['comments']);
    // email valid
    $_REPORT['email'] = validate_email($_INPUT['email']);
    if ( !$_REPORT['email']['is_valid'] )
    {
        // key must match the one set above ('email', not 'EMAIL') or the prompt is lost
        $_HTML['form_feedback'] = "<p>{$_REPORT['email']['prompt']}</p>";
    }
    else
    {
        $_FLAG['valid_email'] = 1;
    }
    // is valid
    if ( $_FLAG['valid_email'] )
    {
        // Simple anti-spam measure: reject comments carrying three or more links
        if ( substr_count($_INPUT['comments'], 'http://') < 3 )
        {
            $_TRIGGER['mail_inquiry'] = 1;
        }
        else
        {
            $_TRIGGER['mail_inquiry'] = 0;
            $_HTML['form_feedback'] = "<p>to avoid spam, we don't accept messages with <b>more than two links</b> in them. please resubmit your message without the links.</p>";
        }
    }
    // not valid
    else
    {
        $_TRIGGER['mail_inquiry'] = 0;
    }
}
// Email Form
if ( $_TRIGGER['mail_inquiry'] )
{
    $_TEXT['email'] = <<<TEXT
Name: {$_INPUT['name']}
Email: {$_INPUT['email']}
Company: {$_INPUT['company']}
Phone: {$_INPUT['phone']}
Comments:
{$_INPUT['comments']}
TEXT;
    // message data
    $stamp = date('Y m d \a\t g:ia');
    $subject = "inquiry submitted on $stamp";
    // mail sent
    if ( send_mail($PROJECT['contact_email'], $PROJECT['contact_email'], $subject, $_TEXT['email']) )
    {
        $_HTML['form_feedback'] = "<p>Your message was delivered. We will respond shortly. Thank you.</p>";
    }
    // mail failed
    else
    {
        $_HTML['form_feedback'] = "<p>Sorry, we were unable to send your message. You can email us directly at <a href=\"mailto:{$PROJECT['contact_email']}\">{$PROJECT['contact_email']}</a></p>";
    }
}
/*============================================================================*/
// *** OUTPUT (Set page head, dynamic HTML, blocks, and stacks for template)
/*____________________________________________________________________________*/
// ** Dynamic HTML
// Form
if ( $_SHOW['form'] )
{
    // PHP_SELF echoes the request path, so it must be escaped before landing in an attribute
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
    $_HTML['contact_form'] = <<<HTML
<div id="contact_form_parent">
<div id="contact_form">
<h4>submit an inquiry</h4>
<div id="form_feedback">{$_HTML['form_feedback']}</div>
<form method="post" action="{$action}">
<p><label><b>name*</b></label><input type="text" name="name" value="" maxlength="32" size="12" /></p>
<p><label><b>email*</b></label><input type="text" name="email" value="" maxlength="64" size="16" /></p>
<p><label>company</label><input type="text" name="company" value="" maxlength="32" size="12" /></p>
<p><label>phone</label><input type="text" name="phone" value="" maxlength="32" size="12" /></p>
<textarea name="comments" onfocus="this.value='';" rows="4" cols="30" >comments or questions</textarea><br />
<input type="submit" name="submit_inquiry" value="submit inquiry" />
</form>
</div>
</div>
HTML;
}
%%
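The same five steps as one self-contained, testable function, added here as an example (this is not the page's code nor the klenwell script frame's). The helpers normalize_input, sanitize_string and validate_email are stand-ins defined in the block since the page does not show its own, and the link check deliberately goes beyond the page's substr_count('http://') rule by also counting https:// and ignoring case.

```php
<?php
// Added example, not code from the original page or the klenwell script
// frame. It implements the five steps as one testable function; the page's
// own sanitize_string()/validate_email()/send_mail() helpers are not shown,
// so simplified stand-ins are defined here.
// Step 1: normalize. Coerce each expected field to a trimmed string;
// magic_quotes no longer exists (removed in PHP 5.4), so slashes are kept.
function normalize_input(array $raw): array {
    $out = [];
    foreach (['name', 'email', 'company', 'phone', 'comments'] as $f) {
        $out[$f] = trim(isset($raw[$f]) ? (string) $raw[$f] : '');
    }
    return $out;
}
// Step 2: sanitize. Strip tags and control characters (newlines survive only
// in the multi-line comments field), reject invalid UTF-8, cap the length.
// HTML escaping is deferred to output, because the same data also goes into
// a plain-text mail where entities would be garbage.
function sanitize_string(string $s, int $max = 64, bool $multiline = false): string {
    $s = strip_tags($s);
    $s = preg_replace($multiline ? '/[^\P{C}\n]/u' : '/\p{C}/u', '', $s) ?? '';
    return mb_substr($s, 0, $max);
}
// Step 3: validate. Returns the same report shape as the page's $_REPORT['email'].
function validate_email(string $email): array {
    $ok = filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
    return ['is_valid' => $ok, 'prompt' => $ok ? '' : 'Please enter a valid email address.'];
}
// Steps 4 and 5: decide whether the mail trigger fires and what feedback to
// show. The link check counts https:// and ignores case, both of which the
// page's substr_count($comments, 'http://') would miss.
function process_inquiry(array $post): array {
    $in = normalize_input($post);
    foreach ($in as $f => $v) {
        $in[$f] = sanitize_string($v, $f === 'comments' ? 2000 : 64, $f === 'comments');
    }
    $report = validate_email($in['email']);
    if (!$report['is_valid']) {
        return ['mail' => false, 'feedback' => $report['prompt'], 'input' => $in];
    }
    if (preg_match_all('#https?://#i', $in['comments']) >= 3) {
        return ['mail' => false, 'feedback' => 'Messages with more than two links are not accepted.', 'input' => $in];
    }
    return ['mail' => true, 'feedback' => 'Your message was delivered.', 'input' => $in];
}
// Constructed sample input (not real data): a valid address and three links.
// Escape $r['feedback'] with htmlspecialchars() at the point it is echoed.
$r = process_inquiry(['name' => 'Ann', 'email' => 'ann@example.com',
    'comments' => "see http://a.example HTTPS://b.example http://c.example"]);
echo $r['feedback'], "\n";
```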