[PHP] Webform still firing blanks...

I've got a form handler that emails form input to various people - I thought I'd managed to prevent empty fields from being submitted by using the following condition:
Code:
// check for required fields
if (trim($_POST['firstName']) != "" && trim($_POST['lastName']) != "" && trim($_POST['homePhone']) != "")
{
  // email the form
}
else
{
  // inform the user required fields are missing and send them back to the form
}

But we're still getting blank input coming through... any ideas?
 
Could try using an isset() on the form variables like so.
Failing that you could try comparing them to Null as well as ""

Code:
$firstName = trim($_POST['firstName']);
$lastName = trim($_POST['lastName']);
$phoneNumber = trim($_POST['homePhone']);

if($firstName != "" && $lastName != "" && $phoneNumber != "")
{
  // email the form
}
else
{
  // inform the user required fields are missing and send them back to the form
}
 
LazyManc said:
I've got a form handler that emails form input to various people - I thought I'd managed to prevent empty fields from being submitted by using the following condition:
Code:
// check for required fields
if (trim($_POST['firstName']) != "" && trim($_POST['lastName']) != "" && trim($_POST['homePhone']) != "")
{
  // email the form
}
else
{
  // inform the user required fields are missing and send them back to the form
}

But we're still getting blank input coming through... any ideas?

Isn't the header exploit or whatever it is still possible in that code?
 
What's the point in checking if a variable is set, when you've explicitly set it 2 lines above that?

Just do

Code:
if(empty($firstName) || empty($lastName) || empty($phoneNumber))
{
    // error
}
else
{
    // no error
}
 
robmiller said:
What's the point in checking if a variable is set, when you've explicitly set it 2 lines above that?

Yeah, spotted that shortly after. Just trying to juggle watching 24, reading a Flash book and typing, and when I started typing I went one way and decided to go with setting the variables first instead of using the POST variables within the if statement.

Usually though I'd just feed the variables into an associative array and pass the array to a premade function I did for checking form variables. Just saves me rewriting it each time :) Problem is you don't get practice doing it that way.
 
Ok, finally worked out what it was....

The code was basically:

check for empty required fields
if empty, inform user
if not empty, strip tags, send email, insert into database

So of course if someone was being naughty and putting HTML into the fields then it would show as not empty but then get stripped before being sent or inserted.

Now I just strip tags before I do the empty check.
 
If it's just a mail, then you don't need to strip HTML tags unless you're explicitly sending the email as HTML - i.e., sending

MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1

or whatever in the additional_headers argument.
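
The ordering fix described in the thread (normalise first, then test for empty), together with a line-break check for values that may end up in mail headers, as an added example that is not code from any poster. The function name `clean_required_fields` is hypothetical, the sample submission is constructed, and the CR/LF rejection assumes these are single-line fields.

```php
<?php
// Added example (hypothetical helper, not code from the thread).
// Each required field is normalised the same way it will be stored or mailed,
// and only then tested for emptiness, so "<b></b>" cannot pass as non-empty.

function clean_required_fields(array $post, array $required): array
{
    $clean  = [];
    $errors = [];

    foreach ($required as $name) {
        $raw = $post[$name] ?? '';
        if (!is_string($raw)) {           // e.g. firstName[]=x arrives as an array
            $errors[$name] = 'invalid';
            continue;
        }

        // A CR or LF in a value copied into a mail header (subject, From,
        // additional_headers) would start a new header line, so refuse the
        // submission instead of trying to repair it.
        if (preg_match('/[\r\n]/', $raw)) {
            $errors[$name] = 'invalid';
            continue;
        }

        $value = trim(strip_tags($raw));  // same transformation applied before sending
        if ($value === '') {              // strict comparison: "0" is a real value
            $errors[$name] = 'missing';
            continue;
        }
        $clean[$name] = $value;
    }

    return [$clean, $errors];
}

// Constructed sample submission.
$sample = [
    'firstName' => '<b></b>',                // non-empty before strip_tags, empty after
    'lastName'  => "Smith\r\nX-Extra: 1",    // line break inside a single-line field
    'homePhone' => ' 0 ',                    // valid once trimmed
];

[$clean, $errors] = clean_required_fields($sample, ['firstName', 'lastName', 'homePhone']);
var_dump($clean, $errors);
```

Only email the form or insert into the database when `$errors` is empty, and use the values in `$clean` rather than `$_POST` from that point on.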
 