When you put a form on the Internet, you need to make sure that the information submitted is valid and not malicious. In this video, we will set up validation for our suggest form. We will also discuss how to prevent various attacks spammers might use to hijack our form.
0:00
We still need to add the code that sends us an email whenever a visitor fills out our suggest form. We skipped over that earlier since it was a bit complicated, but I think that we are ready for that now. We need to do some validation on the values from the form first. And then we'll use a third party library to handle the sending.

0:17
Remember that suggest.php handles all three steps of the suggest form process: displaying the form, handling the submission, and displaying the thank you message. This code here at the top checks if the REQUEST_METHOD is POST, which tells us when the form has been submitted.

0:36
Right now, a visitor to our site could leave all three fields blank and submit the form. We don't want emails without an address to reply to or without any sort of message. So let's make sure that the name, email address, and details fields have values.

0:51
First, we'll write a conditional that checks that the name variable has a value. We'll put this validation right here, after we load the values from the post array into our working variables, but before we generate the email body and send the email. If the name variable equals an empty string, let's echo out an error message. When we encounter a blank value, let's exit so none of the other code in this file gets processed.

1:35
This will catch the case where the name is left blank entirely. But what if someone types just a space or a tab? That's kind of like leaving it blank, so we probably don't want to allow that either. We can use a trim function like we did in our array category function.

1:49
There are three trim functions in PHP: ltrim for left trim, rtrim for right trim, and just trim to trim both right and left. For our array category function, we used the ltrim function, so we were only trimming characters from the beginning of the string. We also specified the string that we wanted to trim, instead of just trimming white space. By default, each of these trim functions will trim white space off the beginning and the end of a piece of text. The white space includes spaces, tabs, and hard returns. It leaves the spaces between the words; it just removes them from either the beginning or the end, or both.

2:30
If you don't want a blank value in a variable, it's always a good idea to trim the variable to make sure that it really does have a value. We could add that trim function here in our conditional, just like this. That would make our conditional work like we want, but it would leave the name variable unchanged. This function returns a trimmed value, but it doesn't actually change the original variable. We'd usually be better off trimming the name variable itself earlier in our code, so that throughout the rest of the code, we will have a trimmed value. We'll add the trim to the top of the page. We also need to trim our email and our details variables.

3:24
We next want to make sure that the email address has a value. We can add another conditional just like this one, but let's try something else. Let's modify this conditional to check that both variables have a value. If either one of them is blank, we want to display an error message. If the name is blank or if the email address is blank: we can add an or to our conditional to check for that. We could also use the double pipes. Again, check the teacher's notes for more information about comparison operators. We'll add email double equals an empty string. Let's also check the details variable for a value in this conditional. We'll add these to the end of our message.

4:30
And now we're ready to take a look at the suggest form in the browser. Let's submit it with blank values. We display this error now and stop the form from processing before we try to send an email.

4:46
There are two core principles you'll often hear about when dealing with values that come from outside your code: filter input and escape output. These principles often work hand in hand. PHP has a built-in function to help us address these issues right away. Instead of accepting the form fields directly from our _POST array, we can use a function called filter_input that filters the input as we're applying it to our variable.

5:11
Let's start taking control. We'll start by filtering the user input with our filter_input function. We want to keep the trim function, but within the trim function, instead of using the _POST, we're going to call the function filter_input. The first argument is the type of input, so we use INPUT_POST. The second argument is the name of the variable, our first line being name. The third argument is our filter. For our name field, we don't want to allow any tags or code, so we'll use FILTER_SANITIZE_STRING.

5:57
Let's copy and paste this code for the rest of our input values. For email, we'll change to use the email field, and we'll use FILTER_SANITIZE_EMAIL instead of string. For details, we'll change to use details, and we're going to allow a little more input, even tags. But we want to make sure that they use special characters instead of straight HTML. So for details, we use FILTER_SANITIZE_SPECIAL_CHARS, or chars for short. This will take any HTML and convert it to special characters.

6:46
Great! We've addressed our most harmful attack. Now, let's take a look at the first attack, the less serious but pretty annoying comment spam attack. There are a number of different ways to address this first hack. I recommend a technique known as a spam honey pot field. It's not perfect, but it's pretty effective, and it doesn't degrade the user experience. Most of these evil robots fill out every field in a form, just in case they are required, and this technique takes advantage of that.

7:13
We need to scroll down and add a new field to our form, one we don't want our visitors to fill out. Give it a name and a label that make it look like a real field, something like address. But then we're going to hide this with CSS. We use style="display:none". When a visitor to our site views it in a visual browser, they won't be able to see that field and they'll leave it blank. But these evil robots don't use a browser. They simply scrape the HTML and look for input fields. They usually don't realize that this field is invisible, and they'll fill it in with a value.

8:11
Back at the top of the form, after our two other checks, we can check if this field has a value, that is, if it's not blank: if $_POST["address"] does not equal a blank value, then we'll assume that an evil robot is filling out this form and stop executing the file: echo "Bad form input"; exit.

8:52
It's unlikely, but it is possible that the CSS won't load, or our visitor is using a screen reader. A legitimate visitor to your site might see this field. Just in case, it's a good idea to display a note with the field. Most legitimate users won't see this, but it's a good idea to have it there just in case: "Please leave this field blank."

9:20
That was quite a bit of work, but I felt good about the amount of validation on our form. Let's now move on and get the third party library in place.