Validation for Phone numbers

Hi

Thank you very much for the comprehensive feedback. Don't worry about me,
I'm just a bit touchy at times!

Yes, I think that should do the trick with your form fields and the error
display. Please let me know how it goes.

Good point about the support section. After I got your last email, the same
thing occurred to me, so again, good to get your feedback.

Just a point about running <script> in your form, maliciously. It would
only affect the computer it was run on, it wouldn't affect your website or
your system. Therefore, it's a pretty pointless thing to do, and probably
wouldn't happen, but it just looks a little bit "insecure". The
htmlspecialchars() will prevent it.

Best wishes.

Charles Sweeney
https://formtoemail.com
The world's easiest feedback script!

----- Original Message -----
Sent: Monday, September 14, 2009 2:22 PM
Subject: RE: Validation for Phone numbers


Hi Charles,

Please forgive me. I might have expressed their concerns wrongly.
They are not programmers, neither am I, and therefore wouldn't know to tell
you how to program or code.
They are certainly paranoid about security and being responsible for a
financial institution's network might not be an easy task. It certainly
makes them jump with any little thing.
The miss on the first security scan is partially my fault. I wasn't aware
that Webinspect only follows links on the public pages and that form was
initially created to be a sort of "hidden" page where the address was to be
given to a few people only. Because it wasn't linked to any public page the
scan didn't catch the issue with the <script> being allowed otherwise I
would have added to the list of blocked words then.
So I have done what you mentioned and added <script> to the list of blocked
words and added the (htmlspecialchars($formfieldname)) to all fields as well
as the validation display:

foreach ($_SESSION['formtoemail_form_errors'] as $form_error_value) {
    print "<b>" . stripslashes(htmlspecialchars($form_error_value)) . "</b><br>";
}

I am going to be testing it in dev and hopefully be able to have them do
another scan today. I will keep you posted. Maybe that can be added to the
FAQ as added security configuration for us non-programmers.

Please know that it wasn't my intention to tell you how to code your script
as I am sure it is a tried and true script hence my push to buy the pro
version to be used on our sites. I was really panicky because when security
ran the scan they were really adamant that the site couldn't go up until the
issues were fixed. Once Clients gave the go ahead to postpone the production
I sort of calmed down a little. I am sorry I passed the impression I was
trying to teach you how to do it. It was truly not my intention.

Thank you,


-----Original Message-----
Sent: Friday, September 11, 2009 6:06 PM
Subject: Re: Validation for Phone numbers

Hi

The code you used is based on the sample code I give on my site. I cannot
possibly give code that suits every customer in every situation. I cannot,
in sample code, write chapter and verse on the subject. It is provided as
example code. On my sister-site http://formtoemailremote.com/ I give this
(different) example for pre-populating:

stripslashes(urldecode($_POST[$key]))

...it is written as such because the script that posts to that page uses
this (note the use of htmlspecialchars):

urlencode(htmlspecialchars($value))

...so you can tell your security people that I don't need lessons on the use
of htmlspecialchars(), thanks all the same!

Using my script, the ONLY values that will get posted into your fields, are
values sent from the script. You can configure the script to block any
value you like, so NO security issues about what the script is posting to
your form. You have FULL control over what appears there. So for example,
you could put <script> in the list of words to block in the word block
configuration. That means that <script> can NEVER get posted to the script,
which means that it would NEVER end up in the session array that is used to
pre-populate your form, and therefore could NEVER end up in a form field.

If you particularly want to use htmlspecialchars() on the values that
pre-populate your form, instead of using this:

print stripslashes($name);

...use this:

print stripslashes(htmlspecialchars($name));

Hopefully keep your security people happy!

Best wishes.

Charles Sweeney
https://formtoemail.com
The world's easiest feedback script!
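The point made in this reply, and again in the first reply at the top of the thread about the form fields and the error display, is that encoding a value at the moment it is written into the page is what stops a submitted value from being rendered as markup, whatever word it contains. The following is an added example, not FormToEmail's own code: the stored values are constructed, $form_values and the function names are hypothetical, and only 'formtoemail_form_errors' is a key taken from the thread.

```php
<?php
// Added example, not FormToEmail's own code. The two arrays below are
// constructed stand-ins for what the script keeps in the session:
// $form_values is a hypothetical name, $form_errors mirrors
// $_SESSION['formtoemail_form_errors'] from the thread.
$form_values = array(
    'name'  => 'Jane <script>test</script>',
    'phone' => "555'1234",
);
$form_errors = array(
    'Phone number may contain numbers only',
);

// Encode a value for an HTML element body or a quoted attribute.
// ENT_QUOTES also encodes the single quote, which the default flags
// leave untouched; the charset argument avoids mis-decoding bytes.
// stripslashes() is kept in the order used in the thread.
function html_value($value)
{
    return stripslashes(htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// A text input whose value attribute carries the previously submitted
// value. Any tag inside the value is shown as literal text, not markup.
function input_field($name, array $values)
{
    $value = isset($values[$name]) ? html_value($values[$name]) : '';
    return '<input type="text" name="' . html_value($name)
         . '" value="' . $value . '">';
}

// The error display from the thread, with the same encoding applied.
function error_list(array $errors)
{
    $out = '';
    foreach ($errors as $error) {
        $out .= '<b>' . html_value($error) . '</b><br>';
    }
    return $out;
}

echo input_field('name', $form_values), "\n";
echo input_field('phone', $form_values), "\n";
echo error_list($form_errors), "\n";
```

Run it with `php` on the command line and compare the emitted value attributes with the raw values at the top: the angle brackets and the single quote come out as entities, so the browser shows them as text inside the field.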

----- Original Message -----
Sent: Friday, September 11, 2009 7:54 PM
Subject: RE: Validation for Phone numbers


Hi Charles,

In regard to the vulnerability I mentioned before, I have the details and it
seems to be a valid critical vulnerability.
I just talked to one of the people in charge of the scans and he said he was
able to run a script by inputting the code directly on the fields.
I have the spreadsheet with the details of the scan and I have attached it
for your review.
He said that all you need to add is encoding for htmlspecialchars to the
code.
I am sending you the attached vulnerability http request and response from
the server.
The whole reason this issue was not picked up by the scan the last time was
because the form wasn't linked from any page on the site and now it is so it
picked it up right away.
This is actually critical and we had a huge site going to production
tomorrow which we might need to halt due to the problem.
I appreciate any help with fixing the vulnerability as we might still be
able to go to production if we can get clearance with a new code.


Thank you,

-----Original Message-----
Sent: Friday, September 11, 2009 2:03 PM
Subject: Re: Validation for Phone numbers

Hi

Sure you can! Want me to show you how???

Here goes:

Add this line of code to your script:

if (!is_numeric($_REQUEST['phone'])) {
    $errors[] = "Phone number may contain numbers only";
}

Change 'phone' for the name of the form field. You can also change the
error message to suit.

There are a number of places in the script where you can put this line, so
long as it goes after:

$errors = array();

...and before:

// Display any errors and exit if errors exist.

You might as well put it right after:

$errors = array();

Just make a copy of the line for the fax input.

Any questions, just let me know.

Best wishes.

Charles Sweeney
https://formtoemail.com
The world's easiest feedback script!
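An added example, not FormToEmail's own code, that places the is_numeric() check from this reply beside a digits-only check and runs both over constructed inputs; the function names are hypothetical. It also shows one way to hook the check into the $errors array for both the phone and the fax field.

```php
<?php
// Added example, not FormToEmail's own code. Hypothetical function names.

// The check as given in the reply: anything PHP does not read as a
// number is rejected.
function phone_error_is_numeric($value)
{
    if (!is_numeric($value)) {
        return 'Phone number may contain numbers only';
    }
    return null;
}

// Stricter check: only the characters 0-9 and a plausible length.
// is_numeric() also accepts a sign, a decimal point, an exponent and
// leading whitespace, none of which belong in a phone or fax number.
function phone_error_digits($value, $min = 7, $max = 15)
{
    $len = strlen($value);
    if (!ctype_digit($value) || $len < $min || $len > $max) {
        return 'Phone number may contain numbers only';
    }
    return null;
}

// Drop-in for the script: call after "$errors = array();" and before the
// error display, passing every field that must be digits only.
function add_numeric_field_errors(array $request, array $fields, array &$errors)
{
    foreach ($fields as $field) {
        $value = isset($request[$field]) ? $request[$field] : '';
        if (phone_error_digits($value) !== null) {
            $errors[] = ucfirst($field) . ' may contain numbers only';
        }
    }
}

// Constructed inputs showing where the two checks differ.
$samples = array('5551234567', '555-1234', '1e5', ' 123', '-42', '<script>');
foreach ($samples as $s) {
    printf("%-14s is_numeric: %-5s digits: %s\n", var_export($s, true),
        phone_error_is_numeric($s) === null ? 'ok' : 'error',
        phone_error_digits($s) === null ? 'ok' : 'error');
}

// Constructed request in place of $_REQUEST, checking both fields.
$errors = array();
add_numeric_field_errors(array('phone' => '5551234567', 'fax' => '1e5'),
    array('phone', 'fax'), $errors);
print_r($errors);
```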

----- Original Message -----
Sent: Friday, September 11, 2009 6:37 PM
Subject: Validation for Phone numbers


Hi Charles,

Can we add extra validation to only allow numbers in the phone and fax
fields?

Thank you,