Exiting from a PHP Form Validator
Also see:
- Security Levels and PHP
- Security Levels from JavaScript and PHP Input Filtering
- Security Levels from Captchas and PHP Input Filtering
Below are some code blocks to illustrate some points about exiting a form validator. The first block avoids all JavaScript and simply exits the user if the Google reCAPTCHA has not been clicked on the form on the HTML page. If using a PHP message (inside the PHP exit() function) rather than a JavaScript alert, it is polite to end it with Press Back button since it won't go back to the HTML page automatically. Why not use a PHP function to return to the previous page?
We wouldn't use the set $_SERVER referrer as that can be manipulated and thus not trusted. And we didn't want the hassle of using sessions. Sessions are NOT a good way of returning to the last page. If the user has two tabs open at the same time, the session variable will be overwritten by either tab. We also wanted to avoid the unreliability and vulnerability of using the header("Location: index.php") function. And the $_SERVER['HTTP_REFERER'] is unreliable and it's a pretty bad idea overall as the header can be hijacked. And storing the previous page in a query string may start opening up XSS holes. So let the visitor hit the back button which is both secure and easy.
1. $captcha=$_POST['g-recaptcha-response'];
if(!$captcha){exit("Please check the captcha form. Press Back button.");}
$response=file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret='yoursecretcaptchakey'&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']);
if($response.success==false)
{exit("Fill fields, please. Press Back button.");}
The second code block uses JavaScript for the message and both JavaScript and PHP for the exit. Since PHP scripts tend to run until there are errors, server problems, end of script commands (?>), or a die() or exit() function, a JavaScript window.location command in the middle of a PHP script may not really exit the user from the PHP script until the whole script runs or a die() or exit() is encountered, at which point it recalls the JavaScript command and goes to the desired page. The effect of this in an email form validator is that even though you did not want the email to get sent, it gets sent anyway (in a cleaned up form, since any good script will have stripped all the undesirable characters out of it at the beginning of the script) if you're trying to exit solely using JavaScript. The email will still get sent unless your window.location function is followed by a PHP exit() function, in which case no mail will get sent since the rest of the PHP script will not run. You'll get the desired result by using a code block like the one below.
2. $Name=$_POST['Name'];$T=$Name;cleanit($T);$Name=$T;
if (strlen($Name)<5){
echo '<script language="javascript">alert("Please enter your full real name. It will be kept private.");window.location = "index.html#input";</script>';exit();}
The third code block shows the end of a script, which should automatically exit, so the addition of the exit() function is simply a good habit to get into to ensure your code does what you want it to. Note the JavaScript alert before the PHP exit. This is a very viable method for clean exits with good user-friendly messages.
3. $to = "ourwebsite@site.info";
$subject = "ourwebsite email";
$message = $N."\nPHONE: ".$H."\nFAX: ".$F."\nEMAIL: ".$E."\nMESSAGE: ".$A;
$headers = "From: ".$E;
$mail_sent = mail($to, $subject, $message, $headers);
if($mail_sent){echo '<SCRIPT LANGUAGE="JavaScript">alert("Message sent!");</script>';}
echo '<SCRIPT LANGUAGE="JavaScript">window.location = "index.html";</script>';exit();}
?>
To sum up, there are several different ways to exit a PHP validator that gets posted HTML form input:
- PHP only — The most secure method as long as you exit with the PHP exit() function. This is less user-friendly than the JavaScript and PHP together method, which is almost as secure. The user will need to hit a Back button, which may feel like the webmaster must be a bit amateurish.
- PHP only exiting with such things as $_SERVER['HTTP_REFERER'] — We've discussed above all the things that may go wrong with this method and the others mentioned above. JavaScript and HTML are both built to conveniently and securely send the user to other web pages, but PHP is simply not.
- JavaScript only — This is an unreliable exit method in a PHP script, since the PHP script tends to run until it hits the end or a PHP exit() or die() function, and then if you're lucky it may recall where JavaScript wanted it to go.
- JavaScript and PHP together — This is best for user and programmer alike. This is a very viable method for clean, safe exits with good user-friendly messages.