Load bad_link.php in the ch06 folder into a browser. It contains a single link to form.php in the same folder; but the link in the underlying HTML has been deliberately malformed to simulate an XSS attack.

Dismiss the JavaScript alert, if necessary, and right-click to view the page source. Line 10 should look similar to this:

The malformed link in bad_link.php has injected a snippet of JavaScript into the page immediately after the opening <form> tag. In this instance, it’s a harmless JavaScript alert; but in a real XSS attack, it could try to steal cookies or other personal information. Such an attack would be silent, leaving the user unaware of what has happened unless they notice the script in the browser address bar.

This has happened because form.php uses $_SERVER['PHP_SELF'] to generate the value of the action attribute. The malformed link inserts the page location in the action attribute, closes the opening form tag, and then injects the <script> tag, which is executed immediately as the page loads.

A simple, but effective, way to neutralize this type of XSS attack is to pass $_SERVER['PHP_SELF'] to the htmlentities() function like this:

This converts the angle brackets of the <script> tags to their HTML entity equivalents, preventing the script from being executed. Although it works, it leaves the malformed URL in the browser address bar, which could lead users to question the security of your site. I think a better solution is to redirect users to an error page when XSS is detected.

Use $currentPage as the value of the action attribute in the opening form tag:

Save form.php, return to bad_link.php, and click the link again. This time you should be taken directly to missing.php.

Load form.php directly in the browser. It should load and work as expected.

The finished version is in form_end.php in the ch06 folder. The file called bad_link_end.php links to the finished version if you just want to test the script.

This foreach loop processes the $_POST array by stripping out leading and trailing whitespace from text fields and assigning the field’s contents to a variable with a simplified name. As a result, $_POST['email'] becomes $email, and so on. It also checks if required fields are left blank, and adds them to the $missing array, setting the related variable to an empty string.

The $_POST array is an associative array, so the loop assigns the key and value of the current element to $key and $value, respectively. The loop begins by checking that the current value isn’t an array, using the is_array() function with the logical Not operator (!). If it isn’t, the trim() function strips leading and trailing whitespace and reassigns it to $value. Removing leading and trailing whitespace prevents anyone from pressing the space bar several times to avoid filling in a required field.

Save processmail.php. You’ll add more code to it later, but let’s turn now to the main body of contact.php. The action attribute in the opening form tag is empty. For local testing purposes, just set its value to the name of the current page:

This checks $missing and $errors, which you initialized as empty arrays in step 1. As explained in “The truth according to PHP” in Chapter 4, an empty array is treated as false, so the paragraph inside the conditional statement isn’t displayed when the page first loads. However, if a required field hasn’t been filled in when the form is submitted, its name is added to the $missing array. An array with at least one element is treated as true. The || means “or,” so this warning paragraph will be displayed if a required field is left blank or if an error is discovered. (The $errors array comes into play in PHP Solution 6-4.)

To make sure it works so far, save contact.php and load it normally in a browser (don’t click the Refresh button). The warning message is not displayed. Click Send message without filling in any of the fields. You should now see the message about missing items, as shown in the following screenshot.

The condition uses the in_array() function to check if the $missing array contains the value name. If it does, the <span> is displayed. $missing is defined as an empty array at the top of the script, so the span won’t be displayed when the page first loads.

The PHP code is the same except for the value you are looking for in the $missing array. It’s the same as the name attribute for the form element.

Save contact.php and test the page again, first by entering nothing into any of the fields. The form labels should look like Figure 6-5.

Add email to the $required array in the code block at the top of comments.php, like this:

Click Send message again without filling in any fields. This time, you’ll see a warning message alongside each label.

Type your name in the Name field. In the Email and Comments fields, just press the spacebar several times, then click Send message. The warning message alongside the Name field disappears, but the other two warning messages remain. The code in processmail.php strips whitespace from text fields, so it rejects attempts to bypass required fields by entering a series of spaces.

If you have any problems, compare your code with contact_03.php and includes/processmail_01.php in the ch06 folder.

The $name variable contains the original user input, which was transmitted through the $_POST array. The foreach loop that you created in processmail.php in PHP Solution 6-2 processes the $_POST array and assigns each element to a variable with the same name. This allows you to access $_POST['name'] simply as $name.

So, why do we need the htmlentities() function? As the function name suggests, it converts certain characters to their equivalent HTML character entities. The one you’re concerned with here is the double quote. Let’s say Eric “Slowhand” Clapton decides to send feedback through the form. If you use $name on its own, Figure 6-6 shows what happens when a required field is omitted and you don’t use htmlentities().

Passing the content of the $_POST array element to the htmlentities(), however, converts the double quotes in the middle of the string to &quot;. And, as Figure 6-7 shows, the content is no longer truncated.

What’s cool about this is that the character entity &quot; is converted back to double quotes when the form is resubmitted. As a result, there’s no need for further conversion before the email can be sent.

Edit the email field the same way, using $email instead of $name.

It’s important to position the opening and closing PHP tags right up against the <textarea> tags. If you don’t, you’ll get unwanted whitespace inside the text area.

Save contact.php and test the page in a browser. If any required fields are omitted, the form displays the original content along with any error messages.

You can check your code with contact_04.php in the ch06 folder.

The string assigned to $pattern will be used to perform a case-insensitive search for any of the following: a space, carriage return, newline feed, “Content-Type:”, “Bcc:”, or “Cc:”. It’s written in a format called Perl-compatible regular expression (PCRE ). The search pattern is enclosed in a pair of forward slashes, and the i after the final slash makes the pattern case-insensitive.

The preg_match() function compares the regular expression passed as the first argument against the value in the second argument, in this case, the value from the email field. It returns true if it finds a match. So, if any of the suspect content is found, $suspect will be true. But if there’s no match, it will be false.

This processes the variables in the $_POST array only if $suspect is not true.

Don’t forget the extra curly brace to close the conditional statement.

This sets a new condition that takes priority over the original warning message by being considered first. It checks if the $_POST array contains any elements—in other words, the form has been submitted—and if $suspect is true. The warning is deliberately neutral in tone. There’s no point in provoking attackers.

Save contact.php and test the form by typing any of the suspect content in the email field. You should see the new warning message, but your input won’t be preserved.

You can check your code against contact_05.php and includes/processmail_02.php in the ch06 folder.

The purpose of validating the email address is to make sure it’s in a valid format, but the field might be empty because you decide not to make it required or because the user simply ignored it. If the field is required but empty, it will be added to the $missing array, and the warning you added in PHP Solution 6-2 will be displayed. If the field isn’t empty, but the input is invalid, you need to display a different message.

This begins by checking that no suspect content has been found and that the email field isn’t empty. Both conditions are preceded by the logical Not operator, so they return true if $suspect and empty($email) are both false. The foreach loop you added in PHP Solution 6-2 assigns all expected elements in the $_POST array to simpler variables, so $email contains the same value as $_POST['email'].

The next line uses filter_input() to validate the email address. The first argument is a PHP constant, INPUT_POST, which specifies that the value must be in the $_POST array. The second argument is the name of the element you want to test. The final argument is another PHP constant that specifies you want to check that the element conforms to the valid format for an email.

The filter_input() function returns the value being tested if it’s valid. Otherwise, it returns false. So, if the value submitted by the user looks like a valid email address, $validemail contains the address. If the format is invalid, $validemail is false. The FILTER_VALIDATE_EMAIL constant accepts only a single email address, so any attempt to insert multiple email addresses will be rejected.

This adds an elseif clause to the first conditional statement and displays a different warning if the email address fails validation.

Save contact.php and test the form by leaving all fields blank and clicking Send message. You’ll see the original error message. Test it again by entering a value that isn’t an email address in the Email field or by entering two email addresses. You should see the invalid message.

You can check your code with contact_06.php and includes/processmail_03.php in the ch06 folder.

Add the following code at the bottom of the script in processmail.php:

This initializes a variable to redirect to a thank you page after the mail has been sent. It needs to be set to false until you know the mail() function has succeeded.

This block of code begins by checking that $suspect, $missing, and $errors are all false. If they are, it builds the message body by looping through the $expected array, storing the result in $message as a series of label/value pairs.

On the next pass, $$item creates a variable called $email, and so on.

This checks that the form has been submitted and the mail is ready to send. It then displays the values in $message and $headers. Both values are passed to htmlentities() to ensure they display correctly in the browser.

Save contact.php, and test the form by entering your name, email address, and a brief comment. When you click Send message, you should see the message body and headers displayed at the bottom of the page, as shown in Figure 6-8.

Assuming the message body and headers display correctly at the bottom of the page, you’re ready to add the code to send the email. If necessary, check your code against contact_07.php and includes/processmail_04.php in the ch06 folder.

In processmail.php, add the code to send the mail. Locate the following line:

This passes the destination address, subject line, message body, and headers to the mail() function, which returns true if it succeeds in handing the email to the web server’s mail transport agent (MTA). If it fails, $mailSent is set to false, and the conditional statement adds an element to the $errors array, allowing you to preserve the user’s input when the form is redisplayed.

You need to test this on your remote server, so replace www.example.com with your own domain name. This checks if $mailSent is true. If it is, the header() function redirects to thank_you.php, a page acknowledging the message has been sent. The exit command on the following line ensures the script is terminated after the page has been redirected.

There’s a copy of thank_you.php in the ch06 folder.

The original and new conditions have been wrapped in parentheses, so each pair is considered separately. The warning about the message not being sent is displayed if the form has been submitted and suspect phrases have been found, or if the form has been submitted and $errors['mailfail'] has been set.

Delete the code block (including the <pre> tags) that displays the message body and headers at the bottom of contact.php.

Testing this locally is likely to result in the thank you page being shown, but the email never arriving. This is because most testing environments don’t have an MTA. Even if you set one up, most mail servers reject mail from unrecognized sources. Upload contact.php and all related files, including processmail.php and thank_you.php, to your remote server and test the contact form there. Don’t forget that processmail.php needs to be in a subfolder called includes.

You can check your code with contact_08.php and includes/processmail_05.php in the ch06 folder.

Each check box shares the same name attribute, which ends with an empty pair of square brackets, so the data is treated as an array. If you omit the brackets, $_POST['interests'] contains the value of only the first check box selected. Also, $_POST['interests'] won’t exist if no check box has been selected. You’ll fix that in the next step.

The count() function returns the number of elements in an array, so this creates $errors['interests'] if fewer than two check boxes have been selected. You might be wondering why I have used a variable instead of the number like this:

This certainly works and it involves less typing, but $minCheckboxes can be reused in the error message. Storing the number in a variable means this condition and the error message always remain in sync.

The value attribute is not required in the <option> tag, but if you leave it out, the form uses the text between the opening and closing tags as the selected value. Therefore, it’s necessary to set the value attribute explicitly to an empty string. Otherwise, “Select one” is transmitted as the selected value.

To make a multiple-choice list required and to set a minimum number of choices, use the same technique used for a check-box group in PHP Solution 6-8.

The PHP block inside the <input> element inserts the checked attribute only if the $_POST array contains values and $errors['terms'] hasn’t been set. This ensures that the check box is not selected when the page first loads. It also remains unchecked if the user submitted the form without confirming acceptance of the terms.

The second PHP block displays an error message alongside the label if $errors['terms'] has been set.

You need to create $errors['terms'] only if the check box is required. For an optional check box, just set the value to an empty string if it’s not included in the $_POST array.