
Thread: PHP Input validation

  1. #1
    Join Date
    Jan 2007
    Location
    The stage
    Posts
    568
    Thanks
    23
    Thanked 6 Times in 6 Posts

    PHP Input validation

    Ok, I was wondering if PHP can do this...
    I have a form, and there is a hidden input with a secret number to prevent people from submitting fakes.
    I was wondering if PHP can read a file, take the numbers in the file, and check to see if the hidden input and the file are the same; if they are, then allow the rest of the script to check * or to let the user upload files; if they are not the same, then the form upload doesn't show...
    Here is the script for both pages...
    *NOTE: THE HIDDEN NUMBER IS THE FIRST FORM ELEMENT*
    HTML Code:
    <html>
    <head>
    <script type="text/javascript" src="script.js"></script>
    <style type="text/css">
    .input{
    background: url(input.png) no-repeat;
    width: 184px;
    color: #000000;
    font-family: Tahoma;
    height: 24px;
    border: none;
    padding: 4px 4px 4px 4px;
    font-size: 12px;
    }
    .textarea{
    background: url(textarea.png) no-repeat;
    border: none;
    width: 250px;
    height: 200px;
    padding: 3px 3px 3px 3px;
    overflow: hidden;
    font-family: Tahoma;
    font-size: 11px;
    }
    .progress{
    	width: 50px;
    	height: 24px;
    	color: white;
    	font-size: 12px;
    	font-family: Tahoma;
    	background: #000000 url(loader.gif) x-repeat;
    	overflow: hidden;
    	padding-left: 5px;
    }
    </style>
    <script type="text/JavaScript" src="textprogress.js"></script>
    </head>
    <body>
    <form action="uploader.php" method="post">
    <!-- the hidden "secret" number: the first form element -->
    <input type="hidden" name="3p42r3ad3a4than32" value="329r8g" />
    <div class="pureadd">
    <br>
    <br>Your Name:
    <br><input type="text" name="Name" class="input" />
    <br>Your Email:
    <br><input type="text" name="Email" class="input" />
    <br>
    <script type="text/javascript">
    // writes the client's current date/time into a hidden "time" field
    document.write("<input type='hidden' value='" + Date() + "' name='time' />");
    </script>
    <br>
    <br>Agree To Terms of Service
    <br><input type="checkbox" name="TermsOfService" value="Agreed" /> Yes I Agree To the Terms of Service
    <br>
    File Description:
    <br>
    <textarea rows="5" cols="40" name="description" id="maxcharfield" onKeyDown="textCounter(this,'progressbar1',200)" onKeyUp="textCounter(this,'progressbar1',200)" onFocus="textCounter(this,'progressbar1',200)" class="textarea"></textarea><br />
    <div id="progressbar1" class="progress"></div>
    <input type="submit" class="input">
    </div>
    </form>
    </body>
    </html>
    Here is the PHP page, uploader.php:
    PHP Code:
    <?php
    $filename = 'data.html';
    $input1 = $_SERVER['REMOTE_ADDR'];
    $input2 = $_POST["Name"];
    $input3 = $_POST["Email"];
    $input4 = $_POST["time"];
    $input5 = $_POST["3p42r3ad3a4than32"];
    // the form names this field "description" (lowercase); $_POST keys are case-sensitive
    $input6 = $_POST["description"];
    // note: the submitted values go into the HTML file exactly as received (no escaping)
    $data = "<table border='1'><tr><td>User IP Address:</td><td>$input1</td></tr><tr><td>Name:</td><td>$input2</td></tr><tr><td>Email Address:</td><td>$input3</td></tr><tr><td>Date Submitted:</td><td>$input4</td></tr><tr><td>Description</td><td><textarea cols='50' rows='5'>$input6</textarea></td></tr></table>";

    if (is_writable($filename)) {
        if (!$handle = fopen($filename, 'a')) {
            echo "Cannot open file ($filename)";
            exit;
        }

        // Write $data to our opened file.
        if (fwrite($handle, $data) === FALSE) {
            echo "Cannot write to file ($filename)";
            exit;
        }

        echo "Success your information has been submitted!  Now please submit your files...";

        fclose($handle);

    } else {
        echo "The file $filename is not writable";
    }

    ?>
    <?php
    $upload_dir = "submitions/";
    $num_files = 2;
    //the file size in bytes.
    $size_bytes = 20480000; // 20480000 bytes = 20000 KB.
    //Extensions you want files uploaded limited to.
    $limitedext = array(".gif",".jpg",".jpeg",".png",".bmp",".mov",".mpg",".mpeg");

    //check if the directory exists or not.
    if (!is_dir("$upload_dir")) {
        die ("Error: The directory <b>($upload_dir)</b> doesn't exist because we are in the process of the weekly upload.");
    }

    //check if the directory is writable.
    if (!is_writeable("$upload_dir")){
        die ("Error: The directory <b>($upload_dir)</b> is NOT writable, Please click contact and then contact technical support to tell them this problem.");
    }

    //if the form has been submitted, then do the upload process
    //infact, if you clicked on (Upload Now!) button.
    if (isset($_POST['upload_form'])){

        echo "<h3>Upload results:</h3>";

        //do a loop for uploading files based on ($num_files) number of files.
        for ($i = 1; $i <= $num_files; $i++) {

            //define variables to hold the values.
            $new_file  = $_FILES['file'.$i];
            $file_name = $new_file['name'];
            //to remove spaces from file name we have to replace it with "_".
            $file_name = str_replace(' ', '_', $file_name);
            $file_tmp  = $new_file['tmp_name'];
            $file_size = $new_file['size'];

            #-----------------------------------------------------------#
            # this code will check if the files was selected or not.    #
            #-----------------------------------------------------------#

            if (!is_uploaded_file($file_tmp)) {
                //print error message and file number.
                echo "File $i: Not selected.<br>";
            }else{

                $ext = strrchr($file_name, '.');
                if (!in_array(strtolower($ext), $limitedext)) {
                    echo "File $i: ($file_name) Wrong file extension. <br>";
                }else{

                    if ($file_size > $size_bytes){
                        echo "File $i: ($file_name) Faild to upload. File must be <b>". $size_bytes / 1024 ."</b> KB. <br>";
                    }else{

                        if(file_exists($upload_dir.$file_name)){
                            echo "File $i: ($file_name) already exists.<br>";
                        }else{

                            if (move_uploaded_file($file_tmp, $upload_dir.$file_name)) {
                                echo "File $i: ($file_name) Uploaded.<br>";
                            }else{
                                echo "File $i: Faild to upload.<br>";
                            }
                            #end of (move_uploaded_file).

                        }#end of (file_exists).

                    }#end of (file_size).

                }#end of (limitedext).

            }#end of (!is_uploaded_file).

        }#end of (for loop).
        # print back button.
        echo "»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
    ////////////////////////////////////////////////////////////////////////////////
    //else if the form didn't submitted then show it.
    }else{
        echo " <h3>Select files to upload!.</h3>
               Max file size = ". $size_bytes / 1024 ." KB";
        echo " <form method=\"post\" action=\"$_SERVER[PHP_SELF]\" enctype=\"multipart/form-data\">";
        // show the file input field based on($num_files).
        for ($i = 1; $i <= $num_files; $i++) {
            echo "File $i: <input type=\"file\" name=\"file". $i ."\"><br>";
        }
        echo " <input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"$size_bytes\">
               <input type=\"submit\" name=\"upload_form\" value=\"Upload Now!\">
               </form>";
    }
    ?>
    </body>
    </html>
    I wrote the first <? php ?> tag but not the second... That I simply edited by following directions... but it works... I just need it to validate...

    Thanks!

    I think it would be something like

    PHP Code:
    if $input5 value 3p42r3ad3a4than32
    else echo "YOUR REQUEST IS INVALID WE WILL BLOCK YOU FROM OUR SITE!"
    but I don't know how to do that.
    Last edited by Rockonmetal; 08-27-2007 at 10:34 PM.

  2. #2
    Join Date
    Jul 2006
    Location
    just north of Boston, MA
    Posts
    1,806
    Thanks
    13
    Thanked 72 Times in 72 Posts


    Quote Originally Posted by Rockonmetal View Post
    Ok, I was wondering if PHP can do this...
    I have a form and there is a hidden input with a secret number to prevent people from submitting fakes.
    <input type="hidden" name="3p42r3ad3a4than32" value="329r8g" />
    I hope you aren't tracking that through type="hidden", because that won't prevent people from submitting fakes. That isn't viewable to the eye in the display page, but it will be there in the source... and don't try to block the source, because if someone wanted to find it, they would only need to disable JavaScript to view the source / many other means.

    I was wondering if PHP can read a file take the numbers in the file and check to see if the hidden input and the file are the same, if they are then allow the rest of the script to check * or to let the user upload files, if they are not the same then the form upload doesn't show...
    Yes, it's possible... that can be done either through a session variable or through other means.


    PHP Code:
    <?php
    $filename = 'data.html';
    $input1 = $_SERVER['REMOTE_ADDR'];
    $input2 = $_POST["Name"];
    $input3 = $_POST["Email"];
    $input4 = $_POST["time"];
    $input5 = $_POST["3p42r3ad3a4than32"];
    $input6 = $_POST["Description"];
    You might want to perform some other validation on that... like trim the edges and remove harmful tags... look up htmlspecialchars, htmlentities, strip_tags....



    I wrote the first <? php ?> tag but not the second... That I simply edited by following directions... but it works... I just need it to validate...

    Thanks!

    I think it would be something like

    PHP Code:
    if $input5 value 3p42r3ad3a4than32
    else echo "YOUR REQUEST IS INVALID WE WILL BLOCK YOU FROM OUR SITE!"
    Like I said before, I think storing the unique ID as a session variable would be best, and then that little tag you have is easy:

    PHP Code:
    if($input5 = "3p42r3ad3a4than32"){
        echo "YOUR REQUEST IS INVALID WE WILL BLOCK YOU FROM OUR SITE!";
    }
    However, I wouldn't just print that out; I would store it in a variable, then print out the site with an error box containing that message / any other messages.

    Sounds to me like you might have tried to bite off more than you can chew... if this is a school project, I just helped you with something you probably should have read about.

  3. #3
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    That's ==, or preferably ===, not =.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
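The session-variable approach the second reply suggests, written with the strict comparison the third reply asks for, as an added example that is not code from the thread. It assumes a single PHP 7+ file that serves the form on GET and handles it on POST; the field names Name, Email and description and the file data.html come from the original post, while form_token is a name made up here.

```php
<?php
// Added example (not from the thread): a per-session random token replaces the
// hard-coded hidden number, and the POST side checks it with hash_equals(),
// which is a strict, constant-time string comparison (never a single "=").
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent   = $_POST['form_token'] ?? '';
    $stored = $_SESSION['form_token'] ?? '';
    if (!is_string($sent)) {          // form_token[]=x would arrive as an array
        $sent = '';
    }
    // The empty check matters: if no token was ever issued, both sides would be
    // "" and compare equal, so a request with no session must be refused too.
    if ($stored === '' || !hash_equals($stored, $sent)) {
        http_response_code(403);
        exit('Invalid form submission.');
    }
    unset($_SESSION['form_token']);   // one-time use: a replayed token is rejected

    // Escape every user-supplied value before it goes into data.html, which is
    // later rendered as HTML (the original wrote the raw $_POST values).
    $clean = [];
    foreach (['Name', 'Email', 'description'] as $field) {
        $raw = $_POST[$field] ?? '';
        $raw = is_string($raw) ? trim($raw) : '';
        $clean[$field] = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    }
    $row = "<tr><td>{$clean['Name']}</td><td>{$clean['Email']}</td>"
         . "<td>{$clean['description']}</td></tr>\n";
    if (file_put_contents('data.html', $row, FILE_APPEND | LOCK_EX) === false) {
        exit('Cannot write to data.html');
    }
    echo 'Success, your information has been submitted.';
    exit;
}

// GET: mint a fresh random token, keep it server-side, embed a copy in the form.
$_SESSION['form_token'] = bin2hex(random_bytes(32));
$token = htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8');
?>
<form action="" method="post">
  <input type="hidden" name="form_token" value="<?= $token ?>">
  Your Name: <input type="text" name="Name"><br>
  Your Email: <input type="text" name="Email"><br>
  File Description: <textarea name="description"></textarea><br>
  <input type="submit" value="Submit">
</form>
```

The token is still visible in the page source, as the second reply points out; what stops a forged submission is that the server only accepts a value it issued to that same session, not that the value is hidden.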
