Restricting categories in forms.

  Awestruck 10:38 15 May 2009

I use HTML forms with a PHP handler to obtain emailed feedback. Some retarded low lives use these to email gobbledygook and dodgy links. How can I restrict what is entered? For instance I wish to restrict some text entries to numbers only. And to prevent web addresses being entered in textareas. I know how to check that an email address has the correct syntax but that is the extent of my ability to insist on certain entry formats.

  Kemistri 14:38 15 May 2009

There are quite a lot of ways to do that kind of validation. A bit too much to go into here in any detail, particularly without knowing anything about your script or your level of knowledge. I'll give you a couple of code snippets to start you off.

If you have elseif arrays, you could try adding these:

elseif (strlen($_POST['phone']) > 12) {
    $error_msg .= "The Phone number is limited to 12 digits including spaces. \n";
}

That's a string length check. Example given for a field called "phone".

// preg_match() replaces ereg(), which was removed in PHP 7
elseif (!preg_match("/^[0-9 -]*$/", $_POST['phone'])) {
    $error_msg .= "The Phone number must contain only numbers and spaces. \n";
}

That checks for numerics.

Those are basic examples of how an if/elseif array works. There are other ways of doing more complex and sophisticated validation and this is not the only kind of validation check that you should perform, but I provided it because it's a common method that you might recognise. Basic but reasonably serviceable.

The second query has multiple answers too, and the same caveat applies. Probably the simplest method is to build a bad words array and include snippets of whatever you want to block. For expediency, I'll assume that you know how to structure an array with multiple entries in it. If you don't please ask.

Add this within PHP tags:

$badStrings = array("", "", ""); // fill in the strings to block
foreach ($_POST as $k => $v) {
    foreach ($badStrings as $v2) {
        if (strpos($v, $v2) !== false) {
            header("HTTP/1.0 403 Forbidden");
            exit; // stop here so the handler does not go on to send the mail
        }
    }
}
foreach ($_GET as $k => $v) {
    foreach ($badStrings as $v2) {
        if (strpos($v, $v2) !== false) {
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}

That's a kludgy old system that has been around for years, but it deals with bad words quite effectively (unless you want to give an error message, but that's a different matter altogether). Note the apparent repetition: that's for POST and GET requests because even though you will only use one, spammers and hackers routinely copy your HTML form to their server and change the request method to try to bypass validation. You can check for the right referrer of course, but referrers can be spoofed or not sent at all, so requiring a specific referrer is not very practical.

These are the simple answers, not necessarily as complete or as powerful as I would like, but there is a word limit! Hope that helps.
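The checks described in this post, gathered into one function as an added example (not part of the original post or the poster's script): it accepts only POST instead of scanning both request arrays, rejects non-string fields, and anchors the pattern with `\A...\z` so a trailing newline cannot slip past `$`. The function name `validate_feedback()` and the sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example, not from the thread. validate_feedback() is a
// hypothetical name; 'phone' is the field used in the post above.

function validate_feedback(string $method, array $post): array
{
    // The form only ever submits by POST, so refuse anything else
    // rather than repeating every check against $_GET.
    if ($method !== 'POST') {
        return ['Unsupported request method.'];
    }

    $errors = [];
    $phone = $post['phone'] ?? '';

    // A copied form can send phone[]=x, which arrives as an array and
    // would make strlen()/preg_match() misbehave. Treat it as invalid.
    if (!is_string($phone)) {
        $errors[] = 'The Phone number is not valid.';
    } elseif (strlen($phone) > 12) {
        $errors[] = 'The Phone number is limited to 12 digits including spaces.';
    } elseif (!preg_match('/\A[0-9 -]*\z/', $phone)) {
        // \z matches only at the very end; "$" would also accept a
        // value that ends in a newline.
        $errors[] = 'The Phone number must contain only numbers and spaces.';
    }

    return $errors;
}

// Constructed sample submissions (method, fields).
$samples = [
    ['POST', ['phone' => '01632 960123']],     // 12 characters, digits and a space
    ['POST', ['phone' => '020 7946 0000']],    // 13 characters
    ['POST', ['phone' => "555 0100\n"]],       // trailing newline
    ['POST', ['phone' => ['x']]],              // array instead of string
    ['GET',  ['phone' => '01632 960123']],     // wrong request method
];

foreach ($samples as [$method, $post]) {
    $errors = validate_feedback($method, $post);
    echo $method, ' ', json_encode($post), ' => ',
         $errors ? implode(' | ', $errors) : 'accepted', "\n";
}
```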

  Kemistri 18:48 15 May 2009

Captchas should not be used unless you're happy to harm usability. A website's users don't care whether the guy who built it can't use effective server-side validation until his reliance on a Captcha prevents them from using the form. Then they go elsewhere. Making the captcha obscure enough to defeat image analysis (which is now quite common) makes it impossible for humans to consistently and reliably decipher it. Besides that, anyone with images off or a reliance on assistive software is stuffed. Some developers try to account for this by providing an audible iteration of the word, but that has obvious limitations as well, not least that assistive software does not make use of Javascript (which most read-out-aloud systems use). Captchas are a lazy half-answer with major flaws.

  Kemistri 22:39 15 May 2009

Yeah, you do. That's what server-side validation is for and it's so effective (when done properly), why would you do anything else?

You may have read Craig Buckler's recent opinion about the flaws of Captchas, or the various articles on the most popular UX blogs (UX Mag, etc.), and noticed that they support my view.

  Kemistri 12:59 16 May 2009

Stop it with this attitude forum member. I have really had enough of it. I have told you that before and it has not ceased.

Take a look at my post of yesterday at 2:38, in which I have gone well out of my way to take time out to post code snippets and advice that answers the OP's two queries as well as is possible without even seeing his script.

You completely failed to do anything like that - he asked specifically about server-side validation and you suggested a client-side "solution" that does not answer his questions and isn't even good advice.

  Awestruck 16:19 16 May 2009

Hello Kemistri
Thank you for your helpful tips. I have set up a test page on one of my websites to try out your suggestions. No doubt I will be asking you for some more help if my attempts fail.
Best wishes

  Awestruck 22:24 18 May 2009

Hello Kemistri

I have successfully dealt with the field size and numeric entries. I must now tackle the difficult bit.

Spammers can be semi-human morons or robots. I can think of 3 types of spammer as follows:-

1. Some spammers are just vandals entering gobbledegook but not entering hyperlinks, in which case nothing can (or need) be done. My clients will just delete emails containing gobbledegook with no hyperlinks.

2. If the spammer with criminal intent uses his own copy of my original form he will unfortunately be alerted about the changed handler because the original handler page will not be available. To prevent him being alerted, I will upload the new handler but leave the old handler in the folder. I will change the old handler’s subject to ***SPAM***. Then set a filter in O.E. to delete ***SPAM*** emails from the server.

3. If a spammer with criminal intent uses my current form with the new handler, the new handler will force him to enter restricted items only. It will be necessary to prohibit hyperlinks being entered in the Address and Message fields.

The only “badword” in this case will be http:// therefore an array will not be necessary. I would now like to experiment with your suggestion for preventing the entering of http://

Please would you advise me regarding the best code for this. Does it go in the form or into the handler?
Regards Awestruck

  HighTower 09:11 27 May 2009

If you're in a hurry to get this done then the Webassist Validation Toolkit extension for Dreamweaver can handle most validation tasks including blocking http:// (or anything you specify) in fields. It's a good timesaver. Not free I'm afraid, but very handy!


  HighTower 09:43 27 May 2009

I'm also now in full agreement with Kemistri that good validation will beat most spammers. I've been through most of my web forms in the last week and removed Captcha and anti-spam questions and replaced this with validation.

So far so good, it's doing the job just as effectively as the Captcha system but without the hassle! I'll let you know long term how it compares.

  Awestruck 10:18 27 May 2009

Many thanks High Tower (interesting pseudonym)

I looked at Webassist but it is too expensive for me. I am very keen to learn more PHP coding especially validation of forms. I have now included validation successfully for all the form components except the message text area. I spotted this bit of code:
$pattern = '/\b(https?|ftp|file):\/\/[-A-Z0-9+&@#\/%?=~_|!:,.;]*[-A-Z0-9+&@#\/%=~_|]/i';
$data = preg_replace($pattern, '', $formData);
I think it would be useful for the message area but I do not know how it should be incorporated into my PHP form handler.
I use this sort of filter:
if ((!is_numeric($felix) && !empty($felix)) || (!is_numeric($nico) && !empty($nico))) {
    header("Location: $qtyerrorurl");
    exit;
}
if (empty($username1) || empty($useremail) || empty($useraddrs) || empty($phone)) {
    header("Location: $errorurl");
    exit;
}
if (!is_numeric($phone)) {
    header("Location: $errorphoneurl");
    exit;
}
// Reject CR/LF in values that go into mail headers (preg_match() replaces ereg(), removed in PHP 7)
if (preg_match("/[\r\n]/", $username1) || preg_match("/[\r\n]/", $useremail)) {
    header("Location: $errorurl");
    exit;
}
Regards Awestruck

  Awestruck 16:36 27 May 2009

Hello High Tower

Further to my previous response, I tried the following code for the text area called $message and it failed to allow even genuine entries.

if (preg_match("/http/",$message)); {
header ("Location: $errorurl");
exit ;
Where am I going wrong?
Regards Awestruck
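In the snippet in this post, the semicolon straight after the `if (...)` condition ends the statement there, so the braced block that follows runs for every submission, which matches the behaviour described. The following is an added example (not part of the original post) of the same check done in the handler; `contains_link()` and `handle_message()` are hypothetical helpers and the sample messages are constructed.

```php
<?php
// Added example, not from the thread. contains_link() and
// handle_message() are hypothetical names; $errorurl follows the
// handler quoted above.

function contains_link(string $text): bool
{
    // Case-insensitive, so "HTTP://" is caught as well as "http://".
    // A bare "www." is included because mail clients make it clickable
    // even without a scheme. The scheme must be followed by "://", so
    // the word "http" on its own in a genuine message is not rejected.
    return preg_match('~\b(?:https?|ftp)://|\bwww\.~i', $text) === 1;
}

function handle_message(string $message, string $errorurl): ?string
{
    // No semicolon between the condition and the opening brace:
    // "if (...); {" makes the if control an empty statement, and the
    // block after it then runs unconditionally.
    if (contains_link($message)) {
        // In the real handler: header("Location: $errorurl"); exit;
        return $errorurl;
    }
    return null; // nothing to block, carry on and send the mail
}

// Constructed sample messages.
$samples = [
    'Please send me a brochure.',
    'Cheap pills at HTTP://example.invalid/buy',
    'visit www.example.invalid today',
    'Does your site work over http or only over https?',
];

foreach ($samples as $m) {
    $redirect = handle_message($m, '/error.html');
    echo ($redirect === null ? 'accept' : "redirect to $redirect"), ': ', $m, "\n";
}
```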

This thread is now locked and can not be replied to.
