server side form validation method

Deva 03 Feb, 2009
Hello there
I am really frustrated: not being a developer, and having very little knowledge of PHP, I really don't understand the server side form validation method.

Can anybody please help me with these questions I have about ChronoForms?

1. I don't know if ChronoForms verifies all the form data on submit by default?
2. Can we just use the default validation script? Is it enough for the website security, form security?
3. If I use the standard fields like name, email, subject, etc., is there any information on how to verify those standard fields on the server side with PHP?
4. I found the http://www.regular-expressions.info/ website; there is so much stuff about my problem, but I am totally lost with that. If I use their expressions, is it going to work with ChronoForms?

I would like to have a very simple tutorial or explanation: if in my form there is a text input labeled "Name:", what PHP code should I put to do a server side verification?

Please help
GreyHead 03 Feb, 2009
Hi Deva,

First **you** need to decide what you need to validate. No-one else can do that for you!!

1. No
2. Probably but see my comment above
3. No, if you want server side validation you need to code it yourself (or have someone do it for you)
4. Probably not unless you embed it into your code.

If you want to validate a 'name' field it's probably enough to make it required. Go to the Validation tab, set Validation to On and put the field name in the Required box.

Bob
Deva 03 Feb, 2009
Hello Bob
Thanks for your reply.

If needed I will do it by myself.

Yet can you please clear some doubts / questions I have? Please!

I have always heard that forms are not secure and the website can get hacked through them.

So in that case, is ChronoForms secure against those exploits?

I have no PHP knowledge as said earlier and I am really worried about my website security.

I bought the professional ChronoForms component just for that, thinking I could rely on someone expert in PHP.

I am using only the default functions of ChronoForms; do I have to worry in that case?

I am sure everything is already taken care of with ChronoForms for security problems.

Yet as I read through the forum there is still a need for server side validation; in that case why not include it directly in ChronoForms so people like me can relax in their minds with questions like these?

Here is my code example:
<div class="form_item">
<div class="form_element cf_textbox">
<label class="cf_label">Name :</label>
<input class="cf_inputbox required" maxlength="150" size="30" id="text_4" name="text_4" type="text">
</div><div class="clear"> </div>
</div>

What do I need to put for server side verification to validate the "name" field? Can you please provide an example?

I have Mootools validation set "on".
Do I also need to have server side validation?

Sorry for lots of questions but I really appreciate help with all this; at least please clear my mind with all this 😢

Thanks
GreyHead 03 Feb, 2009
Hi Deva,

ChronoForms itself is neither secure nor insecure. You need to use validation and security checks to make sure that the data that is input is checked. Using the Joomla JRequest::getVar() syntax to read submitted data will help a lot.

Better safe than sorry!

Bob
Max_admin 03 Feb, 2009
Hi Deva,

No exploits are known in ChronoForms at the moment. If you do not use any PHP code in your form then you have not added any risk to this; however, if you use any kind of PHP code then you need to do it the very secure way or you are under some risk.

If you are going to use the form to send or store some critical data then you must make sure your website and the form are secured by https, and your database is secure too if you will store any such data!

Regards,
Max
Max, ChronoForms developer
ChronoMyAdmin: Database administration within Joomla, no phpMyAdmin needed.
ChronoMails simplifies Joomla email: newsletters, logging, and custom templates.
Deva 04 Feb, 2009
Thanks both of you for the reply.

As per what Max said, and if I understood it well,

here is what I learned (that also gave me peace of mind):

I have a very simple form made through the ChronoForms wizard where I collect the classic information like name, url, email etc. I have not used or added any PHP code myself to that form, I have disabled the load css/js file but activated the Mootools validation on the client side... my form collects the information and simply sends it to the given email address.... add to database is also disabled.....

In that case I don't need any server side verification as ChronoForms will handle everything, am I right?

Also I learned I will need to have server side verification only if I use some PHP code in my form, am I right?

If so things are more clear for me now. Thanks again.

Please answer these questions ..🙂
Max_admin 04 Feb, 2009
Hi Deva,

> In that case I don't need any server side verification as ChronoForms will handle everything, am I right?

Verification is to make sure that the data posted by the form is as you expect. You can use either Mootools or server side validation; the server side one is more secure but will need you to write a small piece of code in order for it to work!

> Also I learned I will need to have server side verification only if I use some PHP code in my form, am I right?

No, this has nothing to do with your PHP, look at my answer above.

Regards
Max
Deva 06 Feb, 2009
Hello again

Sorry for not replying before, but I did search on Google and I am more clear with this stuff.

I understood that there is no built in server side validation in ChronoForms; the JavaScript or Mootools validation is only for client side validation. I can understand also that this way everyone can do his own validation with a custom PHP script using regular expressions. I hope this time I am right ....

I misunderstood before, I thought that ChronoForms does handle the standard form inputs like alphanumeric, email, urls, message box?
This is not the case.

I found also that if I disable JavaScript on IE or Firefox there is no validation at all, so in that case I will need to add validation before the data is sent to the given email...

I still ask: is it possible for you to add built in server side validation with regular expressions in the next version, let's say as you did with JavaScript:

1. I make my form, I give it the client side validation
2. I go to the validation tab, then I activate the server side validation, I choose my field and say this is alpha, this is alphanumeric, this is url,
this way my form can have both validation methods active.

I am giving the idea, yet I don't know if it is that easy as I am saying.

Or another way:
just add some kind of tutorial which can give us an idea how to add some regularly used input validation with PHP to our forms,
like how to validate name, urls, email, etc..

Thanks
GreyHead 06 Feb, 2009
Hi Deva,

I think most of what you have written is correct. I also think that it is unlikely that Max will add server side validation in future versions - there is the capability for you to do it for yourself - and there are many more things that you might choose to do server side to validate and process your results.

That said, Googling 'php form validation' will find you plenty of example scripts to look at.

Bob
Max_admin 06 Feb, 2009
Hi Deva,

And you have a "server side validation" box there, as Bob said. When you find some useful piece of PHP that does the validation, you need to copy and paste it in the "server side" box of ChronoForms and it will run on form submit, and if the case was not validated then the form will return and show the error!

Regards,
Max
Deva 08 Feb, 2009
Hello there again

I am still learning about server side validation, going through each and every possible post of this forum and through Google.

Anyway I will not continue posting here, as everything is much clearer for me on how it works (still I don't know how to use it with ChronoForms).

What I suggest for the next release of ChronoForms is the following (Max, I am sure you already know this 😶):

Sanitize and Validate Data with PHP Filters

Most people tend to think of data validation as an immensely tedious process where one either:

* Compares the data they want to validate against every possible combination they can think of.
* Tries to find a golden Regular Expression that will match every possible combination.
* A combination of the two.

There are obvious problems with the above listed:

* It's absolutely time consuming.
* There is a very high chance of error.

Fortunately, beginning with version 5.2, PHP has included a great function called filter_var that takes away the pain of data validation.

filter_var In Action

filter_var will do, both, sanitize and validate data. What's the difference between the two?

* Sanitizing will remove any illegal character from the data.
* Validating will determine if the data is in proper form.

Note: why sanitize and not just validate? It's possible the user accidentally typed in a wrong character or maybe it was from a bad copy and paste. By sanitizing the data, you take the responsibility of hunting for the mistake off of the user.

How to use filter_var

Using filter_var is incredibly easy. It's simply a PHP function that takes two pieces of data:

* The variable you want to check
* The type of check to use

For example, the below code will remove all HTML tags from a string:

$string = "<h1>Hello, World!</h1>";
$new_string = filter_var($string, FILTER_SANITIZE_STRING);
// $new_string is now "Hello, World!"
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; strip_tags($string) gives the same result here.

Here's another example -- this time more difficult. The below code will ensure the value of the variable is a valid IP address:

$ip = "127.0.0.1";
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
// $valid_ip is "127.0.0.1": on success filter_var returns the validated value (truthy), not TRUE

$ip = "127.0.1.1.1.1";
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
// $valid_ip is FALSE

That's how simple it is to use filter_var. For a complete list of all the rules you can check against, see the end of this tutorial.

Sanitizing Example

Below is a quick example of sanitizing input from two fields: an email field and a home page field. This example will remove any characters that should not occur in either type of data.

<?php
// Sanitizing strips characters that do not belong in an email address or a URL;
// it is not HTML escaping, so anything echoed back into the page still goes
// through htmlspecialchars() to prevent reflected script injection.
if (isset($_POST['email'])) {
    echo htmlspecialchars(filter_var($_POST['email'], FILTER_SANITIZE_EMAIL), ENT_QUOTES, 'UTF-8');
    echo "<br/><br/>";
}

if (isset($_POST['homepage'])) {
    echo htmlspecialchars(filter_var($_POST['homepage'], FILTER_SANITIZE_URL), ENT_QUOTES, 'UTF-8');
    echo "<br/><br/>";
}

// Re-populate the fields only from values that were actually posted (no
// undefined-index notice on first load) and escape them for the attribute.
$email    = isset($_POST['email']) ? htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8') : '';
$homepage = isset($_POST['homepage']) ? htmlspecialchars($_POST['homepage'], ENT_QUOTES, 'UTF-8') : '';
?>

<form name="form1" method="post" action="form-sanitize.php">
    Email Address: <br/>
    <input type="text" name="email" value="<?php echo $email; ?>" size="50"/> <br/><br/>
    Home Page: <br/>
    <input type="text" name="homepage" value="<?php echo $homepage; ?>" size="50" /> <br/>
    <br/>
    <input type="submit" />
</form>

Continue reading at http://nettuts.com/tutorials/php/sanitize-and-validate-data-with-php-filters/

This is just to help you Max and also to help myself and other ChronoForms users; I and others will really appreciate it if you include something like this as built in form validation in the next release 🙂

Learning all this stuff is a really hard part for people like me; I am working on my project and really wanted to rely on one component like ChronoForms, RSForm.

I have used RSForm in the past; it does have built in server side validation (only alpha & alphanum) that can be enough for some simple forms..

I really liked ChronoForms and if you add the validation method it will be the best form component out there 😀

I will leave the validation for my site for a while as I have not finished my project yet; maybe in one month I will PM you to have a look 🙂

Thanks for your understanding 😀
GreyHead 08 Feb, 2009
Hi Deva,

I'm really not sure what you are asking or saying here.

As you wrote, filter_var() is only available in PHP 5.2 and yet the Joomla 1.5 minimum requirement is PHP 4.3.1. So Max and other extension writers have to be very careful using features that may break extensions for users who don't have PHP 5.2.

Also there is already some filtering like this built into Joomla 1.5. Using the JRequest::getString() and JRequest::getInt() methods will do the validation that you are saying that RSForm has. With these you can do numeric and alphanumeric validation in the ServerSide validation box in one line:
if ( JRequest::getInt('some_number', '', 'post') == "" ) return "Please enter a number";
These functions will also strip html tags and do some, though not all, of the filtering that is offered by filter_var().

If you ask questions here that are *specific* - "How do I validate an IP address?" - then we can try to answer them. Broad questions - "How do I validate results from my forms?" - are next to impossible to answer in any useful way without writing a book first.

If we can give the answer in two minutes then you are much more likely to get a quick and useful reply than if it takes two hours or two days to research and write.

Bob
Max_admin 08 Feb, 2009
Hi Deva,

Thanks for the PHP function info. I want to add that the current built in server side validation method in ChronoForms gives you the ability to run all your examples by a simple copy and paste and adding some "return" line; there is an example beside the box in the "validation" tab. I made it like this because it's very hard to cover every possibility of validation!

Regards,
Max
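As an added example (not ChronoForms' or Joomla's own code), this is the kind of snippet Max and Bob describe pasting into the "server side validation" box: it applies the filter_var() checks from the tutorial Deva quoted to Deva's text_4 Name field plus assumed 'email' and 'homepage' fields, and follows the thread's convention that returning a string stops the form and shows that string as the error.

```php
<?php
// Added example, not ChronoForms' or Joomla's own code. Written for the ChronoForms
// "server side validation" box: return an error string to stop the form and show
// the message, return nothing to let the submission through (the convention Bob's
// one-liner in this thread uses). Field names: text_4 is Deva's Name field;
// 'email' and 'homepage' are assumed field names.

function validate_contact_form(array $post)
{
    // Name: required, tags stripped, and bounded like the field's maxlength="150".
    $name = isset($post['text_4']) ? trim(strip_tags($post['text_4'])) : '';
    if ($name === '') {
        return 'Please enter your name.';
    }
    if (strlen($name) > 150) {
        return 'Name is too long (150 characters maximum).';
    }

    // Email: sanitize away stray characters first, then validate what is left.
    $email = isset($post['email'])
        ? filter_var(trim($post['email']), FILTER_SANITIZE_EMAIL)
        : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Please enter a valid email address.';
    }

    // Homepage: optional, but if given it must be a well-formed http(s) URL.
    // FILTER_VALIDATE_URL accepts other schemes, so the scheme is checked explicitly.
    $url = isset($post['homepage']) ? trim($post['homepage']) : '';
    if ($url !== '') {
        if (filter_var($url, FILTER_VALIDATE_URL) === false
            || !preg_match('#^https?://#i', $url)) {
            return 'Please enter a web address starting with http:// or https://.';
        }
    }

    return null; // every check passed; the form continues to its email/database steps
}

// Inside the ChronoForms box itself, the last lines would be:
//   $error = validate_contact_form($_POST);
//   if ($error !== null) return $error;
```

Within Joomla the submitted values can also be read through JRequest::getVar() as Bob suggests; the checks above stay the same whichever way the array is obtained.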
ramon 05 Mar, 2009
Hello all,

Regarding server-side validation, I found this script, which seems interesting.
I'm not enough of a PHP expert to evaluate if it's really a good script, or even safe, and how difficult it would be to implement this in ChronoForms, but it seemed OK as well as extensible.

Having this class would make it easier to implement the server-side validation in ChronoForms.

What do you think?

How could I use this in ChronoForms?
Do you recommend it?
Max_admin 06 Mar, 2009
Hi Ramon,

It looks good, but the current server side validation is open for more than just a simple validation; you can stop the form if some value is not identical to another one in the database, for example. But the one used at the link is still a good one and can be applied easily. I will copy the post to the suggestions forums and check it in time!

Cheers
Max