
Forum Moderators: coopster & jatar k


Request for testing and feedback

Find holes in my php form parser



2:23 am on Jan 9, 2007 (gmt 0)

10+ Year Member

Hi all -
I have been busy learning php these past few months and now would like some help and/or feedback.

I know everyone and their dog has a form script but as a learning project, I created a parser that has made it really simple to implement forms. (My next step is to turn it into a class.)

It takes input that looks like this:

// Masks
$mask['text'] = " name ¦ type ¦ desc ¦ label ¦ regex ";
$mask['textarea'] = " name ¦ type ¦ desc ¦ rows ¦ cols ";
$mask['radio'] = " name ¦ type ¦ desc ¦ label ¦ reqd ";

// Specs

$item[1] = " client name ¦ text ¦ Name ¦ Your name ¦ fullname ";
$item[2] = " message ¦ textarea ¦ Message ¦ 20 ¦ 30 ";
$item[3] = " time¦radio¦Preferred time¦Please state preferred time, if any ¦false";
$choicelist[3] = " morning¦afternoon¦evening ";


name becomes the variable name in the $_POST array (spaces are closed up so 'client name' becomes 'clientname')
type is one of text, textarea, select, checkbox, radio
desc is used to describe the data in the email message
label is displayed next to the form input - like brief instructions
. . . and so on

and uses it to create the html to display the form, validate the input, display error messages in the form and display a copy of the sent message when done.

I have implemented these forms on a couple of sites but I am somewhat isolated and I would like someone to try to 'break' them so I can know how robust (or not) they are.

Is this forum an appropriate place to ask for this kind of feedback? If you are willing to take a look at them, please reply so I can give you the link to my site. If you want a copy of the code to use yourself, I will give it away but not until it has been 'stress tested'.

Any/all feedback much appreciated.




2:59 am on Jan 9, 2007 (gmt 0)

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 5+ Year Member

Not exactly sure what you mean by "stress testing" with something like this. Generally we do not do the grunt work because it is part of the poster's learning process if they do it themselves; it seems to be ok, though. :)

If you are doing this strictly for educational purposes then you should go ahead and make it into a class if you want, and then try out different methods to see how the results respond to those changes.

However, if you have already passed the educational stage then you would be better off using a pre-made solution available at some of the script repositories such as sourceforge.net or phpclasses.org.

Best of luck!


3:29 am on Jan 9, 2007 (gmt 0)

10+ Year Member

Thanks for the feedback.

I don't mean to ask anyone to do 'grunt' work.

I guess I'm just nervous - I have run a fair bit of test stuff through the forms - and I made sure that none of the email injection strings like the ones at [securephpwiki.com] would get through.

And I have an error handler and an error log file. . . time will tell I guess!


[edited by: CDNQuilter at 3:31 am (utc) on Jan. 9, 2007]
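
The spec format from the first post, parsed against its mask and followed by a header-injection check of the kind the post above refers to. This is an added example, not CDNQuilter's code: the function names, the handling of the ¦ delimiter as it is displayed on this page, and the rejection rule are assumptions, and the sample submissions are constructed.

```php
<?php
// Added example, not the poster's code. Delimiter and field layout follow the
// masks and specs shown in the first post; function names are hypothetical.
const DELIM = '¦';

// Split a mask or spec string into trimmed fields.
function split_fields(string $line): array {
    return array_map('trim', explode(DELIM, $line));
}

// Pair a spec with the mask for its type (the type is always the second field).
function parse_item(string $spec, array $masks): array {
    $values = split_fields($spec);
    $type = $values[1] ?? '';
    if (!isset($masks[$type])) {
        throw new InvalidArgumentException("unknown type: $type");
    }
    $keys = split_fields($masks[$type]);
    if (count($keys) !== count($values)) {
        throw new InvalidArgumentException('spec does not match mask');
    }
    $item = array_combine($keys, $values);
    // "client name" becomes "clientname", as described in the post.
    $item['name'] = preg_replace('/\s+/', '', $item['name']);
    return $item;
}

// Reject a value bound for a mail header if it contains CR, LF or NUL, raw or
// URL-encoded (assumed rule; the thread does not show the poster's checks).
function is_header_safe(string $value): bool {
    return preg_match('/[\r\n\0]|%0[0ad]/i', $value) === 0;
}

$mask = ['text' => ' name ¦ type ¦ desc ¦ label ¦ regex '];
$item = parse_item(' client name ¦ text ¦ Name ¦ Your name ¦ fullname ', $mask);

// Constructed sample submissions for the "clientname" field.
$samples = [
    'Jane Doe',
    "Jane\r\nBcc: third-party@example.com",
    'Jane%0ABcc: third-party@example.com',
];
foreach ($samples as $value) {
    $verdict = is_header_safe($value) ? 'accept' : 'reject';
    printf("%s: %s => %s\n", $item['name'], json_encode($value), $verdict);
}
```

Only the first sample is accepted. The check belongs on any field that ends up in a mail header (name, subject, reply address), not on the message body, where line breaks are legitimate.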


3:38 am on Jan 9, 2007 (gmt 0)

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 5+ Year Member

We have a great thread in our library [webmasterworld.com]: Combatting Webform Hijack [webmasterworld.com]. Maybe it can offer you some insight. You may find some other threads of interest in there, too ;)
