What does this code do - getting blank emails



mcolton
09-25-2009, 01:07 PM
I have many forms that use the php code below (found on the web somewhere). In my html code, all the fields have validation so users CANNOT send emails with blank fields. I think I'm getting these emails with blank fields from bots looking at the .php files and somehow sending blank emails.

What does the "preg_match" code do? Is there a better way to do this? Is there a way to stop the blank emails? What does the "header" line do?
Thanks for ANY help.


if (preg_match('/[\r\n,;\'"]/', $_POST['email'])) {
    exit('Invalid Email Address');
}
else {
    mail($to,$subject,$message,$headers);
    mail($to2,$subject,$message2,$headers);
    header("Location: http://www.lotatennis.com");
}

prasanthmj
09-25-2009, 02:26 PM
Client side validation is not sufficient.

Server side validation is required.
A basic PHP validation goes like this


if(empty($_POST['email'])))
{
exit('Email is required');
}


preg_match in your code is searching for certain characters (\n, \r) in the input, in an attempt to prevent email injection.
The header() function redirects to the home page.

The following pages might be helpful:
PHP Form to email (http://www.html-form-guide.com/email-form/php-form-to-email.html)

Server side PHP form validation (http://www.html-form-guide.com/php-form/php-form-validation.html)

PHP form processing (http://www.html-form-guide.com/php-form/php-form-processing.html)

mcolton
09-25-2009, 03:53 PM
So you think I should replace the "preg_match" line with:
if(empty($_POST['email'])))

BTW, that line has 2 left parentheses and 3 right ones.

forum_amnesiac
09-26-2009, 06:27 AM
No you need to keep the preg_match line to reduce the risk of email injection.

There should only be 2 right parentheses on the 'empty'.

Both of these are server side validation; the 'empty' is checking that there is something in the email field, although it doesn't particularly care what.

You could add this to your code to check that it is a valid email address:

$email=trim($_POST['email']);
if (!preg_match('/\b[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}\b/im', $email')) {
exit(' Valid Email address is required');
}

mcolton
09-27-2009, 11:39 AM
Sorry amnesiac, I'm confused. Should I use your "preg_match" code instead of the one I originally had?
Does that take care of empty email addresses also?
Is there 1 or more ' missing?

forum_amnesiac
09-28-2009, 06:05 AM
The preg_match that I added validates that $email is in a valid email format, it is not a replacement for the original.

The original preg_match is there to reduce the risk of email injection, if this is not a term you know than look it up with your search engine.

This is what the validation should look like in your PHP:


$email=trim($_POST['email']);

// reject anything containing CR, LF, comma, semicolon or quotes (email injection guard)
if (preg_match('/[\r\n,;\'"]/', $email)) {
    exit('Invalid Email Address');

// then require a plausible address format
} else if (!preg_match('/\b[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}\b/im', $email)) {
    exit(' Valid Email address format required');

} else {

    mail($to,$subject,$message,$headers);
    mail($to2,$subject,$message2,$headers);
    header("Location: http://www.lotatennis.com");
}



There is no need to do the empty() test; an empty value in $email will not pass the email format test.

Sorry about the problem with the '; this code should now have the correct number of them.

dr-yassine
09-28-2009, 09:13 AM
Thanks

mcolton
09-28-2009, 11:05 AM
Sorry guys. It didn't work. I uploaded it and filled out a form. I hit submit and got the
"Valid Email address format required" message. The email was my correct email.

traq
09-28-2009, 11:19 PM
A suggestion/question: is it better to use a preg_match instead of the php email filter?


$validEmail = filter_var($email, FILTER_VALIDATE_EMAIL);

forum_amnesiac
09-29-2009, 07:26 AM
mcolton - what was the email address that you used, I use this routine myself and it definitely works.

I can send you some code to test the routine if you want

traq - I use preg_match out of habit and also because the PHP FILTER_VALIDATE_EMAIL used to be vulnerable to email injection, although I believe that is now sorted. Old habits die hard!
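As an added example that is not code from any post in this thread: one server-side check combining forum_amnesiac's injection guard (the combined validation above) with traq's filter_var() suggestion, exercised against constructed test vectors. It assumes the form field is named xemail and that the mail() arguments are set up as in the original handler.

```php
<?php
// Added example, not code from any post in this thread: forum_amnesiac's
// injection guard combined with traq's filter_var() suggestion, plus an
// explicit test for the missing/blank field that produces the "blank emails".

/**
 * Returns null when $raw is safe to hand to mail(), otherwise a short
 * reason string saying why the value was rejected.
 */
function check_email_field(?string $raw): ?string
{
    // Missing or blank field: reject first so the reason is explicit.
    $email = trim((string) $raw);
    if ($email === '') {
        return 'empty';
    }
    // Header injection guard (the original preg_match): a CR or LF inside
    // the value would end the current mail header and start another, so
    // \r, \n and the separator characters , ; ' " are refused outright.
    if (preg_match('/[\r\n,;\'"]/', $email)) {
        return 'injection characters';
    }
    // Format check with PHP's built-in filter instead of a hand-written regex.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'bad format';
    }
    return null;
}

// Constructed test vectors: [input, expected reason]. null models the field
// being absent from $_POST (a bot posting straight to the .php file, or a
// misspelt field name as turns out to be the case later in this thread).
$cases = [
    ['martyc@windstream.net', null],
    ['', 'empty'],
    [null, 'empty'],
    ["a@example.com\r\nBcc: b@example.com", 'injection characters'],
    ['not-an-address', 'bad format'],
];
foreach ($cases as [$input, $expected]) {
    $got = check_email_field($input);
    printf("%-40s => %s\n", json_encode($input), $got ?? 'ok');
    assert($got === $expected, 'unexpected result for ' . json_encode($input));
}
```

In the real handler, call `check_email_field($_POST['xemail'] ?? null)` before the two mail() calls and exit() on any non-null result.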

mcolton
09-29-2009, 11:30 AM
martyc@windstream.net
I put your code online again and tested it again and got the same results. My original code still works.

Also my html validation (below) allows my email address



if (!(/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/.test(email))) {
msg += '- Invalid Email Address: ' + email + '\n';
}

forum_amnesiac
09-29-2009, 12:31 PM
If you try this test code you will see that your email address also passes the preg_match test that I posted.

Perhaps there is something else going on when you post the form field values to your PHP.

Doing server side validation is a bit more secure than client side.


<?php
$email="martyc@windstream.net";
$test="true";
// first pass: format test only, result echoed so you can see it
if (!preg_match('/\b[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}\b/im', $email)) {
    $test="false";
}
echo "test= ".$test." - ".$email."<br>";

// second pass: the full validation exactly as it would sit in the form handler
if (preg_match('/[\r\n,;\'"]/', $email)) {
    exit('Invalid Email Address');

} else if (!preg_match('/\b[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}\b/im', $email)) {
    exit(' Valid Email address format required');

} else {

    echo "email passed";
    /*mail($to,$subject,$message,$headers);
    mail($to2,$subject,$message2,$headers);
    header("Location: http://www.lotatennis.com");*/
}
?>

I have put the preg_match in twice just for testing purposes; the second echo proves whether the email address passes.

mcolton
09-30-2009, 12:07 PM
YAYYYYYYYYYYY. I found the problem. It was the following line.

$email=trim($_POST['email']);

My original POST fieldname is xemail. I changed email to xemail and it worked. Hopefully I won't get any more blank emails. Thanks for your help. But is there something else I can look at if I DO get some more blank emails?