
Thread: What does this code do - getting blank emails

  1. #1
    Join Date
    May 2009
    Location
    Greensboro, GA
    Posts
    163
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Default What does this code do - getting blank emails

    I have many forms that use the php code below (found on the web somewhere). In my html code, all the fields have validation so users CANNOT send emails with blank fields. I think I'm getting these emails with blank fields from bots looking at the .php files and somehow sending blank emails.

    What does the "preg_match" code do? Is there a better way to do this? Is there a way to stop the blank emails? What does the "header" line do?
    Thanks for ANY help.

    PHP Code:
    if (preg_match('/[\r\n,;\'"]/', $_POST['email'])) {
      exit('Invalid Email Address');
    }
    else {
      mail($to, $subject, $message, $headers);
      mail($to2, $subject, $message2, $headers);
      header("Location: http://www.lotatennis.com");
    }


  2. #2
    Join Date
    Nov 2008
    Posts
    58
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Default

    Client side validation is not sufficient.

    Server side validation is required.
    A basic PHP validation goes like this
    PHP Code:
    if(empty($_POST['email'])))
    {
       exit('Email is required');
    }

    preg_match in your code is searching for certain characters (\n, \r) in the input, in an attempt to prevent email injection.
    The header() function redirects to the home page.

    The following pages might be helpful:
    PHP Form to email

    Server side PHP form validation

    PHP form processing

  3. #3
    Join Date
    May 2009
    Location
    Greensboro, GA
    Posts
    163
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Default

    So you think I should replace the "preg_match" line with:
    if(empty($_POST['email'])))

    BTW, that line has 2 left parentheses and 3 right ones.

  4. #4
    Join Date
    Apr 2009
    Location
    Cognac, France
    Posts
    400
    Thanks
    2
    Thanked 57 Times in 57 Posts

    Default

    No, you need to keep the preg_match line to reduce the risk of email injection.

    There should only be 2 right parentheses on the 'empty'.

    Both of these are server side validation, the 'empty' is checking that there is something in the email field although it doesn't particularly care what.

    You could add this to your code to check that it is a valid email address:
    PHP Code:
    $email = trim($_POST['email']);
    if (!preg_match('/\b[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}\b/im', $email')) {
       exit('Valid Email address is required');
    }


  5. #5
    Join Date
    May 2009
    Location
    Greensboro, GA
    Posts
    163
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Default

    Sorry amnesiac, I'm confused. Should I use your "preg_match" code instead of the one I originally had?
    Does that take care of empty email addresses also?
    Is there 1 or more ' missing?

  6. #6
    Join Date
    Apr 2009
    Location
    Cognac, France
    Posts
    400
    Thanks
    2
    Thanked 57 Times in 57 Posts

    Default

    The preg_match that I added validates that $email is in a valid email format, it is not a replacement for the original.

    The original preg_match is there to reduce the risk of email injection, if this is not a term you know then look it up with your search engine.

    This is what the validation should look like in your PHP:

    PHP Code:
    $email = trim($_POST['email']);

    if (preg_match('/[\r\n,;\'"]/', $email)) {
      exit('Invalid Email Address');

    } else if (!preg_match('/\b[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}\b/im', $email)) {
      exit(' Valid Email address format required');

    } else {

      mail($to, $subject, $message, $headers);
      mail($to2, $subject, $message2, $headers);
      header("Location: http://www.lotatennis.com");
    }

    There is no need to do the empty() test, an empty value in $email will not pass the email format test.

    Sorry about the problem with the ', this code should now have the correct number of them

  7. #7
    Join Date
    Sep 2009
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    merci

  8. #8
    Join Date
    May 2009
    Location
    Greensboro, GA
    Posts
    163
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Default

    Sorry guys. It didn't work. I uploaded it and filled out a form. I hit submit and got the
    "Valid Email address format required" message. The email was my correct email.
    Last edited by mcolton; 09-28-2009 at 11:16 AM.

  9. #9
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    A suggestion/question: is it better to use a preg_match instead of the php email filter?

    PHP Code:
    $validEmail = filter_var($email, FILTER_VALIDATE_EMAIL);

  10. #10
    Join Date
    Apr 2009
    Location
    Cognac, France
    Posts
    400
    Thanks
    2
    Thanked 57 Times in 57 Posts

    Default

    mcolton - what was the email address that you used? I use this routine myself and it definitely works.

    I can send you some code to test the routine if you want.

    traq - I use preg_match out of habit and also because the PHP Filter_Validate_Email used to be vulnerable to email injection, although I believe that is now sorted. Old habits died hard!
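
The server-side checks this thread converges on, as an added example that is not code from any poster: it rejects missing fields (a direct POST to the .php file bypasses the HTML validation), rejects CR/LF before the value can reach a mail header, and uses filter_var for the address format. The field names `name` and `message` and the sample submissions are assumptions constructed for illustration.

```php
<?php
// Added illustration. Field names and sample data are assumptions,
// not taken from the original form.

/** Return a list of validation errors for one form submission. */
function validate_contact_form(array $post): array
{
    // Treat missing or non-string values (e.g. email[]=x) as empty.
    $get = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $errors = [];

    // Required fields: HTML/JS validation never runs for a direct POST.
    foreach (['name', 'email', 'message'] as $field) {
        if (trim($get($field)) === '') {
            $errors[] = "$field is required";
        }
    }

    // Check the raw value, before trim(), for line breaks that could
    // start a new header if the value is copied into $headers.
    foreach (['name', 'email'] as $field) {
        if (preg_match('/[\r\n]/', $get($field))) {
            $errors[] = "$field contains a line break";
        }
    }

    $email = trim($get('email'));
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'empty POST from a bot' => [],
    'line break in email'   => ['name' => 'x', 'message' => 'hi',
                                'email' => "a@example.com\r\nX-Injected: 1"],
    'valid submission'      => ['name' => 'Ann', 'message' => 'hi',
                                'email' => 'ann@example.com'],
];
foreach ($samples as $label => $post) {
    $errors = validate_contact_form($post);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok', "\n";
}
```

In the form handler, call mail() only when the returned list is empty, and follow header("Location: ...") with exit, since header() alone does not stop the script.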
