Bottyz Posted September 6, 2010 Share Posted September 6, 2010 Hi all, A friend of mine has recently implemented the following code on his website but it doesn't check to see if any of the fields are empty. Can anyone provide pointers as to where the best place to validate user input would be? <?php $notindomain_errorpage = "errors.php"; $server_errorpage = "errors.php"; $invalidaddress_errorpage = "errors.php"; $successpage = "thankyou.php"; $recipient="user@user.com"; $subject="Web site feedback"; // Set the server variables for older (PHP4,3 etc) systems if (!isset($_SERVER)){ $_POST = &$HTTP_POST_VARS; $_SERVER = &$HTTP_SERVER_VARS; } $servername = $_SERVER['SERVER_NAME']; if ($_SERVER['REQUEST_METHOD']=="POST") { if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])>7 || !strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) { header( "Location: ".$notindomain_errorpage ); exit; } else { $msg="The following information was submitted from a form on ".$servername.":\n\n"; foreach($_POST as $key => $val) { //filter out any form items called send or reset //image based submit and reset buttons will be in the format // send_x: 13 // send_y: 10 $myKeySlice = substr("$key",0,4); if ($myKeySlice != "send" && $myKeySlice != "rese"){ if ($key == "subject" || $key == "email" || $key == "name"){ //Prevent injection attacks by stripping tags and newlines from the data //Do this only on data that makes it into the e-mail header as newlines in a message body should still be valid $key = strip_tags($key); $val = strip_tags($val); if (eregi("\r",$key) || eregi("\n",$key)){ header( "Location: ".$notindomain_errorpage ); exit; } if (eregi("\r",$val) || eregi("\n",$val)){ header( "Location: ".$notindomain_errorpage ); exit; } } //replace any underscores in the input names (PHP puts these in!) with spaces $key = str_replace("_"," ",$key); //if the form item is called "subject" then set this as the subject line of the mail if ($key == "subject"){ $subject=$val; } else { if (is_array($val)){ $msg.="Item: $key\n"; foreach($val as $v) $msg.="ÊÊÊ$v\n"; } else { $msg.="$key: $val\n"; } } } } //set up the default headers $headers = ""; //get the senders name (if specified) if ($_POST["name"]) { $name = $_POST["name"]; } else { $name = ""; } //get the senders email address (if specified) if (isset($_POST["email"])) { $email = $_POST["email"]; if (!preg_match('/^[a-zA-Z0-9_\.-]+@[a-zA-Z0-9-\.]+\.[a-zA-Z]+(\.[a-zA-Z]+)?$/', $email)){ header( "Location: ".$invalidaddress_errorpage ); exit; } } else { $email = "website@website.co.uk"; //clear the name so we don't end up with username @ webmaster's address! $name = ""; } $headers .= "From: $name <$email>\r\n"; //add the correct headers for plain text //see: http://www.webmasterworld.com/php/3949990.htm $headers .= "MIME-Version: 1.0\n"; $headers .= "Content-type: text/plain; charset=\"ISO-8859-1\"\n"; $headers .= "Content-transfer-encoding: 7bit\n"; $headers .= "Reply-To: $email\r\n"."Return-Path: $email"; error_reporting(0); if (mail($recipient, $subject, $msg, $headers)){// header( "Location: ".$successpage ); } else { header( "Location: ".$server_errorpage ); } } } else { header( "Location: ".$server_errorpage ); } ?> I'm thinking it should be somewhere around the foreach($_POST line? But i'm not familiar with arrays. Can anyone help please? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.