StewartS Posted August 26, 2008
Hi there, I'm a PHP novice and need a little help! I am doing a simple feedback form (see code below). What I'd like to do is prevent injection of the form. I understand that the ereg() function is used to do this, but I'm unsure exactly where this should go. Help!

<?php
$email = $_REQUEST['email'] ;
$message = $_REQUEST['message'] ;
$name = $_REQUEST['name'] ;
if (!isset($_REQUEST['email'])) {
    header( "Location: http://www.example.com/thankyou.html" );
} elseif (empty($email) || empty($message)) {
    header( "Location: http://www.example.com/error.html" );
} else {
    mail( "mail@example.com", "Subject Heading", $message, $email, "From: $email" );
    header( "Location: http://www.example.com/thankyou.html" );
}
?>

<form method="post" action="sendmail.php">
Email:<br /><input name="email" type="text" style="width: 256px;" /><br /><br />
Message:<br /><input name="message" type="text" style="width: 256px;" /><br /><br />
Name:<br /><input name="name" type="text" style="width: 256px;" /><br /><br />
<input type="submit" />
</form>

Best Regards, Stewart
https://forums.phpfreaks.com/topic/121402-simple-email-form-avoiding-email-injection/
Fadion Posted August 26, 2008
By google searching you'll surely have more answers than in this forum. It is a common issue so why bother. Take a look at this guide. EDIT: By the way, use $_POST instead of $_REQUEST
DarkWater Posted August 26, 2008
What do you mean by injection of the form...? That could mean a hundred different things depending on what you're thinking about. Also, ereg() is used for POSIX Extended regular expressions and doesn't have to necessarily be used for validation. Actually, I'd suggest using preg_match() rather than ereg() because POSIX is removed from PHP6 and PCRE cannot be removed from PHP5.3 or higher, so to keep forward compatibility, use preg_match(). Phew, that was a mouthful.
Fadion Posted August 26, 2008
What do you mean by injection of the form...? That could mean a hundred different things depending on what you're thinking about.
It actually means this
DarkWater Posted August 26, 2008
What do you mean by injection of the form...? That could mean a hundred different things depending on what you're thinking about. It actually means this
That's what I figured he meant, but I wanted to clarify, because ironically enough, posters on this forum usually don't actually mean what they say in the first post. xD
Fadion Posted August 26, 2008
That's what I figured he meant, but I wanted to clarify, because ironically enough, posters on this forum usually don't actually mean what they say in the first post. xD
True but, if we were to talk about quantum physics in a science forum, most of our talk wouldn't mean what we said. So let's respect members new to php
thesaleboat Posted August 26, 2008
Darkwater would you take a look at my post from yesterday n see if you can help me at all... :-X
Fadion Posted August 26, 2008
Darkwater would you take a look at my post from yesterday n see if you can help me at all... :-X
What has that to do with the topic? Have you heard of private messages?
DarkWater Posted August 26, 2008
Darkwater would you take a look at my post from yesterday n see if you can help me at all... :-X
What has that to do with the topic? Have you heard of private messages?
Lol, I had 278 private messages and it didn't say anything like "Inbox full" until I got back from vacation, where it said "Your inbox is 2780% full". I'm like "What...?". xD I just cleared it out the other day. Wait, that was off topic.

On topic: @Thread starter: Your mail() call also seems wrong. Why is the $email variable the 4th parameter to the function? That should be where all the headers go. What were you trying to accomplish?

mail( "mail@example.com", "Subject Heading", $message, $email, "From: $email" );
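Added example, not code from any poster in this thread: a hardened version of Stewart's sendmail.php handler that follows the advice given above (read $_POST only, validate with preg_match()/filter_var() instead of ereg(), and put the headers in the 4th mail() argument). The From address feedback@example.com is an assumed local sender; the recipient and redirect URLs are taken from the original post.

```php
<?php
// Added example (not from the thread): feedback handler hardened against
// email header injection. The attack relies on a CR or LF in a value that
// ends up in a mail header, so header-bound fields are checked for that and
// rejected outright rather than "cleaned".
declare(strict_types=1);

const RECIPIENT = 'mail@example.com';          // from the original post
const SENDER    = 'feedback@example.com';      // assumed local sender address

/** True when the value contains no CR/LF and so cannot start a new header line. */
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

/** Single-line, syntactically valid address suitable for a Reply-To header. */
function isValidEmail(string $value): bool
{
    return isHeaderSafe($value) && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

/** Validates the submitted fields and sends the mail; returns false on any rejection. */
function sendFeedback(array $post): bool
{
    $email   = trim((string) ($post['email'] ?? ''));
    $name    = trim((string) ($post['name'] ?? ''));
    $message = (string) ($post['message'] ?? '');

    if (!isValidEmail($email) || $message === '') {
        return false;
    }
    // Subject and From are fixed server-side; the visitor's address only ever
    // appears in Reply-To (validated above) and the name only in the body.
    $headers = [
        'From: ' . SENDER,
        'Reply-To: ' . $email,
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $body = "Name: {$name}\n\n{$message}";

    return mail(RECIPIENT, 'Subject Heading', $body, implode("\r\n", $headers));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = sendFeedback($_POST);
    header('Location: http://www.example.com/' . ($ok ? 'thankyou.html' : 'error.html'));
    exit;
}
```

Because the message body is not a header, a line break there is harmless; only the values that reach the header block need the CR/LF check.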
thesaleboat Posted August 27, 2008
hahah i was wondering why yours didn't work... oh man off topic again sorry to that one guy :-X