begeiste Posted October 10, 2007 Share Posted October 10, 2007 Hi, Not sure why I have added if (ereg('^[a-zA-Z0-9_.-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+$', user still can add a bunch of invalid texts which still be able to added into database? Here are the scripts: <?php //set up a couple of functions function doDB(){ global $conn; //connect to server and select database; you may need it $conn = mysql_connect('localhost','root','root') or die (mysql_error()); mysql_select_db('photos') or die (mysql_error()); } function emailChecker($email){ global $conn, $check_result; //check that email is not already in list $check = "select id from subscribers where email = '$email'"; $check_result = mysql_query($check, $conn) or die(mysql_error()); } function valid_email($email) { // check an email address is possibly valid if (ereg('^[a-zA-Z0-9_.-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+$', $email)) return true; else return false; } //determine if they need to see the form or not if($_POST[op] !="ds"){ //they do, so create form block $display_block = " <form method=POST action=\"$_SERVER[php_SELF]\" class='rmessage'> <p><b>Your email address:</b><br> <input type=text name=\"email\" size=40 maxlength=150> <p><b>Action:</><br> <input type=radio name=\"action\" value=\"sub\" checked>Subscribe <input type=radio name=\"action\" value=\"unsub\">Unsubscribe <input type=\"hidden\" name=\"op\" value=\"ds\"> <p><input type=submit name=\"submit\" value=\"Submit Form\"></p> </form>"; }else if(($_POST[op] == "ds") && ($_POST[action] == "sub")){ //trying to subscribe; validate email address if($_POST[email] == ""){ header("Location: manage.php"); exit; } //connect to database doDB(); //check that email is in list emailChecker($_POST[email]); //get number of results and do action if(mysql_num_rows($check_result) < 1){ //add record $sql = "insert into subscribers values('','$_POST[email]')"; $result = mysql_query($sql) or die (mysql_error()); $display_block = "<div style='background-color:#FFFFCC; width:50%; margin-left:auto; margin-right:auto; font-family:Arial, Helvetica, sans-serif; font-size:12px; padding-top:20px; padding-left:10px; padding-right:10px;padding-bottom:10px; border:solid 1px #000;'>Thanks for signing up!<br><br><a href='manage.php'>Subscribe it</a><br><a href='/index.php'>Go back HOME</a></div>"; }else { //print failure message $display_block = "<div style='background-color:#FFFFCC; width:50%; margin-left:auto; margin-right:auto; font-family:Arial, Helvetica, sans-serif; font-size:12px; padding-top:20px; padding-left:10px; padding-right:10px; padding-bottom:10px; border:solid 1px #000;'>You're already subscribed!<br><br><a href='manage.php'>Subscribe it</a><br><a href='/index.php'>Go back HOME</a></div>"; } }else if(($_POST[op] == "ds") && ($_POST[action] == "unsub")){ //trying to unsubscribe; variable email address if($_POST[email] == ""){ header("Location: manage.php"); exit; } //connect to database doDB(); //check that email is in list emailChecker($_POST[email]); //get number of results and do action if(mysql_num_rows($check_result) < 1){ //print failure message $display_block = " <div style='background-color:#FFFFCC; width:50%; margin-left:auto; margin-right:auto; font-family:Arial, Helvetica, sans-serif; font-size:12px; border:solid 1px #000; padding-top:20px; padding-left:10px; padding-right:10px;padding-bottom:10px;'>Couldn't find your address!<br>No action was taken.<br><br><a href='manage.php'>Subscribe it</a><br><a href='/index.php'>Go back HOME</a></div>"; }else{ //unsubscribe the address $id = mysql_result($check_result, 0, "id"); $sql = "delete from subscribers where id ='$id'"; $result = mysql_query($sql) or die(mysql_error()); $display_block = "<div style='background-color:#FFFFCC; width:50%; margin-left:auto; margin-right:auto; font-family:Arial, Helvetica, sans-serif; font-size:12px; border:solid 1px #000; padding-top:20px; padding-left:10px; padding-right:10px;padding-bottom:10px;'>You're unsubscribed!<br><br><a href='manage.php'>Subscribe it</a><br><a href='/index.php'>Go back HOME</a></div>"; } } ?> <html> <head> <title>Subscribe/Unsubscribe</title> <style> h1{font-family:Arial, Helvetica, sans-serif; font-size:16px; background-color:#FF9900; height:40px; padding:10px 0 0 10px;} body {background-color: #666666;} .top{height:60px; background-color:#FFCC33; width:50%; margin-left:auto; margin-right:auto; padding:10px; border-top:solid 1px #000;border-left:solid 1px #000;border-right:solid 1px #000;} .rmessage{background-color:#FFFFCC; width:50%; margin-left:auto; margin-right:auto; font-family:Arial, Helvetica, sans-serif; font-size:12px; padding:10px; border:solid 1px #000;} </style> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></head> <body> <div class="top"><h1>Subscribe/Unsubscribe</h1><div style="font-family:Arial, Helvetica, sans-serif; font-size:10px; color:#666666; padding-top:5px;">We'll send you our News Letter frequently</div></div> <?php echo "$display_block"; ?> </body> </html> Quote Link to comment Share on other sites More sharing options...
MadTechie Posted October 10, 2007 Share Posted October 10, 2007 may help if you used the function!!! ie emailChecker($_POST[email]); if (!valid_email($_POST['email'])) { die("Bad email"); } Quote Link to comment Share on other sites More sharing options...
Aureole Posted October 10, 2007 Share Posted October 10, 2007 Use this I think it works better... <?php function valid_email($email) { if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) { return false; } $email_array = explode("@", $email); $local_array = explode(".", $email_array[0]); for ($i = 0; $i < sizeof($local_array); $i++) { if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) { return false; } } if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { $domain_array = explode(".", $email_array[1]); if (sizeof($domain_array) < 2) { return false; } for ($i = 0; $i < sizeof($domain_array); $i++) { if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) { return false; } } } return true; } ?> Quote Link to comment Share on other sites More sharing options...
MadTechie Posted October 10, 2007 Share Posted October 10, 2007 sorry Aureole, but i have to disagree.. Simple check i use, you could check the domain exists but i hardly see the point! i use member email activation!! if (eregi('^[A-Z0-9._%+-]+@([A-Z0-9-]+\.)+[A-Z]{2,4}$', $email)) { # valid email } else { # invalid email } Quote Link to comment Share on other sites More sharing options...
Aureole Posted October 10, 2007 Share Posted October 10, 2007 I wouldn't know, I didn't write the code I posted; I was just told it was the best way of doing it. I use E-mail validation too so should I use your method? Quote Link to comment Share on other sites More sharing options...
MadTechie Posted October 10, 2007 Share Posted October 10, 2007 IF the one you posted is surposed to be a RFC 2822 Standard you could use if(eregi("(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(??:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(??:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])",$email)) { //email found } else { # email failed } but this is NOT recommended! to use it, will it valid the email yes.. personally i think your just using up more processing power then needed and have more areas of problems.. the one i use is simple and, true is doesn't check for max 64 chars etc... but if someone was going to fake an email mail.. it would probably be formatted correcltly (on atleast their 3rd attempt) Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.