Help validating and sanitizing inputs

Hello, this is my first attempt at a working PHP script. I’m trying to simply gather input and email data from an .html5 web contact form, specifically first name, last name, email, telephone and the message. I have been able to get the .php script and .html form communicating, gathering the input and then sending / forwarding the data to an external email, then confirming to the user that the message was sent with a browser prompt and redirecting back to the site’s home page. I’m using a basic .html5 form with tags that require input in the fields. However, I’m aware the data needs validation and sanitizing for security. I’ve read most of what I can find about this and found some default PHP validation and sanitizing functions, but have been spinning on implementing them. Help, suggestions, input, code etc. would be very helpful. Thank you

Note: $email2 = '[email protected]' is my workaround to pass the site email server as the sender, due to the DMARC rejection that occurred with code that placed the form user’s email into the From header, which obviously wasn’t originating from the host’s server. Is there a better way? Thank you

[php]
<?php
// First attempt: gather the posted fields and mail them on
$first   = $_POST['first'];
$last    = $_POST['last'];
$email   = $_POST['email'];
$email2  = '[email protected]';   // site's own address used as the sender (DMARC workaround)
$message = $_POST['message'];
$phone   = $_POST['phone'];
$formcontent = " First: $first \n Last: $last \n Email: $email \n Phone: $phone \n Message: $message";
$recipient  = "[email protected]";
$subject    = "Contact Form";
$mailheader = "From: $email2 \r\n";
// the From header only takes effect if it is actually passed to mail()
mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
?>
[/php]

Here’s a working solution, if any other non-PHP guru needs to know how to do this. Hope it saves someone some time. Thanks guys!

[php]<?php

// Check required fields first
if (isset($_POST['first'], $_POST['email'], $_POST['message'])) {

    // trim whitespace, undo magic-quote style escaping, and neutralise HTML
    $first   = htmlspecialchars(stripslashes(trim($_POST['first'])));
    $last    = htmlspecialchars(stripslashes(trim($_POST['last'] ?? '')));
    $email   = htmlspecialchars(stripslashes(trim($_POST['email'])));
    $email2  = '[email protected]';   // site's own address, used as the sender
    $message = htmlspecialchars(stripslashes(trim($_POST['message'])));
    $phone   = htmlspecialchars(stripslashes(trim($_POST['phone'] ?? '')));

    if (ctype_alpha(str_replace(' ', '', $first)) === false) {
        echo "Your first name must contain letters and spaces only. Please use your browser's back arrow and make the necessary changes.";
        return false;
    }
    if (ctype_alpha(str_replace(' ', '', $last)) === false) {
        echo "Your last name must contain letters and spaces only. Please use your browser's back arrow and make the necessary changes.";
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        echo "Your email is not in a valid format. Please use your browser's back arrow and make the necessary changes.";
        return false;
    }
    if (!preg_match("/^[0-9]{3}-[0-9]{3}-[0-9]{4}$/", $phone)) {
        echo "Your phone number is not in a valid format, the correct format is 000-000-0000. Please use your browser's back arrow and make the necessary changes.";
        return false;
    }

    $formcontent = " First: $first \n Last: $last \n Email: $email \n Phone: $phone \n Message: $message";
    $recipient   = "[email protected]";
    $subject     = "Contact Form";
    $mailheader  = "From: $email2 \r\n";
    mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");

    echo "<script>
    alert('Your message has been sent!');
    window.history.go(-2);
    </script>";

} else {
    echo "Please enter all required fields.";
}

?>[/php]
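Added example, not code from either poster: a hardened version of the same handler that keeps the site’s own address in From (so DMARC alignment holds) and puts the visitor’s validated address in Reply-To instead, and that refuses line breaks in any value that reaches a mail header. The two addresses and the field names are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes the same form fields
// (first, last, email, phone, message); both addresses below are placeholders.
const SITE_FROM = 'forms@example.com';  // the host's own address, so DMARC alignment holds
const RECIPIENT = 'owner@example.com';
// Validate and trim the posted fields. Returns [errorMessages, cleanFields].
function validateContact(array $post): array {
    $clean = [];
    foreach (['first', 'last', 'email', 'phone', 'message'] as $f) {
        $clean[$f] = trim((string) ($post[$f] ?? ''));
    }
    $errors = [];
    if ($clean['first'] === '' || $clean['email'] === '' || $clean['message'] === '') {
        $errors[] = 'Please enter all required fields.';
    }
    // A CR/LF in a value that ends up in a mail header lets a sender smuggle
    // extra headers (e.g. Bcc:) into the message, so refuse line breaks there.
    foreach (['first', 'last', 'email', 'phone'] as $f) {
        if (preg_match('/[\r\n]/', $clean[$f])) {
            $errors[] = "The $f field may not contain line breaks.";
        }
    }
    // Names get a length cap only: digits and accented characters are legitimate.
    if (mb_strlen($clean['first']) > 100 || mb_strlen($clean['last']) > 100) {
        $errors[] = 'Names must be 100 characters or fewer.';
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Your email is not in a valid format.';
    }
    if ($clean['phone'] !== '' && !preg_match('/^[0-9]{3}-[0-9]{3}-[0-9]{4}$/', $clean['phone'])) {
        $errors[] = 'Phone numbers must use the form 000-000-0000.';
    }
    return [$errors, $clean];
}
// From: stays the site's own address; the visitor's validated address goes in
// Reply-To:, so "Reply" in the mail client still reaches them.
function sendContact(array $c): bool {
    $headers = 'From: ' . SITE_FROM . "\r\nReply-To: " . $c['email'] . "\r\n";
    $body = "First: {$c['first']}\nLast: {$c['last']}\nEmail: {$c['email']}\n"
          . "Phone: {$c['phone']}\nMessage: {$c['message']}\n";
    return mail(RECIPIENT, 'Contact Form', $body, $headers);
}
[$errors, $clean] = validateContact($_POST);
if ($errors) {
    // htmlspecialchars belongs here, at HTML output, not on the text that goes into the email
    foreach ($errors as $e) { echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n"; }
} else {
    echo sendContact($clean) ? 'Your message has been sent!' : 'Error!';
}
```

Note that htmlspecialchars is applied only when echoing to the browser; running it on the mail body, as the solution above does, turns a plain apostrophe in the message into `&#039;` in the received email.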

There might be a legitimate reason for a person to have a number in his/her name, or even a special character (some foreign names have them); John Smith 2nd comes off the top of my head. The only thing I do is use the trim function to ensure people aren’t trying to cheat by entering spaces, like the following:

[php]function checkContent($data) {
    /* This makes sure the user didn't just type spaces in an attempt to make the form valid */
    foreach ($data as $key => $value) {
        $data[$key] = isset($value) ? trim($value) : '';
    }
    /*
     * If there are empty field(s) then set the error array to
     * true, otherwise it should be false.
     */
    if (in_array("", $data, true)) {
        return TRUE;
    } else {
        return FALSE;
    }
}[/php]
