We Keep Coding

How to prevent a script from running when email does not pass filter_var

I'm trying to make the emails pass validation by using filter_var. However, I am not sure how to prevent the script from processing the form data to my database if the email is not valid.
I have
$email = $_POST['email'];
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
if (!filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
echo("$email is a valid email address");
} else {
echo("$email is not a valid email address");
exit();
}
the email obviously comes from what was entered in by the user and is in the $_POST variable. The script DOES show the email as valid or invalid, however it STILL processes the script and places the form data into my database. I thought that putting "exit()" would be the solution to this, or the proper way to handle when it's not valid. It simply opens a new page where the echo print shows.
What am I missing or doing wrong? Ideally I would like the form field to highlight and give the user some indication that they've entered in an incorrectly formatted email address (although I know that is a different topic and somewhat a bells and whistles type of thing), but I certainly do not want to allow the script to process the data into my database.

The answer lies in where the validation code was placed. Instead of placing it RIGHT AFTER the posted variables and before the SQL insertion code, I put it at the very end of the script. So the posted data went into the database before they can be validated.
So now, I have (which works)
$name = $_POST['name'];
$email = $_POST['email'];
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
echo("$email is not a valid email address");
exit();
} else {
$msg_to_user = '<br /><br /><h4>Thanks ' . $name . ', we will send you news when appropriate. Take care!</font></h4>';
$name = "";
$email = "";
}
// THE SQL SELECT STATEMENT TO ENSURE NO DUPLICATE EMAIL AND THEN THE INSERT STATEMENT TO PUT THE DATA IN THE DATABASE COMES AFTER THE CODE ABOVE

php mail not sending "invalid email address"

im getting the "invalid email address"
all is hardcoded for testing, what is missing? thanks!
<html>
<head><title>PHP Mail Sender</title></head>
<body>
<?php
/* All form fields are automatically passed to the PHP script through the array $HTTP_POST_VARS. */
$email = $HTTP_POST_VARS['example#example.com'];
$subject = $HTTP_POST_VARS['subjectaaa'];
$message = $HTTP_POST_VARS['messageeeee'];
/* PHP form validation: the script checks that the Email field contains a valid email address and the Subject field isn't empty. preg_match performs a regular expression match. It's a very powerful PHP function to validate form fields and other strings - see PHP manual for details. */
if (!preg_match("/\w+([-+.]\w+)*#\w+([-.]\w+)*\.\w+([-.]\w+)*/", $email)) {
echo "<h4>Invalid email address</h4>";
echo "<a href='javascript:history.back(1);'>Back</a>";
} elseif ($subject == "") {
echo "<h4>No subject</h4>";
echo "<a href='javascript:history.back(1);'>Back</a>";
}
/* Sends the mail and outputs the "Thank you" string if the mail is successfully sent, or the error string otherwise. */
elseif (mail($email,$subject,$message)) {
echo "<h4>Thank you for sending email</h4>";
} else {
echo "<h4>Can't send email to $email</h4>";
}
?>
</body>
</html>

Change
$email = $HTTP_POST_VARS['jaaanman2324#gmail.com'];
$subject = $HTTP_POST_VARS['subjectaaa'];
$message = $HTTP_POST_VARS['messageeeee'];
to
$email ='jaaanman2324#gmail.com';
$subject ='subjectaaa';
$message = 'messageeeee';

I think you want it to be hardcoded like this:
$email = 'jaaanman2324#gmail.com';
Otherwise you are trying to get the value out of HTTP_POST_VARS with the key of jaaanman2324#gmail.com

First, don't use $HTTP_POST_VARS, it's $_POST now.
Second, by writing $HTTP_POST_VARS['jaaanman2324#gmail.com'] you're looking for table element with juanman234#gmail.com key.
That's not what you wanted to do.
If you want to hardcode it, write
$email = 'jaaanman2324#gmail.com';`
if not, write
$email = $_POST['email'];
to get email field from form.

.php only sending part of a form to a email address

I'm trying to setup a simple website with a form that sends to a specific email address. The idea is to have a few different things to be sent in an email, like: first and last name, age, email, city, subject (which is a dropdown menu with a few different options) and then finally a comment box.
I've actually spent the last 14 hours reading and looking up a way of how to get the PHP script to work properly so that the form will be send. But for some reason I just can't figure it out.
I just cant seem to get the form to send with everything included that I require to be included. Could somebody point me out why the below code doesn't work?
<?php
/* EMAIL RECIPIENT */
$myemail = "name#example.com";
/* Functions we used */
function check_input($data, $problem='')
{
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
if ($problem && strlen($data) == 0)
{
show_error($problem);
}
return $data;
}
/* Check all form inputs using check_input function */
$formName = check_input ($_POST['formName'], "Please enter your First Name");
$formSurname = check_input ($_POST['formSurname'], "Please enter your First Name");
$formAge = check_input ($_POST['formAge'],);
$formEmail = check_input ($_POST['formEmail'], "Please enter your email so we can get back to you");
$formIntent = check_input ($_POST['formIntent'], "Pleas choose a reason for why contact us");
$formIntent = " (MYFORM) " . $formIntent;
$formComment = check_input ($_POST['formComment']);
/* If e-mail is not valid show error message */
if (!preg_match("/([\w\-]+\#[\w\-]+\.[\w\-]+)/", $formEmail))
{
show_error("E-mail address not valid");
}
/* The layout for the email and how it will be set up for reading the email. */
$message = "Hello!
Your contact form has been submitted by:
Name: $formName
Age: $formAge
City: $formCity
Email: $formEmail
Comment: $formName
The reason for contact with Mistral is: $formIntent
Comment: $formComment
End of message.
";
/* Send the message using the mail() function */
mail($myemail, $subject, $message);
/* Redirect visitors to the thank you page */
header('Location: ../thanks.html');
function show_error($myError)
{?>
<html>
<body>
<b>Please correct the following error:</b><br />
<?php echo $myError; ?>
</body>
</html>
<?php
exit();
}
?>

Well, you validate $_POST['formSurname'] but then you never use it. Similarly, you output $formCity in your $message but you never defined it.
This is most likely the cause of your problems.

Contact Forms used for years have stopped working

I posted earlier, but have more information so would like to try again. I am trying to help a friend sort out a problem with the contact forms on his web page, which is built using SiteMan. He has a basic 'contact me' form and a 'request a quote' form on his page. The page is meadowwoodpedestals.com and it is hosted on BlueHost. These forms have worked for years, but we have just discovered that he is not receiving messages being sent via these forms. Upon testing, we found that when the submit button is clicked for either of these pages, instead of getting a confirmation screen, a blank screen is displayed and no message is sent. It has been months since he made any changes in the SiteMan editor.
(1) I contacted the host for support, and the reply told me that the errors indicated a problem with the page code for these two pages:
Premature end of script headers: 500.php, referer: http://www.meadowwoodpedestals.com/content/index.php?page=quote
Premature end of script headers: 500.php, referer: http://www.meadowwoodpedestals.com/content/index.php?page=contact
The response said: As you will see, it appears that the issue is with the code itself. You will need to have your web designer, or a script specialist, look over the code for the two pages, in order to resolve these issues. (My Note: the web designer is out of business)
(2) I found the following in the Bluehost forums (this is a bluehost site), I'm not sure if it is relevant?
"The premature end of script header, on a Bluehost server, is more than likely due to CPU quota (or memory?), the script was killed due to resource limitations."
(3) I looked at the page code for the contact form, which uses method="post" action="/cgi-bin/frmctact.php" and all of the basic html looked good - I don't know javascript so I am not sure about this (I've never seen that little cross symbol before?):
<script type="text/javascript" language="javascript">
function m_sfcon (u) {
pre = "mail";
url = pre + "to:" + u;
document.location.href = url + "#meadowwoodpedestals.com";
}†</script>
(4) I looked at the page code for the quote form, which uses method="post" action="/cgi-bin/mail/mail.php", and there are no script tags at all on that page.
(5) Without posting reams of code (as I'm not sure just what is useful), here is my thinking, please let me know if this is a reasonable track:
Since there are two different pages with the same error, I'm thinking it is not really a problem in either quote.php or contact.php
The two forms use different actions, so I'm guessing it is not mail.php or frmctact.php
==> There must be something common between the two pages, but what is it?? maybe index.php?
(6) I looked at index.php, and when I clicked on the opening php tag it closed with a tag in the sixth line of this statement (the ?> just prior to 'si",):
$adress = "http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
include("data/page_header.php");
switch ($do) {
case "prevphp":
if ($Siteman->mlevel >= 4) {
echo preg_replace("'<\?php.*?\?>'si","",stripslashes($_POST["content"]));
}
break 1;
case "default":
if ($info[2] == 1 || $Siteman->mlevel >= $info[2]) {
include_once($content);
if ($Siteman->mlevel < 5) {
if ($page == "index") {
if (substr_count($_SERVER["HTTP_REFERER"],$adress) == 0) {
echo "<script language=\"Javascript\" type=\"text/javascript\">
var res = screen.width.toString() + 'x' + screen.height.toString();
var referer = '" . urlencode($_SERVER["HTTP_REFERER"]) . "';
document.write('<img width=\"1\" height=\"1\" src=\"stats.php?new=1&res=' + res + '&referer=' + referer + '\" id=\"stat\" name=\"stat\" />');
</script>";
}
}
}
}
break 1;
}
include("data/page_footer.php");
?>
(I don't know why this page works with address misspelled...)
Should I post the full code in cgi-bin/mail/mail.php and cgi-bin/frmctact.php to this area?
My sincere thanks for any / all help!
Abby
EDIT - Here is full frmctact.php - I deleted some blank lines and repeated warnings
<?
// ##########################################################################
//
// DynaForm v1.4 - Created by the Webligo Group
// http://www.webligo.com
//
//--> I deleted license text here
// ###########################################################################
// #### CONFIGURE FROM: ADDRESS ##############################################
// If you would like to specify the From: address of emails sent by DynaForm,
// enter it between the double quotes below. If you leave this blank, the
// server will assign the default email address.
$from_address = "info#meadowwoodpedestals.com";
// ###########################################################################
// #### ACTIVATE REQUIRED FIELDS? ############################################
//
// If you would like to make some fields of your form required, change "no" to
// "yes" below.
$required_on = "yes";
// If you have set $required_on to "yes" above, you can make fields required
// by beginning their name with "r_". For example, if you want to require
// a user to enter their name, use the following HTML:
//
// <input type='text' name='r_Name'>
//
// If a user fails to enter a required field, they will be taken to a page
// where a message such as "You have not completed all the required fields."
// will be displayed. Please specify the URL to this file below:
$required_errorpage = "/content/index.php?page=formerror";
// ###########################################################################
// #### OVERRIDE REQUIRED VARIABLES? #########################################
//NOTE: THIS WILL NOT
// AFFECT YOUR 'TURN ON REQUIRED FIELDS?' SECTION SETTINGS ABOVE.
//
// If you would like to override the three required variables in
// order to hide your email address, email subject, and thank you page
// URL from your email form, change "no" to "yes" below.
$override = "yes";
// If override is set to "yes", the hidden variables on your HTML
// email form named "rec_mailto", "rec_subject", and "rec_thanks" will be
// overridden and can therefore be removed from the form.
// If you have set override to "yes" above, you must specify new values for
// each of these variables below.
// Enter the email address(es) to send the email to.
$incoming_mailto = "info#meadowwoodpedestals.com";
// Enter the email subject.
$incoming_subject = "Website form";
// Enter the thank you page URL.
$incoming_thanks = "/content/index.php?page=formthanks";
// ###########################################################################
// #### BAN IP ADDRESSES? ####################################################
//
// If you would like to ban certain IP addresses from submitting your form,
// change "no" to "yes" below.
$ban_ip_on = "no";
// If you have set $ban_ip_on to "yes" above, please enter a list of the
// IP addresses you would like to ban, seperated only by commas.
// An example has been provided below:
$ban_ip_list = "111.222.33.55,11.33.777.99";
// ###########################################################################
// #### ACTIVATE DOMAIN SECURITY? ############################################
//
// This setting, when set to "yes" (default), will check to make sure other
// people are not submitting data to your dynaform.php file from their
// external domains. This means that if your domain name is "www.mysite.com",
// only forms on "www.mysite.com" will be able to use this dynaform.php.
// IF YOU ARE RECEIVING ERRORS SUCH AS "INVALID DOMAIN" FOR NO REASON, PLEASE
// CHANGE "yes" TO "no" BELOW.
$secure_domain_on = "no";
// ###########################################################################
// #### ACTIVATE AUTO-RESPONSE? ##############################################
//
//
// This setting, when set to "yes", will make DynaForm automatically reply to
// the user who submitted your form with an email message. If you would like
// to use this feature, change "no" to "yes" below.
$autorespond_on = "no";
// If you have set $autorespond_on to "yes" above, you must specify a subject,
// from-address, and message to include in the auto-response email.
// The following setting is the subject of the auto-response email:
$autorespond_subject = "Your Form Submission";
// The following setting is the from-address of the auto-respond email:
$autorespond_from = "youremail#yoursite.com";
// The following setting is the message of your auto-response email:
$autorespond_contents = "Your submission from our website has been received. Thank you!";
// DynaForm also needs to know how to retrieve the user's email address.
// You must specify the name of the field into which the user will enter
// their email address. For example, if your email form contains an input
// field like "<input type='text' name='Email'>" you would set the
// following setting to "Email".
$autorespond_mailto_field = "Email";
// ###########################################################################
// MAKE SURE DYNAFORM IS NOT BEING LOADED FROM THE URL
if($HTTP_SERVER_VARS['REQUEST_METHOD'] == "GET") {
echo "
<html>
<head><title>Webligo PHP DynaForm is installed correctly.</title></head>
<body>
<font style='font-family: verdana, arial; font-size: 9pt;'>
<b>DynaForm is installed correctly.</b></font><br>
<font style='font-family: verdana, arial; font-size: 8pt;'>
DynaForm Easy PHP Form Mailer was created by <a href='http://www.webligo.com'>Webligo Developments</a>.
</font>
</body></html>
";
exit();
}
// SET VARIABLES
$incoming_fields = array_keys($HTTP_POST_VARS);
$incoming_values = array_values($HTTP_POST_VARS);
if($override == "no") {
$incoming_mailto = #$HTTP_POST_VARS['rec_mailto'];
$incoming_subject = #$HTTP_POST_VARS['rec_subject'];
$incoming_thanks = #$HTTP_POST_VARS['rec_thanks'];
}
$incoming_mailto_cc = #$HTTP_POST_VARS['opt_mailto_cc'];
$incoming_mailto_bcc = #$HTTP_POST_VARS['opt_mailto_bcc'];
$form_url = #$HTTP_REFERER;
// MAKE SURE DYNAFORM IS BEING RUN FROM THE RIGHT DOMAIN
if($secure_domain_on == "yes") {
$form_url_array = parse_url($form_url);
$form_domain = $form_url_array[host];
if($form_domain != $HTTP_SERVER_VARS[HTTP_HOST]) {
echo "<h2>DynaForm Error - Invalid Domain</h2>
You have accessed DynaForm from an external domain - this is not allowed.<br>
You may only submit forms to a DynaForm file that exists on the same domain name.<br>
If you believe to be receiving this message in error, please refer to your readme.txt file.
<br><br>";
$error = "yes";
}
}
// CHECK IF MAILTO IS SET
if($incoming_mailto == "") {
echo "<h2>DynaForm Error - Missing Field</h2>
Your form located at <a href='$form_url'>$form_url</a> does not work because you forgot to include
the required \"<b>rec_mailto</b>\" field within the form. This field specifies who the email will
be sent to.
<br><br>
This should look like:<br>
<input type=\"hidden\" name=\"rec_mailto\" value=\"youremail#yoursite.com\">
<br><br>
If you are still confused, please refer to the readme.txt for more information and examples.<br><br><br><br>
";
$error = "yes";
}
// CHECK IF SUBJECT IS SET
if($incoming_subject == "") {
echo "<h2>DynaForm Error - Missing Field</h2>
Your form located at <a href='$form_url'>$form_url</a> does not work because you forgot to include
the required \"<b>rec_subject</b>\" field within the form. This field specifies the subject of
the email that will be sent.
<br><br>
This should look like:<br>
<input type=\"hidden\" name=\"rec_subject\" value=\"New DynaForm Email\">
<br><br>
If you are still confused, please refer to the readme.txt for more information and examples.<br><br><br><br>
";
$error = "yes";
}
// CHECK IF THANKS IS SET
if($incoming_thanks == "") {
echo "<h2>DynaForm Error - Missing Field</h2>
Your form located at <a href='$form_url'>$form_url</a> does not work because you forgot to include
the required \"<b>rec_thanks</b>\" field within the form. This field specifies what page the user
will be taken to after they submit the form.
<br><br>
This should look like:<br>
<input type=\"hidden\" name=\"rec_thanks\" value=\"thanks.html\">
<br><br>
If you are still confused, please refer to the readme.txt for more information and examples.<br><br><br><br>
";
$error = "yes";
}
// CHECK IF IP ADDRESS IS BANNED
if($ban_ip_on == "yes") {
if(strstr($ban_ip_list, $HTTP_SERVER_VARS[REMOTE_ADDR])) {
echo "<h2>DynaForm Error - Banned IP</h2>
You cannot use this form because your IP address has been banned by the administrator.<br>
";
$error = "yes";
}
}
if($error == "yes") {
exit();
}
// SET EMAIL INTRODUCTION
$message = "This email was received from your DynaForm located at $form_url \n\n";
// LOAD EMAIL CONTENTS
for ($i = 0; $i < count($incoming_fields); $i++) {
if($incoming_fields[$i] != "rec_mailto") {
if($incoming_fields[$i] != "rec_subject") {
if($incoming_fields[$i] != "rec_thanks") {
if($incoming_fields[$i] != "opt_mailto_cc") {
if($incoming_fields[$i] != "opt_mailto_bcc") {
// CHECK FOR REQUIRED FIELDS IF ACTIVATED
if($required_on == "yes") {
$sub = substr($incoming_fields[$i], 0, 2);
if($sub == "r_") {
if($incoming_values[$i] == "" OR !isset($incoming_values[$i]) OR $incoming_values[$i] == " ") {
header("Location: $required_errorpage");
exit();
}}}
// ADD FIELD TO OUTGOING MESSAGE
$message .= "$incoming_fields[$i]:\n$incoming_values[$i]\n\n";
}}}}}}
// SET EMAIL FOOTER
$message .= "\n\nEnd";
// CLEAR HEADERS
$headers = "";
// ADD FROM ADDRESS
if($from_address != "") {
$headers .= "From: $from_address\r\n";
}
// CHECK FOR CC OR BCC
if($incoming_mailto_cc != "") {
$headers .= "Cc: $incoming_mailto_cc\r\n";
}
if($incoming_mailto_bcc != "") {
$headers .= "Bcc: $incoming_mailto_bcc\r\n";
}
// SEND EMAIL
mail($incoming_mailto, $incoming_subject, $message, $headers);
// SEND AUTO-RESPONSE IF ACTIVATED
if($autorespond_on == "yes") {
$autorespond_mailto = #$HTTP_POST_VARS[$autorespond_mailto_field];
$autorespond_headers = "From: $autorespond_from";
mail($autorespond_mailto, $autorespond_subject, $autorespond_contents, $autorespond_headers);
}
// FORWARD TO THANK YOU PAGE
header("Location: $incoming_thanks");
?>

The 500 errors mean PHP is crashing. You need to look in the apache error log (bluehost have an icon for this in the cpanel, IIRC), and hopefully will see some PHP error message.
[people say] "the script was killed due to resource limitations."
I don't think it is this, because the 500 error happens immediately after submitting the form.

Trouble with jquery email form submitHandler

Here is the code I'm using for the submitHandler:
submitHandler: function() {
$('.holder').fadeOut('slow');
$('#loading').fadeIn('slow');
$.post('email.php',{name:$('#em_name').val(), email:$('#em_email').val(), message:$('#em_message').val()},
function(data){
$('#loading').css({display:'none'});
if( data == 'success') {
$('#callback').show().append('Message delivered successfully');
$('#emailform').slideUp('slow');
} else {
$('#callback').show().append('Sorry but your message could not be sent, try again later');
}
});
}
This isn't working when used in conjunction with this php:
<?php $name = stripcslashes($_POST['name']);
$emailAddr = stripcslashes($_POST['email']);
$message = stripcslashes($_POST['message']);
$email = "Message: $message \r \n From: $name \r \n Reply to: $emailAddr";
$to = 'mail#example.com';
$subject = 'Message from example';
//validate the email address on the server side
if(eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*#[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $emailAddr) ) {
//if successful lets send the message
mail($to, $subject, $email);
echo('success'); //return success callback
} else {
echo('An invalid email address was entered'); //email was not valid
}
?>
Does anyone have any suggestions as to why this isn't working like it should. It seems to just lock up when I submit. Any help would be appreciated. Thanks!

Recommendations
Get firebug or httpfox to debug ajax scripts. You can see all requests made and the post/get variables.
Dont use eregi use preg
Dont use preg to validate email use php's filter functions
Another debugging idea: set the $_POST vars above the email.php code and visit the email.php in your browser to see if its working.