I'm making a website that has a form which gets validated in PHP.
When people post the form, the email gets sent to a $email variable and I check for the correct format. However, I've yet to find a piece of code that checks if the format is correct (if it's valid doesn't matter right now). I've found PHP's own function, but it doesn't check for Swedish letters. I've also found another function that checks the mail format, but that breaks if you have an email with the format xxx.yy@zz.aa; it only works if the format is xxx@zz.aa.
I would very much appreciate any help to make this work and to find a function that works.
You can use this regexp:
if (preg_match("/^\b[A-ZÅÄÖåäö0-9._%+-]+@[A-ZÅÄÖåäö0-9.-]+\.[A-Z]{2,4}\b$/i", $email)) {
    // mail is valid
}
This will validate youråäö@adressö.se etc.
The single thing that you can check in an email address is that it contains @. Check for that without any code found anywhere.
I personally suggest you validate forms on the client side, i.e. using JavaScript or jQuery.
If all form validations are carried out on the server, the server load increases, and there is also re-submission for invalid entries.
jQuery code for email validation:
function ValidateEmail(email) {
    var expr = /^([\w-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([\w-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$/;
    return expr.test(email);
}
$("#id").blur(function () {
    if (!ValidateEmail($("#id").val())) {
        // your code
    } else {
        // your code
    }
});
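A server-side format check that accepts Swedish letters, as an added example (not code from any of the posts above): it converts the domain to its ASCII form with idn_to_ascii() and lets filter_var() allow Unicode in the local part. It assumes PHP 7.1 or later with the intl extension; the function name and the sample addresses are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Format check only: it says nothing about whether the mailbox exists.
function isValidEmailFormat(string $email): bool
{
    // Split on the last @ so the domain can be handled separately.
    $at = strrpos($email, '@');
    if ($at === false || $at === 0 || $at === strlen($email) - 1) {
        return false; // no @, empty local part, or empty domain
    }
    $local  = substr($email, 0, $at);
    $domain = substr($email, $at + 1);

    // An internationalised domain such as adressö.se is converted to its
    // ASCII (xn--...) form; invalid labels or broken UTF-8 yield false.
    $asciiDomain = idn_to_ascii($domain, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
    if ($asciiDomain === false) {
        return false;
    }

    // FILTER_FLAG_EMAIL_UNICODE (PHP 7.1+) permits non-ASCII letters in the
    // local part, which plain FILTER_VALIDATE_EMAIL rejects.
    return filter_var(
        $local . '@' . $asciiDomain,
        FILTER_VALIDATE_EMAIL,
        FILTER_FLAG_EMAIL_UNICODE
    ) !== false;
}

// Constructed sample addresses (assumptions, not taken from a real system).
$samples = ['youråäö@adressö.se', 'xxx.yy@zz.aa', 'xxx@zz.aa', 'no-at-sign', '@zz.aa'];
foreach ($samples as $sample) {
    echo $sample, ' => ', isValidEmailFormat($sample) ? 'accepted' : 'rejected', "\n";
}
```

Run the same check on the server even when the browser has already validated the field, since a client can post the form without running any script.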
I have the code below in the submitted form section of a php file. It is meant to catch any emails that contain a url and reject them.
if (preg_match("/(\b(((https?|ftp|file|):\/\/)|www[.])[-A-Z0-9+&@#\/%?=~_|!:,.;]*[-A-Z0-9+&@#\/%=~_|])/i", $msg)) {
    return false;
}
return true;
But I received an email with dozens of lines like this:
[url=http://example.рф]шкафы купе[/url]
I tried sending a message with one of the lines in the original email and the code blocked it. Why didn't it stop this spammer?
Based on the replies, which I deeply appreciate, I changed the code to the following. All I really want is to block URLs. It doesn't matter what the path and parameters are, so I think this catches all possibilities. This is used instead of PHP filters because the filters page says it can't catch URNs.
if (preg_match("/(\b(((https?|ftp|file|[-A-Z0-9]|):\/\/)|www[.]))/i", $msg)) {
I'm using PHPMailer to send emails via contact form.
When I enter an invalid email address in the input field, the email is still sent. I want to perform both client-side and server-side validations.
Does PHPMailer have a built-in validation system to check for invalid email address? If the email entered is invalid I want to return an error and not send the email.
The easiest and most correct way to validate email addresses is to use filter_var. Rather than relying on a patched PHPMailer, you could write a function to validate them before you send them to PHPMailer.
function validateEmailAddr($addr) {
    // note: do not attempt to write any regex to validate email addresses;
    // it will invariably be wrong
    return filter_var($addr, FILTER_VALIDATE_EMAIL);
}
You said that you could enter something like 'sdjfygsdfisdf' and still get the email sent to you.
That's odd. Because adding any email address ('to', 'cc', 'bcc', 'replyto') in PHPMailer will go through the addOrEnqueueAnAddress() function, which does include validation checks. Adding a 'from' address uses different code, but also does validation checks.
The most obvious thing here is that you're not actually doing any error checking to trap for those errors.
Depending on whether you've got PHPMailer using exceptions or not, you might just be getting a false value returned from functions like setFrom() when you give it a bad address. If you ignore that value and carry on anyway, then yes, the email will still be sent.
So you need to add some error handling. Check for function call returning false.
However my preferred suggestion would be to switch to using exceptions for your error handler -- PHPMailer can do this just by setting a flag. This will make error handling easier, as you won't need to check for false on every single function call; just wrap the whole thing in a try catch block, and do your error handling in one go at the end.
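The two error-handling styles described in the answer above, as an added example that is not from the original post. It assumes PHPMailer 6 installed through Composer; the example.com addresses and the function names are placeholders.

```php
<?php
declare(strict_types=1);

require 'vendor/autoload.php'; // assumption: PHPMailer 6 installed via Composer

use PHPMailer\PHPMailer\Exception;
use PHPMailer\PHPMailer\PHPMailer;

// Style 1: default mode. Address setters return false on a bad address,
// so every return value has to be checked before going on.
function replyToAccepted(string $visitorEmail): bool
{
    $mail = new PHPMailer();
    if (!$mail->addReplyTo($visitorEmail)) {
        error_log('Contact form: ' . $mail->ErrorInfo);
        return false;
    }
    return true;
}

// Style 2: exception mode. A rejected address or a failed send() ends up in
// one catch block. Returns null on success, otherwise the error message.
function sendContactMail(string $visitorEmail, string $message): ?string
{
    $mail = new PHPMailer(true); // true = throw exceptions
    try {
        $mail->setFrom('noreply@example.com', 'Contact form'); // placeholder
        $mail->addAddress('owner@example.com');                // placeholder
        $mail->addReplyTo($visitorEmail);                      // throws if invalid
        $mail->Subject = 'Contact form message';
        $mail->Body    = $message;
        $mail->send();
        return null;
    } catch (Exception $e) {
        return $e->getMessage();
    }
}

// Constructed input: the invalid value quoted in the answer above.
// Both calls stop at the address check, so nothing is sent.
$bad = 'sdjfygsdfisdf';
var_dump(replyToAccepted($bad));
var_dump(sendContactMail($bad, 'Hello'));
```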
I have got a wordpress instance with the plugin contact-form-7. In some tutorials, I saw that I can do something before sending the mail with this code:
add_action("wpcf7_before_send_mail", "wpcf7_do_something_else");
function wpcf7_do_something_else(&$wpcf7_data) {
    // Here is the variable where the data are stored!
    var_dump($wpcf7_data);
    // If you want to skip mailing the data, you can do it...
    $wpcf7_data->skip_mail = true;
}
I got the code from here http://code.tutsplus.com/tutorials/mini-guide-to-contact-form-7--wp-25086
But somehow, it is not working. I don't receive any error - the contact form is not sending the mail anymore, even without the $wpcf7_data->skip_mail = true, and it doesn't print anything.
My questions:
Where do I have to write this code? Directly into the plugin? (At the moment, I wrote this code into a custom plugin, maybe wrong?)
Is it even possible to print any data from the form in there? (Is the tutorial bad?)
Thanks!
Well, it is normal that the contact form does not send email anymore, as it is defined on this line $wpcf7_data->skip_mail = true;.
This code is used if you want something else than the default posting (sending in email), as described in the tutorial.
This code, however, should be placed in your theme's functions.php file (if file exists, create it). But still, the email will not be sent.
If you want to skip emails and perform other action, then leave this piece of code
$wpcf7_data->skip_mail = true;
and add your logic after this line.
Describe more precisely what you want to do (instead of sending email) in your question.
Just wondering why this is too strict. I can send very simplified emails to, say, tim@yahoo.com or two@google.com,
but if I make the email any longer (sacagawea@gmail.com) it does not get sent.
Instead it echoes back my error message: Invalid Email Address Supplied
// Create a function to check email
function checkEmail($email)
{
    // Add some regex
    return preg_match('/^\S+@[\w\d.-]{2,}\.[\w]{2,6}$/iU', $email) ? TRUE : FALSE;
}
If you have access to PHP 5.2 or above, you should use the filter functions:
function checkEmail($email) {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}
Or validate it, "the right way".
This part
@[\w\d.-]{2,}
is gobbling up
@gmail.com
leaving nothing for this part
[\w\d.-]{2,}
to match.
Better to reuse something already proven, see for example http://www.regular-expressions.info/email.html
I usually don't fret too much about checking email validity. I just need to check there is a value in front of "@" and at the back. That's all. The rest of the "checking" job, the MTAs will do that for me. If it's an invalid email, I will get a response from the MTA. If it's able to be sent out, that means the email is most probably valid.
Please try
'/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/'
It also fits subdomain email addresses such as email@sub.domain.tl
Folks,
I have an html form which sends the form data as an email. Unfortunately spam bots have been filling the form in and send web site links and email addresses in the message part of the form.
Is there a way I can delete the web site links and email addresses when the "Submit" button is pressed before it gets sent on as an email address? I use PHP to do the actual sending of the form data as an email message.
Thanks and regards,
Tony
Have you tried having a hidden form via css (display: none) but in HTML like a regular form, and call it email or something common, and if that form has data, then it must be a bot.
How about using regular expressions to replace anything that matches a web link or email address to an empty string.
You can find tons of regular expression examples on the web, just google it.
You can do that with Javascript. The problem is that Javascript needs to be enabled for that to happen so you can imagine the odds that the spambots will be cooperative when it comes to this.
You're going to have to filter it out on the server. Personally I would simply reject outright any message containing links or email addresses. Spit back an error to the user but don't even save it.
For some tips on detecting spam in PHP read Spam-free accessible forms.
You may also want to consider the use of CAPTCHA.
Well, if you really want to fight spam, go for these steps:
Put a CAPTCHA in the form so that non-humans cannot even submit the form. A very popular CAPTCHA implementation is reCAPTCHA.
Do a strip_tags on the fields so that even if someone puts URLs by hand, it will be removed.
Do a regular expression check for email addresses and remove them as well. Pick a good regex expression from the web which will pick most email formats.
Hope this helps. Cheers!
Presumably, you don't want to accept any kind of HTML, just plain text? In this case strip_tags is your friend. strip_tags also allows you to specify some tags that are acceptable.
I also heartily recommend incorporating a header-injection defence script.
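A minimal header-injection check of the kind recommended above, as an added example that is not from the thread: it rejects any header-bound field containing a line break instead of trying to clean it. The field names, function names and sample submissions are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical form fields whose values are copied into mail headers.
const HEADER_FIELDS = ['name', 'email', 'subject'];

// True when the value holds a raw or URL-encoded CR/LF, which would end the
// current header line and start a new one chosen by whoever filled the form.
function containsLineBreak(string $value): bool
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// Returns field => error message; an empty array means the header fields passed.
function checkHeaderFields(array $post): array
{
    $errors = [];
    foreach (HEADER_FIELDS as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {          // e.g. subject[]=x arrives as an array
            $errors[$field] = 'Unexpected value type.';
        } elseif (containsLineBreak($value)) {
            $errors[$field] = 'Line breaks are not allowed here.';
        }
    }
    if (!isset($errors['email'])
        && filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email address.';
    }
    return $errors;
}

// Constructed submissions, not taken from the thread.
$clean = ['name' => 'Tony', 'email' => 'tony@example.com', 'subject' => 'Hello'];
$dirty = ['name' => 'Tony', 'email' => 'tony@example.com',
          'subject' => "Hello\r\nX-Extra: 1"];

var_dump(checkHeaderFields($clean));
var_dump(checkHeaderFields($dirty));
```

The message body is not a header, so line breaks there are fine; only send the mail when the returned array is empty.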
Folks,
I tried using strip_tags which certainly removes tags but doesn't remove "mailto:" nor "http://" text, so the links are still links.
Is there an easy PHP command or routine that can scan a string and just replace "mailto:" and/or "http://" with a harmless empty string "" in those portions of the string?
Tried googling too but most of the stuff I found was about trimming white space etc.
Sorry about this, I'm kinda new to PHP.
Thanks and Regards,
Tony
This is very simplistic, but you could build on it I'm sure ...
Try adding a picture of a cat or dog, then asking them to enter the three letter name of the animal shown ... or something similar. Do a validation check, then go from there ... cheap and easy Captcha. This way only human input is going out ...
You would have to iterate over every field in the $_POST array (at least the ones you don't want to have emails or links in) and check it against a couple of regexes.
The suggestion to use CAPTCHA is also a good one.
Anyway, here's a crappy implementation of the checking:
class ValidationHelper
{
    // Regex taken from https://github.com/google-code-export/prado3/blob/master/framework/Web/UI/WebControls/TEmailAddressValidator.php
    const EMAIL_REGEX = "#\\w+([-+.]\\w+)*@\\w+([-.]\\w+)*\\.\\w+([-.]\\w+)*#";
    // hacked up regex that I just cooked up - could be hugely improved i'm sure.
    // the i flag makes the match case-insensitive, so HTTP:// is caught as well
    const LINK_REGEX = "#(h\s*t\s*t\s*p\s*s?|f\s*t\s*p)\s*:\s*/\s*/#i";

    public static function containsEmail($value)
    {
        if (preg_match(self::EMAIL_REGEX, $value))
            return true;
        return false;
    }

    public static function containsLink($value)
    {
        if (preg_match(self::LINK_REGEX, $value))
            return true;
        return false;
    }
}

// labels used in the error messages; the keys are example field names, adjust them to your form
$fieldNames = array('name' => 'name', 'message' => 'message');
$errors = array();
foreach ($_POST as $key => $value) {
    // presumably you want at least one email field, yeah?
    // array values (e.g. name[]=x) are skipped because strip_tags expects a string
    if ($key != 'email' && is_string($value)) {
        // perhaps you should be running strip_tags over everything if you don't want html and such...
        // see http://php.net/strip_tags for more info. without it (or something similar), there's nothing
        // to stop people from putting <script type="text/javascript" src="http://notyourdomain.com/~1337skriptkiddy/haxxors.js"></script>
        // into your form. even if you might not necessarily ever be displaying this in a scenario
        // where it can cause trouble, it's never a bad idea to stop this stuff *before* it gets into your db
        $_POST[$key] = $value = strip_tags($value);
        // fall back to the raw field key when no label is defined for it
        $label = isset($fieldNames[$key]) ? $fieldNames[$key] : $key;
        if (ValidationHelper::containsEmail($value) || ValidationHelper::containsLink($value))
            $errors[] = 'Please ensure the value you entered for '.$label.' does not contain any links or email addresses';
    }
}
if (!empty($errors)) {
    // failed - show errors.
}
else {
    // success!
}