PHP Secure E-mails

There is a weakness in the PHP e-mail script in the previous chapter: the value of the "from" field is placed straight into the mail headers, so it is open to e-mail injection.

PHP Stopping E-mail Injections

The best way to stop e-mail injections is to validate the input.

The code below is the same as in the previous chapter, but now we have added an input validator that checks the "from" field in the form:

<html>
<body>
<?php
function spamcheck($field) {
  // Validate the raw e-mail address first. FILTER_VALIDATE_EMAIL only
  // accepts a single well-formed address, so a value that contains a
  // line break (the e-mail injection vector) is rejected here.
  if (filter_var($field, FILTER_VALIDATE_EMAIL) === FALSE) {
    return FALSE;
  }
  // Sanitize e-mail address and return the cleaned value, so that the
  // caller uses it instead of the raw $_POST value
  return filter_var($field, FILTER_SANITIZE_EMAIL);
}
?>

<h2>Feedback Form</h2>
<?php
// display form if user has not clicked submit
if (!isset($_POST["submit"])) {
  ?>
  <!-- PHP_SELF comes from the request URL, so escape it before echoing -->
  <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
  From: <input type="text" name="from"><br>
  Subject: <input type="text" name="subject"><br>
  Message: <textarea rows="10" cols="40" name="message"></textarea><br>
  <input type="submit" name="submit" value="Submit Feedback">
  </form>
  <?php
} else {  // the user has submitted the form
  // Check if the "from" input field is filled out
  if (isset($_POST["from"])) {
    // Check if "from" email address is valid
    $from = spamcheck($_POST["from"]);
    if ($from === FALSE) {
      echo "Invalid input";
    } else {
      // $from now holds the validated and sanitized sender address
      $subject = $_POST["subject"];
      $message = $_POST["message"];
      // message lines should not exceed 70 characters (PHP rule), so wrap it
      $message = wordwrap($message, 70);
      // send mail
      mail("webmaster@example.com",$subject,$message,"From: $from\n");
      echo "Thank you for sending us feedback";
    }
  }
}
?>
</body>
</html>

In the code above we use PHP filters to validate input:

  • The FILTER_SANITIZE_EMAIL filter removes all illegal e-mail characters from a string
  • The FILTER_VALIDATE_EMAIL filter validates the value as an e-mail address
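The following script is an added example for this chapter, not the tutorial's own code. It shows, on constructed inputs, which values the two filters accept and reject, why the raw value must be validated (sanitizing a copy and then validating the copy says nothing about the value that is actually sent), and that a free-text header such as Subject needs its own line-break check. The function names (is_safe_email, is_safe_header_text, sanitize_then_validate, build_headers) and the sample inputs are this example's own.

```php
<?php
// Added example for the "PHP Secure E-mails" chapter; not the tutorial's code.
// Function names and sample inputs below are this example's own.

function is_safe_email(string $value): bool
{
    // FILTER_VALIDATE_EMAIL accepts only a single well-formed address.
    // Any CR or LF in the value makes it fail, so a value that tries to
    // start a second header line is rejected outright.
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

function sanitize_then_validate(string $value): bool
{
    // The pitfall: FILTER_SANITIZE_EMAIL strips the CR/LF from a COPY, the
    // copy then validates, and the caller sends the ORIGINAL value with the
    // line break still in it. A "true" here proves nothing about $value.
    $copy = filter_var($value, FILTER_SANITIZE_EMAIL);
    return filter_var($copy, FILTER_VALIDATE_EMAIL) !== false;
}

function is_safe_header_text(string $value): bool
{
    // A Subject is free text, but it must stay on one line: a CR or LF
    // would begin a new header (or the body) once handed to mail().
    return preg_match('/[\r\n]/', $value) === 0;
}

function build_headers(string $from): string
{
    if (!is_safe_email($from)) {
        throw new InvalidArgumentException('rejected "from" address');
    }
    // The address contains no CR/LF, so it is safe inside a header line.
    return "From: $from\r\nReply-To: $from\r\n";
}

// Constructed inputs (not real submissions) and the expected verdicts.
$injected = "good@example.com\r\nX-Injected-Header: yes";
$cases = [
    ['is_safe_email',          'good@example.com',                          true],
    ['is_safe_email',          'not an address',                            false],
    ['is_safe_email',          $injected,                                   false],
    ['is_safe_email',          "good@example.com\nX-Injected-Header: yes",  false],
    ['sanitize_then_validate', $injected,                                   true],  // the pitfall
    ['is_safe_header_text',    'Feedback on your site',                     true],
    ['is_safe_header_text',    "Feedback\r\nX-Injected-Header: yes",        false],
];

foreach ($cases as [$check, $input, $expected]) {
    $actual = $check($input);
    printf("%-22s %-48s %s\n", $check, json_encode($input),
           $actual === $expected ? 'ok' : 'MISMATCH');
}

echo build_headers('good@example.com');

try {
    build_headers($injected);
} catch (InvalidArgumentException $e) {
    echo "build_headers: " . $e->getMessage() . "\n";
}
```

Run it with `php example.php`: every row prints `ok`, the valid address yields a two-line header block, and the injected address is refused by build_headers. The sanitize_then_validate row is the one to study: it returns true for the injected value because the copy it validates is a different string from the one a careless caller would pass to mail().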