Contact form problem - filter extensions etc

Hi all,

I’m still working on my forms but need some help please. Something is not quite right.

I first run everything through a spam scrubber and also through an appropriate filter extension.

The problem, for example, is when I add a name to my name input and press send, the error message ‘please enter a name’ will display. This should only happen if the name input is empty or if it hasn’t been run through the filter extension.

I have another conditional which does a final check before the body of the email message can be created. At the moment it only checks if $scrubbed['email'] and $scrubbed['name'] are both not empty. They should however, both be set (not NULL) and have been run through the filter extension, before anything else can happen. I hope this makes sense!

Should I thus have something like the following?

if (!empty($scrubbed['name']) && isset filter_var($scrubbed['name'], FILTER_SANITIZE_STRING) etc…

My PHP is still shaky at best, so I’d be very happy for some assistance.

Thank you .

$errors = array();

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    if (!isset($scrubbed['name']) || !filter_var($scrubbed['name'], FILTER_SANITIZE_STRING)) {
        $errors['name'] = 'Please enter a name.';
    }

    if (!isset($scrubbed['email']) || !filter_var($scrubbed['email'], FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'Please enter a valid email address.';
    }

    // Conditional before body of message can be created.
    if (!empty($scrubbed['email']) && !empty($scrubbed['name'])) {

    }

}

// Create the HTML form:
?>
<p>Please fill out this form to contact me.</p>
<form action="email.php" method="post">

	
	<p>Name:
	<span><?php if (isset($errors['name'])) echo $errors['name'];?></span>
	</p>
	<input type="text" name="name" size="30" maxlength="60" value=
	"<?php if (isset($scrubbed['name'])) echo filter_var($scrubbed['name'], FILTER_SANITIZE_STRING); ?>" />
	
	
	<p>Email Address:
	<span><?php if (isset($errors['email'])) echo $errors['email'];?></span>
	</p>
	<input type="text" name="email" size="30" maxlength="80" value=
	"<?php if (isset($scrubbed['email'])) echo filter_var($scrubbed['email'], FILTER_VALIDATE_EMAIL); ?>" />
	
	
	<p><input type="submit" name="submit" value="Send!" /></p>
</form>
</body>
</html>

Hi,

I think you have to change || to &&

|| means OR
&& means AND

If you get confused with || and && then you can use OR and AND also.

The following should work also fine:

if (!filter_var($scrubbed['name'], FILTER_SANITIZE_STRING)) { $errors['name'] = 'Please enter a name.'; } 
if (!filter_var($scrubbed['email'], FILTER_VALIDATE_EMAIL)) { $errors['email'] = 'Please enter a valid email address.'; }

Thanks.

Hi Tapan,

thanks for your input. If I use &&, I receive an undefined variable notice.

I’m not sure how to write that ($scrubbed['name']) is set and has been filtered.

Can’t I do something like the following:


if ($_SERVER['REQUEST_METHOD'] == 'POST') {


$x = filter_var($scrubbed['name'], FILTER_SANITIZE_STRING);


if ( !isset($x)) {
    $errors['name'] = 'Please enter a name.';
}


The problem is that $scrubbed['name'] doesn’t appear to be set anywhere in your code, and judging by the name of the variable it should contain the output from the filter_var function, not the input, surely?

It looks like what you want to be doing is something like this:


if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    
    $scrubbed = array();
    $errors = array();

    $scrubbed['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);

    if ( ! $scrubbed['name']) {
        $errors['name'] = 'Please enter a name.';
    }

}

filter_var will return false if $_POST['name'] is not set, so you can remove the isset check and simply check for a truthy value.

Hi fretburner,

thanks a lot for your help. It certainly works better now.

What would you say I should do about the final conditional before the body of the email is created?


if (!empty($scrubbed['email']) && !empty($scrubbed['name'])) {

    $body = "Name: {$scrubbed['name']}\n\n";

    $body = wordwrap($body, 70);

At the moment if name is filled in and email has some random text, the form can be submitted which shouldn’t be the case because the email address should be valid.

Here is the form code:

<form action="email.php" method="post">

	
	<p>Name:
	<span><?php if (isset($errors['name'])) echo $errors['name']; ?></span>
	</p>
	<input type="text" name="name" size="30" maxlength="60" value=
	"<?php if (isset($scrubbed['name'])) echo filter_var($scrubbed['name'], FILTER_SANITIZE_STRING); ?>" />
	
	
	<p>Email Address:
	<span><?php if (isset($errors['email'])) echo $errors['email'];?></span>
	</p>
	<input type="text" name="email" size="30" maxlength="80" value=
	"<?php if (isset($scrubbed['email'])) echo filter_var($scrubbed['email'], FILTER_VALIDATE_EMAIL); ?>" />
	
	
	<p><input type="submit" name="submit" value="Send!" /></p>
</form>

Thanks again.

You can do something similar to what I did for the name field:


$scrubbed['email'] = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);

// check for errors, etc..

if ($scrubbed['name'] && $scrubbed['email']) {
    $body = "Name: {$scrubbed['name']}\n\n";
    $body = wordwrap($body, 70);

    // send the email etc..
}

As for your HTML form, as you’ve already filtered the POST values you can simplify the output code a bit:


<input type="text" name="name" size="30" maxlength="60" value="<?php if ($scrubbed['name']) echo $scrubbed['name']; ?>" /> 

Hi,

if I have the following I get a notice: undefined variable.

<input type="text" name="email" size="30" maxlength="80" value=
	"<?php if ($scrubbed['email']) echo $scrubbed['email']; ?>" />

This works:

<input type="text" name="email" size="30" maxlength="80" value=
	"<?php if (isset($scrubbed['email'])) echo $scrubbed['email']; ?>" />

I’m however still able to submit the form when I have an invalid email address

Oops, yeah, $scrubbed won’t be set the first time through the script, so you’ll need the isset check.

What invalid value were you using for the email address? When I tested it, the code seemed to work OK.

I just entered any random letters into the email input and pressed send

Could you repost all your form processing code please? Like I say, the code I posted seems to work OK when I test it, so perhaps there’s something else that we’re missing.

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    $scrubbed = array();
    $errors = array();

    $scrubbed['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);

    if ( ! $scrubbed['name']) {
        $errors['name'] = 'Please enter a name.';
    }

    $scrubbed['email'] = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);

    if ( ! $scrubbed['email']) {
        $errors['email'] = 'Please enter a valid email address.';
    }


I have left out the code that cleans the form of potential spam.

$scrubbed = array_map('spam_scrubber', $_POST);

    if ($scrubbed['name'] && $scrubbed['email']) {

        $body = "Name: {$scrubbed['name']}\n\n";

        $body = wordwrap($body, 70);

        // other code left out.

    }

<p>Please fill out this form to contact me.</p>
<form action="email.php" method="post">

	
	<p>Name:
	<span><?php if (isset($errors['name'])) echo $errors['name']; ?></span>
	</p>
	<input type="text" name="name" size="30" maxlength="60" value=
	"<?php if (isset($scrubbed['name'])) echo $scrubbed['name']; ?>" />
	
	
	<p>Email Address:
	<span><?php if (isset($errors['email'])) echo $errors['email'];?></span>
	</p>
	<input type="text" name="email" size="30" maxlength="80" value=
	"<?php if (isset($scrubbed['email'])) echo $scrubbed['email']; ?>" />
	
	
	<p><input type="submit" name="submit" value="Send!" /></p>
</form>

Thank you

OK, I see what’s happening… this line is overwriting the contents of the $scrubbed array with $_POST values:

$scrubbed = array_map('spam_scrubber', $_POST);

so it’s basically undoing the email validation we already performed. Depending on how your spam_scrubber function works, you might be able to do this:

$scrubbed = array_map('spam_scrubber', $scrubbed);
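A complete version of the scrub-then-validate order fretburner describes in his two answers (the filter_var checks, and not letting array_map overwrite them), added here as an example rather than code from the thread; spam_scrubber() is a stand-in with an assumed body because the thread never shows the real one, and the form_value() helper is likewise mine.

```php
<?php
// Added example, not the thread's code: scrub first, validate second, and only
// then build the message, so nothing overwrites the validated values.

function spam_scrubber(string $value): string
{
    // Assumed behaviour (real function not shown): drop control characters
    // such as CR/LF, then trim surrounding whitespace.
    return trim(preg_replace('/[\x00-\x1F\x7F]/', '', $value));
}

/** Processes one POST array; returns scrubbed values, errors and the body (or null). */
function process_contact(array $post): array
{
    $scrubbed = [];
    foreach (['name', 'email'] as $field) {           // allowlist of expected fields
        $raw = $post[$field] ?? '';
        $scrubbed[$field] = spam_scrubber(is_string($raw) ? $raw : '');
    }
    $errors = [];
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; for a name, check that
    // something is left after scrubbing and that it respects the form's maxlength.
    if ($scrubbed['name'] === '' || mb_strlen($scrubbed['name']) > 60) {
        $errors['name'] = 'Please enter a name.';
    }

    // FILTER_VALIDATE_EMAIL returns false for anything that is not an address,
    // so "random letters" never reaches the message body.
    $email = filter_var($scrubbed['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Please enter a valid email address.';
    }

    $body = null;
    if ($errors === []) {
        $body = wordwrap("Name: {$scrubbed['name']}\n\nEmail: {$scrubbed['email']}\n", 70);
    }
    return ['scrubbed' => $scrubbed, 'errors' => $errors, 'body' => $body];
}

// When re-displaying a submitted value in the form, always HTML-escape it.
function form_value(array $scrubbed, string $key): string
{
    return htmlspecialchars($scrubbed[$key] ?? '', ENT_QUOTES, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: the thread's "random letters" case, then a valid one.
    var_dump(process_contact(['name' => 'Ann', 'email' => 'asdfgh'])['errors']);
    var_dump(process_contact(['name' => 'Ann', 'email' => 'ann@example.com'])['body']);
}
```

In the form, `value="<?php echo form_value($scrubbed ?? [], 'email'); ?>"` replaces the raw echo, so a submitted value can never break out of the attribute.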

Hi fretburner,

that did the trick! It’s working now. :)

Thank you so much. Sorry for taking up all of your time, but I didn’t expect that a contact form could be so complicated.

I’m off to continue testing my forms.