Eregi error

if (eregi('http:', $notes))

Getting the error with this deprecated eregi code. Can someone help me fix it? Thanks.

Don’t use deprecated functions.
Use an alternative.
http://php.net/manual/en/function.eregi.php

To SamA74

I appreciate your quick response. I am a bit of a novice…in other words I am just beginning to learn. Here is the school project I am working on:

<?php

$ip = $_POST['ip'];
$httpref = $_POST['httpref'];
$httpagent = $_POST['httpagent'];
$visitor = $_POST['visitor'];
$visitormail = $_POST['visitormail'];
$phone = $_POST['phone'];
$notes = $_POST['notes'];
$followup = $_POST['followup'];
$marketing = $_POST['marketing'];
$cell = $_POST['cell'];
$time = $_POST['time'];
// These are used in $message below but were never read from the form;
// the form field names are assumed to match the variable names.
$company = $_POST['company'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];

if (preg_match('http:', $notes)) { // pattern has no delimiters; see the replies below
die ("Please click back and tell us a little about your project. ");
}
if(!$visitormail == "" && (!strstr($visitormail,"@") || !strstr($visitormail,".")))
{
echo "<h2>Use Back - Please Enter a valid e-mail</h2>\n";
$badinput = "<h2>Request was NOT submitted</h2>\n";
echo $badinput;
die ("Please Go Back ");
}

if(empty($visitor) || empty($visitormail) || empty($notes )) {
echo "<h2>Use Back - fill in all fields</h2>\n";
die ("Please Go Back");
}

$todayis = date("l, F j, Y, g:i a") ;

$subject = $visitor;

$notes = stripcslashes($notes);

$message = " $todayis \n
Message: $notes ($company) ($followup) ($marketing)\n
Name: $visitor \n
Phone: $phone \n
Cell: $cell \n
Follow Up: $followup \n
Address: $address ($city) ($state) ($zip) \n
From: $visitor ($visitormail) ($phone) ($company) \n
Additional Info : IP = $ip \n
Browser Info: $httpagent \n
$httpref \n
";

$from = "From: $visitormail\r\n";


mail("test@gmail.com", $subject, $message, $from);

?>

How can I make this work?

First you need to format the code properly in the forum post, so people can read it.
Edit your post and put 3 backticks ` on a line of their own at the beginning and the end of the code block.


To SamA74

My apologies:

<?php

$ip = $_POST['ip'];
$httpref = $_POST['httpref'];
$httpagent = $_POST['httpagent'];
$visitor = $_POST['visitor'];
$visitormail = $_POST['visitormail'];
$phone = $_POST['phone'];
$notes = $_POST['notes'];
$followup = $_POST['followup'];
$marketing = $_POST['marketing'];
$cell = $_POST['cell'];
$time = $_POST['time'];
// These are used in $message below but were never read from the form;
// the form field names are assumed to match the variable names.
$company = $_POST['company'];
$address = $_POST['address'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];

if (preg_match('http:', $notes)) { // pattern has no delimiters; see the replies below
die ("Please click back and tell us a little about your project. ");
}
if(!$visitormail == "" && (!strstr($visitormail,"@") || !strstr($visitormail,".")))
{
echo "<h2>Use Back - Please Enter a valid e-mail</h2>\n";
$badinput = "<h2>Request was NOT submitted</h2>\n";
echo $badinput;
die ("Please Go Back ");
}

if(empty($visitor) || empty($visitormail) || empty($notes )) {
echo "<h2>Use Back - fill in all fields</h2>\n";
die ("Please Go Back");
}

$todayis = date("l, F j, Y, g:i a") ;

$subject = $visitor;

$notes = stripcslashes($notes);

$message = " $todayis \n
Message: $notes ($company) ($followup) ($marketing)\n
Name: $visitor \n
Phone: $phone \n
Cell: $cell \n
Follow Up: $followup \n
Address: $address ($city) ($state) ($zip) \n
From: $visitor ($visitormail) ($phone) ($company) \n
Additional Info : IP = $ip \n
Browser Info: $httpagent \n
$httpref \n
";

$from = "From: $visitormail\r\n";


mail("test@gmail.com", $subject, $message, $from);

?>

I will remember the backpacks forever!

Whoops…typing too fast…backticks…


I added a delimiter and ran the script and I did not get an error, however I did not receive the info to the designated email. I used a different email than the one below:

mail("test@gmail.com", $subject, $message, $from);

Here is the line with the delimiter I added:

if (preg_match( '/http:/', $notes)) {

To make preg_match case insensitive, like eregi was, add the i

if (preg_match( '/http:/i', $notes)) {

I discovered the information was going to the Junk Email folder! I will make the changes. Thank you for helping a novice. Have a great day!!

You could probably improve on the validation. For example the Email validation:-

if(!filter_var($visitormail, FILTER_VALIDATE_EMAIL, FILTER_NULL_ON_FAILURE)) {
     // Message for Invalid Email Address
}

I am assuming I can enter this under my existing PHP code like this:

if(empty($visitor) || empty($visitormail) || empty($notes )) {
echo "<h2>Use Back - fill in all fields</h2>\n";
die ("Please Go Back"); 
}

if(!filter_var($visitormail, FILTER_VALIDATE_EMAIL, FILTER_NULL_ON_FAILURE)) {
     // Message for Invalid Email Address
}

I was thinking you could replace this bit:-

if(!$visitormail == "" && (!strstr($visitormail,"@") || !strstr($visitormail,".")))

with:-

if(!filter_var($visitormail, FILTER_VALIDATE_EMAIL, FILTER_NULL_ON_FAILURE))

to determine if the email address is a valid one.
There are filters to validate various types of data.
http://php.net/manual/en/filter.filters.validate.php


For even minimal security the email address shouldn’t be moved anywhere out of the $_POST until after that validation has been done. Otherwise you will not know if $visitormail has actually been validated or not when you see it elsewhere in the code.

Minimal safe version that doesn’t turn off some security features built into PHP:

if(!filter_var($_POST['visitormail'], FILTER_VALIDATE_EMAIL, FILTER_NULL_ON_FAILURE)) {
     // Message for Invalid Email Address
} 
$visitormail = $_POST['visitormail'];

You need similar for ALL $_POST fields or you negate one of PHP's most basic security features.


@felgall what filtering would you do on $notes which presumably could contain any printable character? I don’t see a filter value for that in the manual.

If it can contain any printable character then you need to filter out the unprintable characters.

Where a filter or function doesn’t exist for validating a field then you can use a regular expression instead. /[:print:]/

Where a field can literally contain any characters at all then there would be no reason for moving the field out of the $_POST as they can be referenced by that name just as easily - the purpose in copying to a new name is as a reminder that they have been validated or sanitized.

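The approach described in the two replies above, validating each field before it leaves $_POST and using a regular expression where no filter exists, as an added example that is not code from the thread. It assumes the field names of the script posted earlier; the POSIX class is written inside a bracket expression, `[[:print:]]`, and matches printable ASCII only.

```php
<?php
// Added example, not code from the thread: validate every form field before it
// leaves $_POST, so a plain variable name always means "already checked".
function validate_contact_form(array $post): array
{
    $errors = []; $clean = [];
    // Email: with FILTER_NULL_ON_FAILURE an invalid value becomes null, which
    // cannot be confused with a legitimately empty string.
    $email = filter_var($post['visitormail'] ?? '', FILTER_VALIDATE_EMAIL, FILTER_NULL_ON_FAILURE);
    if ($email === null) {
        $errors['visitormail'] = 'Please enter a valid e-mail address';
    } else {
        // A validated address contains no CR/LF, so it is safe in the From: header.
        $clean['visitormail'] = $email;
    }
    // Text fields: printable ASCII only (tab/newline also allowed in notes). The POSIX
    // class goes inside a bracket expression: [[:print:]], not [:print:]. \z is used
    // instead of $ because $ also matches before a trailing newline, and visitor
    // becomes the Subject header, so a newline there must be rejected.
    $rules = [
        'visitor'   => '/^[[:print:]]{1,100}\z/',
        'phone'     => '/^[0-9 ()+.-]{0,30}\z/',
        'cell'      => '/^[0-9 ()+.-]{0,30}\z/',
        'followup'  => '/^[[:print:]]{0,50}\z/',
        'marketing' => '/^[[:print:]]{0,50}\z/',
        'notes'     => '/^[[:print:]\t\r\n]{1,4000}\z/',
    ];
    foreach ($rules as $field => $pattern) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || !preg_match($pattern, $value)) {
            $errors[$field] = "Field '$field' is missing, too long or has unexpected characters";
        } else {
            $clean[$field] = $value;
        }
    }
    // The original script's rule, case-insensitive as eregi was.
    if (isset($clean['notes']) && preg_match('/http:/i', $clean['notes'])) {
        $errors['notes'] = 'Please tell us about your project rather than pasting a link';
        unset($clean['notes']);
    }
    return [$errors, $clean];
}

// Constructed submission: the "(" makes the address invalid; it is reported back
// to the visitor rather than silently stripped.
[$errors, $clean] = validate_contact_form([
    'visitor' => 'Jane', 'visitormail' => 'asdf(@example.com',
    'phone' => '555-0100', 'notes' => "New roof, two floors.\nCall mornings.",
]);
var_dump($errors);                      // only the visitormail entry
var_dump(isset($clean['visitormail'])); // bool(false)
```

Only keys present in $clean are used afterwards (for the Subject, the From: header and the message body); anything in $errors is shown to the visitor so they can correct it.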

True. I actually use the sanitize filter directly on the Email Post in my forms to make it safe, then pass it to the validate filter to check that it is an actual email address.

$visitormail = filter_var($_POST['visitormail'], FILTER_SANITIZE_EMAIL);

I think some have argued that there is no need to run both filters, because a “harmful” string would not pass validation, but I don’t see the harm in doing both. I like to sanitize everything that can be manipulated from the outside.

Once it has been sanitized it will always be valid because sanitizing removes anything invalid.

Can you explain. I may be misunderstanding how it works. Does sanitize validate the address as well? Can it be used in an if statement, like validate to return false for an invalid address?

I thought sanitize just filtered out unwanted characters, leaving valid ones in.

Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@..

But the resulting string may not be a valid address.
For example, someone types “foo” in the email form field. It passes the sanitize filter because those are valid characters.
But, that’s not an email address, I don’t want a script to try to send to it, because it will fail.
I don’t want to store it in a database as someone’s address, because it’s useless.
What I do want is for the script to tell the user they have not entered a valid address and to try again.
That same string that will pass the sanitize filter, will not pass the validate filter, because it does not resemble an email address. Or have I got it wrong? Or should I be using just validate?

Validating rejects the field if it contains invalid characters or doesn’t contain the characters in a meaningful order. Anything that passes validation would pass through sanitizing unchanged.

There is never a need to both validate and sanitize the same field.

You validate those inputs where the value is being entered by a visitor to your site and where they can be asked to correct the input if they enter it wrong.

You sanitize those inputs that are not entered by your visitor but where a visitor could potentially change the value in an attempt to compromise your script. If a sanitized value does not match the original then you know that the value has been tampered with and can terminate the script. This at least eliminates some of the attempts to attack your script by changing the data being passed to it.

Consider asdf(@example.com - this email address is invalid because of the ( in it, however if you sanitize it then the address becomes valid. If you then validate it the address will pass validation even though the original email address entered would fail validation. Instead of advising your visitor they entered an invalid email address you have removed the invalid character and then simply assumed that is the correct email address (where in this case it is more likely they intended to enter asdf9@example.com and simply held the shift key down by accident while trying to type the 9). So sanitizing and then validating has resulted in a valid but incorrect email address getting through.


Indeed. I had a quick play with this just to see for myself.

<?php
error_reporting(E_ALL);
ini_set('display_errors', 'true');

$test_arr = array(
            "test@gmail.com"
            , " untrimmed@hotmail.com "
            , " tabs@fake.com   "
            , "notarealemailaddress"
            , "mynumber5@facebook.net"
            , "Could+be@gmail.com"
            , "badinput(@yahoo.net"
            , "myblog@wordpress.org"
            , "my space@myspace.com"
           );
            
function test_if_valid($input) {
    $valid = ( filter_var($input, FILTER_VALIDATE_EMAIL) ) ? "valid" : "<span class='not'>invalid</span>";
    return $valid;
}

function get_sanitized($input) {
    $sanitized = filter_var($input, FILTER_SANITIZE_EMAIL);
    return $sanitized;
}

$test_results = "";
foreach ($test_arr as $test_val) {
$test_results .= "<tr>";
$test_results .= "<td><span>" . $test_val . "</span></td>";
$test_results .= "<td>" . test_if_valid($test_val) . "</td>";
$test_results .= "<td><span>" . get_sanitized($test_val) . "</span></td>";
$test_results .= "<td>" . test_if_valid(get_sanitized($test_val)) . "</td>";
$test_results .= "</tr>";
}
?>
<!DOCTYPE HTML>
<html lang="en">
<head>
<title>Validation - Sanitization (email addresses)</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<style type="text/css">
td {
  padding: 0 1em;
}
span {
  white-space: pre;
  outline: 1px solid #666;
}
.not {
  color: #F00;
  outline: none;
}
</style>
<script>
// script needed before the DOM is loaded here
</script>
</head>
<body>
<h1>Validation - Sanitization (email addresses)</h1>
<table>
  <thead>
    <tr>
      <th>Raw</th>
      <th>Valid?</th>
      <th>Sanitized</th>
      <th>Sanitized Valid?</th>
    </tr>
  </thead>
  <tbody>
  <?php echo $test_results; ?>
  </tbody>
</table>   
<script>
// script that needs the DOM to be loaded here
</script>
</body>
</html>

Raw (quoted to show whitespace)   Valid?    Sanitized                Sanitized Valid?
"test@gmail.com"                  valid     test@gmail.com           valid
" untrimmed@hotmail.com "         invalid   untrimmed@hotmail.com    valid
" tabs@fake.com   "               invalid   tabs@fake.com            valid
"notarealemailaddress"            invalid   notarealemailaddress     invalid
"mynumber5@facebook.net"          valid     mynumber5@facebook.net   valid
"Could+be@gmail.com"              valid     Could+be@gmail.com       valid
"extra.dots@g.mail.com"           valid     extra.dots@g.mail.com    valid
"badinput(@yahoo.net"             invalid   badinput@yahoo.net       valid
"myblog@wordpress.org"            valid     myblog@wordpress.org     valid
"my space@myspace.com"            invalid   myspace@myspace.com      valid