I am currently writing an email form with PHP, and this is the first time I have attempted to write all the security necessary to keep it from being used for unintended purposes.
Currently, I am having an issue with trying to verify whether or not a value is in an array called $tokens using the in_array command.
I have verified that the string $_POST['token'] is in the array, but it always drops down and executes the statements under else instead of sending out the email.
I am not sure what I am missing…
Here is the code:
<?php
$tokens = file('./tokens.txt');
if (in_array($_POST['token'], $tokens))
{
    $name = $_POST['name'];
    if (!preg_match("/^[a-zA-Z]+(\s+)?$/", $name)) // verify $name contains only letters and spaces
    {
        echo htmlspecialchars('Name field is invalid, letters and spaces only please correct and re-submit.');
        exit();
    }
    $email = $_POST['email'];
    if (!preg_match('/^[^@]+@[a-zA-Z0-9._-]+\.[a-zA-Z]+$/', $email)) // verifies that $email syntax is correct
    {
        echo htmlspecialchars('Email field is invalid, please correct and re-submit.');
        exit();
    }
    $reason = $_POST['reason'];
    if (!preg_match("/[A-Z|a-z]/", $reason)) // verifies that $reason contains only letters
    {
        echo htmlspecialchars('Reason field is invalid, letters only please correct and re-submit.');
        exit();
    }
    $comment = $_POST['comment'];
    $comment = strip_tags($comment); // strips out all html tags (second argument is an allowed-tags list, not ENT_QUOTES)
    $comment = wordwrap($comment, 70, "\r\n"); // wraps text to new line after seventy characters
    $headers = "Reply-To: $email" . "\r\n" . "Reason: $reason" . "\r\n" . "$comment"; // defines headers to be passed to browser
    mail("name@doamain.com", "A Message has been received", "$headers"); // sends out the email
}
else // executed if $_POST['token'] is not in the array $tokens
{
    echo htmlspecialchars("Invalid Submission Method", ENT_QUOTES, 'utf-8');
}
?>
and here is the form code if needed:
<?php
$token = md5(time());
$fp = fopen('./tokens.txt', 'a');
fwrite($fp, "$token\n");
fclose($fp);
?>
All fields are required<BR/>
<form action="secure.php" method="post">
<input type="hidden" name="token" id="token" value="<?php echo $token; ?>" />
<TABLE>
<TR>
<TD><label for="name">Name:</label></TD><TD></TD>
<TD><input type="text" name="name" id="name" /><br/><br/></TD>
</TR>
<TR>
<TD><label for="email">Email Address:</label></TD><TD></TD>
<TD><input type="text" name="email" id="email" /><br/><br/></TD>
</TR>
<TR>
<TD><label for="reason">Reason for Contact:</label></TD><TD></TD>
<TD><select name="reason" id="reason" size="1">
<option value="Default">Please Choose</option>
<option value="comment">Comment</option>
<option value="Prayer Request">Prayer Request</option>
<option value="question">Question</option>
<option value="other">Other</option>
</select><br/><br/>
</TD>
</TR>
<TR>
<TD> <label for="comment">Enter Message Below:</label></TD><TD></TD><TD></TD>
</TR>
</TABLE>
<TABLE>
<TR>
<TD><textarea cols="50" rows="4" name="comment" id="comment"></textarea></TD><TD></TD>
</TR>
<TR>
<TD><input type="submit" value="Send" id="submit"/></TD>
</TR>
</TABLE>
</form>
Thanks in advance for any help.
Plus, if anyone notices any security issues that I have missed that would be worthwhile to address, that is appreciated as well.
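A hardened version of the submission handler, added here as an example and not part of the question or of any answer: it reads tokens.txt without the trailing newline that file() keeps on every line (which is why the in_array() comparison above never matches), compares tokens strictly, consumes each token once, and validates the Reply-To value so it cannot carry line endings. The function names and name@example.com are my own assumptions.

```php
<?php
// Added example, not the asker's code: hardened token check and mail assembly
// for the form above. Assumes the same tokens.txt and $_POST field names.
// file() keeps the trailing "\n" on each line, so "abc" never equals "abc\n"
// and in_array() fails every time. FILE_IGNORE_NEW_LINES strips it.
function loadTokens(string $path): array {
    $lines = @file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return $lines === false ? [] : $lines;
}
// Strict comparison; also rejects a token[] array smuggled into $_POST.
function tokenIsValid($submitted, array $tokens): bool {
    if (!is_string($submitted)) {
        return false;
    }
    foreach ($tokens as $t) {
        if (hash_equals($t, $submitted)) {
            return true;
        }
    }
    return false;
}

// Remove the token after use so one form load yields one submission.
function consumeToken(string $path, string $used): void {
    $keep = array_filter(loadTokens($path), fn($t) => $t !== $used);
    file_put_contents($path, implode("\n", $keep) . "\n", LOCK_EX);
}

// A value placed in a mail header must be free of CR/LF, or extra headers
// could be injected; filter_var also enforces proper address syntax.
function validEmail(string $email): ?string {
    $ok = filter_var($email, FILTER_VALIDATE_EMAIL);
    return ($ok !== false && !preg_match('/[\r\n]/', $email)) ? $ok : null;
}

$tokens = loadTokens('./tokens.txt');
if (!tokenIsValid($_POST['token'] ?? null, $tokens)) {
    exit('Invalid Submission Method');
}
consumeToken('./tokens.txt', $_POST['token']);
$email = validEmail((string) ($_POST['email'] ?? ''));
if ($email === null) {
    exit('Email field is invalid, please correct and re-submit.');
}
// Reply-To is the only header; reason and comment go in the message body.
$headers = "Reply-To: $email\r\n";
$body = 'Reason: ' . ($_POST['reason'] ?? '') . "\r\n\r\n"
      . wordwrap(strip_tags((string) ($_POST['comment'] ?? '')), 70, "\r\n");
mail('name@example.com', 'A Message has been received', $body, $headers);
```

The form side is assumed unchanged except that the token should come from bin2hex(random_bytes(16)) rather than md5(time()), which is predictable to anyone who knows roughly when the page was loaded.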