Problems with validation and PHP

I am hoping that someone can please help me with this PHP script; I am so lost right now. It sends the email perfectly, although the validation doesn't work. This script is also not stripping HTML tags from the email when sent. This makes me worry that my sanitizeString function is not working properly and that I am open to XSS. My user group will not have Java support, hence I'm trying to use PHP. With that said, I'm new to PHP and have been all over trying to find a solution that will do what I need below. If you need anything else, please let me know.

Here is the PHP Code:

    <?php

    //Strip Tags and white Space from all input with this function
    function sanitizeString($value){
        $value = strip_tags($value);
        $value = trim($value);
        $value = escapeshellcmd($value);
        $value = htmlentities($value);

        return $value;
    }

    // error flags checked before mail() is called
    $email_error = false;
    $message_error = false;

    $send = isset($_POST['send']) ? $_POST['send'] : 0;

    //Email validation
    if (filter_var($from, FILTER_VALIDATE_EMAIL)) {
        $email_error = true;
        $error_message[] = "Please use a valid email format: name@domain.com";
    }

    if($send == 1){$email_sent = true; $step_1 = "complete";}
    else{$email_sent = false; $step_1 = "complete";}

    if($email_sent === true) {

        $from = sanitizeString($_POST['from']);
        $to = sanitizeString($_POST['to']);
        $name = sanitizeString($_POST['name']);
        $title = sanitizeString($_POST['title']);
        $company = sanitizeString($_POST['company']);
        $phone = sanitizeString($_POST['phone']);
        $subject = sanitizeString($_POST['subject']);
        $message = sanitizeString($_POST['message']);

        // define variables and initialize with empty values
        $nameErr = $addressErr = $emailErr = $messageErr = $phoneErr = "";
        $name = $address = $email = $message = $phone = "";

        if ($_SERVER["REQUEST_METHOD"] == "POST") {
            if (empty($_POST["name"])) {
                $nameErr = "Please enter your name.";
            }
            else {
                $name = $_POST["name"];
            }

            if (empty($_POST["email"])) {
                $emailErr = "Please enter your email.";
            }
            else {
                $email = $_POST["email"];
            }

            if (empty($_POST["phone"])) {
                $phoneErr = "Please enter a phone number.";
            }
            else {
                $phone = $_POST["phone"];
            }

            if (empty($_POST["message"]))  {
                $messageErr = "Cannot leave message box blank.";
            }
            else {
                $message = $_POST["message"];
            }
        }

        //select the correct to address - This hides my email addresses from the source and allows me to add different addressees when needed. Would love a better solution if you have one...
        switch ($to) {
            case "1":
                $to = "Contact1@example.com";
                break;
            case "2":
                $to = "Contact2@example.com";
                break;
            default:
                $to = "Contact1@example.com";
                break;
        }

        if($message_error !== true && $email_error !== true){
            // header lines are separated by CRLF
            $email_headers = "From: " . $from . "\r\n" .
                             "MIME-Version: 1.0\r\n" .
                             "Content-type: text/html; charset=iso-8859-1";

            $message_send = "<h3>".$name."<br>".$title."<br>".$company."<br>".$phone."<br>".$from."</h3><hr><h4>".$subject."</h4>".$message;

            if (mail($to, $subject, $message_send, $email_headers)) {$error_message = "Thank you, your email is on the way!";}
            else {$error_message = "There seems to be a problem!";}
        }

    }

    ?>

For simplicity, and given the fact that I don't need HTML support (which I seem to get with every post asking for PHP help), here are my input fields. Yes, before you comment on the input fields: I use CSS and I will be placing them in the right area of the page. :) Not trying to be rude, just trying to prevent suggestions outside of the topic stated above.

    <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="post">
    <input name="name" placeholder="Name*" type="text" class="text"/><span class="error"><?php echo $nameErr;?></span>
    <input type="text" placeholder="Title" name="title" size="50"/>
    <input type="text" placeholder="Company" name="company" size="50" />
    <input name="phone" placeholder="Phone*" type="tel" size="10" maxlength="10" value="<?php echo htmlspecialchars($phone);?>"/><span class="error"><?php echo $phoneErr;?></span>
    <input name="from" placeholder="Email*" type="email" class="text" value="<?php echo htmlspecialchars($email);?>"><span class="error"><?php echo $emailErr;?></span>
    <select name="to" size="1">
        <option value="1">Contact1</option>
        <option value="2">Contact2</option>
    </select>
    <input type="text" name="subject" placeholder="Subject" size="50" />
    <textarea cols="50" rows="4" name="message" placeholder="Type your message here."></textarea>
    <input type="hidden" name="send" value="1" /><input type="submit" value="Send" name="email_1" />
    </form>

1. You have

        if (filter_var($from, FILTER_VALIDATE_EMAIL))

   but $from has not yet been defined. That's why the validation does nothing.

2. Your sanitizeString function does indeed strip the HTML tags, but look at what is happening. You have

        $message = sanitizeString($_POST['message']);

   then four lines down you set $message to be empty. Later on you have

        $message = $_POST["message"];

   So you end up with an unclean version.

Also, as somewhat of a side note, sanitizeString() isn't really what you want for everything. For example, you don't want to htmlentities() the to address when sending an email.
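The two ordering problems above disappear if the submitted array is validated before anything is assigned from it. The following is an added example, not code from the thread: it checks the same required fields and reuses the same messages as the question, validates the address with filter_var() on the posted value (testing for === false, since the original if-statement sets the error when the address is valid rather than when it is invalid), and replaces the switch on $to with a lookup table keyed by the option value, which is the kind of alternative the question asked for. REQUIRED_FIELDS, RECIPIENTS and validateContactForm() are names chosen for this example.

```php
<?php
// Added example: validate the raw POST values first, and only then work
// with them. Field names match the form in the question; the recipient
// table is an assumption standing in for the original switch statement.

const REQUIRED_FIELDS = [
    'name'    => 'Please enter your name.',
    'from'    => 'Please enter your email.',
    'phone'   => 'Please enter a phone number.',
    'message' => 'Cannot leave message box blank.',
];

// Keyed by the <option value="..."> the browser sends, so the real
// addresses never appear in the HTML and an unknown key is rejected.
const RECIPIENTS = [
    '1' => 'Contact1@example.com',
    '2' => 'Contact2@example.com',
];

/**
 * Returns field => error message for every failed check. An empty array
 * means the submission is acceptable. Works on the submitted array, not
 * on variables that may or may not have been assigned yet.
 */
function validateContactForm(array $post): array
{
    $errors = [];

    foreach (REQUIRED_FIELDS as $field => $message) {
        // is_string() rejects name[]=... submissions; trim() stops a run of
        // spaces from counting as "something in there".
        if (!isset($post[$field]) || !is_string($post[$field])
            || trim($post[$field]) === '') {
            $errors[$field] = $message;
        }
    }

    // Only check the address format if the field passed the required check.
    // filter_var() returns false on a bad address, so the test is === false.
    if (!isset($errors['from'])
        && filter_var(trim($post['from']), FILTER_VALIDATE_EMAIL) === false) {
        $errors['from'] = 'Please use a valid email format: name@domain.com';
    }

    if (!isset($post['to']) || !is_string($post['to'])
        || !array_key_exists($post['to'], RECIPIENTS)) {
        $errors['to'] = 'Please choose a recipient.';
    }

    return $errors;
}

// Usage in the page: run the checks once, on POST, before anything is sent.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateContactForm($_POST);

    if ($errors === []) {
        $to = RECIPIENTS[$_POST['to']];
        // ... build and mail() the message here from the validated values
    }
    // Otherwise redisplay the form and echo each $errors['name'] etc. next
    // to its field, passed through htmlspecialchars().
}
```

Nothing in validateContactForm() modifies the input; it only reports. That keeps the decision "is this submission acceptable" separate from the later question of how each value has to be encoded for the mail or the page.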

A little confused by what you mean on number 1? New to PHP... I made some changes, but the email is the only thing that validates. Everything else goes through with or without entries. How would you validate the input fields? I don't really care what they put in the fields; I just want something in there before the form sends it out. I've used examples from this forum and other forums, and I've even used my PHP books trying to figure this out... which all led me to where I am now. Do you know how many different ways people do things in PHP? Sorry, a little frustrated...

As for removing the HTML tags, I had some help with that and it is now fixed; I can no longer send HTML tags in my form. YEAH! That was the most important thing I needed.

You have

    filter_var($from, FILTER_VALIDATE_EMAIL)

where $from is a variable, but what is the value of $from? Nothing. It hasn't been set by that point. You probably want

    filter_var($_POST['from'], FILTER_VALIDATE_EMAIL)

htmlentities is an output escaping function specific to HTML output. It shouldn't be included in a sanitize function as it has nothing to do with sanitizing.
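On that last point, here is an added example (not code from the thread) of keeping escaping out of a generic sanitize step and doing it once, at the point where each value is used. htmlspecialchars() is applied only where a value is echoed into the page; a value going into a mail header is refused if it contains a line break, because a CR or LF there ends the header and lets the sender append headers of their own (an extra Bcc:, for instance); and the body is sent as text/plain, so any tags typed into the form are displayed literally rather than rendered, which is what the question wanted. The functions e(), headerValue() and buildMail(), and the SITE_SENDER address, are assumptions of this example; the field names follow the form in the question.

```php
<?php
// Added example: encode each value once, for the context it is going into.
// Field names (name, title, company, phone, from, subject, message) follow
// the form in the question. SITE_SENDER is an assumed address; a real site
// would use a mailbox on its own domain.

const SITE_SENDER = 'contact-form@example.com';

// HTML context: for echoing a value into the page, e.g. the value="..."
// attributes and the <span class="error"> messages.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Mail-header context: a CR or LF inside a header value terminates that
// header and starts a new one. Refuse such values rather than clean them.
function headerValue(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('Line break in mail header value');
    }
    return $value;
}

// Build the four arguments mail() takes from already-validated form values.
// $to comes from the server-side recipient table, never from the browser.
function buildMail(array $fields, string $to): array
{
    // FILTER_VALIDATE_EMAIL rejects anything containing whitespace or line
    // breaks, so a passing address can be placed in a header as-is.
    $visitor = filter_var($fields['from'], FILTER_VALIDATE_EMAIL);
    if ($visitor === false) {
        throw new InvalidArgumentException('Invalid visitor address');
    }

    // From: stays on our own domain; the visitor goes in Reply-To:.
    $headers = [
        'From: ' . SITE_SENDER,
        'Reply-To: ' . $visitor,
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
    ];

    // Mail-body context, text/plain: nothing is rendered, so nothing needs
    // escaping. Tags typed into the form arrive as literal text.
    // title and company are optional fields, hence the ?? ''.
    $body = implode("\n", [
        'Name:    ' . $fields['name'],
        'Title:   ' . ($fields['title'] ?? ''),
        'Company: ' . ($fields['company'] ?? ''),
        'Phone:   ' . $fields['phone'],
        'Email:   ' . $visitor,
        '',
        $fields['message'],
    ]);

    return [
        'to'      => $to,
        'subject' => headerValue($fields['subject'] ?? 'Contact form'),
        'body'    => $body,
        'headers' => implode("\r\n", $headers),
    ];
}

// Usage, after validation has passed:
//   $m = buildMail($fields, $to);
//   mail($m['to'], $m['subject'], $m['body'], $m['headers']);
```

When redisplaying the form, each value is printed as `value="<?php echo e($name); ?>"`; that is the only place htmlspecialchars() belongs. Putting the visitor's address in Reply-To: instead of From: is deliberate: mail claiming to be From: a domain the sending server is not authorised for is commonly rejected by SPF and DMARC checks at the receiving end, and the site's own address in From: avoids that while still letting the recipient hit reply.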