[Phpwm] Securing feedback forms

Phil Beynon phil at infolinkelectronics.co.uk
Wed Nov 1 20:37:53 GMT 2006


> > only from the beginning or end of the string though, not anywhere within
> > it.
> >
>
> Sigh. That'll teach me to read things properly in future...
>
> Thanks for all the suggestions. I'm now doing the following to user input:
> * checking the string length is not greater than the maxlength of the text box
> * checking for \n and \r control characters
> * doing addslashes, trim and strip_tags (to stop me receiving garbage, rather
>   than to increase security)
> * checking for multiple occurrences of '@' in the provided from address
>
> Hopefully that should keep the spammers away for a while, unless anyone can
> think of something I've missed. I remember the days when you could just stick
> your e-mail address in a mailto: link on your website without fear...
>
> Cheers,
> David.
>

David,
Just do this:

// eregi() was removed in PHP 7; preg_match() with the /i modifier is the equivalent.
if (!preg_match('/^([a-z0-9_]|\-|\.)+@(([a-z0-9_]|\-)+\.)+[a-z]{2,4}$/i', $emaila)) {
    error_alert("Invalid email address");
}

// $msg is echoed straight into a <script> block: pass it fixed strings only, never request data.
function error_alert($msg) {
    global $flag; $flag = 1;
    echo "<script>alert(\"Error: $msg\");history.go(-1)</script>";
}

Where $emaila is the incoming email address. $flag is used to control the
send based upon a successful series of tests, like required fields are
filled etc.

This will strip out anything like a \n, \r, additional @ signs, etc.
If you want to play with it on a live site then go to
http://www.ralphsutcliffeminerals.co.uk/notify.php and have a play and watch
it kick you back; you won't get signed up for the newsletter as it's not a
100% live site yet - will be a few days though! :-)

Regular expressions are your friends and a very, very powerful tool; learn to
use them!
One good regular expression can replace a heap of individual statements when
correctly done and is way more efficient.

Phil
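The thread's concern is a from address that smuggles extra headers into mail(). As an added example, not code from either poster, here is a check that combines the points raised above (length cap, CR/LF rejection, single '@') with PHP's built-in FILTER_VALIDATE_EMAIL, run over constructed inputs. The helper names, the maxlength of 64 and the example addresses are assumptions.

```php
<?php
// Added example, not from the original post. Rejects From addresses that
// could inject extra mail headers, then shows the check on constructed input.

// Hypothetical helper: true only for one syntactically valid address with
// no header-breaking characters.
function is_safe_from_address(string $addr): bool
{
    // Length cap mirroring the form field's maxlength (assumed to be 64).
    if ($addr === '' || strlen($addr) > 64) {
        return false;
    }
    // CR, LF and NUL are exactly what a header-injection payload needs, so
    // refuse them before anything else looks at the string.
    if (preg_match('/[\r\n\0]/', $addr)) {
        return false;
    }
    // Exactly one '@': an address list in the From line is not wanted here.
    if (substr_count($addr, '@') !== 1) {
        return false;
    }
    // PHP's own syntax check (FILTER_VALIDATE_EMAIL, PHP 5.2 and later).
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Hypothetical helper: builds the header block for mail() only after the
// address has passed, returning null otherwise so the caller cannot send.
function build_feedback_headers(string $from): ?string
{
    if (!is_safe_from_address($from)) {
        return null;
    }
    return "From: $from\r\nReply-To: $from\r\n";
}

// Constructed sample inputs; the last three are the spammer cases the
// thread is worried about.
$samples = [
    'david@example.co.uk'                              => 'plain address',
    'phil.beynon@example.com'                          => 'plain address',
    "victim@example.com\r\nBcc: spam@example.net"      => 'CRLF + injected Bcc',
    "victim@example.com\nSubject: cheap pills"         => 'bare LF, single @',
    'a@b@example.com'                                  => 'extra @',
];

foreach ($samples as $addr => $label) {
    $verdict = build_feedback_headers($addr) === null ? 'rejected' : 'accepted';
    printf("%-22s %s  %s\n", $label, $verdict, json_encode($addr));
}
```

Expected behaviour: the two plain addresses are accepted and the three injection attempts are rejected. The point of returning null from the header builder is that the From line can never reach mail() unless the validation ran and passed.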




