Reply to Re: designer and noob with an "empty expression" question

Posted by J.O. Aho on 04/30/07 04:34

uncleclinto wrote:
> Hey all,
>
> I'm a designer, not a developer, but I'm trying to learn. Anyway, I'm
> trying to get a contact form working, but apparently I have some empty
> expressions here. Of course, I don't know what the heck to put in them.
> Here's the lines in question. Any ideas other than "stick with design" and
> some choice expletives?
>
> $_POST['email'] = preg_replace("\r", "", $_POST['email']);
> $_POST['email'] = preg_replace("\n", "", $_POST['email']);

http://www.php.net/manual/en/function.preg-replace.php

Those two lines can be replaced with

$_POST['email'] = ereg_replace("[\r\n]", "", $_POST['email']);


What they do is remove new-line (\n) and carriage-return (\r) characters; a
text input doesn't insert any new lines or carriage returns. With e-mail forms
you usually have trouble with the from-address, as it's really a mail header
and you can inject new rules for the mail, such as extra cc: or bcc:, which
spammers usually try to take advantage of.

I wouldn't store a new value in $_POST, but put it in a new variable:

$email = ereg_replace("[\r\n]", "", $_POST['email']);
if($email == $_POST['email']) {
    mail(...);
} else {
    //if $email isn't the same as $_POST['email'] then we did
    //remove header injections and the feedback post is a
    //spam, no point in sending it.
}


--

//Aho
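
The check described in the post above, as an added example that is not part of the original reply: it uses preg_replace with a delimited pattern ('/[\r\n]/'; the undelimited "\r" in the question is what triggers the empty-expression warning, and ereg_replace was removed in PHP 7) and rejects any address that stripping would change. The function name clean_from_address, the sample inputs and the extra filter_var check are assumptions added for illustration.

```php
<?php
// Added example: clean_from_address() and $samples are hypothetical names.

/**
 * Returns the address if it is safe to place in a From: header, or null.
 */
function clean_from_address(string $raw): ?string
{
    // preg_* patterns need delimiters: '/[\r\n]/', not "\r".
    $stripped = preg_replace('/[\r\n]/', '', $raw);

    // Same comparison as in the post: if stripping changed the value,
    // the field carried a line break and is treated as header injection.
    if ($stripped !== $raw) {
        return null;
    }

    // Extra check (assumption, not in the post): must be a well-formed address.
    $valid = filter_var($stripped, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed sample inputs.
$samples = [
    'alice@example.com',
    "alice@example.com\r\nBcc: list@example.net",
    "alice@example.com\n",
    'not an address',
];

foreach ($samples as $raw) {
    $from = clean_from_address($raw);
    if ($from === null) {
        // Do not call mail(); show the rejected value with control
        // characters escaped so it can be logged safely.
        echo 'rejected: ', json_encode($raw), PHP_EOL;
        continue;
    }
    $headers = 'From: ' . $from;
    echo 'accepted: ', $headers, PHP_EOL;
    // mail($to, $subject, $body, $headers) would go here.
}
```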
