I am currently using PHP 4, but I could move to 5 if need be.
I got the following code from a friend and thought it was working, but then I started to get spammers like crazy. Can someone look it over and tell me what I need to do to get it to work for me? {I think the problem might be the $element_value: I don't set $element_value and I don't use it later in my script, so maybe it's a lost var. I have removed code that didn't apply for the sake of shortening.}
// Note: these are raw copies taken before any cleaning below; the trimming and strip_tags() later only touch $form_input, not these variables.
$Comment = $_POST['Comment'];
$Phone = $_POST['Phone'];
$Email = $_POST['Email'];
$FirstName = $_POST['FirstName'];
$LastName = $_POST['LastName'];
$Street1 = $_POST['Street1'];
$Street2 = $_POST['Street2'];
$City = $_POST['City'];
$State = $_POST['State'];
$Zip = $_POST['Zip'];
$Country = $_POST['Country'];
$errors = array();
if($_SERVER['REQUEST_METHOD'] == "POST"){$form_input = $_POST;}elseif($_SERVER['REQUEST_METHOD'] == "GET"){$form_input = $_GET;}else{exit;}
// Remove leading whitespace from all values.
function recursive_array_check(&$element_value)
{
if(!is_array($element_value)){$element_value = ltrim($element_value);}
else
{
foreach($element_value as $key => $value){$element_value[$key] = recursive_array_check($value);}
}
return $element_value;
}
recursive_array_check($form_input);
// Check referrer is from same site. (The Referer header is client-supplied and may be absent, so this is only a weak spam check.)
if(!(isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER']) && stristr($_SERVER['HTTP_REFERER'],$_SERVER['HTTP_HOST']))){$errors[] = "You must enable referrer logging to use the form";}
// Strip HTML tags from all fields. {this isn't working for sure!}
function recursive_array_check2(&$element_value)
{
if(!is_array($element_value)){$element_value = strip_tags($element_value);}
else {
foreach($element_value as $key => $value){$element_value[$key] = recursive_array_check2($value);}
}
return $element_value;
}
recursive_array_check2($form_input);
// Validate FirstName field.
if(isset($form_input['FirstName']) && !empty($form_input['FirstName']))
{
if(preg_match("`[\r\n]`",$form_input['FirstName'])){$errors[] = "You have submitted an invalid new line character";}
if(preg_match("/[^a-z' -]/i",stripslashes($form_input['FirstName']))){$errors[] = "You have submitted an invalid character in the first name field";}
}
// Validate LastName field.
if(isset($form_input['LastName']) && !empty($form_input['LastName']))
{
if(preg_match("`[\r\n]`",$form_input['LastName'])){$errors[] = "You have submitted an invalid new line character";}
if(preg_match("/[^a-z' -]/i",stripslashes($form_input['LastName']))){$errors[] = "You have submitted an invalid character in the last name field";}
}
// Validate Phone field.
if(isset($form_input['Phone']) && !empty($form_input['Phone']))
{
if(preg_match("`[\r\n]`",$form_input['Phone'])){$errors[] = "You have submitted an invalid new line character";}
// if(preg_match("/[^a-z' -]/i",stripslashes($form_input['FirstName']))){$errors[] = "You have submitted an invalid character in the phone field";}
}
// Validate Street1 field.
if(isset($form_input['Street1']) && !empty($form_input['Street1']))
{
if(preg_match("`[\r\n]`",$form_input['Street1'])){$errors[] = "You have submitted an invalid new line character";}
}
// Validate Street2 field.
if(isset($form_input['Street2']) && !empty($form_input['Street2']))
{
if(preg_match("`[\r\n]`",$form_input['Street2'])){$errors[] = "You have submitted an invalid new line character";}
}
// Validate City field.
if(isset($form_input['City']) && !empty($form_input['City']))
{
if(preg_match("`[\r\n]`",$form_input['City'])){$errors[] = "You have submitted an invalid new line character";}
}
// Validate email field.
if(isset($form_input['Email']) && !empty($form_input['Email']))
{
if(preg_match("`[\r\n,]`",$form_input['Email'])){$errors[] = "You have submitted invalid characters in your email";}
if(!preg_match('/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-z]{2,4}$/i',$form_input['Email'])){$errors[] = "Email address is invalid";}
}
// Validate comment field.
if(isset($form_input['Comment']) && !empty($form_input['Comment']))
{
// Reject tags, link-like words and the characters typically used to build links.
if(preg_match('/<[^<>]+>|url|www|href|[=\/+]/i',$form_input['Comment'])){$errors[] = "Your Comment entry contains invalid characters";}
}
// Display any errors and exit if errors exist.
if(count($errors))
{
foreach($errors as $value){print "$value<br>";}
exit;
}
// Build message.
// $OutString, $type, $ID and $office_email are set in the code omitted from this post.
$message = $OutString;
$message = stripslashes($message);
$subject = $type . " " . $ID;
// The submitter's address is placed in three headers here; it is only safe because the Email checks above reject CR/LF.
$headers = "From: " . $form_input['Email'] . "\n" . "Return-Path: " . $form_input['Email'] . "\n" . "Reply-To: " . $form_input['Email'] . "\n";
mail($office_email,$subject,$message,$headers);
Can someone tell me, in a simple way, why it doesn't take out HTML tags? Or stop injecting of headers?
This doesn't throw errors, but it isn't working either - help!
Thank you,
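An added example (not the poster's code) showing a hardened version of the same validation and mail steps: it cleans a copy of the submitted input rather than the raw $_POST variables, rejects any CR/LF in header-bound fields instead of repairing them, requires a valid Email, and keeps the submitter's address out of From:. It assumes the form field names used above, a configured $office_email, and PHP 4/5 (get_magic_quotes_gpc() is gone in PHP 8).

```php
<?php
// Assumed to be configured elsewhere, as in the original script.
$office_email = 'office@example.com'; // placeholder address

function clean_field($value)
{
    // Recursively trim and strip tags from the cleaned copy, never from raw $_POST.
    if (is_array($value)) {
        foreach ($value as $k => $v) { $value[$k] = clean_field($v); }
        return $value;
    }
    if (get_magic_quotes_gpc()) { $value = stripslashes($value); } // PHP 4/5 only
    return trim(strip_tags($value));
}

function validate_form($input)
{
    $errors = array();
    $input = clean_field($input);
    // Any CR/LF in a field that reaches a mail header is a header-injection attempt: reject it.
    foreach (array('Email', 'FirstName', 'LastName') as $f) {
        if (isset($input[$f]) && preg_match('/[\r\n]/', $input[$f])) {
            $errors[] = "Invalid line break in $f";
        }
    }
    // Email is required (the original skipped all checks when it was empty).
    // The D modifier stops $ from matching before a trailing newline.
    if (empty($input['Email']) || !preg_match('/^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$/iD', $input['Email'])) {
        $errors[] = "Email address is invalid";
    }
    // strip_tags() removes markup but not link text, so links are checked separately.
    if (isset($input['Comment']) && preg_match('/<[^<>]+>|https?:|www\.|href/i', $input['Comment'])) {
        $errors[] = "Comment contains links or markup";
    }
    return array($input, $errors);
}

function build_headers($input, $office_email)
{
    // From: is our own address; the validated submitter address goes only in Reply-To.
    return "From: " . $office_email . "\r\n" . "Reply-To: " . $input['Email'] . "\r\n";
}

list($clean, $errors) = validate_form($_POST);
if (count($errors)) {
    foreach ($errors as $e) { echo htmlspecialchars($e), "<br>"; } // escape before echoing back
    exit;
}
$message = "Name: {$clean['FirstName']} {$clean['LastName']}\nComment: {$clean['Comment']}\n";
mail($office_email, "Contact form", $message, build_headers($clean, $office_email));
```

If your MTA mangles "\r\n" in headers, switch build_headers() to "\n"; the injection defence is the CR/LF rejection in validate_form(), not the separator.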