[RESOLVED] Complex email validation script

Liz_SA

Hi there, I need to create a php form validation that will do the following.
1. Restrict users with public email address such as hotmail or gmail.
2. Check a mysql database for exceptions to the rule (Certain people that have approval to use hotmail or gmail)
3. If the email address is accepted then send an autorespond email.

My boss does not want to supply me with his client contact database so this is the only other way I can think to do this.

If you know any scripts or suggestions to do this It will be very helpful.

Thanks

devinemke

use [man]strpos[/man] to check for strings such as "@gmail.com" and "@.com"
query your mysql db for the email to see if it is one of the exceptions.
if the email is allowed use [man]mail[/man] to send the autoresponse

Liz_SA

Hi thanks for that... at least now I have a start...
I have

$mystring = $_POST['emailcheck'];
$findme   = '@gmail.com';
$pos = strpos($mystring, $findme);

// Note our use of ===.  Simply == would not work as expected
// because the position of 'a' was the 0th (first) character.
if ($pos === false) {
    echo "The string '$findme' was not found in the string '$mystring'";
} else {
    echo "The string '$findme' was found in the string '$mystring'";
    echo " and exists at position $pos";
}

This will check for the gmail account and works.

Now would I replace

echo "The string '$findme' was found in the string '$mystring'";
    echo " and exists at position $pos";

with my query to the database?

Liz_SA

I may have this totally wrong... please bear with me

$mystring = $_POST['emailcheck'];

$host="localhost"; // Host name
$username="user"; // Mysql username
$password="pass"; // Mysql password
$db_name="test"; // Database name
$tbl_name="clients"; // Table name 

$sql="SELECT * FROM $tbl_name WHERE emailcheck='$mystring'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);

$findme   = '@gmail.com';
$pos = strpos($mystring, $findme);

// Note our use of ===.  Simply == would not work as expected
// because the position of 'a' was the 0th (first) character.
if ($pos === false) {
    header("location:automate.php");
} else if($count==1){
header("location:automate.php");
}

It finds the gmail address... but when I try find the exceptions. I get a blank screen... don't know where my error is.

If I put a normal address in it works fine.

Liz_SA

Cracked it... My automate.php page is my autoresponder

$mystring = $_POST['emailcheck'];

$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name="test"; // Database name 

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

$sql="SELECT * FROM clients WHERE emailcheck='$mystring'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1){
include 'automate.php';
}
$findme   = '@gmail.com';
$pos = strpos($mystring, $findme);

// Note our use of ===.  Simply == would not work as expected
// because the position of 'a' was the 0th (first) character.
if ($pos === false) {
    include 'automate.php';
}

Liz_SA

My script below works but can someone help me to add more than one value in my strpos function? I currently only have gmail there and when I add hotmail it doesn't work?

$mystring = $_POST['emailcheck'];

$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name="test"; // Database name

mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$sql="SELECT * FROM clients WHERE emailcheck='$mystring'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1){
include 'automate.php';
}
$findme   = '@gmail.com';
$pos = strpos($mystring, $findme);

// Note our use of ===.  Simply == would not work as expected
// because the position of 'a' was the 0th (first) character.
if ($pos === false) {
    include 'automate.php';
}

bradgrafelman

If you have multiple domains to check for, it might be easier to use a regexp match:

if(preg_match('/@(?:gmail\.com|hotmail\.com|msn\.com)$/i', $mystring)) {

Otherwise, note that even for your code above, if I entered 'brad@Gmail.com' as my e-mail address, your script would allow it.

Also note that your script is vulnerable to MySQL injection attacks. User-supplied data should never be placed directly into a SQL query string. Instead, you should first sanitize it with a function such as [man]mysql_real_escape_string/man.

Liz_SA

Thanks for that. I added the mysql_real_escape_string as suggested.

With regards to the preg_match It seems to be blocking all addresses even the none gmail and hotmail addresses.

Rather confuzzled now!!!

bradgrafelman

Can you show us an updated copy of your code now?

Liz_SA

Thanks for helping me

$mystring = $_POST['emailcheck'];
$mystring = stripslashes($mystring);
$mystring = mysql_real_escape_string($mystring);

$host="localhost"; // Host name
$username="root"; // Mysql username
$password="triadpass"; // Mysql password
$db_name="test"; // Database name 

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

$sql="SELECT * FROM clients WHERE emailcheck='$mystring'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1){
include 'automate.php';
}     

if(preg_match('/@(?:gmail\.com|hotmail\.com|msn\.com)$/i', $mystring)) { 
     header("Location:pricelist.php");
}
else {
    include 'automate.php';
}




//$findme   = '@gmail.com';
//$pos = strpos($mystring, $findme);

// Note our use of ===.  Simply == would not work as expected
// because the position of 'a' was the 0th (first) character.
//if ($pos === false) {
//   include 'automate.php';
//}
//else {
//    header("Location:pricelist.php");
//}

Liz_SA

I tried using preg_match again and I noticed that if I don't use the mysql_real_escape_string().
Then the preg_match works perfectly!

bradgrafelman

Liz_SA wrote:
if I don't use the mysql_real_escape_string().

Probably another reason why [man]mysql_real_escape_string/man should be used properly. You only need to apply that function when you're putting incoming data into a SQL query string. Otherwise, leave the data in its original format.