Validating email blues

cybereclipse

Okay, I'm working a database project using php and mysql. Just to save time re-writing my code, I copied and pasted into the editor so I can make my changes to finish the project on time. There is an issue though and not sure why it's giving me an error. I entered a valid email addresss on the email field on the form. Before I go into further details, here is my link and code.

<?php


if (isset($_POST['submitted'])){

      require_once('Connections2/orderform.php');

$fields = array(
          'name',
          'email',

);




foreach($fields as $fieldName) {
          if(isset($_POST[$fieldName]) and safe(trim(stripslashes($_POST[$fieldName]))) !==''){
                    $$fieldName = safe(trim(stripslashes($_POST[$fieldName])));

      }else {

                                    $errors[] = "Please enter your". $fieldName .""; //code to validate fields
      }
      if(filter_var($email, FILTER_VALIDATE_EMAIL) == true){
      } else {
                $errors[] = 'Please enter a valid email address';
      }
}
if(!isset($errors)){

      $query = "SELECT id FROM orders WHERE email='$email'";
      $result = mysql_query($query);
      if(mysql_num_rows($result) == 0) {






$query = "INSERT INTO orders (email, name, address, city, state, zip, product, amount, instructions, date) 
VALUES ('$email', '$name', '$address', '$city', '$state', '$zip,'$product', '$amount', '$instructions', NOW())"; //databasse connection

      $result = mysql_query ($query); 






if ($result){

      $url = 'http://'. $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);

      if ((substr($url, -1) == '/') || (substr($url, -1) == '\\')) {
                $url = substr ($url, 0, -1);
      }

      $url .= '/ordersubmitted.php';

      header("Location: $url"); //This is the line of error that is reporting after submitting to the database
      exit();

      } else {

                $errors[] = 'You could not be registered due to a system error. We apologize for any inconvenience.';
                $errors[] = mysql_error() . '<br /><br />Query: ' . $query;
      }

      } else {
                $errors[] = 'The email address has already been registered.';
      }

      }
      mysql_close();

      } else { 
                $errors = NULL;

      }


if (!empty($errors)){
                              echo '<h1 id="mainhead">Error!</h1>
                    <p class="error">The following error(s) occurred:<br />';
                    foreach($errors as $msg) {
                              echo " - $msg<br/>\n";
                    }
                    echo '</p><p>Please try again.</p><p><br/></p>';
          }






function safe($string) 
          { 
                    $pattern = "/\r|\n|\%0a|\%0d|Content\-Type:|bcc:|to:|cc:/i"; 
                    return preg_replace($pattern, '', $string); 
          }

?>

http://www.rodriguezstudios.com/orderform

The error is coming from this line of code


if(filter_var($email, FILTER_VALIDATE_EMAIL) == true){


      } else {


                $errors[] = 'Please enter a valid email address';


      }


}

The html email field is

But i checked the other forms on the same website (different database accounts) that has that same code fragment and the information is submitted successfully. What is going on? Thanks for your help in advanced!

bradgrafelman

See the manual page for [man]filter_var/man - you're not checking for the appropriate return value.

Additionally, why are you using [man]stripslashes/man on incoming data? Why do you consider line breaks or the string "to:" unsafe?

cybereclipse

bradgrafelman;11035289 wrote:
See the manual page for [man]filter_var/man - you're not checking for the appropriate return value.

Additionally, why are you using [man]stripslashes/man on incoming data? Why do you consider line breaks or the string "to:" unsafe?

You are right so I went ahead to add the values in the array plus I've forgot to write the html form handler. everything working out.

Couple reasons why I did the stripslashes, the code will be a lot cleaner plus the "safe" will call the safe function which is on the bottom of the syntax. This will prevent sql injection in all of the fields. I've written this way so I don't have to write a bunch of if statements which I'll be checking a bunch of fields. Thanks for your help

Weedpacket

cybereclipse wrote:
This will prevent sql injection in all of the fields.

That is not what [man]stripslashes[/man] is for; you should use the appropriate functionality appropriate to your database (in your case, the deprecated [man]mysql_real_escape_string[/man]).

cybereclipse

Weedpacket;11035295 wrote:
That is not what [man]stripslashes[/man] is for; you should use the appropriate functionality appropriate to your database (in your case, the deprecated [man]mysql_real_escape_string[/man]).

No, that's not what I've said. After I've said my thoughts about stripslashes, I started saying "plus the "safe" will call the safe function which is on the bottom of the syntax. This will prevent sql injection in all of the fields."

The "safe function" has nothing do to with stripslashes plus I went on the coding techniques that I used to write less code.

bradgrafelman

cybereclipse;11035297 wrote:
After I've said my thoughts about stripslashes, I started saying "plus the "safe" will call the safe function which is on the bottom of the syntax. This will prevent sql injection in all of the fields."

You said that... but that doesn't make it true. Few issues with your current code:

You shouldn't be calling [man]stripslashes/man at all. It does nothing to prevent SQL injections/errors.
Your safe() function doesn't do anything to prevent SQL injections/errors.
Your safe() function strips line breaks and an assortment of phrases for... some unknown reason. (A guess would be a oversimplified attempt to prevent e-mail header injections.)

cybereclipse;11035297 wrote:
plus I went on the coding techniques that I used to write less code.

... and employs less security and even less sense.

Actually, I'd even argue the "less code" part. You claim that this:

function safe($string)  

          {  

                    $pattern = "/\r|\n|\%0a|\%0d|Content\-Type:|bcc:|to:|cc:/i";  

                    return preg_replace($pattern, '', $string);  

          }

$$fieldName = safe(trim(stripslashes($_POST[$fieldName])));

is less code than this:

$$fieldName = mysql_real_escape_string($_POST[$fieldName]);