Michael

Reputation: 53

My PHP form submits but does not validate the email address

I am an eager novice with PHP so please forgive my errors as I am learning as I go. Basically, I am building a simple contact form for my website and have successfully been able to have the form send the user's first and last name, subject, email address and message. I am using a second file, "form_process.php" to process the form data from "index.php".

The problem is that the email address does not seem to be validating and will send any words typed. I would greatly appreciate it if some more seasoned eyes could take a look and help me sort this out. Thank you in advance.

HTML:

    <div id="form">
      <form action="form_process.php" method="post" enctype="multipart/form-data">
        <p>
          <input type="text" maxlength="100" size="50" name="fName" value="<?php echo $stored_fName;?>" placeholder="First Name" />
        </p>
        <p>
          <input type="text" maxlength="100" size="50" name="lName" value="<?php echo $stored_lName;?>" placeholder="Last Name" />
        </p>
        <p>
          <input type="text" maxlength="80" size="50" name="email" value="<?php echo $stored_email;?>" placeholder="Email Address" />
        </p>
        <p>
          <input type="text" maxlength="100" size="50" name="subject" value="<?php echo $stored_subject;?>" placeholder="Subject" />
        </p>
        <p>
          <textarea name="message" rows="6" cols="38" placeholder="Message"></textarea>
        </p>
        <br />
        <input type="submit" value="Submit" name="submit" />
        <input type="reset" value="Clear" name="clear">
      </form>
    </div>
    <!-- form ends -->

PHP: "form_process.php"

    <?php
    session_start();

    // Report all PHP errors
    error_reporting(E_ALL);

    //use $_POST to store data from submitted form into these variables
    $fName =  check_input($_POST['fName']);
    $lName =  check_input($_POST['lName']);
    $sender =  check_input($_POST['email']);
    $subject =  check_input($_POST['subject']);
    $message =  check_input($_POST['message']);


    //check_input function to strip unnecessary characters and sanitize user data
    function check_input($data)
    {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

    $name = $fName ." ". $lName;//concatenating first and last names to new name variable

    $sanitizedEmail = filter_var($sender, FILTER_SANITIZE_EMAIL);

    //generates error messages on index.php if form fields left blank
    if ($fName == ''){
        header("Location:index.php?message=1");
        exit();
    }
    if ($lName == ''){
        header("Location:index.php?message=2");
        exit();
    }
    if ($sender == ''){
        header("Location:index.php?message=3");
        exit();
    }
    if ($subject == ''){
        header("Location:index.php?message=4");
        exit();
    }
    if ($message == ''){
        header("Location:index.php?message=5");
        exit();
    }

    //headers
    $headers = "MIME-Version: 1.0" . "\r\n";
    $headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
    $headers .= $name . "\r\n";
    $headers .= "From:" . " " . $sanitizedEmail . "\r\n";

    //mail function
    $to = "[email protected]";
    $subject = $subject;
    $message = $message;

    //send message
    $send_message = mail($to,$subject,$message,$headers);

    if($send_message){
        header("Location:index.php?message=6");
    }else {
        header("Location:index.php?message=9");
        exit();
    }

    ?>

"index.php" error messages:

    <?php

    //all fields empty until user inputs data for session to store
    $stored_fName = '';//init as empty string
    $stored_lName = '';//init as empty string
    $stored_email = '';//init as empty string
    $stored_subject = '';//init as empty string
    $stored_message = '';//init as empty string

    //session data used to repopulate form fields if any info is missing or incorrect
    if (isset($_SESSION['fName'])){
        $stored_fName = $_SESSION['fName'];
    }
    if (isset($_SESSION['lName'])){
        $stored_lName = $_SESSION['lName'];
    }
    if (isset($_SESSION['email'])){
        $stored_email = $_SESSION['email'];
    }
    if (isset($_SESSION['subject'])){
        $stored_subject = $_SESSION['subject'];
    }
    if (isset($_SESSION['message'])){
        $stored_message = $_SESSION['message'];
    }


    //error messages displayed to user if text fields have been left blank
    $_GET['message'];

    if ($_GET['message'] == 1) {//first name
        echo "<strong>Please type your first name.</strong>";
    }
    if ($_GET['message'] == 2) {//last name
        echo "<strong>Please type your last name.</strong>";
    }
    if ($_GET['message'] == 3){//email address
        echo "<strong>Please type an email address.</strong>";
    }
    if ($_GET['message'] == 4){//subject
        echo "<strong>Please type a subject.</strong>";
    }
    if ($_GET['message'] == 5){//message text
        echo "<strong>Please type your message.</strong>";
    }
    if ($_GET['message'] == 6){//message success from form_process.php
        echo "<strong>Your message was sent successfully.  Thank you.</strong>";
    }
    if ($_GET['message'] == 9){
        echo "<strong>I'm sorry but your message was not sent.  Please try again, thank you.</strong>";
    }
    ?>

Upvotes: 2

Views: 275

Answers (1)

Darren

Reputation: 13128

You should be using it like this:

    if(filter_var($email, FILTER_VALIDATE_EMAIL)){
        // is email
        $sender = $email;
    }else{
        // isn't email
        $sender = '';
    }

Read more about PHP Validate Filters

Upvotes: 1
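
An added example, not code from the question or the answer: it shows why `FILTER_SANITIZE_EMAIL` in `form_process.php` lets any words through while `FILTER_VALIDATE_EMAIL` rejects them, and also refuses line breaks in the name fields that the script copies into `$headers`. The function `validate_contact()`, error code 7 and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example; validate_contact() and error code 7 are assumptions.

// Returns [fields, code]: code 0 means valid, 1-5 reuse the question's
// index.php?message=N numbering, 7 (assumed) means "invalid email address".
function validate_contact(array $post): array
{
    $codes  = ['fName' => 1, 'lName' => 2, 'email' => 3, 'subject' => 4, 'message' => 5];
    $fields = [];
    foreach ($codes as $key => $code) {
        $value = trim((string) ($post[$key] ?? ''));
        if ($value === '') {
            return [null, $code];           // required field left blank
        }
        $fields[$key] = $value;
    }

    // FILTER_SANITIZE_EMAIL only strips characters and never rejects input;
    // FILTER_VALIDATE_EMAIL returns false when the value is not an address.
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        return [null, 7];
    }

    // The question's script copies the name into $headers, so a line break
    // in it would start a new header line. Reject it instead of sending.
    foreach (['fName', 'lName'] as $key) {
        if (preg_match('/[\r\n]/', $fields[$key])) {
            return [null, $codes[$key]];
        }
    }
    return [$fields, 0];
}

// Constructed sample submissions.
$base    = ['fName' => 'Ann', 'lName' => 'Lee', 'email' => 'ann@example.com',
            'subject' => 'Hi', 'message' => 'Hello'];
$samples = [
    $base,
    ['email' => 'just some words'] + $base,
    ['lName' => "Lee\r\nsecond line"] + $base,
];
foreach ($samples as $post) {
    [$clean, $code] = validate_contact($post);
    $sanitized = filter_var($post['email'], FILTER_SANITIZE_EMAIL);
    echo $code === 0 ? "accepted {$clean['email']}\n"
                     : "rejected (message={$code}), sanitized email would be {$sanitized}\n";
}
```

In `form_process.php` the call would sit before the `mail()` call, redirecting to `index.php?message=N` with the returned code whenever it is not 0.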
