PHP form : validation, submission, displaying content

Question

For last couple of days I have been trying to modify the PHP form I found on the Internet (and I can see it is quite popular one as I have seen a number of post regarding that form). When the form is submitted it send me an e-mail - which is awesome. But there are other things I have been trying to change and could not find the right/working solution at all.

What I want to achieve is:

1) Receive e-mail when the form is submitted (I consider this one done)

2) Validation

3) Display error messages within the same page E.g.

Name *

(Your Name is required)

[....... this is text field .......]

4) Allow to submit the form only once - when all the mistakes were corrected or when all data was entered correctly the first time.

5) When having error messages (before) while validating data my footer wasn't displayed. What would be the reason for this? It was displayed fine when the form was submitted.

This is the code I have been trying to modify (I copied the 'original' code as mine is probably too messy and too changed after me playing with it)

<?php
if(isset($_POST['email'])) {

// EDIT THE 2 LINES BELOW AS REQUIRED
$email_to = "you@yourdomain.com";
$email_subject = "Your email subject line";


function died($error) {
    // your error code can go here
    echo "We are very sorry, but there were error(s) found with the form you submitted. ";
    echo "These errors appear below.<br /><br />";
    echo $error."<br /><br />";
    echo "Please go back and fix these errors.<br /><br />";
    die();
}

// validation expected data exists
if(!isset($_POST['first_name']) ||
    !isset($_POST['last_name']) ||
    !isset($_POST['email']) ||
    !isset($_POST['telephone']) ||
    !isset($_POST['comments'])) {
    died('We are sorry, but there appears to be a problem with the form you submitted.');       
}

$first_name = $_POST['first_name']; // required
$last_name = $_POST['last_name']; // required
$email_from = $_POST['email']; // required
$telephone = $_POST['telephone']; // not required
$comments = $_POST['comments']; // required

 $error_message = "";
 $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
 if(!preg_match($email_exp,$email_from)) {
 $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
 }
 $string_exp = "/^[A-Za-z .'-]+$/";
 if(!preg_match($string_exp,$first_name)) {
 $error_message .= 'The First Name you entered does not appear to be valid.<br />';
 }
 if(!preg_match($string_exp,$last_name)) {
 $error_message .= 'The Last Name you entered does not appear to be valid.<br />';
 }
 if(strlen($comments) < 2) {
 $error_message .= 'The Comments you entered do not appear to be valid.<br />';
 }
 if(strlen($error_message) > 0) {
 died($error_message);
 }
 $email_message = "Form details below.\n\n";

 function clean_string($string) {
  $bad = array("content-type","bcc:","to:","cc:","href");
  return str_replace($bad,"",$string);
}

$email_message .= "First Name: ".clean_string($first_name)."\n";
$email_message .= "Last Name: ".clean_string($last_name)."\n";
$email_message .= "Email: ".clean_string($email_from)."\n";
$email_message .= "Telephone: ".clean_string($telephone)."\n";
$email_message .= "Comments: ".clean_string($comments)."\n";


// create email headers
$headers = 'From: '.$email_from."\r\n".
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();
@mail($email_to, $email_subject, $email_message, $headers);  
?>

<!-- include your own success html here -->

Thank you for contacting us. We will be in touch with you very soon.

<?php
}
?>

Below is a part of my code from contact.php (where the form is)

<form name="contactform" method="post" action="submit_form.php">

<div class="left_form">
 <label for="name" class="label">your name</label>

(this is the code that was suppose to display error message within the same page

<?php if($errors['name'] = "") echo $errors['name']; ?>)


<input type="text" class="inputtext" name="name" value="" />

The above code is pretty much the same for all the input fields (the only different thing is the name=" ")

If anyone can help me, I would be very grateful.

Thank you. =)

Answer 1

Handle the post from within a function such and generate a separate array to hold the errored fields. If you have errors, output them or, handle the post if the fields validated OK. Never trust user input.

if(isset($_POST['submit']))
{

    if(!ctype_alpha($_POST['fieldname'])) //or other validation type you prefer
    {
       $errors[] ='<p>problem with fieldname</p>';
    }

... repeat above for each field

    if(count($errors))
    {
        //output error message using foreach from
    }
    else
    {
        //process the post
    }
}

If you're not very familiar with php I suggest some heavy reading and tutorial studying so you can understand what it is you're producing and how to improve it in the future.

Start by writing out in plain text what you want to happen as a form of pseudo code then bit by bit, replace with real php code, this way you can test your results at each stage.

php official site foreach construct

Answer 2

I highly recommend that you take the pain away by using a form library.

Here are some examples:

• Phorms, probably the easiest
• Pear's QuickForm, PEAR is PHP's official component repository
• Zeta Component's UserInput, probably the hardest, but uses the filter php extension which is the only decent way of validating and sanitizing input that i know

If you still want to validate and sanitize user input yourself, then at least try the filter php extension. But really, try to reuse the external code rather than reinventing the wheel, it will clean up your code a lot !!!!

Also, your code is subject to at least a security issue: CSRF request forgery, which means someone could potentially submit this form without his consent