
I have a form which posts variables through to a PHP processing script.

Before the processing script begins I would like to sanitize the posted variables:

$Contact_Name = filter_var($_POST['contactName'], FILTER_SANITIZE_STRING);
$Company = filter_var($_POST['company'], FILTER_SANITIZE_STRING);
$Telephone = filter_var($_POST['telephone'],FILTER_SANITIZE_NUMBER_INT);

So far, so good.

But sanitizing and validating the email is a real pain.

$Email = $_POST['email'];
$Sanitised_Email = filter_var($Email, FILTER_SANITIZE_EMAIL);
$Email_is_valid = filter_var($Email, FILTER_VALIDATE_EMAIL);

If $Sanitised_Email isn't the same as $Email, I want to go back to the form page:

if ($Sanitised_Email != $Email) {
header('Location: http://'.$_SERVER['HTTP_HOST'].'/form.php');
}

If $Email_is_valid is false, I want to go back to the form page:

if ($Email_is_valid == FALSE) {
header('Location: http://'.$_SERVER['HTTP_HOST'].'/form.php');
}

Neither of these two if statements work when I enter an email which is both invalid and in need of sanitisation such as:

i.am.(totally)invalid@asanemailaddress

What am I doing wrong? Have I messed up my syntax somewhere?

Rounin
  • This won't solve your problem, but you should consider using [`!==` instead of `!=`](http://php.net/manual/en/language.operators.comparison.php) – devlin carnate Feb 05 '16 at 19:23
  • Why do you need to sanitize instead of just checking if the supplied address is valid? – PeeHaa Feb 05 '16 at 19:23
  • One other note: consider passing an error message back to the form rather than a plain-jane re-direct (thus likely leaving the user wondering why the form didn't submit). You could improve your current method with a simple url parameter that triggers an error display on the form, for example. – devlin carnate Feb 05 '16 at 19:25
  • Yes, I agree with passing an error message back to the form. Haven't got to that bit yet. – Rounin Feb 05 '16 at 19:25
  • Are you sure it's the `if` that's "not working"? 'cause it works for me: http://codepad.org/qf3NIr0i – gen_Eric Feb 05 '16 at 19:26
  • @PeeHaa, please acknowledge that I am learning how `filter_var` works. – Rounin Feb 05 '16 at 19:26
  • Do you want to check whether the sanitized email is valid after it's been cleaned? Or do you really want to run both functions on the user input email? – dmgig Feb 05 '16 at 19:27
  • I want to check if the sanitized version of the email is the same as the user input email. Then I want to check if the user input email is valid. – Rounin Feb 05 '16 at 19:28
  • After looking @RocketHazmat is it possible your "HTTP_HOST" is not returning anything? I've had that not be populated (or populated incorrectly) as a server variable before. http://stackoverflow.com/questions/2297403/http-host-vs-server-name – dmgig Feb 05 '16 at 19:29
  • When I echo the variables on the form processing page, `$Sanitized_Email` is not the same as `$Email` and `$Email_is_valid` shows up as `false`. So everything appears to be working. But it isn't. That's why I suspect I might have a syntax error, somewhere. – Rounin Feb 05 '16 at 19:35
  • @Rounin: If you had a syntax error, you'd see a fatal error. Either on the page, or in your server logs. Also, try to replace the `header()` call with an `echo` to see if it's working. Finally, try to add `ini_set('display_errors', 1); error_reporting(-1);` to enable error reporting (you can also set this in php.ini). – gen_Eric Feb 05 '16 at 19:41
  • Is the code you mentioned at the top of the PHP page, and are you sure you have not already sent output before trying to send header information? – Dave Feb 05 '16 at 19:42
  • That's an excellent point to raise @Dave, but it's the one thing that I did know to take account of when using `header('Location: ');`. What I didn't know was that if `header('Location: ');` comes before the end of the script, it must be followed by `exit();` as Daniel MK pointed out in his answer below. – Rounin Feb 05 '16 at 21:38
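The following is an added example, not code from the question, showing how FILTER_SANITIZE_EMAIL and FILTER_VALIDATE_EMAIL treat the same input and how the two checks the question describes combine into one function using the strict `!==` comparison devlin carnate suggested. The function name and the sample inputs (which include the question's own address) are constructed for this illustration.

```php
<?php
// Added example: compare FILTER_SANITIZE_EMAIL against FILTER_VALIDATE_EMAIL
// on a few constructed inputs. Run from the command line: php check_email.php
declare(strict_types=1);

/**
 * Check a submitted address the way the question intends:
 *  1. sanitising must leave it unchanged (otherwise it contained characters
 *     that do not belong in an address), and
 *  2. it must pass FILTER_VALIDATE_EMAIL.
 * Returns null on success, or a short reason string on failure.
 */
function emailProblem(string $raw): ?string
{
    $sanitised = filter_var($raw, FILTER_SANITIZE_EMAIL);
    // Strict comparison (!==): we want byte-for-byte equality, not PHP's
    // loose == rules.
    if ($sanitised !== $raw) {
        return 'contains characters not allowed in an email address';
    }
    // FILTER_VALIDATE_EMAIL returns the address on success and false on
    // failure, so test against false explicitly rather than writing == FALSE.
    if (filter_var($raw, FILTER_VALIDATE_EMAIL) === false) {
        return 'not a syntactically valid email address';
    }
    return null;
}

// Constructed sample inputs (not real form submissions).
$samples = [
    'i.am.(totally)invalid@asanemailaddress', // the question's address: fails both checks
    'user@example.com',                       // unchanged by the sanitiser and valid
    'user@localhost',                         // unchanged by the sanitiser, but the validator rejects dotless domains
    "user@example.com\r\n",                   // trailing line break: the sanitiser strips it, so the strings differ
];

foreach ($samples as $email) {
    $sanitised = filter_var($email, FILTER_SANITIZE_EMAIL);
    $valid     = filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
    printf("%-42s sanitised=%-40s valid=%-5s -> %s\n",
        json_encode($email), $sanitised, $valid ? 'true' : 'false',
        emailProblem($email) ?? 'OK');
}
```

For the question's address the sanitiser drops the parentheses and the validator rejects it, so both checks fail, which matches what the question reports. Two caveats for anyone reusing the question's code on current PHP: FILTER_SANITIZE_STRING (used for the name and company fields) is deprecated as of PHP 8.1, so validate those fields and escape them with htmlspecialchars() at output time instead; and a validated address is still untrusted data, so it should be escaped wherever it is rendered or used in a query.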

1 Answer


Syntax seems good. I think your problem is that you are not ending your script after setting header. Change it to:

if (condition) {
        header('Location: http://www.example.com/');
        exit(); // stop here: PHP keeps executing the rest of the script after header()
}

Learn how to debug your code: you can simply echo something to know whether you are entering a structure or not. A good practice is also to create a function to redirect pages; it's quick, clean and saves some lines:

function redirect($page){
        header('Location: http://'.$_SERVER['HTTP_HOST']."/$page.php");
        exit();
}
Daniel MK
  • That's a priceless answer, @Daniel MK - thank you so much! The problem, as you correctly identified was that I wasn't ending the script with `exit();` after setting the header. (I've used `header('Location: ');` several times before, but only ever at the end of scripts, so I've never been aware that this is necessary.) Setting up a `redirect(page);` function is a great idea and using `echo` statements to verify whether conditions are being followed properly is a very smart time-saver. Thank you for all your tips. If I could give you extra points, I would. – Rounin Feb 05 '16 at 21:35
  • I'm glad I've helped you, you're welcome, thanks for your nice words =) – Daniel MK Feb 06 '16 at 00:30
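An added example, not Daniel MK's code, that builds a processing script around his advice (redirect helper, `exit()` straight after `header()`) and around devlin carnate's suggestion of passing an error back to the form through a URL parameter. The file names `form.php` and `process.php`, the error codes and the message table are assumptions for this illustration.

```php
<?php
// Added example: form processing with a redirect helper that always exits,
// plus the matching error display on the form page.
declare(strict_types=1);

/**
 * Send the browser back to the form and stop the script.
 * header() only queues a response header; PHP carries on executing whatever
 * follows it, so without exit() the processing code below would still run
 * for a rejected submission. A relative Location is used so the URL is not
 * built from $_SERVER['HTTP_HOST'], which is supplied by the client.
 * 303 is the status for "go and GET this page" after a POST.
 */
function redirectToForm(string $errorCode = ''): void
{
    $location = '/form.php';
    if ($errorCode !== '') {
        $location .= '?error=' . rawurlencode($errorCode);
    }
    header('Location: ' . $location, true, 303);
    exit();
}

// --- process.php: runs before any processing, before any output ----------
$email = $_POST['email'] ?? '';
if (!is_string($email)) {             // email[]=... would arrive as an array
    redirectToForm('email_invalid');   // never returns
}
if (filter_var($email, FILTER_SANITIZE_EMAIL) !== $email) {
    redirectToForm('email_chars');     // never returns
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    redirectToForm('email_invalid');   // never returns
}

// Only reached with an address that passed both checks.
// ... real processing (save the record, send the mail) goes here ...

// --- form.php: the fragment that shows the error -------------------------
// The code from the query string is only used as a key into a fixed table,
// so nothing the client put in the URL is echoed back to the page.
$messages = [
    'email_chars'   => 'The email address contains characters that are not allowed.',
    'email_invalid' => 'Please enter a valid email address.',
];
$code = $_GET['error'] ?? '';
if (is_string($code) && isset($messages[$code])) {
    echo '<p class="error">'
        . htmlspecialchars($messages[$code], ENT_QUOTES, 'UTF-8')
        . '</p>';
}
```

The two halves would normally live in separate files; they are shown together so the round trip is visible in one place. Because `redirectToForm()` exits, none of the validation branches needs an `else`, and a rejected submission can never fall through into the processing code, which is exactly the failure the question ran into.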