
I have an input field which allows a user to update the email address of a specific record on a 3rd-party application. My question is around the sanitizing & encoding of the email address before it's sent to the endpoint via a GET request as a query string. You will notice I already enforce specific user input using the edit_data_email_address function. Is it still necessary to run the filter_var & urlencode functions as per the lead-email-address-update.php script?

view-lead.php

/**
 * Update email address
 */
function edit_data_email_address() {
    var lead_id = $("#LeadID").val();
    var email_address = $("#email_address").val();
    var agent_full_name = $("#agent_full_name").val();

    $(".error").hide();
    var hasError = false;
    // Client-side sanity check only; anyone can POST directly to the PHP script,
    // so the server must re-validate. The TLD is no longer capped at 4 characters,
    // which wrongly rejected addresses such as .museum or .technology.
    var emailReg = /^[\w.-]+@([\w-]+\.)+[\w-]{2,}$/;

    if (email_address == '') {
        $("#email_address_edit_input").after('<span class="error">Lead email address NOT updated, please enter an email address</span>');
        $("#email_address").css("border", "1px solid red");
        hasError = true;
    }
    else if (!emailReg.test(email_address)) {
        $("#email_address_edit_input").after('<span class="error">Lead email address NOT updated, please enter a valid email address</span>');
        $("#email_address").css("border", "1px solid red");
        hasError = true;
    }
    else if (confirm('Are you sure you want to update the Email Address of this lead?')) {
        $.ajax({
            url: "lead-email-address-update.php",
            method: "POST",
            data: {
                lead_id: lead_id,
                email_address: email_address,
                agent_full_name: agent_full_name
            },
            dataType: "text",
            success: function(data) {
                $('#update_lead_email_address_result').show();
                // The script answers with plain text; .text() keeps the browser
                // from interpreting an echoed address as HTML.
                $("#update_lead_email_address_result").text(data);
                $("#email_address").css("border", "1px solid #ccc");
            }
        });
    } else {
        alert('Lead Email Address update cancelled');
    }
}

<input class="style5 email_address" type="text" name="email_address" id="email_address" value="'.htmlspecialchars($row['Email Address'], ENT_QUOTES, 'UTF-8').'"/>
<button class="btnstyle-7" onclick="edit_data_email_address();">Save</button>

lead-email-address-update.php

/**
 * User input sanitize function
 */

function sanitize_email_address($email_address)
{
    $email_address = filter_var($email_address, FILTER_SANITIZE_EMAIL);
    $email_address = urlencode($email_address);
    return $email_address;
}

// Read the value posted by edit_data_email_address(); the JavaScript check
// can be bypassed, so the raw POST value is untrusted.
$email_address = $_POST['email_address'] ?? '';
$email_address_cleaned = sanitize_email_address($email_address);

// Send the cleaned value. The original interpolated the raw $email_address here,
// so the sanitizing above never reached the outbound request.
$curl_url = "https://endpoint.com/?email_address=$email_address_cleaned";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $curl_url);
// Certificate verification stays on: setting VERIFYHOST/VERIFYPEER to false
// lets a man-in-the-middle read and alter the update.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_VERBOSE, 0);
$curl_result = curl_exec($ch);
$curl_info = curl_getinfo($ch);
$curl_info = json_encode($curl_info);
curl_close($ch);
code-is-life
  • Just a notice about the HTML form: you could use [an HTML5 email type of field](https://www.w3schools.com/tags/att_input_type_email.asp) with the `required` attribute. This will help the user, as the keyboard should normally be adapted. I also think that the [email validation regular expression](https://stackoverflow.com/questions/201323/how-can-i-validate-an-email-address-using-a-regular-expression) must be improved a bit. – Patrick Janser May 02 '22 at 08:29
  • The validation should always be done server-side with your PHP code. The JavaScript validation is a "nice to have" feature and can always be easily bypassed, so this is why you have to re-validate the data in PHP and then effectively sanitize and escape it if you send it later to your API endpoint. Using `urlencode()` or [`curl_escape()`](https://www.php.net/manual/fr/function.curl-escape.php) should be ok. – Patrick Janser May 02 '22 at 08:33
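
As an added example (not code from the question or from the comments), the following server-side version of lead-email-address-update.php shows what the comment above asks for: the address is re-validated in PHP with `FILTER_VALIDATE_EMAIL` instead of being silently rewritten with `FILTER_SANITIZE_EMAIL`, the outbound query string is built with `http_build_query()` so that `&`, `+` or `#` in the input cannot smuggle in a second parameter, and TLS certificate verification stays on. `ENDPOINT_BASE`, the response strings and the CLI demonstration inputs are placeholders constructed for illustration; the real third-party API is not on the page.

```php
<?php
// Added example for lead-email-address-update.php: server-side validation and
// encoding. ENDPOINT_BASE and the response strings are placeholders for
// illustration, not the real API used by the question's code.
declare(strict_types=1);

const ENDPOINT_BASE = 'https://endpoint.com/'; // placeholder third-party URL

/**
 * Validate, do not rewrite. FILTER_SANITIZE_EMAIL strips characters that are
 * not allowed, so "al<ice@example.com" silently becomes "alice@example.com"
 * and a different lead's address gets updated. FILTER_VALIDATE_EMAIL rejects
 * it instead and returns the address unchanged when it is acceptable.
 */
function validate_email_address(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 254) {   // RFC 5321 path length limit
        return null;
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Percent-encode every value (RFC 3986). Raw interpolation of
 * "a@b.com&email_address=x@evil.com" would hand the endpoint two
 * email_address parameters; here it stays one (already rejected) value.
 */
function build_endpoint_url(string $base, array $params): string
{
    return $base . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/** Send the GET with certificate and hostname verification left on. */
function send_update(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // false here would allow a MitM to read/alter the request
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);
    return ['body' => $body, 'status' => $status, 'error' => $error];
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration with constructed inputs; nothing is sent.
    $samples = [
        'alice@example.com',                  // accepted
        'bob@example.technology',             // accepted; the page's regex would reject the long TLD
        'a@b.com&email_address=x@evil.com',   // rejected: parameter-injection attempt
        'al<ice@example.com',                 // rejected rather than "sanitized" into another address
    ];
    foreach ($samples as $in) {
        printf("%-36s -> %s\n", $in, validate_email_address($in) ?? 'REJECTED');
    }
    echo build_endpoint_url(ENDPOINT_BASE, ['email_address' => 'a+tag@b.com&x=1']), "\n";
    exit;
}

// Web mode: handle the POST made by edit_data_email_address().
// (Checking that the agent is authenticated and may edit this lead, and a
// CSRF token for the session, belong here as well; omitted for brevity.)
header('Content-Type: text/plain; charset=utf-8');
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}
$email = validate_email_address((string) ($_POST['email_address'] ?? ''));
if ($email === null) {
    http_response_code(400);
    exit('Lead email address NOT updated: invalid email address');
}
$result = send_update(build_endpoint_url(ENDPOINT_BASE, ['email_address' => $email]));
echo $result['status'] === 200
    ? 'Lead email address updated'
    : 'Lead email address NOT updated: upstream error';
```

Run it with `php lead-email-address-update.php` to see which constructed inputs are accepted and how the query string is encoded; behind a web server it handles the same POST the page's JavaScript already sends. The response is deliberately a fixed string rather than an echo of the submitted address, so the caller's `.html(data)` cannot be turned into a stored or reflected XSS.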
