First time PHP cURL, small issue to integrate API to sign form

I am trying to integrate the https://www.validator.pizza/ API to my sign form.

Here is my process form. My goal is to pass the email to the API validator; if the status value is 400, it cancels by returning an error. If the status is anything else (200 the request is successful / 429 the rate limit is exceeded) it goes through the other, weaker checks. Right now the API is not working properly because spam providers can still register.

Hope you can help. Thanks.

<?php
require_once 'sendemails.php';
session_start();
$fname = "";
$lname = "";
$email = "";
$canada = "";
$consent = "";
$comment = "";
$errors = [];

$conn = new mysqli('localhost', '*****', '******', '******');

// SIGN UP USER
if (isset($_POST['signup-btn'])) {
    if (empty($_POST['fname'])) {
        $errors['fname'] = 'First Name required';
    }
    if (empty($_POST['lname'])) {
        $errors['lname'] = 'Last Name required';
    }
    if (empty($_POST['email'])) {
        $errors['email'] = 'Email required';
    }

    $fname = $_POST['fname'] ?? '';
    $lname = $_POST['lname'] ?? '';
    $email = trim($_POST['email'] ?? '');

    // Ask validator.pizza about the address; user input must be URL-encoded before it goes into the URL
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, 'https://www.validator.pizza/email/' . rawurlencode($email));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5); // don't let a slow API hang the form
    $response = curl_exec($ch);
    curl_close($ch);
    // Decode JSON into PHP array; a failed request or non-JSON body yields status 0
    $response_data = ($response !== false) ? json_decode($response, true) : null;
    $status = (int) ($response_data['status'] ?? 0);

    if ($status == 400) {
        $errors['email'] = 'Invalid email address';
    } else {
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $errors['email'] = 'Invalid email address';
            // invalid email address
        }

        $domain = ltrim(stristr($email, '@'), '@') . '.';
        if (!checkdnsrr($domain, 'MX')) {
            $errors['email'] = 'Invalid email address';
            // domain is not valid
        }
    }

    $canada = $_POST['canada'] ?? '';
    $consent = $_POST['consent'] ?? '';
    $comment = $_POST['comment'] ?? '';
    $token = bin2hex(random_bytes(50)); // generate unique token

    // Check if email already exists (prepared statement, so the submitted email cannot alter the query)
    $check = $conn->prepare("SELECT 1 FROM signatures WHERE email=? LIMIT 1");
    $check->bind_param('s', $email);
    $check->execute();
    $check->store_result();
    if ($check->num_rows > 0) {
        $errors['email'] = "Email already exists";
    }
    $check->close();

    if (count($errors) === 0) {
        $query = "INSERT INTO signatures SET fname=?, lname=?, email=?, canada=?, consent=?, comment=?, token=?";
        $stmt = $conn->prepare($query);
        $stmt->bind_param('sssssss', $fname, $lname, $email, $canada, $consent, $comment, $token);
        $result = $stmt->execute();

        if ($result) {
            $user_id = $stmt->insert_id;
            $stmt->close();

            // TO DO: send verification email to user
            sendVerificationEmail($email, $token);

            $_SESSION['id'] = $user_id;
            $_SESSION['fname'] = $fname;
            $_SESSION['lname'] = $lname;
            $_SESSION['email'] = $email;
            $_SESSION['canada'] = $canada;
            $_SESSION['consent'] = $consent;
            $_SESSION['comment'] = $comment;
            $_SESSION['verified'] = false;
            $_SESSION['message'] = 'You have signed the petition. Please Verify Your Email address to complete the signature. / Vous avez signé la pétition. Veuillez vérifier votre adresse e-mail pour compléter la signature.';
            $_SESSION['type'] = 'alert-success';
            header('location: thankyou.php');
            exit; // stop executing after the redirect
        } else {
            $_SESSION['error_msg'] = "Database error: Could not register user";
        }
    }
}

1 answer

  • answered 2020-10-30 08:37 tompec

    You're not handling the case when the API returns a 200 response and the email is disposable.

    Replace this:

    if ($status == 400) {
        $errors['email'] = 'Invalid email address';
    } else {
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $errors['email'] = 'Invalid email address';
            // invalid emailaddress
        }
        
        $domain = ltrim(stristr($email, '@'), '@') . '.';
      
        if (!checkdnsrr($domain, 'MX')) {
            $errors['email'] = 'Invalid email address';
            // domain is not valid
        }
    }
    

    by this:

    if ($status == 400) {
        $errors['email'] = 'Invalid email address';
    } else if ($status == 200 && $response_data['disposable'] == true) {
        $errors['email'] = 'Invalid email address';
    } else {
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $errors['email'] = 'Invalid email address';
            // invalid emailaddress
        }
        
        $domain = ltrim(stristr($email, '@'), '@') . '.';
      
        if (!checkdnsrr($domain, 'MX')) {
            $errors['email'] = 'Invalid email address';
            // domain is not valid
        }
    }
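As an added example (not the asker's form code and not tompec's snippet), here is the same decision logic pulled into standalone functions so the outcome for each API status can be reasoned about and exercised offline. It assumes only the `status` and `disposable` fields of the validator.pizza response that the thread already relies on; the function names, the timeout values and the sample responses are constructed for illustration. The remote lookup is treated as a best-effort signal: a 400 or a disposable verdict rejects, while a 429, a timeout or a malformed reply degrades to the local `filter_var` and MX checks instead of blocking every signup.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes validator.pizza answers with JSON carrying 'status' and 'disposable'.

const VALIDATOR_URL = 'https://www.validator.pizza/email/';

/**
 * Query the validator. Returns the decoded JSON array, or null when the
 * lookup failed (network error, timeout, non-JSON body).
 */
function queryValidator(string $email): ?array
{
    // rawurlencode: the address is user input and must not be pasted raw into a URL
    $ch = curl_init(VALIDATOR_URL . rawurlencode($email));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 3,   // constructed values: keep a slow third party
        CURLOPT_TIMEOUT        => 5,   // from hanging the signup form
        CURLOPT_FOLLOWLOCATION => false,
    ]);
    $body = curl_exec($ch);
    $errno = curl_errno($ch);
    curl_close($ch);

    if ($body === false || $errno !== 0) {
        return null;
    }
    $data = json_decode($body, true);
    return is_array($data) ? $data : null;
}

/**
 * Checks that need no remote service: syntax plus an MX record for the domain.
 * Returns an error message or null.
 */
function localEmailProblem(string $email): ?string
{
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return 'Invalid email address';
    }
    $domain = substr(strrchr($email, '@'), 1) . '.'; // trailing dot = absolute name
    if (!checkdnsrr($domain, 'MX')) {
        return 'Invalid email address';
    }
    return null;
}

/**
 * Decision table for the signup form:
 *   400                    -> reject (API says the address is malformed)
 *   200 + disposable=true  -> reject (the case tompec pointed out)
 *   200 + disposable=false -> run the local checks
 *   429 / no usable answer -> run the local checks only (degrade, don't block)
 *
 * $apiResponse may be passed in to test the logic without network access.
 */
function validateSignupEmail(string $email, ?array $apiResponse = null): ?string
{
    $apiResponse = $apiResponse ?? queryValidator($email);

    if ($apiResponse !== null) {
        $status = (int) ($apiResponse['status'] ?? 0);
        if ($status === 400) {
            return 'Invalid email address';
        }
        if ($status === 200 && !empty($apiResponse['disposable'])) {
            return 'Disposable email addresses are not accepted';
        }
        // 429 or anything else: fall through to the local checks
    }
    return localEmailProblem($email);
}

// Constructed sample responses so each branch can be seen without calling the API
$samples = [
    'bad@'                 => ['status' => 400],
    'x@throwaway.example'  => ['status' => 200, 'disposable' => true],
    'rate@limited.example' => ['status' => 429],
];
foreach ($samples as $addr => $resp) {
    $verdict = validateSignupEmail($addr, $resp);
    printf("%-22s -> %s\n", $addr, $verdict ?? 'passed, local checks only');
}
```

In the form handler you would call `validateSignupEmail($email)` and store a non-null result in `$errors['email']` before the duplicate-email query runs. Keeping the remote call in its own function also makes it easy to log the raw status when the API rate-limits you, which is the first thing to check when disposable addresses start slipping through again.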