
Help me check my PHP


ghost's Avatar
0 0

So I have a friend with a hacking website. Although I just found that this was already one of the challenges, I believe that doing this right is still pretty good practice. The challenge was going to be that you have to modify the page source in some way to change an email address.

Since there are so many variables that I don't know, I can't actually test the code. I've looked over it a couple of times, and it looks, to me, like everything is written properly, but I can't be sure, so any help with that would be great. Also, if anyone can identify any vulnerable code and help me work through how to fix it, that would be nice too.

<?php
function real_email($unchecked){
$unchecked = filter_var( $unchecked, FILTER_SANITIZE_EMAIL );
if ( filter_var($unchecked, FILTER_VALIDATE_EMAIL)){
  if ( $unchecked !== 'default@basic.net' ){
  return GoodEmail_NotDefault;
  }
  elseif ( $unchecked == 'default@basic.net' ){
  return Fail;
  }
 }
else{
 return BadEmail;
 }
}

$check = real_email($_REQUEST['email']);
if ( $check == GoodEmail_NotDefault ){
 echo "<div class='main-caption'>Basic #</div>
       <div class='main-body'>
       <center>
       <h2>Congratulations! You completed basic #.</h2>
       <a href='/profile.php?lookup=/*user id here*/' title='My Profile'>View MyProfile</a><hr>";
 if ( /*User has completed mission already*/ ){
  echo "You have already beaten this challenge.</center></div>
  </div>";
  }
 elseif ( /*User hasn't completed mission already*/ ){
  /*Put code to update user's profile*/
  echo "</div>";
  }
 }

elseif ( $check == Fail ){
 echo "<center>
       The form is sending sensitive data that you need,<br>make it send that information to your email address.
       <br><br><form action='./index.php' method='post'>
       <input type='hidden' name='email' value='default@basic.net'>
       <input name='submit' value='Send Email' type='submit'>
       </form>";
 }
elseif ( $check == BadEmail ){
 echo "<center>
       <h3>Email was not in the form of  part@place.end</h3><br>
       The form is sending sensitive data that you need,<br>make it send that information to your email address.
       <br><br><form action='./index.php' method='post'>
       <input type='hidden' name='email' value='default@basic.net'>
       <input name='submit' value='Send Email' type='submit'>
       </form>";
 }
else{
 echo "<center>
       The form is sending sensitive data that you need,<br>make it send that information to your email address.
       <br><br><form action='./index.php' method='post'>
       <input type='hidden' name='email' value='default@basic.net'>
       <input name='submit' value='Send Email' type='submit'>
       </form>";
 }
?>


spyware's Avatar
Banned
0 0

Errhhh, PHP outputs errors.


ghost's Avatar
0 0
  1. Your return values aren't strings.
  2. $_REQUEST is goofy… use $_POST.

ghost's Avatar
0 0

Okay I got it.

I thought I wouldn't get accurate errors if I had comments enclosed in my if statements. All I had to do was just make a random variable and put that in those if statements with comments instead of real parameters.

So now I've gotten the syntax checking done, and I know that the code will work properly. Now I just need to know if anyone can find any vulnerabilities in my code.


ghost's Avatar
0 0

s3klyma wrote: I thought I wouldn't get accurate errors if I had comments enclosed in my if statements. All I had to do was just make a random variable and put that in those if statements with comments instead of real parameters.

Umm… alright. Whatever works.

As for how secure it is, familiarize yourself with exactly what "SANITIZE_EMAIL" filter does. It leaves a lot of room for special characters. You might as well just use a regex for alphanums, period, dash, underscore, or @… repeated no more than 3 times on either side of the @.
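
An added example, not code from the thread or from the site, putting the replies' points together: string return values, and an allowlist regex instead of FILTER_SANITIZE_EMAIL followed by FILTER_VALIDATE_EMAIL. The function name, the constants, the reading of "no more than 3 times" as at most three dot-separated parts per side, and the case-insensitive comparison are assumptions; the sample inputs are constructed.

```php
<?php
// Added example. Result codes are real strings, not bare constants.
const GOOD = 'GoodEmail_NotDefault';
const FAIL = 'Fail';
const BAD  = 'BadEmail';
const DEFAULT_ADDRESS = 'default@basic.net';

// In the posted script this would be called as
// strict_email_check($_POST['email'] ?? null) rather than with $_REQUEST.
function strict_email_check($raw): string
{
    // Arrays (email[]=x) and missing fields are rejected, not coerced.
    if (!is_string($raw)) {
        return BAD;
    }
    // Allowlist: alphanumerics, dash, underscore, with at most three
    // dot-separated parts on each side of a single @ (assumed reading of
    // the last reply). \A and \z anchor the match so a trailing newline fails.
    $part = '[A-Za-z0-9_-]+';
    $pattern = "/\\A{$part}(?:\\.{$part}){0,2}@{$part}(?:\\.{$part}){1,2}\\z/";
    if (preg_match($pattern, $raw) !== 1) {
        return BAD;
    }
    // Assumed hardening: 'DEFAULT@basic.net' counts as the default address.
    return strcasecmp($raw, DEFAULT_ADDRESS) === 0 ? FAIL : GOOD;
}

// Constructed sample inputs.
$samples = [
    'me@example.org',
    'default@basic.net',
    'DEFAULT@basic.net',
    "a'`\$x|y@example.org",   // FILTER_SANITIZE_EMAIL leaves this unchanged
    '<b>me@example.org',      // the sanitizer rewrites this to bme@example.org
    ['me@example.org'],       // what email[]=... produces
];

foreach ($samples as $s) {
    // Show what the sanitizer would have passed on, next to the strict result.
    $sanitized = is_string($s) ? filter_var($s, FILTER_SANITIZE_EMAIL) : '(not a string)';
    printf("%-26s sanitized=%-22s result=%s\n",
        json_encode($s), $sanitized, strict_email_check($s));
}
```

The fourth and fifth samples show the gap the last reply points at: the sanitize-then-validate approach either keeps quote, backtick, `$` and `|` characters or silently rewrites the input into a different address, while the allowlist rejects both.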