Question

I'm trying to have the mail.php script identify the page that called the script, and return the user to that page if the form didn't validate, was empty, etc. When I click on submit, it just 404s.

<?php
/*
This first bit sets the email address that you want the form to be submitted to.
You will need to change this value to a valid email address that you can access.
*/
$webmaster_email = "email@email.com";

/*
This next bit loads the form field data into variables.
If you add a form field, you will need to add it here.
*/
$email_address = $_REQUEST['email'];
$comments = $_REQUEST['comment'];
$fname = $_REQUEST['first-name'];
$lname = $_REQUEST['last-name'];
$filename = debug_backtrace();
$page = $filename[0]['file'];

/*
The following function checks for email injection.
Specifically, it checks for carriage returns - typically used by spammers to inject a CC list.
*/
function isInjected($str) {
    $injections = array('(\n+)',
        '(\r+)',
        '(\t+)',
        '(%0A+)',
        '(%0D+)',
        '(%08+)',
        '(%09+)'
    );
    $inject = join('|', $injections);
    $inject = "/$inject/i";
    if(preg_match($inject,$str)) {
        return true;
    }
    else {
        return false;
    }
}

// If the user tries to access this script directly, redirect them to the feedback form.
if (!isset($_REQUEST['email_address'])) {
    header( "Location: $page" );
}

// If the form fields are empty, redirect to the error page.
elseif (empty($email_address) || empty($comments) || empty($fname)) {
    echo "<script type=\"text/javascript\">window.alert('Please fill in the required fields.');
    window.location.href = $page;</script>";
    exit;
}

// If email injection is detected, redirect to the error page.
elseif (isInjected($email_address)){
    echo "<script type=\"text/javascript\">window.alert('Please, Try Again.');
    window.location.href = $page;</script>";
    exit;
}

// If we passed all previous tests, send the email then redirect to the thank you page.
else {
    mail("$webmaster_email", "Feedback Form Results", $comments, "From: $email_address");
    echo "<script type=\"text/javascript\">window.alert('Thank You for contacting us!');
    window.location.href = $page;</script>";
    exit;
}
?>

Solution

No need for debug_backtrace(). To get the referring page, you could replace this:

$filename = debug_backtrace();
$page = $filename[0]['file'];

With this:

$page = $_SERVER['HTTP_REFERER'];

However, $_SERVER['HTTP_REFERER'] is unreliable according to the PHP docs:

This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

So another solution is to add an additional field in the referring form and retrieve it in the PHP script, e.g.:

<input name="referrer" type="hidden" value="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>"/>

Then:

$page = $_REQUEST['referrer'];
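
An added example, not part of the original answer: both HTTP_REFERER and a hidden referrer field are supplied by the client, so the value should be reduced to a known local path before it goes into a Location header or an inline script. The function name, the allowlisted page names and the default page are hypothetical.

```php
<?php
// Added example, not from the original answer. The page names in the
// allowlist and the default are hypothetical placeholders.
const ALLOWED_RETURN_PAGES = ['/contact.php', '/feedback.php'];
const DEFAULT_RETURN_PAGE  = '/contact.php';

/**
 * Reduce a client-supplied return target (hidden "referrer" field or the
 * Referer header) to an allowlisted local path, else the default page.
 */
function safeReturnPage($candidate): string
{
    if (!is_string($candidate) || $candidate === '') {
        return DEFAULT_RETURN_PAGE;
    }
    // Control bytes (CR, LF, NUL, ...) never belong in a redirect target.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return DEFAULT_RETURN_PAGE;
    }
    // Referer is a full URL, PHP_SELF is a path: keep only the path part,
    // so scheme, host and query string sent by the client are discarded.
    $path = parse_url($candidate, PHP_URL_PATH);
    if (!is_string($path)) {
        return DEFAULT_RETURN_PAGE;
    }
    // Strict match against known pages; everything else falls back.
    return in_array($path, ALLOWED_RETURN_PAGES, true) ? $path : DEFAULT_RETURN_PAGE;
}

// In mail.php the result would replace $page, for example:
//   $page = safeReturnPage($_POST['referrer'] ?? null);
//   header('Location: ' . $page);
//   exit;
// If $page is written into inline JavaScript instead, emit it with
// json_encode($page, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT).

// Constructed sample inputs showing what each value is reduced to.
$samples = [
    '/feedback.php',                               // hidden field from the form page
    'https://www.example.com/contact.php?sent=1',  // typical Referer header
    '//other.example/contact.php',                 // host is dropped, local path kept
    'https://other.example/landing',               // path not on the allowlist
    "/contact.php\r\nX-Injected: 1",               // CR/LF rejected
    '/var/www/html/mail.php',                      // filesystem path, not a page URL
];
foreach ($samples as $sample) {
    printf("%-48s => %s\n", json_encode($sample, JSON_UNESCAPED_SLASHES), safeReturnPage($sample));
}
```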
Licensed under: CC-BY-SA with attribution