dms (author) Posted April 16, 2009 (edited)

I'm sure this can be improved, but hoping it's a good start. This is my first attempt at processing a form, so any and all contributions are appreciated. Form validation is my main concern.

<?php
/* data received from contact_form.php ......................................*/
// trim() so that two empty name fields do not become a single space
$name    = trim($_POST['firstname'] . ' ' . $_POST['lastname']);
$email   = $_POST['email'];
$phone   = $_POST['phone'];
$message = $_POST['message'];

/* stripos for email verification (only checks that an '@' is present) .....*/
$v_email = stripos($email, '@');

/* strip tags from the following variables ..................................*/
// corrected to assign the result back to each variable
$name    = strip_tags($name);
$email   = strip_tags($email);
$phone   = strip_tags($phone);
$message = strip_tags($message);

/* variables to send email ..................................................*/
$to      = 'someone@gmail.com';
$subject = 'From ABC (FORM-RESPONSE)';
$msg     = "Name: $name\n" . "Phone: $phone\n" . $message;

/* somewhat validating the form information .................................*/
if (empty($name) || empty($email) || empty($message)) {
    echo 'Please complete all required areas. '
       . 'Use your back button to complete the form.';
} elseif ($v_email === false) {            // stripos() returns false when no '@' was found
    echo 'Please use a valid email address. '
       . 'Use your back button to complete the form.';
} else {
    mail($to, $subject, $msg, 'From: ' . $email);
    echo 'Hello ' . $name . ', your email has been received and I will respond asap. '
       . 'If this is urgent in nature, please give me a call at 573-275-6262.';
}
?>

Edited April 25, 2009 by dms
jlhaslip Posted April 16, 2009

Any errors when you run it? Are the empty inputs being caught and reported? Looks to me like a good start.
dms (author) Posted April 16, 2009

Thanks jlhaslip, No errors. Empty inputs are being caught and reported. Would you be at ease using this code?
monkeysaurus Posted April 16, 2009

Looks good at first glance, but I wouldn't be comfortable using this code until it incorporated some email injection protection.
jlhaslip Posted April 17, 2009

/* ************************************************************************
 * function used to clean mail :: from Larry Ullman at dmcinsights.com
 * as found here: http://www.dmcinsights.com/phorum/read.php?6,28810
 * called by the following line on the mail page prior to using mail():
 *     $_SAFE_POST = array_map('clear_user_input', $_POST);
 * cleans each element of the $_POST array before using them in mail()
 ************************************************************************ */
function clear_user_input($value)
{
    // Check for bad values (header names an attacker would try to inject):
    if (stristr($value, 'content-type')) return '';
    if (stristr($value, 'bcc:')) return '';
    if (stristr($value, 'to:')) return '';
    if (stristr($value, 'cc:')) return '';
    if (stristr($value, 'href')) return '';

    // Strip quotes, if Magic Quotes are on:
    if (get_magic_quotes_gpc()) $value = stripslashes($value);

    // Replace any newline characters (and their URL-encoded forms) with spaces:
    $value = str_replace(array("\r", "\n", "%0a", "%0d"), ' ', $value);

    // Return the value:
    return trim($value);
}

Try that function.
dms (author) Posted April 17, 2009

Thanks for bringing this to my attention - I have some more reading to do for sure. I'll look over the code by Larry Ullman and read up on email injection, and repost asap. Thanks!
dms (author) Posted April 24, 2009 (edited)

Ok, I've experimented with preventing email injection and have a problem. No matter what I put in the code to prevent email injection I receive an added slash before each and every single quote, double quote or backslash on my reply form and in the email sent. I would like the form to return nothing or an empty string when any of the above are met by the email injection code.

Even after removing the email injection prevention code and adding an \ "" '' in one of the fields, I still receive my response to the form with the added slash before each \ " ' and in the email. I've asked my hosting company and they really don't seem to have a response as to why this is happening. BTW.. Magic quotes is turned off.

Below is the hosting company's reply to why this is happening. Does this make any sense?

[[[Dear Mark, Thank you for contacting our technical support team. Those slashes are added because of the nature of PHP. When the mail form sends the form parameters using POST, it translates the content and adds trailing slashes to shield the data sent from your form.]]]

Maybe this is true, but it does not make sense to me - but I'm very green to programming.

Mark

Edited April 25, 2009 by dms
jlhaslip Posted April 24, 2009

Could you list the code you are working with, please. Also, do a phpinfo() to see if magic-quotes is 'on' for the server. Thanks.
dms (author) Posted April 24, 2009 (edited)

I know this is not complete but should work when a backslash is inserted into a field, shouldn't it?

// the original used eregi(); preg_match() is the equivalent that is not deprecated
// (note: $from is not defined anywhere in the script posted above)
if (preg_match("/(\r|\n)/", $name)) return '';
if (preg_match("/(\r|\n)/", $email)) return '';
if (preg_match("/(\r|\n)/", $phone)) return '';
if (preg_match("/(\r|\n)/", $from)) return '';

This code was added just below...

$v_email = stripos($email, '@');

in the code posted earlier.

Edited April 25, 2009 by dms
jlhaslip Posted April 25, 2009

Nope. That is checking for the existence of newlines and carriage returns. It would really be nice to see your phpinfo() results; there is more than one way to set magic-quotes and handling them differs based on the setting. If you are concerned about security with respect to the forum here, create the file and send me the link by PM.
dms (author) Posted April 25, 2009 (edited)

PHP Version 5.2.3

jlhaslip viewed phpinfo and magic quotes was on. I had turned it off and did not save.

Edited April 25, 2009 by dms
jlhaslip Posted April 25, 2009

Ack! Just re-read the opening post and I apologize for failing to see the most basic of flaws in the code... my bad!

/* strip tags from following variables....................*/
strip_tags("$name");
strip_tags("$email");
strip_tags("$phone");
strip_tags("$message");

See anything wrong with that snippet? The strip_tags function's result is not being assigned to the variables... I should have caught that sooner. Sorry.

/* data received from contact_form.php .......................................*/
$name    = $_POST['firstname'] . ' ' . $_POST['lastname'];
$email   = $_POST['email'];
$phone   = $_POST['phone'];
$message = $_POST['message'];

/* stripos for email verification................................*/
$v_email = stripos($email, '@');

/* strip tags from following variables....................*/
$name    = strip_tags($name);
$email   = strip_tags($email);
$phone   = strip_tags($phone);
$message = strip_tags($message);

Or:

/* data received from contact_form.php .......................................*/
$name    = strip_tags($_POST['firstname']) . ' ' . strip_tags($_POST['lastname']);
$email   = strip_tags($_POST['email']);
$phone   = strip_tags($_POST['phone']);
$message = strip_tags($_POST['message']);
dms (author) Posted April 25, 2009 (edited)

Finding out that magic-quotes was on, I know why the backward slash was added. I corrected the strip_tags to include a variable. Even with magic_quotes turned off, the script still does not work properly. I turned magic_quotes back on until I figure this out.

strip_tags() apparently does not include single quotes, double quotes or the backslash, but does include HTML tags???

I would like to start over, take everything out and insert Larry Ullman's code, but I don't thoroughly understand it. I'll take a stab at it tomorrow and repost.

Thanks for your help!

Edited April 25, 2009 by dms
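The two problems the thread circles around are separate: the slashes come from magic_quotes_gpc (a server setting, not the form), and the email-injection risk comes from dropping the visitor's email field straight into the From: header, where a CR/LF in the field lets the sender append Bcc: or other headers of their choosing. The handler below is an added example, not the original poster's script, jlhaslip's, or Larry Ullman's code. It assumes the same field names as contact_form.php (firstname, lastname, email, phone, message); the $to and $from addresses are placeholders, and the two submissions at the bottom are constructed test inputs, not captured traffic. It shows why stripos($email, '@') is too weak a check, rejects CR/LF in every header-bound field, keeps the From: address fixed and puts the visitor's address in Reply-To, undoes magic quotes only when they are actually on, and escapes visitor data before echoing it back into the page.

```php
<?php
// Hardened contact-form handler (added example; not the original poster's code).
// Assumptions: same field names as contact_form.php (firstname, lastname,
// email, phone, message); $to and $from below are placeholder addresses.

// Undo magic_quotes_gpc if the host still has it on (PHP < 5.4 only).
function unquote($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// A value that goes into a mail header must not contain CR, LF or NUL:
// that is the whole email-injection attack. URL-encoded forms are
// rejected too, in case a value reaches us still encoded.
function header_safe($value)
{
    return !preg_match('/[\r\n\0]|%0[aAdD]/', $value);
}

// Validate one submission. Returns array('ok' => bool, 'error' => string,
// 'fields' => array). Sends nothing.
function validate_contact(array $post)
{
    $fields = array();
    foreach (array('firstname', 'lastname', 'email', 'phone', 'message') as $k) {
        $fields[$k] = isset($post[$k]) ? trim(unquote($post[$k])) : '';
    }

    if ($fields['firstname'] === '' || $fields['email'] === '' || $fields['message'] === '') {
        return array('ok' => false, 'error' => 'Please complete all required areas.', 'fields' => $fields);
    }
    // stripos($email, '@') accepts "a@b\r\nBcc: x"; FILTER_VALIDATE_EMAIL (PHP 5.2+) does not.
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        return array('ok' => false, 'error' => 'Please use a valid email address.', 'fields' => $fields);
    }
    // Anything that ends up on a header line gets the CR/LF check as well.
    foreach (array('firstname', 'lastname', 'email', 'phone') as $k) {
        if (!header_safe($fields[$k])) {
            return array('ok' => false, 'error' => 'Invalid characters in ' . $k . '.', 'fields' => $fields);
        }
    }
    return array('ok' => true, 'error' => '', 'fields' => $fields);
}

// Build the additional-headers string for mail(). From: is an address we
// own; the visitor's address goes in Reply-To, so it never becomes the
// sender and a forged value cannot be abused for bounce-based spam.
function build_headers(array $fields, $from_address)
{
    $headers = array(
        'From: ' . $from_address,
        'Reply-To: ' . $fields['email'],
        'X-Mailer: PHP/' . phpversion(),
    );
    return implode("\r\n", $headers);
}

// Constructed test inputs (not captured traffic).
$honest = array(
    'firstname' => 'Mark', 'lastname' => 'Example',
    'email' => 'mark@example.com', 'phone' => '555-0100',
    'message' => "Hello,\nI'd like a quote.",
);
// Classic injection: CRLF inside the email field appends a Bcc: header.
$hostile = $honest;
$hostile['email'] = "mark@example.com\r\nBcc: spam-target@example.net";

$to   = 'someone@example.com';   // placeholder recipient
$from = 'webform@example.com';   // placeholder fixed sender

foreach (array('honest' => $honest, 'hostile' => $hostile) as $label => $post) {
    $r = validate_contact($post);
    if (!$r['ok']) {
        echo "$label: rejected ({$r['error']})\n";
        continue;
    }
    $f   = $r['fields'];
    $msg = "Name: {$f['firstname']} {$f['lastname']}\nPhone: {$f['phone']}\n\n{$f['message']}";
    // mail($to, 'Contact form', $msg, build_headers($f, $from));  // enable on a real host
    echo "$label: would send with headers:\n" . build_headers($f, $from) . "\n";
    // Visitor data echoed back into HTML must be escaped, whatever strip_tags() did:
    echo 'Hello ' . htmlspecialchars($f['firstname'], ENT_QUOTES, 'UTF-8')
       . ", your email has been received.\n";
}
```

Run from the command line with php, the honest submission prints its three header lines and the hostile one is rejected at the FILTER_VALIDATE_EMAIL step before header_safe() is even reached; drop the filter_var() check and header_safe() still stops it. Keyword filters like stristr($value, 'to:') are not needed once CR/LF can never reach a header, and they have false positives (a message mentioning "photo:" would be blanked).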
dms (author) Posted April 25, 2009 (edited)

Starting over from scratch and will start a new post.

Edited April 30, 2009 by dms