
First attempt at processing a form.


dms


I'm sure this can be improved, but hoping it's a good start. This is my first attempt at processing a form, so any and all contributions are appreciated. Form validation is my main concern.


<?php
/* data received from contact_form.php */
// isset() avoids an undefined-index notice when a field is missing from the POST
$name    = (isset($_POST['firstname']) ? $_POST['firstname'] : '') . ' ' .
           (isset($_POST['lastname'])  ? $_POST['lastname']  : '');
$email   = isset($_POST['email'])   ? $_POST['email']   : '';
$phone   = isset($_POST['phone'])   ? $_POST['phone']   : '';
$message = isset($_POST['message']) ? $_POST['message'] : '';

/* stripos for email verification: returns false when no '@' is present, and 0 when
   '@' is the first character, so the check below compares against false */
$v_email = stripos($email, '@');

/* strip tags from the following variables */ // corrected to assign the result back to the variable
$name    = trim(strip_tags($name));   // trim so that two empty name fields do not pass empty() as ' '
$email   = strip_tags($email);
$phone   = strip_tags($phone);
$message = strip_tags($message);

/* variables to send the email */
$to      = 'someone@gmail.com';
$subject = 'From ABC (FORM-RESPONSE)';
$msg     = "Name: $name\n" .
           "Phone: $phone\n" .
           $message;

/* somewhat validating the form information */
if (empty($name) || empty($email) || empty($message)) {
    echo 'Please complete all required areas. ' .
         'Use your back button to complete the form.';
} elseif ($v_email === false) {
    echo 'Please use a valid email address. ' .
         'Use your back button to complete the form.';
} else {
    mail($to, $subject, $msg, 'From: ' . $email);
    echo 'Hello ' . $name . ', your email has been received and I will respond asap. ' .
         'If this is urgent in nature, please give me a call at 573-275-6262.';
}
?>

Edited by dms

/* ************************************************************************
*
* function used to clean Mail :: from Larry Ullman at dmcinsights.com
*
* as found here: http://www.dmcinsights.com/phorum/read.php?6,28810
*
* called by the following line on the mail page prior to using the mail()
*
* $_SAFE_POST = array_map('clear_user_input', $_POST);
*
* cleans each element of the $_POST array before using them in the mail() using array_map
*
*************************************************************************** */
function clear_user_input($value) {
   // Check for bad values (these are substring tests, so ordinary text that happens
   // to contain "to:" or "href" is rejected as well):
   if (stristr($value, 'content-type')) return '';
   if (stristr($value, 'bcc:')) return '';
   if (stristr($value, 'to:')) return '';
   if (stristr($value, 'cc:')) return '';
   if (stristr($value, 'href')) return '';

   // Strip quotes, if Magic Quotes are on (get_magic_quotes_gpc() was removed in PHP 8,
   // so guard the call):
   if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) $value = stripslashes($value);

   // Replace any newline characters with spaces (this also flattens a multi-line
   // message body when the function is mapped over the whole $_POST array):
   $value = str_replace(array( "\r", "\n", "%0a", "%0d"), ' ', $value);

   // Return the value:
   return trim($value);

}

Try that function.

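The processor in the opening post and the clear_user_input() function above take different routes to the same problem: the first trusts stripos() and strip_tags(), the second block-lists header names. The following is an added example, not code from the thread or from Larry Ullman, that does it a third way: every value that will end up in a mail header is rejected if it contains a line break, the address is validated with filter_var(), and the visitor's address goes into Reply-To while From stays a fixed site address. Field names (firstname, lastname, email, phone, message) and the someone@gmail.com recipient come from the opening post; contact@example.com and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: allow-list validation for the contact form.

/** Validate the posted fields. Returns array('errors' => [...], 'data' => [...]). */
function validate_contact_form(array $post)
{
    $fields = array('firstname', 'lastname', 'email', 'phone', 'message');
    $data = array();
    foreach ($fields as $f) {
        // Missing keys become '' instead of raising a notice; only strings are accepted.
        $data[$f] = (isset($post[$f]) && is_string($post[$f])) ? trim($post[$f]) : '';
    }

    $errors = array();

    // Anything that ends up in a mail header must be a single line: a CR or LF in the
    // address or name is what makes header injection possible, so reject it outright
    // rather than trying to clean it.
    foreach (array('firstname', 'lastname', 'email', 'phone') as $f) {
        if (preg_match('/[\r\n]/', $data[$f])) {
            $errors[] = "The $f field may not contain line breaks.";
        }
    }

    if ($data['firstname'] === '' || $data['lastname'] === '') {
        $errors[] = 'Please enter your first and last name.';
    }
    // filter_var() rejects control characters, spaces and a missing domain;
    // stripos($email, '@') checks none of that.
    if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please use a valid email address.';
    }
    // Phone is optional; when given, allow only the characters a phone number needs.
    if ($data['phone'] !== '' && !preg_match('/^[0-9+() .-]{7,20}$/', $data['phone'])) {
        $errors[] = 'Please use digits, spaces, +, -, ( and ) in the phone number.';
    }
    if ($data['message'] === '') {
        $errors[] = 'Please enter a message.';
    } elseif (strlen($data['message']) > 5000) {
        $errors[] = 'Please keep the message under 5000 characters.';
    }

    return array('errors' => $errors, 'data' => $data);
}

/**
 * Build the arguments for mail() from validated data. From is a fixed site address
 * ($site_from, assumed); the visitor's address goes in Reply-To, where it is still a
 * single validated line.
 */
function build_contact_mail(array $data, $to, $site_from)
{
    $name = $data['firstname'] . ' ' . $data['lastname'];
    $body = "Name: $name\n"
          . "Phone: " . $data['phone'] . "\n\n"
          . $data['message'];
    $headers = "From: $site_from\r\n"
             . "Reply-To: " . $data['email'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8";
    return array('to' => $to, 'subject' => 'From ABC (FORM-RESPONSE)',
                 'body' => $body, 'headers' => $headers);
}

// --- Constructed inputs (not captured traffic) ---
$good = array('firstname' => 'Mark', 'lastname' => 'Smith', 'email' => 'mark@example.com',
              'phone' => '573-555-0100', 'message' => "It's a \"test\" with a \\ backslash.");
$bad  = $good;
$bad['email'] = "mark@example.com\r\nBcc: someone-else@example.com";   // must be rejected

foreach (array('good' => $good, 'bad' => $bad) as $label => $post) {
    $result = validate_contact_form($post);
    if ($result['errors']) {
        echo "$label: rejected\n";
        foreach ($result['errors'] as $e) echo "  - $e\n";
        continue;
    }
    $m = build_contact_mail($result['data'], 'someone@gmail.com', 'contact@example.com');
    // mail($m['to'], $m['subject'], $m['body'], $m['headers']);   // real send goes here
    echo "$label: accepted; headers:\n" . $m['headers'] . "\n";
    // When echoing the name back into an HTML page, escape it for HTML. strip_tags()
    // leaves quotes and backslashes alone because they are legitimate input; they only
    // need encoding at the point of output.
    echo 'Hello ' . htmlspecialchars($result['data']['firstname'], ENT_QUOTES, 'UTF-8')
       . ", your email has been received.\n";
}
```

Run from the command line the "good" submission prints the three headers and the greeting, and the "bad" one is rejected twice over (the line-break check and the address check both fire), which is the behaviour to look for when testing a form: an injection attempt should never reach mail(), not merely arrive with its header names blanked out.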

Thanks for bringing this to my attention - I have some more reading to do for sure.

I'll look over the code by Larry Ullman and read up on email injection, and repost asap.

Thanks!


Ok, I've experimented with preventing email injection and have a problem.

No matter what I put in the code to prevent email injection, I receive an added slash before each and every single quote, double quote or backslash on my reply form and in the email sent. I would like the form to return nothing or an empty string when any of the above are met by the email injection code.

Even after removing the email injection prevention code and adding a \ "" '' in one of the fields, I still receive my response to the form with the added slash before each \ " ' and in the email. I've asked my hosting company and they really don't seem to have a response as to why this is happening. BTW.. Magic quotes is turned off.

Below is the hosting company's reply to why this is happening. Does this make any sense?

[[[Dear Mark,

Thank you for contacting our technical support team.

Those slashes are added because of the nature of PHP. When the mail form sends the form parameters using POST, it translates the content and adds trailing slashes to shield the data sent from your form.]]]

Maybe this is true, but it does not make sense to me - but I'm very green to programming. Mark

Edited by dms

I know this is not complete but should work when a backslash is inserted into a field, shouldn't it?

// eregi() was removed in PHP 7; preg_match() with the i modifier is the equivalent call
if (preg_match("/(\r|\n)/i", $name)) return '';
if (preg_match("/(\r|\n)/i", $email)) return '';
if (preg_match("/(\r|\n)/i", $phone)) return '';
if (preg_match("/(\r|\n)/i", $from)) return '';

This code was added just below... $v_email = stripos ("$email" , "@"); in the code posted earlier.

Edited by dms

nope. That is checking for the existence of newlines and returns.

It would really be nice to see your phpinfo() results, there is more than one way to set magic-quotes and handling them differs based on the setting.

If you are concerned about security with respect to the Forum here, create the file and send me the link by PM.

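The reply above is right that magic quotes can be switched on in more than one place and in more than one style, which is why "php.ini says off" and "slashes keep appearing" can both be true. The following is an added example, not code from the thread, that asks the running interpreter which of the three settings is live and hands the form the text as the visitor typed it in every case. It is written for the PHP 5 era of this thread; the function_exists() guards make it a no-op on PHP 8, where the setting no longer exists. The $as_received sample is constructed to look like what a magic_quotes_gpc=On server puts into $_POST.

```php
<?php
// Added example, not code from the thread: detect and undo magic quotes.

/**
 * Report the three magic-quotes settings as the running interpreter sees them.
 * php.ini is not the only place they can be set (a per-directory .htaccess with
 * php_flag magic_quotes_gpc On, or the host's master config, also works), so ask
 * the engine rather than reading a config file.
 */
function magic_quotes_report()
{
    return array(
        // Escapes $_GET, $_POST and $_COOKIE with backslashes before the script runs.
        'magic_quotes_gpc'     => function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc(),
        // Escapes data read at runtime from files and databases, not form input.
        'magic_quotes_runtime' => function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime(),
        // Sybase style: a single quote becomes '' instead of \' and overrides the gpc style.
        'magic_quotes_sybase'  => (bool) ini_get('magic_quotes_sybase'),
    );
}

/** Apply $fn to every string in a possibly nested request array. */
function map_strings($fn, $value)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = map_strings($fn, $v);
        }
        return $out;
    }
    return is_string($value) ? call_user_func($fn, $value) : $value;
}

/** stripslashes() does not understand the '' style, so undo it explicitly. */
function unescape_sybase($s)
{
    return str_replace("''", "'", $s);
}

/**
 * Return request data as the visitor typed it, whatever the host's setting.
 * $input is passed in (normally $_POST) so the function can be exercised with
 * constructed data.
 */
function raw_input(array $input, array $report)
{
    if ($report['magic_quotes_sybase']) {
        return map_strings('unescape_sybase', $input);
    }
    if ($report['magic_quotes_gpc']) {
        return map_strings('stripslashes', $input);
    }
    return $input;
}

// Constructed sample: what a magic_quotes_gpc=On server would have put in $_POST
// for the typed input   O'Brien said "hi" C:\temp
$as_received = array(
    'name'    => 'O\\\'Brien',
    'message' => 'said \\"hi\\" C:\\\\temp',
);
$pretend_gpc_on = array('magic_quotes_gpc' => true, 'magic_quotes_runtime' => false,
                        'magic_quotes_sybase' => false);

$clean = raw_input($as_received, $pretend_gpc_on);
echo $clean['name'] . ' ' . $clean['message'] . "\n";   // O'Brien said "hi" C:\temp

// Live check for the actual host:
foreach (magic_quotes_report() as $setting => $on) {
    echo $setting . ': ' . ($on ? 'on' : 'off') . "\n";
}
```

If the live report shows magic_quotes_gpc on and php.ini cannot be edited, an Apache host running mod_php honours php_flag magic_quotes_gpc Off in .htaccess (the directive is ignored under CGI/FastCGI); the raw_input() call is the fallback for the case where the setting cannot be changed at all.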

Ack!

Just re-read the opening post and I apologize for failing to see the most basic of flaws in the code... my bad!

/*
strip tags from following variables....................*/
       strip_tags("$name");
       strip_tags("$email");
       strip_tags("$phone");
       strip_tags("$message");

See anything wrong with that snippet?

The strip_tags function is not being assigned to variables... I should have caught that sooner. Sorry.

/*
data received from the contact_form.php .......................................*/
       $name = $_POST['firstname'] .' '. $_POST['lastname'];
       $email = $_POST['email'];
       $phone = $_POST['phone'];
       $message = $_POST['message'];
/*
stripos for email verification................................*/
       $v_email = stripos ("$email" , "@");
/*
strip tags from following variables....................*/
       $name = strip_tags("$name");
       $email = strip_tags("$email");
       $phone = strip_tags("$phone");
       $message = strip_tags("$message");

Or:

/*
data received from the contact_form.php .......................................*/
       $name  = strip_tags($_POST['firstname']) .' '. strip_tags($_POST['lastname']);
       $email = strip_tags($_POST['email']);
       $phone = strip_tags($_POST['phone']);
       $message = strip_tags($_POST['message']);


Having found out that magic-quotes was on, I know why the backslash was added.

I corrected the strip_tags to include a variable. Even with magic_quotes turned off, the script still does not work properly. I turned magic_quotes back on until I figure this out.

strip_tags() apparently does not include single quotes, double quotes or the backslash, but does include HTML tags???

I would like to start over, take everything out and insert Larry Ullman's code, but I don't thoroughly understand it. I'll take a stab at it tomorrow and repost.

Thanks for your help!

Edited by dms