Jump to content

First-time form from scratch - probably doing a LOT wrong


Recommended Posts

if (isset($_POST['submit'])) {

   $to = "someone@somewhere.com";
   $subject = "Website Order";
   $name_field = $_POST['name'];
   $phone_field = $_POST['phone'];
   $mobile_field = $_POST['mobile'];
   $email_field = $_POST['email'];
   $address = $_POST['address'];
   $postcode_field = $_POST['postcode'];
   foreach ($_POST['regionalSeries'] as $value) {
       $radio_msg .= "Regional Series: $value";
   if (isset($_POST[?personalised?])) {
       foreach ($_POST['personalised'] as $value) {
           $radio_msg2 .= "Regional Series: $value\n";
   foreach ($_POST['locations'] as $value) {
       $check_msg .= "Locations: $value\n";
   //foreach ($_POST['personalised'] as $value) {
   //            $radio_msg2 .= "Personalised: $value";
   //        }

   $description = $_POST['description'];
   $instructions = $_POST['instructions'];
   $body = "\nFrom: $name_field\nTelephone: $phone_field\nCellphone: $mobile_field\nE-Mail: $email_field\n\nDelivery Address: $address\nPostcode: $postcode_field\n\n$radio_msg\n$check_msg\n\n$radio_msg2\nPersonalised: $description\nSpecial Instructions: $instructions";

   //echo "Data has been submitted to $to!";
   header("Location: thank-you.html");
   mail($to, $subject, $body);

} else {

   echo "blarg!";


What I'm trying to do here is (well, probably obvious) - just not to me.

Any advice on how to make this better?

Error correction. Hmmm... Security? What's that?

Basically, it works (well, the $radio_msg2 doesn't display in the email) so I guess it doesn't really.

I'm just looking for some pointers, to improve the way the form data is handled.

If this isn't the right place to post such a thing - I apologise in advance.

Thanks for looking.


Link to comment
Share on other sites

Apologies, here we go;


<table width="100%" border="0" cellspacing="0" cellpadding="0">* Name: (This name will appear on your invoice).Telephone:Cellphone:* E-mail:* Delivery Address:Postcode:</table>
<br><table width="100%" border="0" cellspacing="0" cellpadding="0">Regional Series Size:600mm wide x 1000mm high

$490900mm wide x 1500mm high

<br><table width="100%" border="0" cellspacing="0" cellpadding="0">North IslandAucklandHawkes Bay/Bay of Plenty/GisborneNorthlandWellingtonTaranaki/Manawatu/WanganuiWaikato South IslandCanterburyTasman/Nelson/MarlboroughWest CoastOtagoCentral OtagoSouthland New Zealand </table>
<br><table width="100%" border="0" cellspacing="0" cellpadding="0">Personalised Size:600mm wide x 1000mm high

$5901000mm wide x 1500mm high

$790Please note down approximately 16 names (i.e. place names, roads, streets, mountains, lakes, beaches, rivers etc.) Try to vary the
           length of the words to create more interest. We choose the 12 names that fit best in the design so please underline the
           important ones that you don?t want missed out of the design & we will endeavour to fit them in.  Special Instructions</table>

Link to comment
Share on other sites

Aside from the lack of Security, I would do the mail() before the header() at the bottom of the code snippet in the first posting. Otherwise, the email would never be sent since the header would re-direct.

It is really, really, really important that you "screen" the user input before you handle it. This form is wide open for email server high-jacking and a Spammer's Delight if they find it.

There are tons of resources out there for how to manage the POST data for emailing. Google it.


/* ************************************************************************
* function used to clean Mail :: from Larry Ullman at dmcinsights.com
* as found here: [url]http://www.dmcinsights.com/phorum/read.php?6,28810[/url]
* called by the following line on the mail page prior to using the mail()
* $_SAFE_POST = array_map('clear_user_input', $_POST);
* cleans each element of the $_POST array before using them in the mail() using array_map
*************************************************************************** */

function clear_user_input($value) {

   // Check for bad values:
   if (stristr($value, 'content-type')) return '';
   if (stristr($value, 'bcc:')) return '';
   if (stristr($value, 'to:')) return '';
   if (stristr($value, 'cc:')) return '';
   if (stristr($value, 'href')) return '';

   // Strip quotes, if Magic Quotes are on:
   if (get_magic_quotes_gpc()) $value = stripslashes($value);

   // Replace any newline characters with spaces:
   $value = str_replace(array( "\r", "\n", "%0a", "%0d"), ' ', $value);

   // Return the value:
   return trim($value);



here is a function to start your user-input screening.

Edited by jlhaslip
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...