jhkoning Posted September 8, 2009

<?php
if (isset($_POST['submit'])) {
    $to = "someone@somewhere.com";
    $subject = "Website Order";
    $name_field = $_POST['name'];
    $phone_field = $_POST['phone'];
    $mobile_field = $_POST['mobile'];
    $email_field = $_POST['email'];
    $address = $_POST['address'];
    $postcode_field = $_POST['postcode'];

    // Initialise the message fragments so the .= below does not work on undefined variables
    $radio_msg = '';
    $radio_msg2 = '';
    $check_msg = '';

    // (array) cast: a radio button submits a single string, a checkbox group submits an array
    foreach ((array) $_POST['regionalSeries'] as $value) {
        $radio_msg .= "Regional Series: $value";
    }
    if (isset($_POST['personalised'])) {
        foreach ((array) $_POST['personalised'] as $value) {
            $radio_msg2 .= "Personalised: $value\n";
        }
    }
    foreach ((array) $_POST['locations'] as $value) {
        $check_msg .= "Locations: $value\n";
    }
    //foreach ($_POST['personalised'] as $value) {
    //    $radio_msg2 .= "Personalised: $value";
    //}
    $description = $_POST['description'];
    $instructions = $_POST['instructions'];

    $body = "\nFrom: $name_field\nTelephone: $phone_field\nCellphone: $mobile_field\nE-Mail: $email_field\n\nDelivery Address: $address\nPostcode: $postcode_field\n\n$radio_msg\n$check_msg\n\n$radio_msg2\nPersonalised: $description\nSpecial Instructions: $instructions";

    //echo "Data has been submitted to $to!";
    header("Location: thank-you.html");
    mail($to, $subject, $body);
} else {
    echo "blarg!";
}
?>

What I'm trying to do here is (well, probably obvious) - just not to me. Any advice on how to make this better? Error correction. Hmmm... Security? What's that? Basically, it works (well, the $radio_msg2 doesn't display in the email) so I guess it doesn't really. I'm just looking for some pointers to improve the way the form data is handled. If this isn't the right place to post such a thing - I apologise in advance. Thanks for looking. Jas
jlhaslip Posted September 9, 2009

Where is the form code?
jhkoning Posted September 9, 2009 Author

Apologies, here we go;

<table width="100%" border="0" cellspacing="0" cellpadding="0">
* Name: (This name will appear on your invoice).
Telephone:
Cellphone:
* E-mail:
* Delivery Address:
Postcode:
</table>
<br>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
Regional Series Size:
600mm wide x 1000mm high $490
900mm wide x 1500mm high $690
</table>
<br>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
North Island: Auckland, Hawkes Bay/Bay of Plenty/Gisborne, Northland, Wellington, Taranaki/Manawatu/Wanganui, Waikato
South Island: Canterbury, Tasman/Nelson/Marlborough, West Coast, Otago, Central Otago, Southland
New Zealand
</table>
<br>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
Personalised Size:
600mm wide x 1000mm high $590
1000mm wide x 1500mm high $790
Please note down approximately 16 names (i.e. place names, roads, streets, mountains, lakes, beaches, rivers etc.) Try to vary the length of the words to create more interest. We choose the 12 names that fit best in the design so please underline the important ones that you don't want missed out of the design & we will endeavour to fit them in.
Special Instructions
</table>
jlhaslip Posted September 10, 2009 (edited)

Aside from the lack of security, I would do the mail() before the header() at the bottom of the code snippet in the first posting. Otherwise, the email would never be sent since the header would redirect. It is really, really, really important that you "screen" the user input before you handle it. This form is wide open for email server hijacking and a Spammer's Delight if they find it. There are tons of resources out there for how to manage the POST data for emailing. Google it.

<?php
/* ************************************************************************
 * function used to clean Mail :: from Larry Ullman at dmcinsights.com
 * as found here: [url]http://www.dmcinsights.com/phorum/read.php?6,28810[/url]
 * called by the following line on the mail page prior to using the mail()
 *     $_SAFE_POST = array_map('clear_user_input', $_POST);
 * cleans each element of the $_POST array before using them in the mail() using array_map
 *************************************************************************** */
function clear_user_input($value) {
    // Checkbox groups arrive as arrays: clean each element recursively
    if (is_array($value)) return array_map('clear_user_input', $value);
    // Check for bad values:
    if (stristr($value, 'content-type')) return '';
    if (stristr($value, 'bcc:')) return '';
    if (stristr($value, 'to:')) return '';
    if (stristr($value, 'cc:')) return '';
    if (stristr($value, 'href')) return '';
    // Strip quotes, if Magic Quotes are on (the function no longer exists in current PHP, hence the guard):
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) $value = stripslashes($value);
    // Replace any newline characters with spaces:
    $value = str_replace(array("\r", "\n", "%0a", "%0d"), ' ', $value);
    // Return the value:
    return trim($value);
}
?>

Here is a function to start your user-input screening.

Edited September 10, 2009 by jlhaslip
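To make the screening advice above concrete, here is an added example of a hardened handler for the order form from the first post. It is not code from the thread or from Larry Ullman's function; it assumes the field names jhkoning's form uses, and the option values and sample submissions in it are constructed for illustration. The validation is kept in a pure function so it can be checked without sending any mail, and the one user-supplied value that reaches a mail header (the Reply-To address) is only used after it has passed filter_var and a CR/LF check.

```php
<?php
// Added example, not the thread's code. Field names follow jhkoning's form;
// the allowed option values below are assumptions, as the inputs were not posted.

// True if the value cannot start a new mail header line: no CR, LF, NUL,
// or their URL-encoded forms (%0a / %0d). Used for every header-bound field.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]|%0[aAdD]/', $value) !== 1;
}

// Normalise a free-text value for the message body: unify line endings,
// drop control characters other than newline and tab, and bound the length.
function clean_body_field(string $value, int $max = 1000): string
{
    $value = str_replace(["\r\n", "\r"], "\n", $value);
    $value = preg_replace('/[^\P{C}\n\t]/u', '', $value) ?? '';
    $value = trim($value);
    return function_exists('mb_substr') ? mb_substr($value, 0, $max) : substr($value, 0, $max);
}

// Read a POST field as a list (radio = string, checkbox group = array) and
// keep only values on the server-side allow-list; anything else is discarded.
function allowed_values(array $post, string $key, array $allowed): array
{
    if (!isset($post[$key])) return [];
    $values = is_array($post[$key]) ? $post[$key] : [$post[$key]];
    $values = array_filter($values, 'is_string');
    return array_values(array_intersect($values, $allowed));
}

// Validate the submission and build the message. Returns
// ['ok' => true, 'subject', 'body', 'reply_to'] or ['ok' => false, 'errors' => [...]].
function build_order_message(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'address'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f]) || trim($post[$f]) === '') {
            $errors[] = "$f is required";
        }
    }
    $email = isset($post['email']) && is_string($post['email']) ? $post['email'] : '';
    if (!is_header_safe($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a single valid address';
    }
    foreach (['name', 'phone', 'mobile', 'postcode'] as $f) {
        if (isset($post[$f]) && is_string($post[$f]) && !is_header_safe($post[$f])) {
            $errors[] = "$f contains newline characters (rejected as a possible header injection)";
        }
    }
    if ($errors) return ['ok' => false, 'errors' => $errors];

    // Assumed option values; prices are those printed on the form in the thread.
    $regional  = allowed_values($post, 'regionalSeries', ['600x1000 $490', '900x1500 $690']);
    $personal  = allowed_values($post, 'personalised',   ['600x1000 $590', '1000x1500 $790']);
    $locations = allowed_values($post, 'locations', ['Auckland', 'Wellington', 'Canterbury', 'Otago', 'Southland']);

    $field = function (string $key) use ($post): string {
        return isset($post[$key]) && is_string($post[$key]) ? clean_body_field($post[$key]) : '';
    };
    $body = "From: " . $field('name') . "\n"
          . "Telephone: " . $field('phone') . "\n"
          . "Cellphone: " . $field('mobile') . "\n"
          . "E-Mail: $email\n\n"
          . "Delivery Address: " . $field('address') . "\n"
          . "Postcode: " . $field('postcode') . "\n\n"
          . "Regional Series: " . implode(', ', $regional) . "\n"
          . "Locations: " . implode(', ', $locations) . "\n"
          . "Personalised: " . implode(', ', $personal) . "\n"
          . "Names: " . $field('description') . "\n"
          . "Special Instructions: " . $field('instructions') . "\n";

    return ['ok' => true, 'subject' => 'Website Order', 'body' => $body, 'reply_to' => $email];
}

// Constructed sample submissions: a legitimate order, and the same order with
// CR/LF smuggled into the e-mail field, which must be rejected before mail().
$good = ['name' => 'Jas', 'email' => 'jas@example.com', 'address' => '1 Example St',
         'postcode' => '6011', 'regionalSeries' => '600x1000 $490',
         'locations' => ['Wellington', 'Otago', 'Atlantis']];
$bad = $good;
$bad['email'] = "jas@example.com\r\nBcc: other@example.net";

$accepted = build_order_message($good);   // ok => true, 'Atlantis' silently dropped
$rejected = build_order_message($bad);    // ok => false, error names the email field
assert($accepted['ok'] === true && strpos($accepted['body'], 'Atlantis') === false);
assert($rejected['ok'] === false);

if (PHP_SAPI !== 'cli' && isset($_POST['submit'])) {
    $r = build_order_message($_POST);
    if (!$r['ok']) {
        http_response_code(400);
        echo htmlspecialchars(implode('; ', $r['errors']), ENT_QUOTES, 'UTF-8');
        exit;
    }
    // Send first, then redirect, and exit so nothing runs after the redirect header.
    mail('someone@somewhere.com', $r['subject'], $r['body'], 'Reply-To: ' . $r['reply_to'] . "\r\n");
    header('Location: thank-you.html');
    exit;
}
```

The design point is that nothing from $_POST is interpolated into a header except the validated address, every multi-choice field is reduced to a server-side allow-list rather than echoed back, and an injection attempt is refused with a 400 rather than "cleaned" and sent, which also gives the server log a clear signal that someone is probing the form.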
jhkoning Posted September 10, 2009 Author

Thanks for the feedback jlhaslip. I knew the security was lacking; I was going to deal with that after I got the thing actually working correctly. I will (as you say) Google it. Cheers, Jas