
php mail() validation


#1
ststacytucker9

Hello friends, please can anyone help me with how and where to put mail() validation in this code for a short form?

Code here:-

PHP Code:
<?php
if (isset($_REQUEST['email']))
//if "email" is filled out, send email
{
    //send email
    $email = $_REQUEST['email'] ;
    $subject = $_REQUEST['subject'] ;
    $message = $_REQUEST['message'] ;
    mail("info@yoursitesite.com", "$subject",
        $message, "From: $email" );
    echo "Thank you for using our mail form";
}
else
//if "email" is not filled out, display the form
{
    echo "<form method='post' action='inquiry.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>

Edited by Jaan, 22 March 2010 - 03:04 AM.
Please use code tags when you are posting your codes!


#2
noel

Hi, here is one of my contact form scripts, hope it helps. If you are not using include files for your html/css files, you will need to replace them with your raw html page code.

<?php
session_start();

require('../system/config.php');

$title = 'Contact Me';



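// email validation function
// eregi() was removed in PHP 7; preg_match() with the /i flag replaces it
function email_valid($email) {
    // the dot before the TLD is escaped so it matches a literal ".";
    // /D stops "$" from matching before a trailing newline
    if (preg_match('/^[a-z0-9._-]+@[a-z0-9._-]+\.[a-z]{2,6}$/iD', $email)) {
        return TRUE;
    } else {
        return FALSE;
    }
}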



if(isset($_POST['send']))
{
    $error = '';
    $thankyou = '';

    $to = 'username@domain.com';
    $subject = 'Contact Me';
    $email = $_REQUEST['email'];
    $name = $_REQUEST['name'];
    $message = $_REQUEST['message'];
    // double quotes so $email is interpolated; the header name ends with a colon
    $headers = "From: $email";

    //echo $message;  //message box contents
    // Validations
    if(!email_valid($email)) {
        $error = ' That email is invalid';
    }
    else if($name == '') {
        $error = ' Please enter your name';
    }
    else if($message == '') {
        $error = ' Please enter a message';
    }

    if(empty($error)) {
        // send only after validation has passed; the name goes in the body,
        // not in a header. mail() returns TRUE when the message was accepted for delivery
        $sent = mail($to, $subject, "Name: $name\n\n$message", $headers);

        if($sent) {
            $thankyou = 'Thank you your message has been sent';
        }
        else {
            $error = 'Sorry due to an error your email was not sent';
        }
    }//error
}//isset
include($path.'./includes/header.php');

$email ='';
$name ='';
$message ='';
?>


<form method="post" action="">
<input type = "hidden" name = "true">
<?php if(!empty($error)) { echo '<p class="error">'.$error.'</p>'; } ?>
<?php if(!empty($thankyou)) { echo '<p class="thankyou">'.$thankyou.'</p>'; } ?>
<p class ="p4">Email: <input type="text" name="email" value="<?php echo htmlentities ($email); ?>"/></p>
<p class ="p4">Name: <input type="text" name="name" value="<?php echo htmlentities ($name); ?>"/></p>
<p class ="p4">Message: </p>
<textarea name="message" rows="10" cols="80"><?php echo htmlentities ($message); ?></textarea><br />
<input type="submit" name = "send" value="Submit Message"/>
</form>

<?php

include($path.'./includes/footer.php');

?>

Edited by Jaan, 26 March 2010 - 08:13 AM.
Please use code tags when you are posting your codes!


#3
ststacytucker9

Thanks for the reply

#4
SoN9ne

I would recommend you read this, Email Injection | damonkohler, the code above has no email injection prevention. Someone could turn your server into a spambox very easily. Also, from a security standpoint, $_REQUEST should never be used.
"Life would be so much easier if we only had the source code."

#5
ststacytucker9


SoN9ne said:

I would recommend you read this, Email Injection | damonkohler, the code above has no email injection prevention. Someone could turn your server into a spambox very easily. Also, from a security standpoint, $_REQUEST should never be used.

Thanks for alerting me

#6
Orjan


SoN9ne said:

I would recommend you read this, Email Injection | damonkohler, the code above has no email injection prevention. Someone could turn your server into a spambox very easily. Also, from a security standpoint, $_REQUEST should never be used.

Oh well, as long as you know what you are doing, there is no problem using $_REQUEST. It's not, as you make it sound, a tremendous hazard just using it in all cases.
Of course you should be cautious about using such a combined variable, but it has its value as well as many other parts of PHP. Its content needs to be treated as insecure, but really, that's how you need to treat $_POST, $_GET and $_COOKIE as usual.

I found a nice text explaining why $_REQUEST has a problem, so read for example Why PHP’s $_REQUEST is dangerous - Devlog and see what the problem really is, and how you can avoid the problem.
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall
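
The email-injection point from post #4 and the $_REQUEST discussion in post #6, applied to the short form from post #1. This is an added example, not code from any poster: build_contact_mail() is a hypothetical helper, and putting the visitor's address in Reply-To instead of From is an assumption of this sketch.

```php
<?php
// Added example, not code from the thread. build_contact_mail() is a
// hypothetical helper; the field names are those of the form in post #1.

// Returns array(to, subject, body, headers) for mail(), or an error string.
function build_contact_mail(array $post)
{
    // Missing or non-string fields (e.g. email[]=x) become empty strings.
    $field = function ($key) use ($post) {
        return isset($post[$key]) && is_string($post[$key]) ? trim($post[$key]) : '';
    };
    $email   = $field('email');
    $subject = $field('subject');
    $message = $field('message');

    // CR or LF in a value that lands in a header line would let the sender
    // append header lines of their own, so reject rather than strip.
    foreach (array($email, $subject) as $headerValue) {
        if (preg_match('/[\r\n]/', $headerValue)) {
            return 'Line breaks are not allowed in the email or subject';
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'That email is invalid';
    }
    if ($subject === '' || $message === '') {
        return 'Please enter a subject and a message';
    }

    // From stays on the site's own domain (placeholder address from post #1);
    // the visitor's validated address goes in Reply-To (assumption of this sketch).
    $headers = "From: info@yoursitesite.com\r\nReply-To: $email";
    return array('info@yoursitesite.com', $subject, $message, $headers);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: a subject carrying an extra header line.
    $sample = array('email' => 'visitor@example.com', 'message' => 'hello',
                    'subject' => "Hi\r\nBcc: someone@example.net");
    var_dump(build_contact_mail($sample));
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // $_POST only: a cookie or query-string value cannot stand in for a field.
    $mail = build_contact_mail($_POST);
    if (!is_array($mail)) {
        echo htmlspecialchars($mail);
    } elseif (mail($mail[0], $mail[1], $mail[2], $mail[3])) {
        echo 'Thank you for using our mail form';
    } else {
        echo 'Sorry, due to an error your email was not sent';
    }
}
```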