
Form Validation


#1
hoku_2000 _99

I am fairly new to PHP, so with that being said, it's been suggested that I use form validation in my PHP. Right now, my PHP just sends an email and works properly. Any help is welcome, as I've been going about this for months and am not too sure what else to do.



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Contact</title>
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<?php
$first_name=$_POST['name'];
$email_address=$_POST['email'];
$subject=$_POST['subject'];
$message=$_POST['text'];

mail("myemailaddress@gmail.com","Subject: $subject",
$message,"From: $first_name <$email_address>");

echo "Thank you for using our mail form.<br/>";
echo "Your email has been sent.";
?>
</body>
</html>




<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Contact</title>
<link href="style.css" rel="stylesheet" type="text/css" />


</head>
<body>

<div id="templatemo_wrapper"> 

    <div id="templatemo_header">

 
        
        <ul id="social_box">
                    <li><a href="http://www.facebook.com/"><img src="images/facebook.png" alt="facebook" /></a></li>
            <li><a href="http://www.twitter.com/"><img src="images/twitter.png" alt="twitter" /></a></li>              
        </ul>
        
          <div id="site_title">
            <h1><a href="default.htm"><img src="images/logo2.png" alt="logo" /><span></span></a></h1>
        </div> <!-- end of site_title -->
        
      
    </div> <!-- end of templatemo_header -->
    


<!-- end of templatemo_menu -->
    
    <div id="templatemo_content_wrapper">
        <div id="templatemo_content_top"></div>
        <div id="templatemo_content">
        
            <h2>Contact</h2>


        
            <div class="cleaner_h50"></div>
            
                <div id="contact_form">
            
                    <h4>Quick Contact</h4>
            <p align="left">* Required fields.</p>
                    
                    <form method="post" name="ContactForm" id="contact" action="email4.php">
                        
                        <div class="col_w340 float_l">
                        
                            <label for="name">* Name:</label> <input name="name" type="text" class="input_field" id="name" maxlength="40" />
                              <div class="cleaner_h10"></div>

 <label for="subject">* Subject:</label> <input name="subject" type="text" class="input_field" id="subject" maxlength="40" />
                              <div class="cleaner_h10"></div>

                            
                            <label for="email">* Email:</label> <input name="email" type="text" class="input_field" id="email" maxlength="40" />
                              <div class="cleaner_h10"></div>
                            
                                          

</div>
                        


                        <div class="col_w340 float_r">
                        
                            <label for="text">* Message:</label> <textarea id="text" name="text" rows="0" cols="0" class="required"></textarea>
                            <div class="cleaner_h10"></div>
                            
                            <input type="submit" class="submit_btn float_l" name="submit" id="submit" value="Send" />
                            <input type="reset" class="submit_btn float_r" name="reset" id="reset" value="Reset" />

                            
                        </div>
                        
                   </form>

            </div> 

            <div class="cleaner"></div>
            
        </div>
        <div id="templatemo_content_bottom"></div>
    </div>
    
    <div id="templatemo_sp_box">
    
        <div class="col_w340 float_l">
         
            </div>
        </div>
        
        <div class="col_w340 float_r">
        
            </div>
        </div>
    
    </div>
    
    <div id="templatemo_footer">

      
        Copyright © 2011 <a href="www.twitter.com/">Starr</a><br/> 
        <a href="http://www.iwebsitetemplate.com" target="_parent">Website Templates</a> 
        by <a href="http://www.templatemo.com" target="_parent">Free CSS Templates</a>
    
    </div> <!-- end of templatemo_footer -->
    
</div> <!-- end of templatemo_wrapper -->    

</body>
</html>



#2
Alexander

There are many resources online on things to validate or escape when accepting data for an email; the most outstanding one off the top of my head is that you are not checking for newlines in your email parameters.

Quote

"Subject: $subject",
What if they enter this as the subject in the HTML form:
something
Bcc: bob@to-be-spammed.com, webmaster@fbi.gov, ...

This newline after "something" can be used to inject headers, and use your email address as an automated spamming point or worse.

There are many methods to sanitize; however, you can do this for that:
$subject = str_replace(array("\r", "\n"), "", $_POST['subject']);

A small set of filtering functions can be found here:
Sanitize and Validate Data with PHP Filters | Nettuts+
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
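
The newline check from the reply above, as an added example that is not part of the original posts: it rejects line breaks in the single-line fields instead of stripping them, validates the address with `FILTER_VALIDATE_EMAIL`, and puts the visitor's address in Reply-To rather than From. The function names and the example.com addresses are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Field names follow the form in post #1.

/** Return a POST field as a trimmed string ('' if missing or not a string). */
function field(array $post, string $key): string
{
    return isset($post[$key]) && is_string($post[$key]) ? trim($post[$key]) : '';
}

/** Validate the form; returns ['errors' => string[], 'args' => ?array]. */
function build_mail_args(array $post, string $to, string $from): array
{
    $errors = [];
    $name = field($post, 'name');
    $subject = field($post, 'subject');
    $email = field($post, 'email');
    $text = field($post, 'text');
    // Single-line fields: reject CR/LF outright instead of silently stripping it.
    foreach (['name' => $name, 'subject' => $subject] as $label => $value) {
        if ($value === '') {
            $errors[] = "$label is required";
        } elseif (preg_match('/[\r\n]/', $value)) {
            $errors[] = "$label contains a line break";
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($text === '') {
        $errors[] = 'text is required';
    }
    if ($errors) {
        return ['errors' => $errors, 'args' => null];
    }
    // Fixed From (placeholder address); the visitor's validated address goes in Reply-To.
    $headers = "From: $from\r\nReply-To: $email";
    $body = "Name: $name\n\n$text";
    return ['errors' => [], 'args' => [$to, $subject, $body, $headers]];
}

// Constructed input: the subject from post #2, carrying an extra header line.
$bad = ['name' => 'Bob', 'email' => 'bob@example.com', 'text' => 'hi',
        'subject' => "something\r\nBcc: victim@example.com"];
$good = ['subject' => 'Hello'] + $bad;

foreach ([$bad, $good] as $post) {
    $r = build_mail_args($post, 'owner@example.com', 'noreply@example.com');
    echo $r['args'] ? "would send: {$r['args'][1]}\n" : implode('; ', $r['errors']) . "\n";
}
```

In a real handler, pass `$r['args']` to `mail()` only when `errors` is empty, and check the boolean that `mail()` returns.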

#3
hoku_2000 _99

Thanks for the tutorial, it's exactly what I was looking for. I went ahead and tested the example to see if it works on my web host. It works, but when I send an email to my Gmail account, I don't get the email? :crying:

#4
Alexander

Have you checked your junk mail? It is very simple to send spam from a PHP script (especially if not properly sanitised), so most email hosts deny simple emails such as that.

If it has not sent, try to check if mail() has returned false. If it hasn't, then this may be an issue with your web host (or something simple we've missed).

#5
hoku_2000 _99

Yes, I did check my spam folder and there was nothing. I wrote up a simple PHP email contact and it worked, but now with adding the validation and making the changes I get no email. How do I check to see if mail() returns false?

#6
Orjan

if (mail([...])) {
  echo "success";
} else {
  echo "failure";
}

__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall

#7
hoku_2000 _99

This is what the example has and what I used.

if (isset($_POST['email'])) {  
        $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);  
        if (filter_var($email, FILTER_VALIDATE_EMAIL)) {  
            echo "$email is a valid email address.<br/><br/>";  
        } else {  
            echo "$email is <strong>NOT</strong> a valid email address.<br/><br/>";  
        }  
    }  



Could the error be somewhere in here?


if (!$errors) {
    $mail_to = 'me@somewhere.com';
    $subject = 'New Mail from Form Submission';
    $message  = 'From: ' . $_POST['name'] . "\n";
    $message .= 'Email: ' . $_POST['email'] . "\n";
    $message .= 'Homepage: ' . $_POST['homepage'] . "\n";
    $message .= "Message:\n" . $_POST['message'] . "\n\n";
    mail($to, $subject, $message);
    echo "Thank you for your email!<br/><br/>";
} else {
    echo '<div style="color: red">' . $errors . '<br/></div>';
}



---------- Post added at 08:45 PM ---------- Previous post was at 08:15 PM ----------

Never mind, I think I figured it out. In the mail() it didn't call $mail_to, it just called $to. Works great!



