3 replies to this topic

[matrixreality]

Hi! This is my first post here on this forum. I am having issues with the contact form on my website and would like your input on why it's not working properly. Basically once the form is submitted, it comes to the mailbox only with the subject line. All other content doesn't make it. The email is just completely empty. What is the problem?

Here is the PHP script (sendmail.php):

<?

       $Name = trim($Name);

       $Name = stripslashes($Name);

       $Email = trim($Email);

       $Email = stripslashes($Email);

       $Phone = trim($Phone);

       $Phone = stripslashes($Phone);

       $Message = trim($Message);

       $Message = stripslashes($Message);

       $Body = $Message . "\n\n" . $Name . "\n" . $Phone;


       mail ("hola@email.com", "Hi, Gorgeous!", $Body, "From: $Email");


?>

And here is the Form HTML:

<form method="post" action="sendthestupidemail.php">

      <fieldset>

      <table border="0" cellspacing="0" cellpadding="0">

        <tbody>

          <tr>

            <td><label id="name_label" for="name">Name</label></td>

            <td><input id="name" class="REQUIRED" name="Name" size="30" type="text" />

          </tr>

          <tr>

            <td><label id="email_label" for="email">Email</label></td>

            <td><input id="email" class="REQUIRED EMAIL" name="Email" size="30" type="text" /></td>

          </tr>

          <tr>

            <td><label id="phone_label" for="phone">Phone</label></td>

            <td><input id="phone" class="REQUIRED PHONE" name="Phone" size="30" type="text" /></td>

          </tr>

          <tr>

            <td class="message"><label id="message_label" for="Message">Message</label></td>

            <td><textarea id="message" class="REQUIRED" name="Message"></textarea></td>

          </tr>

          <tr class="last">

            <td> </td>

            <td><input id="submit_btn" class="btn" name="submit" type="submit" value="Send →" /></td>

          </tr>

        </tbody>

      </table>

      </fieldset>

    </form>

Can anyone impart their wisdom as to what is wrong here? Thank you!

[Alexander]

According to your code, $Phone is an empty variable. Even if the older register_globals had been active, it would have to not be capitalised to work ($phone.)

Try something like this:

$Name = trim($_POST['name']);

The $_POST superglobal array can be accessed anywhere and more safely provides the contents of a POST result (or GET, COOKIE, or SESSION where appropriate.)

PHP: Superglobals - Manual

Further notes are that "\r" and "\n" characters should be stripped from headers (email address) to prevent a simple but dangerous injection.

Alexander.

[matrixreality]

Alexander,

Thanks you for your response! I just tried modifying the variables as follows:

<?

	$Name = trim($_POST['name']);

	$Name = stripslashes($_POST['name']);

	$Email = trim($_POST['email']);

	$Email = stripslashes($_POST['email']);

	$Phone = trim($_POST['phone']);

	$Phone = stripslashes($_POST['phone']);

	$Message = stripslashes($_POST['message']);

	$Message = stripslashes($_POST['message']);

	$Body = $Message . "\n\n" . $Name . "\n" . $Phone;	


	mail ("hola@randomsite.com", "Hi, Random Dude!", $Body, "From: $Email");


?>	

I still get null results :crying:

Also can you please expound on the use of "\n" characters? How do I replace them?

Thanks for your help!

Edited by matrixreality, 08 January 2012 - 09:37 PM.

[Alexander]

Remember, whatever you set "name=..." in the input form is what you will need to access it. In your case, it is "Name" not "name". If anything is null, it likely is from a variable that has not been defined yet, therefore you must look at your code and see what code fails ($_POST['nothing'] returns null, as a POST request with the name 'nothing' is not sent by the form)

You also overwrite the variables, once you trim the name it will return it. You can then use stripslashes on $Name directly as it already has the contents of $_POST['Name'].

For at least stripping obvious header exploits, it may be as simple as this:

$Email = str_replace(array("\r", "\n"), "", $Email);

This would prevent people from putting an email such as this:

foo@bar.com\r\nSome-Spam-Header: victim@somesite.com

Which would of course render as a legitimate header unfortunately in most cases. Replacing \r\n with nothing ("") will at least prevent the mail from sending.