PHP newbie needs help with website contact form script


blueluna86
Forum Newbie
Posts: 9
Joined: Wed Jul 29, 2009 8:07 pm

PHP newbie needs help with website contact form script

Post by blueluna86 »

Hi, PHP beginner here, trying to use a script (safemail.php, code shown below) with a contact form on this website: http://www.alisonborden.com/k8dollar. It's not working, wondering if someone can tell me what might be wrong? Let me know if you need to see the HTML, CSS, or the Javascript that calls this PHP file. Thanks for your help!

Code: Select all

<?php
// Pick up the form data and assign it to variables
$first_name = $_POST['First Name'];
$last_name = $_POST['Last Name'];
$email = $_POST['Email'];
$phone = $_POST['Phone'];
$checkbox1 = $_POST['Residential'];
$checkbox2 = $_POST['Commercial'];
$checkbox3 = $_POST['Landscape'];
$comments = $_POST['Comments'];
 
// Build the email 
$to = 'bordengraphic@yahoo.com';
$subject = "k8dollar.com Contact Form Submission";
$message = "New message from your contact form at k8dollar.com: $first_name $last_name Area of Interest: $checkbox1 $checkbox2 $checkbox3 ... Comments: $comments ... Contact Info: $email $phone";
$headers = "From: $email";
 
// Send the mail using PHPs mail() function
mail($to, $subject, $message, $headers);
 
// Redirect
header("Location: pages/formsubmit.htm");
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: PHP newbie needs help with website contact form script

Post by social_experiment »

Have you tested the script with another email address? I copied the code and just replaced it with another email addy and it works fine. There are a few things you might want to change.

Code: Select all

 
<?php 
 $first_name = $_POST['First Name'];
?>
 
should change to

Code: Select all

 
<?php
  $first_name = htmlspecialchars($_POST['First Name']);
?>
 
because currently this might be vulnerable to cross-site scripting.

Code: Select all

 
<?php
mail($to, $subject, $message, $headers);
?>
 
What about using the following :

Code: Select all

 
<?php
$send = mail($to, $subject, $message, $headers);
 
if ($send) {
 // give a confirmation message
 }
else {
 // do something like redirect the user
}
?>
 
Hope this helps :)
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP newbie needs help with website contact form script

Post by jackpf »

You do have an SMTP server installed, right?
straightman
Forum Commoner
Posts: 48
Joined: Sun Apr 19, 2009 5:20 am

Re: PHP newbie needs help with website contact form script

Post by straightman »

Post the HTML code of the form that collects the data and sends it to the PHP processing page, and the JavaScript if any. Besides, can you be any more specific regarding "it is not working"? What exactly happens or doesn't happen?


AE
====================================================================


Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: PHP newbie needs help with website contact form script

Post by Eric! »

I don't think mail() is vulnerable to XSS (this mostly depends on how it is handled on the receiving end) but your code is open to header injection.

See the post here for how to do some very basic filtering of your user input fields to keep your mail system from getting hijacked. Use the InjectionAttempt functions. They aren't complete but they will help protect you. It isn't complete because there are more unicode and mime phrases you could filter out too.

viewtopic.php?f=1&t=102493

If you want to go further, you could sanitize your message body to prevent javascripts or xml crap getting stuffed in there too.
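
Added example (not part of any post in this thread, and not the code behind the link above): one way to close the header injection hole in the original script and to act on the return value of mail(). The lowercase field names follow the HTML form posted later in the thread and assume it submits with method="post"; the helper names, the example.com addresses and the length limits are assumptions made for illustration.

```php
<?php
// Added example; helper names, addresses and limits are assumptions.

// Read one POST field as a string (array-valued input is treated as empty).
function field(string $key): string {
    $v = $_POST[$key] ?? '';
    return is_string($v) ? $v : '';
}

// True if the value could start a new header line (CR/LF, raw or still encoded).
function has_header_injection(string $value): bool {
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// Return a syntactically valid address, or null if it must not reach a header.
function clean_email(string $raw): ?string {
    $raw = trim($raw);
    if (has_header_injection($raw)) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Single-line fields: strip control characters and cap the length.
function clean_line(string $raw, int $max = 100): string {
    return substr(trim(preg_replace('/[\x00-\x1F\x7F]/', '', $raw)), 0, $max);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $email = clean_email(field('email'));
    if ($email === null) {
        http_response_code(400);
        exit('Invalid email address.');
    }
    $name     = clean_line(field('first_name')) . ' ' . clean_line(field('last_name'));
    $comments = substr(trim(field('comments')), 0, 5000);
    $message  = "Name: $name\nEmail: $email\n\nComments:\n$comments\n";
    // Fixed From address; the visitor's address appears only in Reply-To.
    $headers  = "From: webform@example.com\r\nReply-To: $email";

    if (mail('owner@example.com', 'Contact Form Submission', $message, $headers)) {
        header('Location: pages/formsubmit.htm');
    } else {
        http_response_code(500);
        echo 'Sorry, the message could not be sent.';
    }
}
```

Only the email value is placed in a header, so it is the only field that needs the strict check; the name and comments go into the message body, where line breaks cannot add headers.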
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP newbie needs help with website contact form script

Post by jackpf »

Yes. Although you shouldn't use old regex, in favour of PCRE :mrgreen:
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: PHP newbie needs help with website contact form script

Post by Eric! »

That snippet is about 6 years old... I didn't feel like updating it. And what I'm using is too buried in other code to be very useful to a beginner.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP newbie needs help with website contact form script

Post by jackpf »

Fair enough... :)
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: PHP newbie needs help with website contact form script

Post by Eric! »

Sorry, but I'm really lazy.

I have been thinking about making some kind of contact form example with all the filtering for all these new people who keep trying these contact forms. If I get to it, I'll post it in the code review section for you to laugh at too. :D
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP newbie needs help with website contact form script

Post by jackpf »

Haha cool. That'd be awesome.
blueluna86
Forum Newbie
Posts: 9
Joined: Wed Jul 29, 2009 8:07 pm

Re: PHP newbie needs help with website contact form script

Post by blueluna86 »

More specifically the problem is, when I test the contact form and hit submit, I am not redirected to the page I expect to see (which would have a line of text telling me basically 'Thanks for submitting the form') and I don't receive an email with the form data. The javascript is supposed to switch out "safemail.php" for "no-javascript.php" ... or so I'm told. I'll post the html and javascript:

Here is the html I'm using for the contact form:

Code: Select all

<form id="contactform" action="no-javascript.php" enctype="text/plain" onsubmit="return formProtect();">
 
         <table width="400" border="0" cellspacing="0" cellpadding="0">
           <tr>
             <td>First Name </td>
             <td><input type="text" name="first_name" /></td>
           </tr>
           <tr>
             <td>Last Name </td>
             <td><input type="text" name="last_name" /></td>
 
           </tr>
           <tr>
             <td>Email address </td>
             <td><input type="text" name="email" /></td>
           </tr>
           <tr>
             <td>Phone number </td>
             <td><input type="text" name="phone" /></td>
           </tr>
           <tr>
             <td>In which area of work are you interested? (Check all that apply) </td>
             <td><input type="checkbox" name="checkbox1" value="checkbox" />
 
               Commercial<br />
               <input type="checkbox" name="checkbox2" value="checkbox" />
               Residential<br />
               <input type="checkbox" name="checkbox3" value="checkbox" />
               Landscape</td>
           </tr>
           <tr>
 
             <td>Type your question or comment to the right. Please be specific, but concise. </td>
             <td><textarea name="comments" cols="20" rows="5" id="inquiry"></textarea></td>
           </tr>
           <tr>
             <td colspan="2"><input id="submit" name="Submit" type="button" value="Submit" />
             </td>
           </tr>
         </table>
 
       </form>
And here is the javascript "protect.js":

Code: Select all

function formProtect() {
    document.getElementById("contactform").setAttribute("action","safemail.php");
}
blueluna86
Forum Newbie
Posts: 9
Joined: Wed Jul 29, 2009 8:07 pm

Re: PHP newbie needs help with website contact form script

Post by blueluna86 »

Thank you so much for your comments. To answer questions:
social_experiment wrote: Have you tested the script with another email address?

No, but that email address is valid - It's my email address. I'm using that for testing this, then I plan to switch it out for another one later.

jackpf wrote: You do have an smtp server installed right?

To be honest, I didn't know about this. So I asked Hostgator, who hosts my site. They informed me that smtp is the outgoing mail server and that it is installed.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP newbie needs help with website contact form script

Post by jackpf »

Ok...so are you actually reaching the script you want to run?
blueluna86
Forum Newbie
Posts: 9
Joined: Wed Jul 29, 2009 8:07 pm

Re: PHP newbie needs help with website contact form script

Post by blueluna86 »

jackpf wrote: Ok...so are you actually reaching the script you want to run?

There is also this part in the head of the html document:

Code: Select all

<script src="protect.js" type="text/javascript"></script>

Maybe I'm not reaching the script, but I think all the links should be working. Just to make things easier, I put the files "safemail.php" and "protect.js" in the same directory with the file "contact.htm", the page the contact form is on. Where necessary I changed the links in these 3 files to reflect the move. (Changed after posting the code in previous posts). After uploading, and testing the contact form on the site however, it still does not submit the form. You can enter text in the text fields, but upon clicking the submit button, nothing happens. I am expecting to see a new page load, with text to the effect of "thanks for submitting" and to see an email with the data pop up in my email account - but I get nothing :(
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: PHP newbie needs help with website contact form script

Post by jackpf »

Why do you need two scripts may I ask? Surely having javascript enabled or not won't affect how the php script runs.

Have you got a link to this form?

Also, try running it without the javascript and see what happens.