PHP newbie needs help with website contact form script
Posted: Wed Jul 29, 2009 8:21 pm
by blueluna86
Hi, PHP beginner here, trying to use a script (safemail.php, code shown below) with a contact form on this website:
http://www.alisonborden.com/k8dollar. It's not working, wondering if someone can tell me what might be wrong? Let me know if you need to see the HTML, CSS, or the Javascript that calls this PHP file. Thanks for your help!
Code:
<?php
// Pick up the form data and assign it to variables
$first_name = $_POST['First Name'];
$last_name = $_POST['Last Name'];
$email = $_POST['Email'];
$phone = $_POST['Phone'];
$checkbox1 = $_POST['Residential'];
$checkbox2 = $_POST['Commercial'];
$checkbox3 = $_POST['Landscape'];
$comments = $_POST['Comments'];
// Build the email
$to = 'bordengraphic@yahoo.com';
$subject = "k8dollar.com Contact Form Submission";
$message = "New message from your contact form at k8dollar.com: $first_name $last_name Area of Interest: $checkbox1 $checkbox2 $checkbox3 ... Comments: $comments ... Contact Info: $email $phone";
$headers = "From: $email";
// Send the mail using PHPs mail() function
mail($to, $subject, $message, $headers);
// Redirect
header("Location: pages/formsubmit.htm");
Re: PHP newbie needs help with website contact form script
Posted: Thu Jul 30, 2009 1:58 pm
by social_experiment
Have you tested the script with another email address? I copied the code and just replaced it with another email addy and it works fine. There are a few things you might want to change.
Code:
<?php
$first_name = $_POST['First Name'];
?>
should change to
Code:
<?php
$first_name = htmlspecialchars($_POST['First Name']);
?>
because currently this might be vulnerable to cross-site scripting.
Code:
<?php
mail($to, $subject, $message, $headers);
?>
What about using the following:
Code:
<?php
$send = mail($to, $subject, $message, $headers);
if ($send) {
// give a confirmation message
}
else {
// do something like redirect the user
}
?>
Hope this helps

Re: PHP newbie needs help with website contact form script
Posted: Thu Jul 30, 2009 2:03 pm
by jackpf
You do have an smtp server installed right?
Re: PHP newbie needs help with website contact form script
Posted: Thu Jul 30, 2009 2:16 pm
by straightman
Post the HTML code of the form that collects the data and sends it to the PHP processing page, and the JavaScript if any. Besides, can you be any more specific regarding "it is not working"? What exactly happens or doesn't happen?
AE
Re: PHP newbie needs help with website contact form script
Posted: Thu Jul 30, 2009 2:33 pm
by Eric!
I don't think mail() is vulnerable to XSS (this mostly depends on how it is handled on the receiving end) but your code is open to header injection.
See the post here for how to do some very basic filtering of your user input fields to keep your mail system from getting hijacked. Use the InjectionAttempt functions. They aren't complete but they will help protect you. It isn't complete because there are more unicode and mime phrases you could filter out too.
viewtopic.php?f=1&t=102493
If you want to go further, you could sanitize your message body to prevent javascripts or xml crap getting stuffed in there too.
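A minimal form of the header-injection filtering described in this post, written with PCRE (preg_match), as an added example that is not part of the original thread. The function names, addresses and sample inputs are constructed for illustration.

```php
<?php
// Added example: keep line breaks out of any value that ends up in a mail header.
// Function names and sample inputs are constructed for illustration.

// True if the value contains a raw or URL-encoded CR/LF (PCRE, not ereg).
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// Returns a validated address, or null if it must not be used in a header.
function safe_reply_to(string $email): ?string
{
    $email = trim($email);
    if (has_line_break($email)) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Builds the header string with a fixed From address owned by the site;
// the visitor's address is only ever placed in Reply-To, after validation.
function build_headers(string $site_from, string $visitor_email): ?string
{
    $reply_to = safe_reply_to($visitor_email);
    if ($reply_to === null) {
        return null;
    }
    return "From: $site_from\r\nReply-To: $reply_to";
}

// Constructed inputs: a normal address, and one carrying an extra header line.
$samples = [
    'visitor@example.com',
    "visitor@example.com\r\nBcc: someone@example.net",
];
foreach ($samples as $input) {
    $headers = build_headers('webform@example.org', $input);
    echo json_encode($input), ' => ', $headers === null ? 'rejected' : 'accepted', "\n";
}
```

Only call mail() when build_headers() returns a string, and apply has_line_break() to any other field that is copied into a header, such as a subject or a name.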
Re: PHP newbie needs help with website contact form script
Posted: Thu Jul 30, 2009 2:40 pm
by jackpf
Yes. Although you shouldn't use old regex, in favour of PCRE

Re: PHP newbie needs help with website contact form script
Posted: Thu Jul 30, 2009 2:54 pm
by Eric!
That snippet is about 6 years old...I didn't feel like updating it. And what I'm using is too buried in other code to be very useful to a beginner.
Re: PHP newbie needs help with website contact form script
Posted: Thu Jul 30, 2009 4:01 pm
by jackpf
Fair enough...

Re: PHP newbie needs help with website contact form script
Posted: Thu Jul 30, 2009 4:07 pm
by Eric!
Sorry, but I'm really lazy.
I have been thinking about making some kind of contact form example with all the filtering for all these new people who keep trying these contact forms. If I get to it, I'll post it in the code review section for you to laugh at too.

Re: PHP newbie needs help with website contact form script
Posted: Thu Jul 30, 2009 4:17 pm
by jackpf
Haha cool. That'd be awesome.
Re: PHP newbie needs help with website contact form script
Posted: Thu Jul 30, 2009 7:36 pm
by blueluna86
More specifically the problem is, when I test the contact form and hit submit, I am not redirected to the page I expect to see (which would have a line of text telling me basically 'Thanks for submitting the form') and I don't receive an email with the form data. The javascript is supposed to switch out "safemail.php" for "no-javascript.php" ... or so I'm told. I'll post the html and javascript:
Here is the html I'm using for the contact form:
Code:
<form id="contactform" action="no-javascript.php" enctype="text/plain" onsubmit="return formProtect();">
<table width="400" border="0" cellspacing="0" cellpadding="0">
<tr>
<td>First Name </td>
<td><input type="text" name="first_name" /></td>
</tr>
<tr>
<td>Last Name </td>
<td><input type="text" name="last_name" /></td>
</tr>
<tr>
<td>Email address </td>
<td><input type="text" name="email" /></td>
</tr>
<tr>
<td>Phone number </td>
<td><input type="text" name="phone" /></td>
</tr>
<tr>
<td>In which area of work are you interested? (Check all that apply) </td>
<td><input type="checkbox" name="checkbox1" value="checkbox" />
Commercial<br />
<input type="checkbox" name="checkbox2" value="checkbox" />
Residential<br />
<input type="checkbox" name="checkbox3" value="checkbox" />
Landscape</td>
</tr>
<tr>
<td>Type your question or comment to the right. Please be specific, but concise. </td>
<td><textarea name="comments" cols="20" rows="5" id="inquiry"></textarea></td>
</tr>
<tr>
<td colspan="2"><input id="submit" name="Submit" type="button" value="Submit" />
</td>
</tr>
</table>
</form>
And here is the javascript "protect.js":
Code:
function formProtect() {
document.getElementById("contactform").setAttribute("action","safemail.php");
}
Re: PHP newbie needs help with website contact form script
Posted: Thu Jul 30, 2009 7:56 pm
by blueluna86
Thank you so much for your comments. To answer questions:
social_experiment wrote: Have you tested the script with another email address?
No, but that email address is valid - It's my email address. I'm using that for testing this, then I plan to switch it out for another one later.
jackpf wrote: You do have an smtp server installed right?
To be honest, I didn't know about this. So I asked Hostgator, who hosts my site. They informed me that smtp is the outgoing mail server and that it is installed.
Re: PHP newbie needs help with website contact form script
Posted: Thu Jul 30, 2009 8:02 pm
by jackpf
Ok...so are you actually reaching the script you want to run?
Re: PHP newbie needs help with website contact form script
Posted: Fri Jul 31, 2009 6:48 pm
by blueluna86
jackpf wrote: Ok...so are you actually reaching the script you want to run?
There is also this part in the head of the html document:
Code:
<script src="protect.js" type="text/javascript"></script>
Maybe I'm not reaching the script, but I think all the links should be working. Just to make things easier, I put the files "safemail.php" and "protect.js" in the same directory with the file "contact.htm", the page the contact form is on. Where necessary I changed the links in these 3 files to reflect the move. (Changed after posting the code in previous posts.) After uploading, and testing the contact form on the site however, it still does not submit the form. You can enter text in the text fields, but upon clicking the submit button, nothing happens. I am expecting to see a new page load, with text to the effect of "thanks for submitting" and to see an email with the data pop up in my email account - but I get nothing.

Re: PHP newbie needs help with website contact form script
Posted: Sat Aug 01, 2009 9:12 am
by jackpf
Why do you need two scripts may I ask? Surely having javascript enabled or not won't affect how the php script runs.
Have you got a link to this form?
Also, try running it without the javascript and see what happens.