
PHP Form Help

Posted: Sat Oct 16, 2010 1:04 pm
by rel82me
Alright, first off, I hope this is being posted to the correct forum.

Looking for some help on an issue with a php-based form, which is located on the left of every page here:

http://www.toromovers.com

It's made up of two parts, 1. the form (which is common to all pages) and 2. the form handler (contact_process.php)

Initially, when the form is used, it returns an error from the contact_process.php file "Error - not sent".
When I call the contact_process.php file from my browser, THEN fill out the form, it appears to submit the information which then proceeds to call my "submission received" html page.

Having looked around, I think I've narrowed down the problem to two variables:

$valid_ref1 and $valid_ref2 which are simply making reference to another html page but I don't see how this might work. The documentation states:

if you intend to include the contact.html file within a php file then ensure you
enter the correct filename and extension (.php) for the $valid_refs.
ie. $valid_ref1="http://Your--domain/contact.php";

The contact form is only within an html form which is then validated and passed to contact_process.php. There are no other html pages being called.

Help would be much appreciated, and thank you.

Re: PHP Form Help

Posted: Sat Oct 16, 2010 3:59 pm
by McInfo
It could be that contact_process.php is checking the HTTP_REFERER request header. If you go directly to the home page, the location is "http://www.toromovers.com/". If you go directly to contact_process.php without submitting anything, you get redirected to "http://www.toromovers.com/index.html".

Try adding "http://www.toromovers.com/" as a "valid_ref".

Re: PHP Form Help

Posted: Sat Oct 16, 2010 4:12 pm
by rel82me
McInfo,

Thanks for your response.

A few lines below you will see "valid_ref1 and valid_ref2"

Both are referring to: http://www.toromovers.com

As mentioned, the form works if I first process the contact_process.php page. Also, do we need both ref1 and ref2?

Code:

<?php
/* PHP Form Mailer - easy, secure form mail:
  phpFormMailer v2.6

 last updated 2nd Dec 2009 - check back often for updates!
     (easy to use and more secure than many cgi form mailers) FREE from:

                  http://www.TheDemoSite.co.uk

      Should work fine on most Unix/Linux platforms
      for a Windows version see: asp.thedemosite.co.uk
*/

// ------- three variables you MUST change below  -------------------------------------------------------
$replyemail="info@toromovers.com"; //change to your email address
$valid_ref1="http://www.toromovers.com/"; //change to your domain name
$valid_ref2="http://www.toromovers.com/"; //change to your domain name

// -------- No changes required below here -------------------------------------------------------------
//
// email variable not set - load $valid_ref1 page
if (!isset($_POST['email']))
{
 echo "<script language=\"JavaScript\"><!--\n ";
 echo "top.location.href = \"$valid_ref1\"; \n// --></script>";
 exit;
}
$ref_page=$_SERVER["HTTP_REFERER"];
$valid_referrer=0;
if($ref_page==$valid_ref1) $valid_referrer=1;
elseif($ref_page==$valid_ref2) $valid_referrer=1;
if((!$valid_referrer) OR ($_POST["block_spam_bots"]!=1))//you can change this but remember to change it in the contact form too
{
 echo '<h2>ERROR - not sent.';
 if (file_exists("debug.flag")) echo '<hr>"$valid_ref1" and "$valid_ref2" are incorrect within the file:<br>
                                      contact_process.php <br><br>On your system these should be set to: <blockquote>
                                                                          $valid_ref1="'.str_replace("www.","",$ref_page).'"; <br>
                                                                          $valid_ref2="'.$ref_page.'";
                                                                          </blockquote></h2>Copy and paste the two lines above
                                                                          into the file: contact_process.php <br> (replacing the existing variables and settings)';
 exit;
}

//check user input for possible header injection attempts!
function is_forbidden($str,$check_all_patterns = true)
{
 $patterns[0] = '/content-type:/';
 $patterns[1] = '/mime-version/';
 $patterns[2] = '/multipart/';
 $patterns[3] = '/Content-Transfer-Encoding/';
 $patterns[4] = '/to:/';
 $patterns[5] = '/cc:/';
 $patterns[6] = '/bcc:/';
 $forbidden = 0;
 for ($i=0; $i<count($patterns); $i++)
  {
   $forbidden = preg_match($patterns[$i], strtolower($str));
   if ($forbidden) break;
  }
 //check for line breaks if checking all patterns
 if ($check_all_patterns AND !$forbidden) $forbidden = preg_match("/(%0a|%0d|\\n+|\\r+)/i", $str);
 if ($forbidden)
 {
  echo "<font color=red><center><h3>STOP! Message not sent.</font></h3><br><b>
        The text you entered is forbidden, it includes one or more of the following:
        <br><textarea rows=9 cols=25>";
  foreach ($patterns as $key => $value) echo trim($value,"/")."\n";
  echo "\\n\n\\r</textarea><br>Click back on your browser, remove the above characters and try again.
        </b><br><br><br><br>Thankfully protected by phpFormMailer freely available from:
        <a href=\"http://thedemosite.co.uk/phpformmailer/\">http://thedemosite.co.uk/phpformmailer/</a>";
  exit();
 }
}

foreach ($_REQUEST as $key => $value) //check all input
{
 if ($key == "themessage") is_forbidden($value, false); //check input except for line breaks
 else is_forbidden($value);//check all
}

$name = $_POST["name"];
$phone = $_POST["phone"];
$email = $_POST["email"];
$thesubject = $_POST["thesubject"];
$frompostal = $_POST["frompostal"];
$topostal = $_POST["topostal"];
$dateday = $_POST["dateday"];
$datemonth = $_POST["datemonth"];
$datenumber = $_POST["datenumber"];
$dateyear = $_POST["dateyear"];
$themessage = $_POST["themessage"];

$success_sent_msg='<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.toromovers.com/formsubmitted.html">';




$replymessage = "Hi $name

Thank you for your email.

We will endeavour to reply to you shortly.

Please DO NOT reply to this email.

Below is a copy of the message you submitted:
--------------------------------------------------
Name: $name
Phone: $phone
Email Address: $email
Subject: $thesubject
From Postal: $frompostal
To Postal: $topostal
Day of Week: $dateday
Month of Year: $datemonth
On Day: $datenumber
Of Year: $dateyear
Your Message: $themessage
--------------------------------------------------

Thank you";

$themessage = "name: $name \nPhone: $phone \nEmail Address: $email \nSubject: $thesubject \nFrom Postal: $frompostal \nTo Postal: $topostal \nDay of Week: $dateday \nMonth of Year: $datemonth \nOn Day: $datenumber \nOf Year: $dateyear \nYour Message: $themessage";
mail("$replyemail",
     "$thesubject",
     "$themessage",
     "From: $email\nReply-To: $email");
mail("$email",
     "Receipt: $thesubject",
     "$replymessage",
     "From: $replyemail\nReply-To: $replyemail");
echo $success_sent_msg;
/*
  PHP Form Mailer - phpFormMailer (easy to use and more secure than many cgi form mailers)
   FREE from:

    http://www.TheDemoSite.co.uk       */
?>
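
The script above accepts a submission only when HTTP_REFERER is character-for-character equal to $valid_ref1 or $valid_ref2, so a form included on every page fails from any page whose URL is not one of those two strings. The following is an added example, not part of the original post or of phpFormMailer: it compares only the scheme and host of the header. The function name referer_host_allowed(), the $allowed_hosts list and the sample values are assumptions made for illustration.

```php
<?php
// Added example: host-based Referer check for a form that appears on
// every page of one site. The Referer header is supplied by the client
// and may be absent or altered, so treat this as a filter against casual
// off-site posting, not as proof of where the request came from.

function referer_host_allowed(?string $referer, array $allowed_hosts): bool
{
    if ($referer === null || $referer === '') {
        return false; // header absent (direct request, stripped by a proxy)
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Exact, case-insensitive host match: no prefix or substring matching,
    // so "www.toromovers.com.example.net" does not pass.
    return in_array(strtolower($parts['host']), $allowed_hosts, true);
}

// Hypothetical allow list: the site with and without the "www." prefix.
$allowed_hosts = ['www.toromovers.com', 'toromovers.com'];

// Constructed sample Referer values. In the form handler the input would
// be: $_SERVER['HTTP_REFERER'] ?? null
$samples = [
    'http://www.toromovers.com/',
    'http://www.toromovers.com/index.html',
    'http://toromovers.com/',
    'http://www.toromovers.com.example.net/',
    '',
];

foreach ($samples as $referer) {
    $label = $referer === '' ? '(no Referer header)' : $referer;
    $verdict = referer_host_allowed($referer, $allowed_hosts) ? 'accepted' : 'rejected';
    printf("%-42s %s\n", $label, $verdict);
}
```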

Re: PHP Form Help

Posted: Sun Oct 17, 2010 12:57 am
by McInfo
Temporarily change the first line of contact_process.php to this and see what appears when you submit the form as usual.

Code:

<?php var_dump($_SERVER['HTTP_REFERER'], $_POST); exit;