Flash Email Form


cupaball
Forum Commoner
Posts: 85
Joined: Sun Feb 12, 2006 1:46 pm

Flash Email Form

Post by cupaball »

I have been trying to get a flash form to work, can someone tell me what may be wrong with this code?

Code: Select all

<?php
$sendTo = "mhaynes@blahblahcom";
$subject = "Website Reply";
$headers = "From: " . $_POST["name"] ." <" . $_POST["email"] .">\r\n";
$headers .= "Reply-To: " . $_POST["email"] . "\r\n";
$headers .= "Return-path: " . $_POST["email"];
$message = $_POST["message"];
$phone = $_POST["phone"];
mail($sendTo, $subject, $message, $phone, $headers);
?>
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Code: Select all

<?php
// missing . before the com
$sendTo = "mhaynes@blahblahcom";
$subject = "Website Reply";
// looks ok but maybe only single quotes around the array ie $_POST['name']
// not sure if that makes a difference
$headers = "From: " . $_POST["name"] ." <" . $_POST["email"] .">\r\n";
$headers .= "Reply-To: " . $_POST["email"] . "\r\n";
// might want to put a line feed "\r\n" after the last header line
$headers .= "Return-path: " . $_POST["email"];
$message = $_POST["message"];
$phone = $_POST["phone"];
// phone must be added to the message, you cannot send mail to a phone number
mail($sendTo, $subject, $message, $phone, $headers);
?>
cupaball
Forum Commoner
Posts: 85
Joined: Sun Feb 12, 2006 1:46 pm

Post by cupaball »

How would I add the phone variable to message? I just wanted to collect the phone number and have it emailed to me.

Would it be like this?

Code: Select all

$message = $_POST["message"];  $_POST["phone"]
Thanks, I will give it a try.
Last edited by cupaball on Sun Feb 12, 2006 2:10 pm, edited 1 time in total.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Code: Select all

mail($sendTo, $subject, $message, $phone, $headers);
The mail() function doesn't take 5 arguments as far as I know. You could place the phone in the message.
And as a sidenote: I presume/hope you do some input validation?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Code: Select all

$message = $_POST["message"] . "\r\nPhone: " . $_POST["phone"];
cupaball
Forum Commoner
Posts: 85
Joined: Sun Feb 12, 2006 1:46 pm

Post by cupaball »

matthijs wrote:

Code: Select all

mail($sendTo, $subject, $message, $phone, $headers);
The mail() function doesn't take 5 arguments as far as I know. You could place the phone in the message.
And as a sidenote: I presume/hope you do some input validation?
Thanks, I am trying to take it one step at a time.

I am hoping to validate in the flash movie.
cupaball
Forum Commoner
Posts: 85
Joined: Sun Feb 12, 2006 1:46 pm

Post by cupaball »

agtlewis wrote:

Code: Select all

$message = $_POST["message"] . "\r\nPhone: " . $_POST["phone"];

Okay this is what I have.

Code: Select all

<?php 
$sendTo = "mhaynes@blahblah.com"; 
$subject = "Website Reply"; 
$headers = "From: " . $_POST['name'] ." <" . $_POST['email'] .">\r\n"; 
$headers .= "Reply-To: " . $_POST['email'] . "\r\n"; 
$headers .= "Return-path: " . $_POST['email'] . "\r\n"; 
$message = $_POST['message'] . "\r\n  Phone: " . $_POST['phone']; 
mail($sendTo, $subject, $message, $headers); 
?>
Last edited by cupaball on Sun Feb 12, 2006 2:29 pm, edited 1 time in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

A word of warning about your script's security: your code would allow someone to send spam by allowing them to inject header information.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

I personally don't know any flash but my guess is someone/something who wants to try to exploit your form can ignore the flash movie (and validation) and post the values directly to the php code/script. (if the script is accessible, that is) You might want to make sure that cannot happen.

Good luck.

([edit] what Feyd says)
cupaball
Forum Commoner
Posts: 85
Joined: Sun Feb 12, 2006 1:46 pm

Post by cupaball »

feyd wrote: A word of warning about your script's security: your code would allow someone to send spam by allowing them to inject header information.

Thanks, how would I block something like that, or maybe you could forward me to a tutorial?

By the way, it finally worked.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The best way is to know how to validate the information being submitted. Things such as regular expression matching for email addresses, removing \r and \n characters, limiting how many addresses can be sent to, or limiting access to the script based on time (say requiring 10 or 15 seconds between emails). Each will deter circumvention for "bad" uses in their own ways.
cupaball
Forum Commoner
Posts: 85
Joined: Sun Feb 12, 2006 1:46 pm

Post by cupaball »

matthijs wrote:I personally don't know any flash but my guess is someone/something who wants to try to exploit your form can ignore the flash movie (and validation) and post the values directly to the php code/script. (if the script is accessible, that is) You might want to make sure that cannot happen.

Good luck.

([edit] what Feyd says)

Sorry to ask so many questions, but is there a way to secure the file?
cupaball
Forum Commoner
Posts: 85
Joined: Sun Feb 12, 2006 1:46 pm

Post by cupaball »

feyd wrote: The best way is to know how to validate the information being submitted. Things such as regular expression matching for email addresses, removing \r and \n characters, limiting how many addresses can be sent to, or limiting access to the script based on time (say requiring 10 or 15 seconds between emails). Each will deter circumvention for "bad" uses in their own ways.

Thanks, you da man (or woman?)
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

You might find the security guide helpful: http://phpsec.org/projects/, as well as the articles on http://shiflett.org/.
Some basic articles about PHP security here:
http://www.ilovejackdaniels.com/securit ... ecure-php/ as well as a good email validation function: http://www.ilovejackdaniels.com/php/ema ... alidation/
If you search the security forum here for "input validation" you'll find plenty of good info.
Good luck.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

feyd wrote: The best way is to know how to validate the information being submitted. Things such as regular expression matching for email addresses, removing \r and \n characters, limiting how many addresses can be sent to, or limiting access to the script based on time (say requiring 10 or 15 seconds between emails). Each will deter circumvention for "bad" uses in their own ways.
Just want to clarify, I'm pretty sure feyd means removing the \r and \n characters from posted data, NOT the ones that you have used to format the Email in your code. Your script might not work without them if the header is malformed.
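
The checks feyd lists, applied server-side to the thread's final script, as an added example that is not part of any post. The helper names `header_safe` and `build_mail`, the length limits and the session-based throttle are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Helper names, length limits and
// the session-based throttle are assumptions.

// A value that ends up in a header line must not contain CR or LF.
function header_safe(string $value, int $maxLen): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen || preg_match('/[\r\n]/', $value)) {
        return null;
    }
    return $value;
}

// Returns [message, headers] for mail(), or null if any field is rejected.
function build_mail(array $post): ?array
{
    // Treat non-string input (e.g. name[]=x) as empty.
    $get   = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $name  = header_safe($get('name'), 100);
    $email = header_safe($get('email'), 254);
    if ($name === null || $email === null) {
        return null;
    }
    // One syntactically valid address only; a comma-separated list fails here.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Keep the display name to letters, digits and simple punctuation.
    $name  = preg_replace('/[^\p{L}\p{N} .\'-]/u', '', $name) ?? '';
    $phone = preg_replace('/[^0-9+() .-]/', '', $get('phone')) ?? '';
    $body  = substr($get('message'), 0, 5000);

    // These "\r\n" are the script's own separators and stay (Benjamin's point).
    $headers  = "From: \"$name\" <$email>\r\n";
    $headers .= "Reply-To: $email\r\n";
    $headers .= "Return-path: $email\r\n";
    return [$body . "\r\nPhone: " . $phone, $headers];
}

session_start();
$mail = build_mail($_POST);
// Require 15 seconds between emails from the same session.
if ($mail === null || time() - ($_SESSION['last_mail'] ?? 0) < 15) {
    http_response_code(400);
    exit('Rejected');
}
$_SESSION['last_mail'] = time();
mail('mhaynes@blahblah.com', 'Website Reply', $mail[0], $mail[1]);
```

The throttle is tied to the session cookie, so it only slows clients that keep the cookie; a counter stored server-side per source address is the stricter variant.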