Flash Email Form

Posted: Sun Feb 12, 2006 1:49 pm
by cupaball
I have been trying to get a Flash form to work; can someone tell me what may be wrong with this code?

Code:

<?php
$sendTo = "mhaynes@blahblahcom";
$subject = "Website Reply";
$headers = "From: " . $_POST["name"] ." <" . $_POST["email"] .">\r\n";
$headers .= "Reply-To: " . $_POST["email"] . "\r\n";
$headers .= "Return-path: " . $_POST["email"];
$message = $_POST["message"];
$phone = $_POST["phone"];
mail($sendTo, $subject, $message, $phone, $headers);
?>

Posted: Sun Feb 12, 2006 1:54 pm
by Benjamin

Code:

<?php
// missing . before the com
$sendTo = "mhaynes@blahblahcom";
$subject = "Website Reply";
// looks ok but maybe only single quotes around the array key, i.e. $_POST['name']
// not sure if that makes a difference
$headers = "From: " . $_POST["name"] ." <" . $_POST["email"] .">\r\n";
$headers .= "Reply-To: " . $_POST["email"] . "\r\n";
// might want to put a line feed "\r\n" after the last header line
$headers .= "Return-path: " . $_POST["email"];
$message = $_POST["message"];
$phone = $_POST["phone"];
// phone must be added to the message, you cannot send mail to a phone number
mail($sendTo, $subject, $message, $phone, $headers);
?>

Posted: Sun Feb 12, 2006 2:06 pm
by cupaball
How would I add the phone variable to message? I just wanted to collect the phone number and have it emailed to me.

Would it be like this?

Code:

$message = $_POST["message"];  $_POST["phone"]

Thanks, I will give it a try.

Posted: Sun Feb 12, 2006 2:06 pm
by matthijs

Code:

mail($sendTo, $subject, $message, $phone, $headers);

The mail() function doesn't take 5 arguments as far as I know. You could place the phone in the message.
And as a sidenote: I presume/hope you do some input validation?

Posted: Sun Feb 12, 2006 2:11 pm
by Benjamin

Code:

$message = $_POST["message"] . "\r\nPhone: " . $_POST["phone"];

Posted: Sun Feb 12, 2006 2:17 pm
by cupaball
matthijs wrote:

Code:

mail($sendTo, $subject, $message, $phone, $headers);

The mail() function doesn't take 5 arguments as far as I know. You could place the phone in the message.
And as a sidenote: I presume/hope you do some input validation?
Thanks, I am trying to take it one step at a time.

I am hoping to validate in the flash movie.

Posted: Sun Feb 12, 2006 2:20 pm
by cupaball
agtlewis wrote:

Code:

$message = $_POST["message"] . "\r\nPhone: " . $_POST["phone"];

Okay this is what I have.

Code:

<?php
$sendTo = "mhaynes@blahblah.com";
$subject = "Website Reply";
$headers = "From: " . $_POST['name'] ." <" . $_POST['email'] .">\r\n";
$headers .= "Reply-To: " . $_POST['email'] . "\r\n";
$headers .= "Return-path: " . $_POST['email'] . "\r\n";
$message = $_POST['message'] . "\r\n  Phone: " . $_POST['phone'];
mail($sendTo, $subject, $message, $headers);
?>

Posted: Sun Feb 12, 2006 2:21 pm
by feyd
A word of warning about your script's security: your code would allow someone to send spam by allowing them to inject header information.

Posted: Sun Feb 12, 2006 2:24 pm
by matthijs
I personally don't know any flash but my guess is someone/something who wants to try to exploit your form can ignore the flash movie (and validation) and post the values directly to the php code/script. (if the script is accessible, that is) You might want to make sure that cannot happen.

Good luck.

([edit] what Feyd says)

Posted: Sun Feb 12, 2006 2:28 pm
by cupaball
feyd wrote: A word of warning about your script's security: your code would allow someone to send spam by allowing them to inject header information.

Thanks, how would I block something like that? Or maybe you could forward me to a tutorial.

By the way, it finally worked.

Posted: Sun Feb 12, 2006 2:37 pm
by feyd
The best way is to know how to validate the information being submitted. Things such as regular expression matching for email addresses, removing \r and \n characters, limiting how many addresses can be sent to, or limiting access to the script based on time (say, requiring 10 or 15 seconds between emails). Each will deter circumvention for "bad" uses in its own way.

Posted: Sun Feb 12, 2006 2:37 pm
by cupaball
matthijs wrote: I personally don't know any flash but my guess is someone/something who wants to try to exploit your form can ignore the flash movie (and validation) and post the values directly to the php code/script. (if the script is accessible, that is) You might want to make sure that cannot happen.

Good luck.

([edit] what Feyd says)

Sorry to ask so many questions, but is there a way to secure the file?

Posted: Sun Feb 12, 2006 2:39 pm
by cupaball
feyd wrote: The best way is to know how to validate the information being submitted. Things such as regular expression matching for email addresses, removing \r and \n characters, limiting how many addresses can be sent to, or limiting access to the script based on time (say, requiring 10 or 15 seconds between emails). Each will deter circumvention for "bad" uses in its own way.

thanks, you da man (or woman?)

Posted: Sun Feb 12, 2006 2:58 pm
by matthijs
You might find the security guide helpful: http://phpsec.org/projects/, as well as the articles on http://shiflett.org/.
Some basic articles about PHP security are here:
http://www.ilovejackdaniels.com/securit ... ecure-php/ as well as a good email validation function: http://www.ilovejackdaniels.com/php/ema ... alidation/
If you search the security forum here for "input validation" you'll find plenty of good info.
Good luck.

Posted: Sun Feb 12, 2006 3:00 pm
by Benjamin
feyd wrote: The best way is to know how to validate the information being submitted. Things such as regular expression matching for email addresses, removing \r and \n characters, limiting how many addresses can be sent to, or limiting access to the script based on time (say, requiring 10 or 15 seconds between emails). Each will deter circumvention for "bad" uses in its own way.

Just want to clarify: I'm pretty sure feyd means removing the \r and \n characters from posted data, NOT the ones that you have used to format the email in your code. Your script might not work without them if the header is malformed.
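As an added example that is not code from this thread: a hardened version of cupaball's final handler, applying feyd's advice (validate the address, refuse \r and \n in the posted values that reach headers, rate-limit submissions) while keeping the script's own "\r\n" header terminators, as Benjamin points out. The recipient address and the 15-second window are assumptions, and filter_var() needs PHP 5.2 or later.

```php
<?php
// Added example, not the thread's code: a hardened form handler.
session_start();

$sendTo  = "you@example.com";   // placeholder recipient, fixed server-side
$subject = "Website Reply";

// True if a value contains CR or LF, the characters needed to append
// extra header lines (Bcc:, Cc:, a second To:) to the message.
function has_crlf($value) {
    return preg_match('/[\r\n]/', $value) === 1;
}

$name    = isset($_POST['name'])    ? trim($_POST['name'])    : '';
$email   = isset($_POST['email'])   ? trim($_POST['email'])   : '';
$phone   = isset($_POST['phone'])   ? trim($_POST['phone'])   : '';
$message = isset($_POST['message']) ? $_POST['message']       : '';

// Fields that end up in headers get strict checks, not just stripping.
if ($name === '' || strlen($name) > 100 || has_crlf($name)) {
    exit('Invalid name.');
}
if (has_crlf($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    exit('Invalid email address.');
}
// The phone number only ever lands in the body, so a loose format is fine.
if (!preg_match('/^[0-9 +().-]{0,30}$/', $phone)) {
    exit('Invalid phone number.');
}

// Rate limit: one submission per 15 seconds per session (assumed window).
if (isset($_SESSION['last_mail']) && time() - $_SESSION['last_mail'] < 15) {
    exit('Please wait a moment before sending again.');
}
$_SESSION['last_mail'] = time();

// Our own "\r\n" terminators stay; only the submitted values were checked.
$headers  = "From: " . $name . " <" . $email . ">\r\n";
$headers .= "Reply-To: " . $email . "\r\n";

// Phone goes in the body, where a stray line break cannot become a header.
$body = $message . "\r\n\r\nPhone: " . $phone;

if (mail($sendTo, $subject, $body, $headers)) {
    echo 'Thanks, your message was sent.';
} else {
    echo 'Sorry, the message could not be sent.';
}
?>
```

Because the recipient is fixed in the script and every value that reaches a header is checked for line breaks, a submission like `victim@example.org\r\nBcc: ...` is rejected outright rather than silently adding recipients.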