
Posted: Mon Apr 03, 2006 6:28 pm
by RobertGonzalez
Try not to use register_globals. It is safer to keep this directive turned off.

When data is sent from a form to a PHP page it is sent as an array. The array is known as the superglobal $_POST (older PHP versions called this $HTTP_POST_VARS, though this is deprecated in PHP5). So say you have a form field named 'august'. When the form is submitted the value that was in the field 'august' is available to the script by way of the $_POST array var $_POST['august']. You can use that $_POST array var as is, or, if you want to make sure your script is safe from malicious coders planning your site some undue malfeasance, you can clean it up and read it into a var of its own. That is how you get $_POST['august'] to be $august in the safest, cleanest possible way.

As far as I know there are no limits, in PHP, as to the number of vars that can be mailed. Your mail server might have a problem handling large amounts of mail, but as for the mailing process used by PHP, I am pretty sure you can throw whatever you want at it. To be sure though, I would take a look at the PHP Mail function.

Posted: Mon Apr 03, 2006 10:15 pm
by pixelvixen
everah -- you truly be MASTER of your domain! Thank you, my problems are solved thanks to your register_global ON trick!

Merci! xxx

Posted: Mon Apr 03, 2006 10:18 pm
by RobertGonzalez
Everah wrote: Try not to use register_globals. It is safer to keep this directive turned off.
I still believe that you would be better off with register_globals off. It is mainly for security, seeing as any $_REQUEST var can be sent to your scripts with register_globals on and cause you all sorts of problems. Just my $0.02.
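To illustrate the point above about request vars, here is an added example (not code from anyone in this thread) showing the fragile pattern that register_globals breaks next to the hardened one; check_login() and show_admin_page() are hypothetical stand-ins for an application's own functions.

```php
<?php
// Added example, not from the thread: why an uninitialised variable is a
// problem when register_globals is on. check_login() and show_admin_page()
// are hypothetical placeholders; real code would verify a password hash.
function check_login($user, $pass) { return $user === 'admin' && $pass === 'placeholder'; }
function show_admin_page() { echo "admin page\n"; }

// Refuse to run at all if the directive is on (PHP 5.3 and earlier; from 5.4
// the directive no longer exists and ini_get() simply returns false).
if (ini_get('register_globals')) {
    die("register_globals must be off\n");
}

// (a) Fragile pattern: $authorized is only assigned on success and is
//     otherwise assumed to be unset. With register_globals on, a request
//     field named "authorized" would already have created that global
//     before this check ran, so the assumption does not hold.
if (isset($_POST['user'], $_POST['pass']) && check_login($_POST['user'], $_POST['pass'])) {
    $authorized = true;
}
// if (!empty($authorized)) { show_admin_page(); }   // do not rely on this

// (b) Hardened pattern: initialise every variable yourself and take input
//     only from the superglobal you expect it in, so nothing the client
//     sends can pre-populate the script's state.
$authorized = false;
$user = isset($_POST['user']) ? (string) $_POST['user'] : '';
$pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
if ($user !== '' && $pass !== '' && check_login($user, $pass)) {
    $authorized = true;
}
if ($authorized) {
    show_admin_page();
} else {
    echo "not authorized\n";
}
```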

Posted: Mon Apr 03, 2006 10:27 pm
by pixelvixen
Oh I see .. so .. if I wanted all these vars such as $occupation, $city, etc .. to be sent safely, leave register_globals OFF and in my .php form add :

$_POST['occupation'], $_POST['city'], etc ...

and in the last line mail($occupation, $city, etc); ???

Almost there ??! :wink:

Posted: Mon Apr 03, 2006 10:58 pm
by RobertGonzalez
You got it. Leave register_globals off. Then, in the script, set your POST vars to some other var and use that var...

Code:

<?php
if ( isset($_POST['submit']) )
{
    // The submit button was pressed, set some vars
    $occupation = $_POST['occupation'];
    $email = $_POST['email'];
    $first_name = $_POST['first_name'];
    // ... this goes on for whatever vars you want

    // Then use those vars in the message string and send it
    // (the four values below are placeholders so the snippet runs on its own; fill in your own)
    $sendTo  = 'you@example.com';
    $subject = 'Form submission';
    $message = "Occupation: $occupation\nEmail: $email\nName: $first_name\n";
    $headers = 'From: webmaster@example.com';
    if ( !mail($sendTo, $subject, $message, $headers) )
    {
        // There was a problem
        echo "There was a problem!<br />\n";
    }
}
?>

Posted: Tue Apr 04, 2006 1:22 am
by matthijs
And then, the next step would be to validate the fields. At least the ones that go into the headers of your mail() function. So in this case that's firstname, lastname and email. firstname and lastname can be checked for being alphabetic only, email with a good email regular expression.

Code:

/* start with emailvalidation function
*  from http://www.ilovejackdaniels.com/php/ema ... alidation/
*  (ereg() was removed in PHP 7; preg_match() with the same patterns is used
*  here, with the D modifier so that $ matches only at the very end of the
*  string, as ereg's $ did, and a trailing newline is not accepted)
----------------------------------------------------------------------*/
function check_email_address($email) {
  // First, we check that there's one @ symbol, and that the lengths are right
  if (!preg_match("/^[^@]{1,64}@[^@]{1,255}$/D", $email)) {
    // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
    return false;
  }
  // Split it into sections to make life easier
  $email_array = explode("@", $email);
  $local_array = explode(".", $email_array[0]);
  for ($i = 0; $i < sizeof($local_array); $i++) {
    if (!preg_match("/^(([A-Za-z0-9!#$%&'*+\/=?^_`{|}~-][A-Za-z0-9!#$%&'*+\/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$/D", $local_array[$i])) {
      return false;
    }
  }
  if (!preg_match("/^\[?[0-9\.]+\]?$/D", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
    $domain_array = explode(".", $email_array[1]);
    if (sizeof($domain_array) < 2) {
      return false; // Not enough parts to domain
    }
    for ($i = 0; $i < sizeof($domain_array); $i++) {
      if (!preg_match("/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/D", $domain_array[$i])) {
        return false;
      }
    }
  }
  return true;
}


// now start the validation

$firstname = '';
// validate firstname field (isset() avoids a notice when the field is missing)
if (  isset($_POST['firstname'])
    && strlen($_POST['firstname']) > 1
    && strlen($_POST['firstname']) < 50
    && ctype_alpha($_POST['firstname'])  )
{
   $firstname = $_POST['firstname'];
}

// same for lastname
$lastname = '';
if (  isset($_POST['lastname'])
    && strlen($_POST['lastname']) > 1
    && strlen($_POST['lastname']) < 50
    && ctype_alpha($_POST['lastname'])  )
{
   $lastname = $_POST['lastname'];
}

// and now for the email address
$email = '';
if (  isset($_POST['email'])
    && check_email_address($_POST['email'])
    && ctype_print($_POST['email'])  )
{
   $email = $_POST['email'];
}

//then compose the headers
$headers = "From: " . $firstname . " " . $lastname . " <" . $email . ">\r\n";

This is just an example; there is or can be much more to validating than this (check out the many threads about this in the security forums). But it is very important to validate the input.
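As an added example (not code from this thread), the same idea as the post above, with one gate for every value that goes into a header and a builder that refuses to send rather than composing a header from a partly blank value; filter_var() stands in for the post's check_email_address(), and the inputs at the bottom are constructed.

```php
<?php
// Added example, not from the thread: one gate for every value that is
// interpolated into mail() headers. filter_var() stands in for the post's
// check_email_address(); the inputs at the bottom are constructed.

// A header value must stay on one line. CR or LF would end the header and
// make the remainder be read as further header lines, so reject them along
// with every other control character (ctype_print allows only 0x20-0x7E).
function header_safe($value, $max = 100) {
    return is_string($value)
        && $value !== ''
        && strlen($value) <= $max
        && ctype_print($value);
}

// Letters only, 2-49 characters, as in the post's firstname check.
function name_ok($name) {
    return is_string($name) && strlen($name) > 1 && strlen($name) < 50 && ctype_alpha($name);
}

// Build the From: line, or return null when any part fails validation so the
// caller can refuse to send instead of sending with a partly blank header.
function build_from_header($first, $last, $email) {
    if (!name_ok($first) || !name_ok($last)) {
        return null;
    }
    if (!header_safe($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return 'From: ' . $first . ' ' . $last . ' <' . $email . ">\r\n";
}

// Constructed inputs: only the first one is accepted.
$cases = array(
    array('Jane', 'Doe', 'jane@example.com'),
    array('Jane', 'Doe', "jane@example.com\nsecond line"),  // line break: rejected
    array('Jane', 'Doe', 'not-an-address'),                 // not an address
    array('Ja ne', 'Doe', 'jane@example.com'),              // space fails ctype_alpha
    array('J', 'Doe', 'jane@example.com'),                  // too short
);
foreach ($cases as $c) {
    $h = build_from_header($c[0], $c[1], $c[2]);
    echo ($h === null) ? "rejected\n" : 'accepted: ' . rtrim($h) . "\n";
}
```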