Email Issues

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
IanWright
Forum Newbie
Posts: 2
Joined: Thu May 25, 2006 4:48 pm

Email Issues

Post by IanWright »

I'm new to php and have created a page that I've had online for a week or so now. The page displays a table (with radio buttons on the far column) and has 2 contact details boxes below (name and email address). When a user selects an item within the table, fills in the boxes and clicks submit and email is sent to my account.

A typical email output may be:
Test (Test@hotmail.co.uk) has requested the following preach:
Guest Speaker ( Isaiah 61 ) : Steve Whittington - 07/05/06
Recently however I've recieved 2 emails which have somehow broken this formatting and not be carried out legitimately, the output looking like:
veins7551@yorkcitychurch.org.uk (veins7551@yorkcitychurch.org.uk) has requested the following preach:
had
Content-Type: multipart/alternative; boundary=0ba9feb7bf1c52d6c579d0c7106f6d5b
MIME-Version: 1.0
Subject: the builders had hung up a
bcc: DLWoolfolk@aol.com

This is a multi-part message in MIME format.

--0ba9feb7bf1c52d6c579d0c7106f6d5b
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

can t do good work an be honest at th same time. ut whin m hirin a la ad find out first whether he is onto his job, an afther a few years begin to suspect that he is honest, too. anny a dishonest man can
--0ba9feb7bf1c52d6c579d0c7106f6d5b--
I don't understand how this has happened, being so new to php, and am wondering if anyone could suggest possible causes and solutions? I've included the php code below, though to run this you will need a dat file for it to parse. The live example is http://www.yorkcitychurch.org.uk/request.php. The php code is:

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
<HTML>
<HEAD>
<META name="Description" content="York City Church CD Requests">
<META name="Keywords" content="Sunday, Sunday Meeting, Service, Services, Fellowship">
<TITLE>CD Requests</TITLE>
<LINK rel="stylesheet" TYPE="text/css" HREF="/css/style.css">
</HEAD>
<body>

<DIV id=content>
<h1> CD Requests </h1>
<form method="post" action="request.php">
<TABLE border="5" rules="cols">
<COLGROUP>
   	<COL width="140" align="center">
	<COL width="70" align="center">
	<COL width="400" align="center">
	<COL width="140" align="center">
	<COL width="20" align="center">
<TBODY>
<TR>
   <TH>Preacher</TH>
   <TH>Date</TH>
   <TH>Description</TH>
   <TH>Scripture</TH>
   <TH>Select</TH>
<?php 

$fp = @fopen("requests.dat", "r") or die("Couldn't open file"); 
$data = "";

while(!feof($fp)) 	
{ 
	$data = getline($fp, '|');
	echo "<TR>";
	$value = explode("\t", $data); 	
	echo "<TD>" . $value[0] . " " . $value[1] . "</TD>";
	echo "<TD>" . $value[2] . "</TD>";
	echo "<TD>" . $value[3] . "</TD>";
	echo "<TD>" . $value[4] . "</TD>";
	echo "<TD><INPUT TYPE=RADIO NAME=\"selection\" VALUE=\"" . $value[3] . " ( " . $value[4] . " ) : " . $value[0] . " " . $value[1] .  " - " .$value[2] ."\"></TD>";	
} 

fclose($fp);
function getline( $fp, $delim )
{ 
   $result = "";
   while( !feof( $fp ) )
   {
       $tmp = fgetc( $fp );
       if( $tmp == $delim )
       return $result;
       $result .= $tmp;
   }
return $result;
}

echo "</TABLE><BR>";
if (isset($_POST['submitrequest'])) {
	
if ($_POST['name'] == null){
	echo "<h3><font color=\"red\"> Please enter your name <font color=\"black\"></h3>";
}
else {	
                 if ($_POST['email'] == null){
		echo "<h3><font color=\"red\"> Please enter your email address <font color=\"black\"></h3>";
	}
else {
	if ($_POST['selection'] == null){
		echo "<h3><font color=\"red\"> Please enter your selection <font color=\"black\"></h3>";
	}
else {
	$message = $_POST['name'] . " (" . $_POST['email'] . ") has requested the following preach: \n" . $_POST['selection']; 
	$sendto = "email@york.ac.uk";
	$subject = "CD Request - YCC";
	mail($sendto, $subject, $message, "From: York City Church");
	echo "<h3><font color=\"black\"> Thank You - A CD should be avaliable for collection at the Sunday morning service. An email will be sent if any delays are expected.</h3>"; 
                }
                }
                }
                } 

echo "<p>";
echo "<br><br>";
echo "Name: &nbsp&nbsp&nbsp <INPUT NAME=\"name\" SIZE=30 value=\"" . $_POST['name'] . "\">";

echo "&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp Email Address: <INPUT NAME=\"email\" SIZE=30 value=\"" . $_POST['email'] . "\">";
echo "<br>";
echo "<br>";
?>

<input type="submit" name="submitrequest" value="Submit Request">

</FORM>
</DIV>
<?php
include("./includes/middleheader.html");
include("./includes/leftbar.html");
include("./includes/leftheader.html");
include("./includes/rightheader.php");
?>
</BODY>
</HTML>
Thanks for any assistance!
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Re: Email Issues

Post by timvw »

IanWright wrote:When a user selects an item within the table, fills in the boxes and clicks submit and email is sent to my account.
An evil user fills in this form and spams half the world because you don't validate the data...

Here are two articles that describe the vulnerability:

http://www.nyphp.org/phundamentals/emai ... ection.php
http://www.phpbuilder.com/columns/ian_g ... 60412.php3
IanWright
Forum Newbie
Posts: 2
Joined: Thu May 25, 2006 4:48 pm

Post by IanWright »

Thank you very much for the reply.

I've had a brief scan over that first page, looks pretty informative. I'll endaveour to get it fixed shortly :)
Post Reply