I know that this will be a complete bore to you chaps but a complete newbie to PHP begs information.
I've found a PHP tutorial online that demonstrated how to make a functioning PHP form for checkboxes, input fields and that sort of thing. I've introduced it to a website and got it all working but I'm not clear how to make it safe from possible manipulation from unsavoury.
Is there code which can be used to protect input fields which is easy to understand and can be used time and again?
Best wishes
Uncle Tom
Complete beginner
hope this is ok
This is the original code that I've butchered.
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
It would be great if you could. It's giving me a headache.
Here's the PHP, and my concerns are over the email, telephone and name inputs. I've been wondering if I'm being overly anxious, but according to everything I've been reading you must prepare for the worst.
Code:
<?php
// The posted fragment opened with a stray "} else {"; the test it belongs to
// (was the form actually posted?) is reconstructed here from the tutorial
// script below so that the braces balance.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    error_reporting(0);
    // initialize an array to hold any errors we encounter
    $errors = array();
    // create empty array for any missing fields
    $missing = array();
    // assume that there is nothing suspect
    $suspect = false;
    // create a pattern to locate suspect phrases
    $pattern = '/Content-Type:|Bcc:|Cc:/i';
    // process the $_POST variables
    // check to see if a name was entered
    if (!$_POST['Name'])
        $errors[] = "Name is required";
    if (!$_POST['Email'])
        $errors[] = "Email is required";
    if (!$_POST['Telephone'])
        $errors[] = "Tel is required";
    // if there are any errors, display them
    if (count($errors) > 0) {
        foreach ($errors as $err)
            echo "$err<br>\n";
        echo "<br>Please click back button to fix.";
    } else {
        // list expected fields
        $expected = array('Name', 'Email', 'Telephone');
        // no errors, so we build our message
        switch ($_POST['generator']) {
            case 'New':
                $recipient = 'toma@yahoo.co.uk';
                break;
            case 'Second User':
                $recipient = 'toma@yahoo.co.uk';
                break;
            case 'Either':
                $recipient = 'toma@yahoo.co.uk';
                break;
            default:
                $recipient = 'toma@yahoo.co.uk';
        }
        $subject = "Quick Quote";
        $from = stripslashes($_POST['Name']);
        $msg = "Message sent by $from\n";
        $msg .= "\nEmail: " . $_POST['Email'];
        $msg .= "\nTelephone: " . $_POST['Telephone'];
        $msg .= "\nCustomer Status: " . $_POST['existingcustomer'];
        $msg .= "\nUsage: " . $_POST['Usage'];
        $msg .= "\nspares: " . $_POST['spares'];
        $msg .= "\n" . stripslashes($_POST['MsgBody']) . "\n";
        if (mail($recipient, $subject, $msg)) {
            echo "<p>Thanks for contacting us</p>";
            echo nl2br($msg);
        } else
            echo "An unknown error occurred.";
    }
}
?>
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>E-mail with Attachment</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<?php
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    // we'll begin by assigning the To address and message subject
    $to = "somebody@example.com";
    $subject = "E-mail with attachment";
    // get the sender's name and email address
    // we'll just plug them into a variable to be used later
    $from = stripslashes($_POST['fromname']) . "<" . stripslashes($_POST['fromemail']) . ">";
    // generate a random string to be used as the boundary marker
    $mime_boundary = "==Multipart_Boundary_x" . md5(mt_rand()) . "x";
    // store the file information to variables for easier access
    $tmp_name = $_FILES['filename']['tmp_name'];
    $type = $_FILES['filename']['type'];
    $name = $_FILES['filename']['name'];
    $size = $_FILES['filename']['size'];
    // here we'll hard code a text message
    // again, in reality, you'll normally get this from the form submission
    $message = "Here is your file: $name";
    // if the upload succeeded, the file will exist
    if (file_exists($tmp_name)) {
        // check to make sure that it is an uploaded file and not a system file
        if (is_uploaded_file($tmp_name)) {
            // open the file for a binary read
            $file = fopen($tmp_name, 'rb');
            // read the file content into a variable
            $data = fread($file, filesize($tmp_name));
            // close the file
            fclose($file);
            // now we encode it and split it into acceptable length lines
            $data = chunk_split(base64_encode($data));
        }
        // now we'll build the message headers
        $headers = "From: $from\r\n" .
            "MIME-Version: 1.0\r\n" .
            "Content-Type: multipart/mixed;\r\n" .
            " boundary=\"{$mime_boundary}\"";
        // next, we'll build the message body
        // note that we insert two dashes in front of the
        // MIME boundary when we use it
        $message = "This is a multi-part message in MIME format.\n\n" .
            "--{$mime_boundary}\n" .
            "Content-Type: text/plain; charset=\"iso-8859-1\"\n" .
            "Content-Transfer-Encoding: 7bit\n\n" .
            $message . "\n\n";
        // now we'll insert a boundary to indicate we're starting the attachment
        // we have to specify the content type, file name, and disposition as
        // an attachment, then add the file content and set another boundary to
        // indicate that the end of the file has been reached
        $message .= "--{$mime_boundary}\n" .
            "Content-Type: {$type};\n" .
            " name=\"{$name}\"\n" .
            //"Content-Disposition: attachment;\n" .
            //" filename=\"{$fileatt_name}\"\n" .
            "Content-Transfer-Encoding: base64\n\n" .
            $data . "\n\n" .
            "--{$mime_boundary}--\n";
        // now we just send the message
        if (@mail($to, $subject, $message, $headers))
            echo "Message Sent";
        else
            echo "Failed to send";
    }
} else {
?>
<p>Send an e-mail with an attachment:</p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"
      enctype="multipart/form-data" name="form1">
<p>From name: <input type="text" name="fromname"></p>
<p>From e-mail: <input type="text" name="fromemail"></p>
<p>File: <input type="file" name="filename"></p>
<p><input type="submit" name="Submit" value="Submit"></p>
</form>
<?php } ?>
</body>
</html>
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
I agree with feyd on using Swift for mailing. It is the best mailing library available.
The code you posted has potential issues all over it and could stand to be cleaned up a bit.
Code:
<?php
// The quoted fragment opened with a stray "} else {"; the test it belongs to
// is reconstructed from the tutorial script so that the braces balance.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    error_reporting(0);
    // initialize an array to hold any errors we encounter
    $errors = array();
    // create empty array for any missing fields
    $missing = array();
    // assume that there is nothing suspect
    $suspect = false;
    // create a pattern to locate suspect phrases
    $pattern = '/Content-Type:|Bcc:|Cc:/i';
    // check to see if a name was entered
    /**
     * THIS DOES NOT CHECK ANYTHING OTHER THAN THE VAR NOT BEING FALSE
     * Consider using something a little cleaner, along the lines of:
     */
    /*
    if (!empty($_POST['Name']))
    {
        $temp_name = $_POST['Name'];
        if (strlen(trim($temp_name)) > 5) // Or some other value that you'd expect for a name length
        {
            if (preg_match('/[a-z\s]$/i', $temp_name))
            {
                // Now we are looking better....
            }
        }
    }
    // That was just an example and should not be used in production
    */
    if (!$_POST['Name'])
        $errors[] = "Name is required";
    if (!$_POST['Email'])
        $errors[] = "Email is required";
    if (!$_POST['Telephone'])
        $errors[] = "Tel is required";
    // if there are any errors, display them
    if (count($errors) > 0) {
        foreach ($errors as $err)
            echo "$err<br>\n";
        echo "<br>Please click back button to fix.";
    } else {
        // list expected fields
        $expected = array('Name', 'Email', 'Telephone');
        // no errors, so we build our message
        switch ($_POST['generator']) {
            case 'New':
                $recipient = 'toma@yahoo.co.uk';
                break;
            case 'Second User':
                $recipient = 'toma@yahoo.co.uk';
                break;
            case 'Either':
                $recipient = 'toma@yahoo.co.uk';
                break;
            default:
                $recipient = 'toma@yahoo.co.uk';
        }
        $subject = "Quick Quote";
        $from = stripslashes($_POST['Name']);
        $msg = "Message sent by $from\n";
        $msg .= "\nEmail: " . $_POST['Email'];
        $msg .= "\nTelephone: " . $_POST['Telephone'];
        $msg .= "\nCustomer Status: " . $_POST['existingcustomer'];
        $msg .= "\nUsage: " . $_POST['Usage'];
        $msg .= "\nspares: " . $_POST['spares'];
        $msg .= "\n" . stripslashes($_POST['MsgBody']) . "\n";
        if (mail($recipient, $subject, $msg)) {
            echo "<p>Thanks for contacting us</p>";
            echo nl2br($msg);
        } else
            echo "An unknown error occurred.";
    }
}
?>
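The following is an added example, not code from this thread or from either poster. It answers Uncle Tom's question (reusable checks for the name, email and telephone fields) and RobertGonzalez's point that `!$_POST['Name']` only tests for a non-false value. It also applies the suspect-phrase pattern that the posted script defines in `$pattern` but never uses, and extends it with the CR/LF test that actually matters for mail header injection. The function names, the sample submissions and the example.com addresses are all my own assumptions; the recipient address is the one from the thread and is left commented out.

```php
<?php
// Added example for the thread above; function names are assumptions, not
// anything from the original scripts.

// A CR or LF inside a header value starts a new header line, which is how an
// attacker turns the "Email" field into an extra Bcc: or Cc: header. The
// literal phrases from the poster's $pattern are kept as a second line of defence.
function has_header_injection(string $value): bool
{
    return (bool) preg_match('/[\r\n]|Content-Type:|Bcc:|Cc:/i', $value);
}

// Validate the three fields the poster worries about. Returns an array of
// error messages; an empty array means the submission is acceptable.
function validate_quote_form(array $post): array
{
    $errors = [];

    $name = trim($post['Name'] ?? '');
    if ($name === '') {
        $errors[] = 'Name is required';
    } elseif (strlen($name) > 100 || !preg_match("/^[\p{L} .'-]+$/u", $name)) {
        $errors[] = 'Name contains characters that are not allowed';
    }

    $email = trim($post['Email'] ?? '');
    if ($email === '') {
        $errors[] = 'Email is required';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid';
    }

    $tel = trim($post['Telephone'] ?? '');
    if ($tel === '') {
        $errors[] = 'Tel is required';
    } elseif (!preg_match('/^\+?[0-9 ()-]{6,20}$/', $tel)) {
        $errors[] = 'Telephone number is not valid';
    }

    // Every submitted field ends up in the message, so every field gets the
    // header-injection test, not just the ones that feed headers directly.
    foreach ($post as $field => $value) {
        if (is_string($value) && has_header_injection($value)) {
            $errors[] = "Field $field contains content that is not allowed";
        }
    }
    return $errors;
}

// Build the body from an allow-list of field names; unexpected fields are ignored.
function build_message(array $post): string
{
    $expected = ['Name', 'Email', 'Telephone', 'existingcustomer', 'Usage', 'spares', 'MsgBody'];
    $lines = [];
    foreach ($expected as $field) {
        $lines[] = $field . ': ' . trim((string) ($post[$field] ?? ''));
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample input: a clean submission and a copy carrying a smuggled Bcc: header.
$clean = [
    'Name'      => 'Tom Archer',
    'Email'     => 'tom@example.com',
    'Telephone' => '+44 20 7946 0000',
    'MsgBody'   => 'Please quote for a new unit.',
];
$tainted = $clean;
$tainted['Email'] = "tom@example.com\r\nBcc: everyone@example.net";

foreach (['clean' => $clean, 'tainted' => $tainted] as $label => $post) {
    $errors = validate_quote_form($post);
    echo "$label: " . ($errors ? implode('; ', $errors) : 'ok') . "\n";
}

// On success: a fixed From: header (never the visitor's input), the validated
// address only in Reply-To:, and the echo HTML-escaped so a visitor cannot
// inject markup into the confirmation page.
if (validate_quote_form($clean) === []) {
    $msg = build_message($clean);
    $headers = "From: quotes@example.com\r\nReply-To: " . $clean['Email'] . "\r\n";
    // mail('toma@yahoo.co.uk', 'Quick Quote', $msg, $headers);  // recipient from the thread
    echo nl2br(htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'));
}
```

Run from the command line the script reports the clean submission as "ok" and rejects the tainted one twice over: `filter_var` refuses the address because of the embedded line break, and `has_header_injection` flags the same field. The design point is that validation happens per field with an allow-list of what a value may look like, rather than a blacklist of bad phrases, and that nothing from `$_POST` is ever concatenated into a mail header.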