PHP - How Do I Secure This Html Form And Email Script?
Hi guys, sorry for such a newbish question. Any help would be greatly appreciated.
HTML FORM:
Code: [Select]
<form action="form.php" method="post" onsubmit="return validateForm()" name="form">
<b>First Name:*</b> <input type="text" name="first_name" size="50" />
<b>Last Name:*</b> <input type="text" name="last_name" size="50" />
<b>Phone:*</b> <input type="text" name="phone" size="50" />
<b>Email:*</b> <input type="text" name="email" size="50" />
<p><b>What is your favorite color?*</b></p>
<p align="left">
<select name="se">
<option value="W">White</option>
<option value="G">Green</option>
<option value="Y">Yellow</option>
</select>
<input type="submit" value="Submit"/>
</form>

FORM.PHP script
Code: [Select]
<?php
$se = $_POST['se'];
$seURL = '';
switch ($se) {
    case 'W': $seURL = "http://url1.com"; break;
    case 'G': $seURL = "http://url2.com"; break;
    case 'O': $seURL = "http://url3.com"; break;
    default:  $seURL = "";
}
if ($seURL != "") {
    /* Redirect browser */
    /* make sure nothing is output to the page before this statement */
    header("Location: " . $seURL);
}
// get posted data into local variables
$EmailFrom = "noreply@domain.com";
$EmailTo = "email@domain.com";
$Subject = "Form";
$first_name = Trim(stripslashes($_POST['first_name']));
$last_name = Trim(stripslashes($_POST['last_name']));
$phone = Trim(stripslashes($_POST['phone']));
$email = Trim(stripslashes($_POST['email']));
// validation
$validationOK=true;
if (!$validationOK) {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
    exit;
}
// prepare email body text
$Body = "";
$Body .= "first_name: "; $Body .= $first_name; $Body .= "\n";
$Body .= "last_name: ";  $Body .= $last_name;  $Body .= "\n";
$Body .= "phone: ";      $Body .= $phone;      $Body .= "\n";
$Body .= "email: ";      $Body .= $email;      $Body .= "\n";
$Body .= "color: ";      $Body .= $se;         $Body .= "\n";
// send email
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");
// send email to user
if ($se=="W") $EmailFrom = "noreply@domain.com";
$to = $email;
$subject = "form email";
$body = "thank you for filling out our form";
if (mail($to, $subject, $body, "From: <$EmailFrom>")) {
    echo("<p>Message successfully sent!</p>");
} else {
    echo("<p>Message delivery failed...</p>");
}
?>
MOD EDIT: [code] . . . [/code] tags added . . .

Similar Tutorials

Hey Guys! I have the following working registration form (the form is in Flash and sends the submitted user variables to PHP). Here's the working php script:
if ($action == "registrationEmail") {
    $date = date("F j, Y");
    $name=str_replace("\"", "\\\"", $_POST["Name"]);
    $email=str_replace("\"", "\\\"", $_POST["Email"]);
    $user_id=str_replace("\"", "\\\"", $_POST["UserId"]);
    $sex=str_replace("\"", "\\\"", $_POST["Sex"]);
    $birthday=str_replace("\"", "\\\"", $_POST["DateOfBirth"]);
    $zip=str_replace("\"", "\\\"", $_POST["Zip"]);
    $address=str_replace("\"", "\\\"", $_POST["Address"]);
    $phoneOne=str_replace("\"", "\\\"", $_POST["PhoneOne"]);
    $phoneTwo=str_replace("\"", "\\\"", $_POST["PhoneTwo"]);
    $cell_phone=str_replace("\"", "\\\"", $_POST["Cellphone"]);
    $cell_operator=str_replace("\"", "\\\"", $_POST["Operadora"]);
    $services=str_replace("\"", "\\\"", $_POST["Services"]);
    //send email
    if( $email == true ) {
        $sender = $email;
        $receiver = "my@email.com"; // opening quote restored; it was missing in the pasted code
        $client_ip = $_SERVER['REMOTE_ADDR'];
        $email_body = "Email: $email \n\nIP: $client_ip \n\nName: $name \n\nUserId: $user_id \n\nSex: $sex \n\nDate Of Birth: $birthday \n\nZip: $zip \n\nAddress: $address \n\nPhone One: $phoneOne \n\nPhone Two: $phoneTwo \n\nCell Phone: $cell_phone \n\nCell Operator: $cell_operator \n\nServices: $services \n\nDate: $date";
        $extra = "From: $sender\r\n" . "Reply-To: $sender \r\n" . "X-Mailer: PHP/" . phpversion();
        //echo "success=yes";
        if( mail( $receiver, "New Buyer Subscriber - $subject", $email_body, $extra ) ) {
            echo "success=yes";
        } else {
            echo "success=no";
        }
    }
}
Aside from header injection and XSS prevention, I would like to know if it's a good idea to use the str_replace as I did:
$name=str_replace("\"", "\\\"", $_POST["Name"]);
which in some way replaces mysql_real_escape_string, which can't be used on this script due to the lack of a database connection. Any suggestions?

I've sent a test to the server and verified that email is working. New with PHP, so assuming my code is wrong.
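The two handlers above share the same weak points: the redirect target and the mail headers are built from raw POST data, nothing is validated, and the script keeps running after header(). The following is an added example (not the posters' code) of the same FORM.PHP flow hardened; the field names come from the posted form, while the URLs and mailboxes are placeholders.

```php
<?php
// Added example, not the posters' code: the FORM.PHP handler above, hardened.
// Field names (first_name, last_name, phone, email, se) match the posted form;
// the URLs and mailbox addresses below are placeholders.
declare(strict_types=1);

// Fixed mapping from the <select> value to the redirect target: the browser
// can only ever be sent to one of these three URLs.
const REDIRECTS = [
    'W' => 'https://example.com/white',   // placeholder
    'G' => 'https://example.com/green',   // placeholder
    'Y' => 'https://example.com/yellow',  // placeholder
];
const EMAIL_TO   = 'email@domain.com';    // placeholder
const EMAIL_FROM = 'noreply@domain.com';  // placeholder

// Anything that ends up in a mail header (To, From, Reply-To, Subject) must
// not contain a line break, otherwise it can smuggle in extra headers.
function headerSafe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Returns a list of problems; an empty list means the submission is acceptable.
function validateSubmission(array $post): array
{
    $errors = [];
    foreach (['first_name', 'last_name', 'phone', 'email', 'se'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    if ($errors !== []) {
        return $errors;
    }
    if (!array_key_exists($post['se'], REDIRECTS)) {
        $errors[] = 'unknown colour choice';
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false || !headerSafe($post['email'])) {
        $errors[] = 'email address is not valid';
    }
    foreach (['first_name', 'last_name', 'phone'] as $field) {
        if (strlen($post[$field]) > 100 || !headerSafe($post[$field])) {
            $errors[] = "$field is too long or contains line breaks";
        }
    }
    return $errors;
}

$errors = validateSubmission($_POST);
if ($errors !== []) {
    http_response_code(400);
    // Escape before echoing so a submitted value cannot inject markup.
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    exit;
}

$fields = [];
foreach (['first_name', 'last_name', 'phone', 'email', 'se'] as $f) {
    $fields[$f] = trim($_POST[$f]);
}

// Body text, one line per field; line breaks inside a value are flattened so
// a value cannot fake an extra field in the notification.
$body = '';
foreach ($fields as $name => $value) {
    $body .= $name . ': ' . str_replace(["\r", "\n"], ' ', $value) . "\n";
}

// Notification to the site owner: From: is a fixed address, the visitor's
// address (already validated) only appears in Reply-To.
$headers = 'From: <' . EMAIL_FROM . ">\r\n"
         . 'Reply-To: <' . $fields['email'] . ">\r\n";
mail(EMAIL_TO, 'Form', $body, $headers);

// Acknowledgement to the visitor, with a fixed sender and fixed text.
mail($fields['email'], 'form email', 'thank you for filling out our form',
     'From: <' . EMAIL_FROM . ">\r\n");

// Redirect only after all the work is done, and stop the script afterwards:
// without exit, the rest of the page would still run and be sent.
header('Location: ' . REDIRECTS[$fields['se']], true, 303);
exit;
```

The str_replace on double quotes in the second script does nothing for mail: the risk there is line breaks in header values, which the headerSafe() check rejects outright instead of trying to escape.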
I am using a simple email script called PHPMailer which works great, but I would like to create a form so a user can input what the text for the email should be along with the subject from text boxes. I also need the script to connect to a MySQL database to get a list of email addresses to send to. Then once the user presses the send button the email is sent out to everyone in the database. Can anyone help me?
<?php
include_once('class.phpmailer.php');
$mail = new PHPMailer();
$body = eregi_replace("[\]",'',$body);
$mail->IsSendmail(); // telling the class to use SendMail transport
$mail->From = "zac@zpwebsites.com";
$mail->FromName = "First Last";
$mail->Subject = "PHPMailer Test Subject via smtp";
$mail->AltBody = "To view the message, please use an HTML compatible email viewer!"; // optional, comment out and test
$mail->MsgHTML($body);
$mail->AddAddress("zacthespack@gmail.com", "John Doe");
$mail->AddAttachment("uploads/AleMail.pdf"); // attachment
if(!$mail->Send()) {
    echo "Mailer Error: " . $mail->ErrorInfo;
} else {
    echo "Message sent!";
}
?>

Hi All, I am using the HTTP_Session2 PEAR module in my project. My logout code is
HTTP_Session2::set('user_id','');
HTTP_Session2::set('user_type','');
HTTP_Session2::regenerateId(true);
HTTP_Session2::destroy();
pageRedirect("index.php?q=registration/login");
exit;
My check login script is
if(trim(HTTP_Session2::get('user_id'))=='' || trim(HTTP_Session2::get('user_type'))=='') {
    HTTP_Session2::set('user_id','');
    HTTP_Session2::set('user_type','');
    HTTP_Session2::regenerateId(true);
    HTTP_Session2::destroy();
    pageRedirect("index.php?q=registration/login");
    exit;
}
The problem here is that whenever I click on the back button after logout I can see the user homepage, on which I have written the "check login script". Is there a good solution available?
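The back-button symptom above is usually the browser showing its cached copy of the page, not a live session: the login check never runs because no request is made. An added example (not the poster's code) using PHP's native session functions rather than HTTP_Session2; the login URL is taken from the post, the logout route is an assumption.

```php
<?php
// Added example, not the poster's code. Native PHP sessions are used in place
// of HTTP_Session2; index.php?q=registration/login comes from the post, the
// ?action=logout route is an assumption.
declare(strict_types=1);

// Send on every page that requires a login. no-store tells the browser not to
// keep a copy, so Back after logout re-requests the page and hits the login
// check instead of displaying the stale copy from the cache.
function sendNoCacheHeaders(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

function requireLogin(): void
{
    sendNoCacheHeaders();
    if (empty($_SESSION['user_id']) || empty($_SESSION['user_type'])) {
        header('Location: index.php?q=registration/login');
        exit;
    }
}

function logout(): void
{
    // Clear the data, expire the cookie, then destroy the server-side record,
    // so neither the browser nor the server keeps anything usable.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    sendNoCacheHeaders();
    header('Location: index.php?q=registration/login');
    exit;
}

session_start();
if (($_GET['action'] ?? '') === 'logout') {
    logout();
}
requireLogin();
// ... protected page content follows ...
```

The page will still be listed in the history; the difference is that revisiting it now produces a real request, which the session check turns into a redirect to the login page.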
Code: [Select]
<?php
// Maximum file size for upload
$maxFileSize = 5242880;
// If file is too large
if(!empty($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $maxFileSize)
    echo "File too large";
else {
    if(isset($_POST['submit'])) {
        // List of acceptable file types
        $whitelist = array(
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document", // .docx
            "application/msword", // .doc, .rtf
            "text/plain",
            "image/jpeg",
            "image/gif",
            "image/png",
            "application/pdf",
            "application/octet-stream", // .rar
            "application/x-zip" // .zip
        );
        // Is uploaded file type in whitelist array
        if(!in_array($_FILES['file_upload']['type'], $whitelist))
            exit("Bad Filetype");
        // Don't allow php files
        if(preg_match("/\.php.*$/i", $_FILES['file_upload']['name']))
            exit("We do not allow uploading PHP files\n");
        // Move the file
        $uploaddir = '../uploads/';
        $uploadfile = $uploaddir . "[" . time(). "]." . basename($_FILES['file_upload']['name']);
        if (move_uploaded_file($_FILES['file_upload']['tmp_name'], $uploadfile))
            exit("File is valid, and was successfully uploaded.\n");
        else
            exit("File uploading failed.\n");
    }
}
?>
<html>
<head>
<title>Upload Test</title>
</head>
<body>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" enctype="multipart/form-data" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $maxFileSize; ?>" />
<input type="file" name="file_upload" />
<input type="submit" name="submit" value="upload" />
<br />
<?php echo "(Max: " . number_format($maxFileSize/1048576,0) . " MB)" ?>
</form>
</body>
</html>
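The upload script above trusts two things the browser controls: $_FILES[...]['type'] and the original file name, and it stores the file under that name inside the web tree. An added example (not the poster's code) that judges the file by its bytes and its last extension, then stores it under a random name; the form field name and size limit are the poster's, the storage directory is a placeholder.

```php
<?php
// Added example, not the poster's code. Field name (file_upload) and size
// limit come from the post; UPLOAD_DIR is a placeholder outside the web root.
declare(strict_types=1);

const MAX_FILE_SIZE = 5242880;
const UPLOAD_DIR = '/var/www/private/uploads/'; // placeholder, not web-served

// Allowed types keyed by extension, each with the MIME type the server detects
// from the file contents. $_FILES[...]['type'] is sent by the client and is
// not consulted at all.
const ALLOWED = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'txt'  => ['text/plain'],
    'zip'  => ['application/zip'],
];

// Returns null when the upload is acceptable, otherwise the reason it is not.
function checkUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed (error code ' . (int) ($file['error'] ?? -1) . ')';
    }
    if ($file['size'] > MAX_FILE_SIZE) {
        return 'file too large';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Only the final extension counts, so "report.pdf.php" is judged as php
    // and rejected; a name without any extension is rejected too.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, ALLOWED)) {
        return 'extension not allowed';
    }
    // The detected type must agree with what the extension claims.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, ALLOWED[$ext], true)) {
        return "content ($detected) does not match extension .$ext";
    }
    return null;
}

// Store under a random name; the original name is only metadata and never
// becomes part of a path.
function storeUpload(array $file): string
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $name;
}

if (isset($_POST['submit'], $_FILES['file_upload'])) {
    $problem = checkUpload($_FILES['file_upload']);
    if ($problem !== null) {
        http_response_code(400);
        exit(htmlspecialchars($problem, ENT_QUOTES, 'UTF-8'));
    }
    $stored = storeUpload($_FILES['file_upload']);
    echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}
```

The list is deliberately shorter than the poster's whitelist: formats whose detected type is ambiguous (.docx and .doc both report container types, .rar reports application/octet-stream) need a dedicated check before they can be added.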
Hello,
I want to know if this code is OK or whether I have SQL injection, session hijacking etc.
thank you very much for your help.
Rafal
<?php
INI_SET('SESSION.USE_ONLY_COOKIES', 1);
SESSION_START();
SESSION_CACHE_EXPIRE(10);
SESSION_REGENERATE_ID();
$uname = "mail@mail.com";
$upassword = "a4ca6e1f044a98a8a72e7b356a134319433f4d98adb3f463202246bddb883712459e66ea985f37cb2e7171165500c341be4effd1f6e4461246e3c61e5767741f";
if (isset($_POST["inp_name"]) && isset($_POST["inp_pwd"])) {
    if ($uname == $_POST["inp_name"] && $upassword == hash('sha512', $_POST["inp_pwd"])) {
        $_SESSION["e64X96ea"] = 1;
    }
}
?>
<?php
if ($_SESSION["e64X96ea"] != 1) {
    header ( 'Location:login.php' );
    exit;
}
?>
Edited by rafal, 16 November 2014 - 08:39 AM.

Hi all, new here. I have a basic email form that takes name, phone, email etc., and also has 3 file upload boxes for photos. I have taken most of the code from free examples off the net and patched it together. It had an error message if something went wrong. I wanted to put an HTML page instead of just the text, so I read that I could end-tag the PHP, then do HTML, then begin-tag the PHP again. The problem is that some of the error message comes from a different part of the PHP code. How can I get this displayed in the HTML?
Code: [Select]
<?php
if(isset($_POST['email'])) {
// EDIT THE 2 LINES BELOW AS REQUIRED
$email_to = "email@email.com";
$email_subject = "JoinUs Model Form";
function died($error) {
// your error code can go here
?>
<title>title</title>
<style type="text/css">
body { background-color: #000; text-align: center; }
body,td,th { color: #FFF; font-family: Arial, Helvetica, sans-serif; font-size: 24px; }
</style>
</head>
<body link="#FFFFFF" onload="setTimeout('history.back()',10000)">
<p><img src="../images/logo.png" width="326" height="144" alt="sdadfsd" longdesc="http://www.dgfsfdg.com" /><br /> </p>
<br />
<p>We are very sorry, but there were error(s) found with the form you submitted.</p>
<p>These errors appear below.</p>
####### this is where i want the below errors to appear in same format as html #########
<p>Click back to fix your error(s) or you will be taken back to the form automatically in 10 seconds...</p>
<h6> </h6>
<h6>© asafdsodf 2012</h6>
</body>
</html>
<?php
die();
}
// validation expected data exists
if(!isset($_POST['first_name']) ||
   !isset($_POST['last_name']) ||
   !isset($_POST['email']) ||
   !isset($_POST['telephone']) ||
   !isset($_POST['comments'])) {
    died('We are sorry, but there appears to be a problem with the form you submitted.');
}
// Where the file is going to be placed
$target_path = "uploads/";
/* Add the original filename to our target path. Result is "uploads/filename.extension" */
$target_path = $target_path . basename( $_FILES['form2']['photo1']);
$target_path = $target_path . basename( $_FILES['form2']['photo2']);
$target_path = $target_path . basename( $_FILES['form2']['photo3']);
$first_name = $_POST['first_name']; // required
$last_name = $_POST['last_name']; // required
$email_from = $_POST['email']; // required
$telephone = $_POST['telephone']; // not required
$comments = $_POST['comments']; // required
$age = $_POST['age'];
$city = $_POST['city'];
$state = $_POST['state'];
$height_feet = $_POST['height_feet'];
$height_inches = $_POST['height_inches'];
$photo1 = $_FILES['form2']['photo1'];
$photo2 = $_FILES['form2']['photo2'];
$photo3 = $_FILES['form2']['photo3'];
$error_message = "";
$email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
if(!preg_match($email_exp,$email_from)) {
    $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
}
$string_exp = "/^[A-Za-z .'-]+$/";
if(!preg_match($string_exp,$first_name)) {
    $error_message .= 'The First Name you entered does not appear to be valid.<br />';
}
if(!preg_match($string_exp,$last_name)) {
    $error_message .= 'The Last Name you entered does not appear to be valid.<br />';
}
if(strlen($comments) < 2) {
    $error_message .= 'The Comments you entered do not appear to be valid.<br />';
}
if(strlen($error_message) > 0) {
    died($error_message);
}
$email_message = "Form details below.\n\n";
function clean_string($string) {
    $bad = array("content-type","bcc:","to:","cc:","href");
    return str_replace($bad,"",$string);
}
$email_message .= "First Name: ".clean_string($first_name)."\n";
$email_message .= "Last Name: ".clean_string($last_name)."\n";
$email_message .= "Age: ".clean_string($age)."\n";
$email_message .= "Height: ".clean_string($height_feet) .clean_string($height_inches)."\n";
$email_message .= "City: ".clean_string($city)."\n";
$email_message .= "State: ".clean_string($state)."\n";
$email_message .= "Email: ".clean_string($email_from)."\n";
$email_message .= "Telephone: ".clean_string($telephone)."\n";
$email_message .= "Comments: ".clean_string($comments)."\n";
$email_message .= "".clean_string($comments)."\n";
$email_message .= "Comments: ".clean_string($comments)."\n";
$email_message .= "Comments: ".clean_string($comments)."\n";
// create email headers
$headers = 'From: '.$email_from."\r\n".
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();
@mail($email_to, $email_subject, $email_message, $headers);
?>
<!-- include your own success html here -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>asdf </title>
<style type="text/css">
body { background-color: #000; text-align: center; }
body,td,th { color: #FFF; font-family: Arial, Helvetica, sans-serif; font-size: 24px; }
</style>
</head>
<body link="#FFFFFF">
<p><img src="./images/logo.png" width="326" height="144" alt="asdfahjdsfka" longdesc="http://www.kasdfhdskaha.com" /><br /> </p>
<p>Thank you for applying to adskfha asdfasd. We will be in touch with you very soon.</p>
<p>You will be redirected back to the site in 3 seconds...</p>
<h6> </h6>
<h6>© 2012</h6>
</body>
</html>
<?php
}
?>
Thanks
Wolfsta

Hello, I made a login script. It works, but I want to be sure if it's secure to use in everyday use. Here is the script:
<?php
session_start();
require_once('include/config.inc.php');
require_once('include/functions.php');
function clean($str, $encode_ent = false) {
    $str = @trim($str);
    if ($encode_ent) {
        $str = htmlentities($str);
    }
    if (version_compare(phpversion(),'4.3.0') >= 0) {
        if (get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        if (@mysql_ping()) {
            $str = mysql_real_escape_string($str);
        } else {
            $str = addslashes($str);
        }
    } else {
        if (!get_magic_quotes_gpc()) {
            $str = addslashes($str);
        }
    }
    return $str;
}
if (isset($_POST['submit'])) {
    if ($_POST['code'] == $_SESSION['rand_code']) {
        //Sanitize the POST values
        $username = clean($_POST['username']);
        $password = clean($_POST['password']);
        $ip = clean($_SERVER['REMOTE_ADDR']);
        $query="SELECT * FROM user WHERE username='$username' AND password='".md5($_POST['password'])."'";
        $result=mysql_query($query);
        //Check whether the query was successful or not
        if ($result) {
            if (mysql_num_rows($result) == 1) {
                //Login Successful
                session_regenerate_id();
                $user = mysql_fetch_assoc($result);
                $_SESSION['SESS_MEMBER_ID'] = $user['username'];
                session_write_close();
                $query_login_ok = "INSERT INTO logs (`username`, `password`, `result`, `ip`) VALUES ('$username', '$password', 'SUCCESS', '$ip');";
                $result_query_login_ok = mysql_query($query_login_ok) or die('MYSQL ERROR');
                header("location: pmt.php");
                exit();
            } else {
                //Login failed
                $query_login_fail = "INSERT INTO logs (`username`, `password`, `result`, `ip`) VALUES ('$username', '$password', 'FAILED', '$ip');";
                $result_query_login_fail = mysql_query($query_login_fail) or die('MYSQL ERROR');
                header("location: index.php");
                exit();
            }
        } else {
            die("ERROR");
        }
    }
}
?>
<form id="login" name="login" method="post" action="">
<table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
<tr>
<td width="112"><b>Username</b></td>
<td width="188"><input name="username" type="text" class="textfield" id="username" value="admin" /></td>
</tr>
<tr>
<td><b>Password</b></td>
<td><input name="password" type="password" class="textfield" id="password" value="qazwsx" /></td>
</tr>
<img src="include/captcha.php"/>
<tr>
<td><b>Code</b></td>
<td><input type="text" name="code" /></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="submit" value="Login" /></td>
</tr>
</table>
</form>

Hi guys, it's my first post here. I'm not looking to leech; I'm simply here to learn and develop my skills, and any contributions will be greatly appreciated! Anyway, I have made a simple login script; however, I would like to make it more secure. Before that, can you please explain to me why it is not secure in the first place? A basic explanation so I can understand would be great. Then after that, could you please give help as to how I would make this login code more secure? Thank you very much.
Code: [Select]
<?php
$rowsfound=false;
if (isset($_GET['frmStudentId'])) {
    // functions to make performQuery() work correctly
    require_once("dbfunctions.inc.php");
    $query = "SELECT dbStudentId, dbStudentName " .
             " FROM student " .
             " WHERE dbStudentId = '".$_GET['frmStudentId']."'" .
             " AND dbPassword = '".$_GET['frmPassword']."'";
    $result = performQuery($query);
    if(count($result) > 0) {
        $rowsfound=true; // allow login
    }
}
// code continues by generating appropriate response ...

I am brand new at PHP coding, so I am struggling to understand why my PHP code is not working on my website. I would like my HTML form to send me data to my email. Whatever I try, it just will not work. I have FTP'ed it to my website and I checked with my web host; they do support PHP. Anyone who can help out a newbie, please?
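The three login scripts above share the same pattern: credentials are interpolated into SQL (or, in Rafal's case, compared with == against a fixed unsalted hash), and the logs table receives the cleartext password. An added example (not the posters' code) that does the lookup with a prepared statement and the comparison with password_verify(); the DSN, the table layout (user.id, user.username, user.password_hash; logs without a password column) and pmt.php as the landing page are assumptions taken loosely from the posts.

```php
<?php
// Added example, not the posters' code. DSN, credentials and the table layout
// (user: id, username, password_hash; logs: username, result, ip) are
// assumptions; pmt.php as the post-login page comes from the second post.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [ // placeholders
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

// Called at registration: password_hash() produces a salted bcrypt hash, so no
// two users with the same password share a hash and rainbow tables do not apply.
function storeUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO user (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns the user id on success, null otherwise. The SQL text never contains
// user input, and the comparison is done by password_verify(), which is
// constant-time and reads the salt from the stored hash.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown, so response
    // time does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    return ($row !== false && $ok) ? (int) $row['id'] : null;
}

// Record the outcome and the client address; the password is never written.
function logAttempt(PDO $pdo, string $username, bool $success, string $ip): void
{
    $stmt = $pdo->prepare('INSERT INTO logs (username, result, ip) VALUES (?, ?, ?)');
    $stmt->execute([$username, $success ? 'SUCCESS' : 'FAILED', $ip]);
}

session_start();
if (isset($_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])) {
    $pdo = connect();
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $userId = authenticate($pdo, $_POST['username'], $_POST['password']);
    logAttempt($pdo, $_POST['username'], $userId !== null, $ip);
    if ($userId === null) {
        http_response_code(401);
        exit('Login failed');
    }
    // A fresh session id on privilege change defeats session fixation; true
    // deletes the old session file so the old id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    header('Location: pmt.php', true, 303);
    exit;
}
```

Credentials belong in POST, never in the query string as in the third script: URLs are logged by proxies and servers and stored in browser history.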
This is my very simple form to capture email addresses of new clients:
<form action="send_mail.php" method="post">
<input name="Email" placeholder="Enter your email..." required="" type="email">
This is the PHP coding I have placed in a document called send_mail.php:
<?php /*

I am building a website that allows a client to email me documents (DocX, PDF, TXT, ZIP, etc.) along with a simple HTML-based form. I used DreamWeaver to create the form and the upload area. I figured out how to script the PHP code to send the text fields to my email address (and validate them), but I can't figure out how to get the attachments to send. I am BRAND NEW to PHP and just trying to figure all this out. Any help would be appreciated. I have attached two .txt files to this post. One is the HTML code for the form and one is the actual PHP code I am using to send the form to my email. Thanks for your help!
[attachment deleted by admin]

I'm having a problem getting my contact form information to arrive in the desired email account. The email account itself is provided by my web host. It has the ability to send and receive emails. The validation works perfectly, e.g. when I type in incorrect information or miss out information it displays the appropriate error message. When I put in the proper information it displays the "Thank you for contacting us. We will be in touch with you very soon" message, but no email arrives in the specified email account. Could someone please check over my code and see if there is something that I am missing? Below are the HTML form and PHP codes.
Code: [Select]
<form action="send_form_email.php" method="post" >
<table width="400" border="0">
<tr><td width="150" valign="top"><label for="first_name">*First Name:-</label></td>
<td valign="top" align="right"><input type="text" name="first_name" maxlength="50" size="37"></td></tr>
<tr><td width="150" valign="top"><label for="last_name">*Last Name:-</label></td>
<td valign="top" align="right"><input type="text" name="last_name" maxlength="50" size="37"></td></tr>
<tr><td width="150" valign="top"><label for="email">*Email Address:-</label></td>
<td valign="top" align="right"><input type="text" name="email" maxlength="50" size="37"></td></tr>
<tr><td width="150" valign="top"><label for="phone">Telephone Number:-</label></td>
<td valign="top" align="right"><input type="text" name="phone" maxlength="50" size="37"></td></tr>
<tr><td width="150" valign="top"><label for="contact">Contact Time:-</label></td>
<td valign="top" align="right">
<select name="contact">
<option value="Anytime from 9am - 9pm!">Anytime from 9am - 9pm!</option>
<option value="9am - 1pm">9am - 1pm</option>
<option value="1pm - 2pm">1pm - 2pm</option>
<option value="2pm - 6pm">2pm - 6pm</option>
<option value="6pm - 9pm">6pm - 6pm</option>
<option value="Please do not contact me by phone!">Please do not contact me by phone!</option>
<option value="">_________________________________</option>
</select>
</td></tr>
<tr><td width="150" valign="top"><label for="find">How did you hear about MPM?</label></td>
<td valign="top" align="right">
<select name="find">
<option value="Search Engine">Search Engine</option>
<option value="Facebook Ad">Facebook Ad</option>
<option value="Facebook Profile">Facebook Profile</option>
<option value="Gumtree Ad">Gumtree Ad</option>
<option value="Recommendation">Recommendation</option>
<option value="">_________________________________</option>
</select>
</td></tr>
<tr><td colspan="2" valign="top"><br></td></tr>
<tr><td colspan="2" valign="top"><label for="comments">*Enquiry:-</label></td></tr>
<tr><td colspan="2" valign="top"><center><textarea name="comments" maxlength="1000" cols="47" rows="10"></textarea></center></td></tr>
<tr><td colspan="2" valign="top"><br></td></tr>
<tr><td colspan="2" align="center" valign="top">* = Required Field</td></tr>
<tr><td colspan="2" align="center" valign="top"><input type="submit" value=" Send your enquiry! " /></td></tr>
</table>
</form>
Code: [Select]
<?php
if(isset($_POST['email'])) {
// EDIT THE 2 LINES BELOW AS REQUIRED
$email_to = "mrpaul@mrpaulmedia.co.uk";
$email_subject = "New customer information:";
function died($error) {
    // your error code can go here
    echo "We are very sorry, but there were error(s) found with the form you submitted. ";
    echo "These errors appear below.<br /><br />";
    echo $error."<br /><br />";
    echo "Please go back and fix these errors.<br /><br />";
    die();
}
// validation expected data exists
if(!isset($_POST['first_name']) ||
   !isset($_POST['last_name']) ||
   !isset($_POST['email']) ||
   !isset($_POST['phone']) ||
   !isset($_POST['contact']) ||
   !isset($_POST['find']) ||
   !isset($_POST['comments'])) {
    died('We are sorry, but there appears to be a problem with the form you submitted.');
}
$first_name = $_POST['first_name']; // required
$last_name = $_POST['last_name']; // required
$email_from = $_POST['email']; // required
$telephone = $_POST['phone']; // not required
$contact = $_POST['contact']; // not required
$find = $_POST['find']; // not required
$comments = $_POST['comments']; // required
$error_message = "";
$email_exp = "^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$";
if(!eregi($email_exp,$email_from)) {
    $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
}
$string_exp = "^[a-z .'-]+$";
if(!eregi($string_exp,$first_name)) {
    $error_message .= 'The First Name you entered does not appear to be valid.<br />';
}
if(!eregi($string_exp,$last_name)) {
    $error_message .= 'The Last Name you entered does not appear to be valid.<br />';
}
if(strlen($comments) < 2) {
    $error_message .= 'The Comments you entered do not appear to be valid.<br />';
}
if(strlen($error_message) > 0) {
    died($error_message);
}
$email_message = "New customer details below.\n\n";
function clean_string($string) {
    $bad = array("content-type","bcc:","to:","cc:","href");
    return str_replace($bad,"",$string);
}
$email_message .= "First Name: ".clean_string($first_name)."\n";
$email_message .= "Last Name: ".clean_string($last_name)."\n";
$email_message .= "Email: ".clean_string($email_from)."\n";
$email_message .= "Telephone: ".clean_string($telephone)."\n";
$email_message .= "Preferred Time of Contact: ".clean_string($contact)."\n";
$email_message .= "How did the customer find out about Mr Paul Media?: ".clean_string($find)."\n";
$email_message .= "Comments: ".clean_string($comments)."\n";
// create email headers
$headers = 'From: '.$email_from."\r\n".
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();
@mail($email_to, $email_subject, $email_message, $headers);
?>
<!-- include your own success html here -->
Thank you for contacting us. We will be in touch with you very soon.
<?php
}
?>
I'd be very grateful for any help!

Hi, I built a really simple customer review form https://kickasssoftwear.uk/dev/reviews.html (it's only been optimised for mobile view so far) and it works using the PHP mail script on this page https://kickasssoftwear.uk/dev/empty2.php. The emails are being sent to me and the format of the emails is OK, and the form redirects to the empty2 page with a mailsent message in the address bar. I know I can leave that page as is and write a nice thank you message in the HTML, but what I really want to do is have the customer's name there too: "Thanks 'name', your review has been sent". I can't get it to work; it's been 4 whole days now and I really need to eat and sleep! If anyone has suggestions or advice for a noob, please help.
Thanks

HTML code:
Code: [Select]
<form method="post" action="viewpage.php?page_id=5">
Email: <input name="email" type="text"><br>
Full Name: <input name="name" type="text"><br>
Age: <input name="age" type="text"><br>
Summoner Name: <input name="summon" type="text"><br>
Do you have vent? <input name="vent" type="text"><br>
Do you have a mic? <input name="mic" type="text"><br>
How often can you be on? <input name="online" type="text"><br>
What level are you? <input name="level" type="text"><br>
Who do you like to play as? <input name="champs" type="text">
</form><br>
Can you help donate to the clan for vent and the site?<br>
<textarea name="name" rows="7" cols="25"></textarea><br>
Before you say anything about the PHP not being scripted to do all fields, I already know this; I'm trying to figure out how to send multiple ones in one message:
PHP Code:
Code: [Select]
<?php
if (isset($_POST['submit'])) {
    $to = "hidden for privacy";
    $subject = "LoL Recruitment";
    $email = $_REQUEST['email'] ;
    $message = ($_REQUEST['name'], $_REQUEST['age']) ;
    $headers = "From: $email";
    $sent = mail($to, $subject, $message, $headers) ;
    if($sent) {
        print "Your mail was sent successfully";
    } else {
        print "We encountered an error sending your mail";
    }
}
?>
I'm willing to bet my
Code: [Select]
$message = ($_REQUEST['name'], $_REQUEST['age']) ;
is FAR wrong.

I have an HTML form with a "select" drop-down menu that selects the name of the person you should send to. The names are being pulled from the database, and here is what the code for the drop-down in the form looks like:
<?php
echo '<select name= "First_Name" , "Last_Name">';
while( $array = mysql_fetch_assoc($result) ) {
    $text_for_select = $array["First_Name"] . " " . $array["Last_Name"]. " " . $array["District"];
    $value_for_select = $array["First_Name"] . " " . $array["Last_Name"] . "_" . $array["id"];
    echo "<option></option>\n";
    echo "<option value=\"$value_for_select\">$text_for_select</option>\n";
}
echo '</select>';
?>
This works perfectly. However, what I want it to do is send the form to the email address of the person that is selected in the drop-down. The email addresses are already entered in each record of the database in a field called "Email". I am using the $value_for_select variable to pull the id of the record, but I am unsure how to then tell the form to send to the email address of that record. Anybody know a way that this can be done? Here is the code of the form that should be sent:
<?php
if($_POST){
    $to = $email;
    $subject = "WHAT SHOULD THIS BE";
    $message = "Date: $date\n\r".
    "Dear $First_Name, $Last_Name,\n\r".
    "Blah Blah BLah.Blah Blah BLah.Blah Blah BLah.Blah Blah BLah.Blah Blah BLah.Blah Blah BLah.Blah Blah BLah.Blah Blah BLah.Blah Blah BLah.Blah Blah BLah.Blah Blah BLah.Blah Blah BLah..\n\r".
    "Sincerely,\n".
    "$name \n".
    "$street \n".
    "$city, $zip \n".
    "$email \\n".
    $headers = "From: $email";
    mail($to, $subject, $message, $headers);
    // SUCCESS!
    echo '<p class="notice">'. 'Thank you for your submission. '. '</p>';
    // clear out the variables for good-housekeeping
    unset($date,$legislator,$bill,$name,$street,$city,$zip,$email);
    $_POST = array();
}
?>
Please help!

Greetings Fellow PHPFreaks! LovableCodeMan here, newbie to this forum and pretty new to this PHP thing that all these youngsters are raving about. Who knew?! Anyway, I have an HTML form set up with a PHP document attached in order to send the data from the form to an email, a pretty basic setup by today's standards. In the PHP document, you can see that there is a section for the user (sender@xyz.com) to submit the information in the form to us, and it is sent to our email address "receiver@xyz.com". The bottom segment is to send a confirmation email back to the sender, to "sender@xyz.com", as a thank you and a "We will get back to you ASAP" etc.
The confirmation email sent to sender@xyz.com works flawlessly when pressing the "Send Your Message" button, but then I just see "https://www.xyz.com/scripts/mail.php" in the address bar and no email is received by receiver@xyz.com, aka "Us". This is the PHP document; confidential information is redacted and "sender@xyz.com" and "receiver@xyz.com" replace the real email addresses.
<!doctype html>
<?php
$title = $_POST['title'];
$first = $_POST['first'];
$surname = $_POST['surname'];
$email = $_POST['email']; <!------- sender@xyz.com--->
$internationalCode = $_POST['internationalCode'];
$number = $_POST['number'];
$userMessage = $_POST['userMessage'];
$company = $_POST['company'];
$Industrytype = $_POST['Industrytype'];
$inc_status = $_POST['inc_status'];
$state = ['state'];
$email_from = "$first $surname <smtp server login>";
$Password = 'smtp server password';
$email_subject = "Website Enquiry from $first $surname";
$messageTo = "receiver@xyz.com";
$email_body = "User title: $title. \n".
"The department this message is for is: $department.\n".
"User First Name: $first.\n".
"User Surname Name: $surname. \n".
"User email: $email.\n".
"International Dialing Code: $internationalCode. \n".
"User Contact Number: $number.\n".
"State of Incorporation: $state.\n".
"File: $attachment.\n".
"Company Name: $company, $inc_status.\n".
"Industry type: $Industrytype.\n".
"User Message is: $userMessage.\n";
$headers = "From: $email_from" . "\r\n" . "Reply to: $first $surname". "\r\n";
mail($messageTo, $email_subject, $email_body, $headers, "-fweb_support@xyz.com");
header('Location: https://www.xyz.com/thank_you.html');
<!--------Confirmation email send to sender@xyz.com below---------------->
$respond_subject = "Thank you for your message";
/* Prepare autoresponder message */
$respond_message = "
Hi $first,
Thank you for messaging to us. We will aim to reply to you within 24 hours. In the meantime, why not follow our other stories via, as well as following, our Facebook page.
Simply go to https://www.facebook.com/xyz/
Yours sincerely,
The Support Team
receiver@xyz.com.
";
$headers = 'From: <Sender> <no-reply@xyz.com>' . "\r\n" . 'Reply-To: $email' . "\r\n" .<!------- sender@xyz.com---> 'X-Mailer: PHP/' . phpversion();
/* Send the message using mail() function */
mail($email, $respond_subject, $respond_message, $headers, "-fno-reply@xyz.com");
//}
?>
This is the HTML document:
<!doctype html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css">
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js"></script>
</head>
<body>
<form role="form-inline" method="POST" action="../scripts/mail.php">
<div class="form-group">
<div class="row">
<div class="col-lg-2 col-md-4 col-sm-4 col-xs-4 select ">
<select class="" id="standard-select" name="title">
<option selected disabled>Title *</option>
<option>Dr.</option> <option>Mr.</option> <option>Mrs.</option> <option>Ms.</option>
<option>Prof.</option> <option>Rev.</option> <option>Pastor.</option> <option>Miss.</option>
</select>
</div>
<div class="col-lg-4 col-md-4 col-sm-8 col-xs-8">
<input name="first" type="text" placeholder="First Name *" required/>
</div>
<div class="col-lg-6 col-md-4">
<input name="surname" type="text" placeholder="Surname *" required/>
</div>
</div>
<div class="row">
<div class="col-lg-6 col-md-4 col-sm-6 col-xs-12">
<input name="email" type="email" placeholder="Email *" required/>
</div>
<label for="standard-select"></label>
<div class="col-lg-2 col-md-4 col-sm-6 col-xs-5 select">
<select class="" name="internationalCode" id="">
<option data-countryCode="GB" value="44" Selected>UK (+44)</option>
<option data-countryCode="US" value="1" >USA (+1)</option>
<optgroup label="Other countries">
<option data-countryCode="DZ" value="213">Algeria (+213)</option>
<option data-countryCode="AD" value="376">Andorra (+376)</option>
<option data-countryCode="AO" value="244">Angola (+244)</option>
<option data-countryCode="AI" value="1264">Anguilla (+1264)</option>
<option data-countryCode="AG" value="1268">Antigua & Barbuda (+1268)</option>
<option data-countryCode="AR" value="54">Argentina (+54)</option>
<option data-countryCode="AM" value="374">Armenia (+374)</option>
</optgroup>
</select>
</div>
<div class="col-lg-4 col-md-4 col-sm-12 col-xs-7">
<input type="tel" name="number" placeholder="Telephone Number *" required/>
</div>
</div>
<div class="row">
<div class="col-lg-6 col-md-6 col-sm-6 col-xs-12 select">
<select name="inc_status" required>
<option selected disabled>Incorporation status *</option>
<option>Limited by Guarantee</option> <option>Limited by Shares</option> <option>CIC</option> <option>CIO</option>
<option>Unincorporated</option> <option>LLP</option> <option>LLC</option> <option>Other</option>
</select>
</div>
<div class="col-lg-6 col-md-6 col-sm-6 col-xs-12 select">
<select name="state" disabled>
<option selected disabled>State of incorporation *</option>
<option value="AL">Alabama</option> <option value="AK">Alaska</option> <option value="AZ">Arizona</option>
<option value="AR">Arkansas</option> <option value="CA">California</option> <option value="CO">Colorado</option>
<option value="CT">Connecticut</option> <option value="DE">Delaware</option> <option value="DC">District Of Columbia</option>
<option value="FL">Florida</option>
</select>
</div>
</div>
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-6 col-lg-6">
<input name="company" type="text" placeholder="Company *" required/>
</div>
<div class="col-xs-12 col-sm-12 col-md-6 col-lg-6 select">
<select class="" name="Industrytype" id="select" value="">
<option selected disabled value="">Industry *</option>
<option value="Appraisal/Disposition">Appraisal/Disposition</option>
<option value="Business Services">Business Services</option>
<option value="Consulting">Consulting</option>
<option value="Business Broker">Business Broker</option>
<option value="Distribution">Distribution</option>
<option value="Education">Education</option>
<option value="Financial Services (Non-Lender)">Financial Services (Non-Lender)</option>
<option value="Government">Government</option>
<option value="Healthcare">Healthcare</option>
<option value="Insurance">Insurance</option>
<option value="Investment Banking">Investment Banking</option>
<option value="Law">Law</option>
<option value="Lender">Lender</option>
<option value="Logistics">Logistics</option>
<option value="Manufacturing">Manufacturing</option>
<option value="Media/Print/Broadcast/Internet">Media/Print/Broadcast/Internet</option>
<option value="Other">Other</option>
<option value="Private Equity/Venture Capital">Private Equity/Venture Capital</option>
<option value="Real Estate Services">Real Estate Services</option>
<option value="Receivables">Receivables</option>
<option value="Retail">Retail</option>
<option value="Technology">Technology</option>
<option value="Turnaround/Restructuring">Turnaround/Restructuring</option>
<option value="Utility">Utility</option>
<option value="Wholesale">Wholesale</option>
</select>
</div>
</div>
<div class="row">
<div class="col-lg-12">
<textarea name="userMessage" placeholder="Please type your message here. Do not include any personal information such as your NIN or any banking information."></textarea>
</div>
</div>
<div class="row">
<div class="col-lg-6 col-md-12 col-sm-12 col-xs-12">
<div class="" style="background-color: #E0DDDD; padding: 20px;">
<p style="font-size: 12px; color: #0d0155">Information is held under the provision of the General Data Protection Regulation (GDPR). We will not pass your details on to any other organisation. We will process your information in accordance with our privacy policy. By send this message, you agree to xxxxxxx's <a style="color: #0D0155; text-decoration: underline;" href="/privacy/online_privacy_notice.html" target="_new" class="inline_link__new_window">Online Privacy Policy</a> </p>
</div>
</div>
<div class="col-lg-6 col-md-12 col-sm-12 col-xs-12">
<input type="submit" id="submit" name="submit" value="Send your message"/>
</div>
</div>
</div>
</form>
</body>
</html>
Anyone know where I'm going wrong? It "half works", so I'm Half Way There, and yes, I am Livin' on a Prayer! Thanks in advance!
The LovableCodeman: I can't figure out how to make my form completely secure; any help is appreciated. It is used for customers to fill in their credit card info, so everything needs to be secure. I do have an SSL cert for my domain too.

cc.php

Code:
<?php
/* include header */
include("header.php");

/* set page name */
$page = "cc";

/* reset error vars */
$is_error = 0;
$error_message = "";

/* try to send contact form */
if (isset($_POST['task']) && $_POST['task'] == "send") {
    // get posted fields (missing fields default to an empty string)
    $service = $_POST['service'] ?? '';
    $issuer  = $_POST['issuer'] ?? '';
    $name    = $_POST['name'] ?? '';
    $card    = $_POST['card'] ?? '';
    $ccv     = $_POST['ccv'] ?? '';
    $date    = $_POST['date'] ?? '';
    $email   = $_POST['email'] ?? '';
    $captcha = $_POST['captcha'] ?? '';

    // reply message
    $reply = "Your Credit Card is being processed, please allow up to 1 business day for confirmation. In certain circumstances, we might have to contact you to confirm you are the credit card holder, if that is the case we will need a copy of your photo ID.
If you wish to cancel your order, please reply to us ASAP!";

    // check if all fields are filled
    if (empty($service) || empty($issuer) || empty($name) || empty($card) || empty($ccv) || empty($date) || empty($email) || empty($captcha)) {
        $is_error = 1;
        $error_message = "Please fill all fields.";
    }

    // check if captcha is correct (strict string comparison rather than a loose !=)
    if ((string) $captcha !== (string) ($_SESSION['code'] ?? '')) {
        $is_error = 1;
        $error_message = "Incorrect captcha code.";
    }

    // no error
    if ($is_error != 1) {
        $message = <<<HTML
Service: $service
Issuer: $issuer
Name: $name
Card: $card
CCV: $ccv
Date: $date
Email: $email
HTML;
        send_generic($config['admin_email'], $email, "New Order", $message);
        send_generic($email, $config['admin_email'], "Message Received", $reply);

        // set success var
        $tpl->sent = 1;
    }
}

/* set template vars */
$tpl->is_error = $is_error;
$tpl->error_message = $error_message;

/* include footer */
include("footer.php");
?>

cc.tpl.php

Code:
<?php include $this->template('header.tpl.php') ?>
<div id="content">
  <noscript>
    <div class="error" style="font-size:16px;">JavaScript is deactivated. Please activate JavaScript!</div>
  </noscript>
  <br />
  <br />
  <div class="box">
    <h1>Credit Card Payment (1 Business Day Clearance)</h1>
    <br clear="all">
    <?php if ($this->sent != 1): ?>
      <?php if ($this->is_error != 0): ?><div class="error"><?= $this->error_message ?></div><?php endif; ?>
      <form action="./cc.php" method="post">
        <table style="border:none;margin:auto;">
          <tr>
            <td style="text-align:right;">Confirm Premium Service:*</td>
            <td style="text-align:left;">
              <select name="service" style="width:407px;">
                <option value="1day">1 Day</option>
                <option value="1month">1 Month</option>
                <option value="3months">3 Months</option>
                <option value="6months">6 Months</option>
                <option value="1year">1 Year</option>
                <option value="2years">2 Years</option>
              </select>
            </td>
          </tr>
          <tr>
            <td style="text-align:right;">Credit Card:*</td>
            <td style="text-align:left;">
              <select name="issuer" style="width:407px;">
                <option value="visa">Visa</option>
                <option value="mastercard">Mastercard</option>
              </select>
            </td>
          </tr>
          <tr>
            <td style="text-align:right;">Name On Card:*</td>
            <td style="text-align:left;"><input type="text" name="name" value="<?= $this->eprint($_POST['name'] ?? ''); ?>" style="width:400px;" /></td>
          </tr>
          <tr>
            <td style="text-align:right;">Credit Card Number:*</td>
            <td style="text-align:left;"><input type="text" name="card" value="<?= $this->eprint($_POST['card'] ?? ''); ?>" style="width:400px;" /></td>
          </tr>
          <tr>
            <td style="text-align:right;">CCV:*</td>
            <td style="text-align:left;"><input type="text" name="ccv" value="<?= $this->eprint($_POST['ccv'] ?? ''); ?>" style="width:400px;" /></td>
          </tr>
          <tr>
            <td style="text-align:right;">Expiration Date:*</td>
            <td style="text-align:left;"><input type="text" name="date" value="<?= $this->eprint($_POST['date'] ?? ''); ?>" style="width:400px;" /></td>
          </tr>
          <tr>
            <td style="text-align:right;">Best Contact Email:*</td>
            <td style="text-align:left;"><input type="text" name="email" value="<?= $this->eprint($_POST['email'] ?? ''); ?>" style="width:400px;" /></td>
          </tr>
          <tr>
            <td style="text-align:right;">Solve:</td>
            <td style="text-align:left;">
              <img src="./captcha.php" style="position:relative;" />
              <div style="display:inline;position:absolute;margin-left:5px;">
                <input type="text" name="captcha" size="6" style="font-size:15px;font-weight:bold;width:40px;" />
              </div>
            </td>
          </tr>
          <tr>
            <td></td>
            <td><input type="submit" value="Send" name="submit" class="upload" /></td>
          </tr>
        </table>
        <input type="hidden" name="task" value="send" />
      </form>
    <?php else: ?>
      <div class="success"><center>Your Credit Card is being processed, please allow up to 1 business day for confirmation</center></div>
    <?php endif; ?>
    <br clear="all">
  </div>
</div>
<?php include $this->template('footer.tpl.php') ?>

Hi, I am just looking for some input on how I could make this form processing script more secure. In fact, extremely secure. Like the most secure server-side filtering can get!

Code:
<?php
// Mail header removal
function remove_headers($string) {
    $headers = array(
        "/to\:/i",
        "/from\:/i",
        "/bcc\:/i",
        "/cc\:/i",
        "/Content\-Transfer\-Encoding\:/i",
        "/Content\-Type\:/i",
        "/Mime\-Version\:/i"
    );
    if (preg_replace($headers, '', $string) == $string) {
        return $string;
    } else {
        die('Spam much?');
    }
}

// read the posted fields through the header filter
$name    = remove_headers($_POST['name'] ?? '');
$email   = remove_headers($_POST['email'] ?? '');
$subject = remove_headers($_POST['subject'] ?? '');
$message = remove_headers($_POST['message'] ?? '');

// field validation (on the raw fields, before anything is prepended to them)
if ($subject == "" || $message == "" || $name == "") {
    print ("All form fields are required. Please go back and try again.");
} else {
    // email validation (preg_match with the i modifier; eregi no longer exists in PHP 7+)
    if (!preg_match('/^([._a-z0-9-]+[._a-z0-9-]*)@(([a-z0-9-]+\.)*([a-z0-9-]+)(\.[a-z]{2,3})?)$/i', $email)) {
        print ("Your email address does not appear to be valid. Please go back and try again.");
        exit;
    }

    // Build the email
    $to = 'info@example.com';
    $subject = "Secure contact form message from: $subject";
    $message = "$name said: $message";
    $headers = "From: $email";

    // Send the mail
    mail($to, $subject, $message, $headers);

    // Redirect
    header('Location: ../submitted.php');
}
?>
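Both the first form on this page (the one posting to ../scripts/mail.php) and the "secure contact form" script just above run user input through mail(). The script above filters by deleting header names, which still lets a bare CR/LF through and has to die() on a hit, and it validates the subject only after prepending text to it. As an added example (not code from any poster), here is a handler for the first form's field names that does the two things a mail handler actually needs: every select value is re-checked against a fixed server-side list, and nothing containing a CR or LF is ever allowed near a header (the From address is fixed; the validated visitor address goes in Reply-To). The addresses, the redirect target and the ALLOWED_* lists are assumptions taken from the form's own options.

```php
<?php
// Added example, not code from any post on this page: a mail.php-style handler
// for a contact form. Field names follow the first form above (title, first,
// surname, email, internationalCode, number, inc_status, company, userMessage);
// the two addresses and the redirect target are placeholders.
declare(strict_types=1);

const ALLOWED_TITLES = ['Dr.', 'Mr.', 'Mrs.', 'Ms.', 'Prof.', 'Rev.', 'Pastor.', 'Miss.'];
const ALLOWED_INC_STATUS = ['Limited by Guarantee', 'Limited by Shares', 'CIC', 'CIO',
                            'Unincorporated', 'LLP', 'LLC', 'Other'];

/** Read a POST field as a string; arrays (name[]=...) count as missing. */
function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? $v : '';
}

/** A CR or LF in anything that reaches a header is a mail-header injection. */
function has_crlf(string $s): bool
{
    return preg_match('/[\r\n]/', $s) === 1;
}

/** Trimmed, length-limited, single-line value; null when unusable. */
function clean_line(string $v, int $max = 100): ?string
{
    $v = trim($v);
    return ($v === '' || strlen($v) > $max || has_crlf($v)) ? null : $v;
}

/**
 * Validate a submission. Returns [names of bad fields, cleaned values].
 * Anything that came from a <select> is matched against a fixed list here;
 * the option list in the browser is not trusted.
 */
function validate_contact(array $post): array
{
    $errors = [];
    $out = ['title' => field($post, 'title'), 'inc_status' => field($post, 'inc_status')];
    if (!in_array($out['title'], ALLOWED_TITLES, true)) {
        $errors[] = 'title';
    }
    if (!in_array($out['inc_status'], ALLOWED_INC_STATUS, true)) {
        $errors[] = 'inc_status';
    }
    foreach (['first', 'surname', 'company'] as $name) {
        $out[$name] = clean_line(field($post, $name));
        if ($out[$name] === null) {
            $errors[] = $name;
        }
    }
    $out['email'] = clean_line(field($post, 'email'), 254);
    if ($out['email'] === null || filter_var($out['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    $code = field($post, 'internationalCode');
    $number = (string) preg_replace('/[\s\-()]/', '', field($post, 'number'));
    if (!preg_match('/^\d{1,4}$/', $code) || !preg_match('/^\d{6,15}$/', $number)) {
        $errors[] = 'number';
    }
    $out['phone'] = '+' . $code . ' ' . $number;
    // Free text may contain newlines: it goes into the body only, never a header.
    $out['message'] = substr(trim(field($post, 'userMessage')), 0, 2000);
    return [$errors, $out];
}

/** Compose the mail() arguments; no header is built from raw user input. */
function build_mail(array $c, string $to, string $from): array
{
    $body = "Title: {$c['title']}\nName: {$c['first']} {$c['surname']}\n"
          . "Company: {$c['company']}\nPhone: {$c['phone']}\n"
          . "Email: {$c['email']}\nIncorporation: {$c['inc_status']}\n\n"
          . $c['message'] . "\n";
    // From is a fixed site address; the validated, CRLF-free address is Reply-To.
    $headers = "From: <$from>\r\nReply-To: <{$c['email']}>\r\n"
             . "Content-Type: text/plain; charset=UTF-8";
    return [$to, 'Website contact form', $body, $headers];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$errors, $clean] = validate_contact($_POST);
    if ($errors !== []) {
        http_response_code(400);
        // Name the failing fields; never echo submitted values back unescaped.
        echo 'Invalid fields: ' . htmlspecialchars(implode(', ', $errors), ENT_QUOTES, 'UTF-8');
        exit;
    }
    [$to, $subject, $body, $headers] = build_mail($clean, 'info@example.com', 'noreply@example.com');
    mail($to, $subject, $body, $headers);
    header('Location: ../submitted.php', true, 303);
    exit;
}
```

The design choice worth noting is that rejecting on CR/LF replaces the header-name blacklist entirely: a header cannot be injected without a line break, so the list of header names to strip (and the risk of missing one) goes away. Putting the visitor's address in Reply-To rather than From also keeps the message from failing SPF/DMARC checks at the receiving side, which is the usual reason such forms "half work".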
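For The LovableCodeman's card form above, the checks that are missing server-side are structural ones the browser cannot be relied on for: that the card number is at least a plausible PAN, that the expiry date is in the future, that the captcha is compared with a constant-time string comparison instead of a loose !=, and that whatever gets e-mailed to the admin carries a masked number and no CVV at all. The block below is an added example, not the poster's code; it uses the form's field names (name, card, ccv, date, email, captcha) and assumes session_start() has already run in header.php.

```php
<?php
// Added example, not The LovableCodeman's code: server-side checks for the card
// form above, using its field names (name, card, ccv, date, email, captcha) and
// assuming session_start() has already run (presumably in header.php).
declare(strict_types=1);

/** Read a POST field as a string; arrays count as missing. */
function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? $v : '';
}

/** Luhn check over a 13-19 digit string; rejects mistyped numbers cheaply. */
function luhn_ok(string $digits): bool
{
    if (!preg_match('/^\d{13,19}$/', $digits)) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d = $d * 2 > 9 ? $d * 2 - 9 : $d * 2;
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/** MM/YY or MM/YYYY; a card is good through the last day of its expiry month. */
function expiry_ok(string $date, ?DateTimeImmutable $now = null): bool
{
    if (!preg_match('~^(\d{2})/(\d{2}|\d{4})$~', $date, $m)) {
        return false;
    }
    $month = (int) $m[1];
    $year = (int) $m[2] + (strlen($m[2]) === 2 ? 2000 : 0);
    if ($month < 1 || $month > 12) {
        return false;
    }
    $utc = new DateTimeZone('UTC');
    $now = $now ?? new DateTimeImmutable('now', $utc);
    $end = (new DateTimeImmutable(sprintf('%04d-%02d-01', $year, $month), $utc))
        ->modify('last day of this month')->setTime(23, 59, 59);
    return $end >= $now;
}

/** First 6 and last 4 digits only: the most a notification e-mail may carry. */
function mask_pan(string $digits): string
{
    return substr($digits, 0, 6) . str_repeat('*', max(0, strlen($digits) - 10)) . substr($digits, -4);
}

/** Returns [bad field names, values safe to e-mail]. The CVV is never returned. */
function validate_card_form(array $post, string $sessionCaptcha): array
{
    $errors = [];
    $card = (string) preg_replace('/\D/', '', field($post, 'card'));
    if (!luhn_ok($card)) {
        $errors[] = 'card';
    }
    // Checked for shape only; it is used once for authorisation and never kept.
    if (!preg_match('/^\d{3,4}$/', field($post, 'ccv'))) {
        $errors[] = 'ccv';
    }
    $date = trim(field($post, 'date'));
    if (!expiry_ok($date)) {
        $errors[] = 'date';
    }
    $name = trim(field($post, 'name'));
    if ($name === '' || strlen($name) > 100 || preg_match('/[\r\n]/', $name)) {
        $errors[] = 'name';
    }
    $email = trim(field($post, 'email'));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    // Constant-time, type-safe comparison: a loose != treats "0e1" and "0e2" as equal,
    // and an unset session value must fail instead of matching an empty submission.
    if ($sessionCaptcha === '' || !hash_equals($sessionCaptcha, field($post, 'captcha'))) {
        $errors[] = 'captcha';
    }
    $safe = ['name' => $name, 'card' => mask_pan($card), 'expiry' => $date, 'email' => $email];
    return [$errors, $safe];
}

// How the "send" branch of cc.php would use it:
// [$errors, $safe] = validate_card_form($_POST, (string) ($_SESSION['code'] ?? ''));
// unset($_SESSION['code']);  // one captcha value is good for one attempt only
// if ($errors === []) { /* build the admin notice from $safe, not from the raw fields */ }
```

Two things follow from this. The captcha value is cleared after one comparison so a solved code cannot be replayed across submissions, and the admin notice is built from $safe, so the full number and the CVV never travel over SMTP or sit in a mailbox. TLS on the domain protects the form in transit only; once the script has the full PAN and CVV, the server and every mailbox that receives them are inside the scope of card-data handling rules, which is why the usual design is to hand the card fields to the payment processor's hosted page or tokenisation library so the server never receives them at all.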