codernoob

New Members
  • Posts

    7
  • Joined

  • Last visited

codernoob's Achievements

Newbie

Newbie (1/5)

0

Reputation

  1. It's OK. I fixed it myself, thanks. If anyone wants a form script, just let me know. Thanks!
  2. Can someone confirm whether this is correct? Many thanks!
  3. OK, I did some looking around and made some modifications. Can you check and let me know if my sanitization is good enough for the back-end PHP?

     ```php
     <?php
     // Read the posted fields (empty string if a field is missing, to avoid notices)
     $title   = isset($_POST['title'])   ? $_POST['title']   : '';
     $name    = isset($_POST['name'])    ? $_POST['name']    : '';
     $email   = isset($_POST['email'])   ? $_POST['email']   : '';
     $phone   = isset($_POST['phone'])   ? $_POST['phone']   : '';
     $message = isset($_POST['message']) ? $_POST['message'] : '';
     $recipient = "queries@xyz.com";
     $subject   = "contact";

     function is_valid_email($email) {
         // The hyphen is escaped so that "+-/" is not read as a character range
         return preg_match('#^[a-z0-9.!\#$%&\'*+\-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#i', $email);
     }

     function contains_bad_str($str_to_test) {
         // Header names that would let a submitter add extra mail headers
         $bad_strings = array(
             "content-type:",
             "mime-version:",
             "multipart/mixed",
             "content-transfer-encoding:",
             "bcc:",
             "cc:",
             "to:"
         );
         foreach ($bad_strings as $bad_string) {
             // stripos() is case-insensitive and replaces eregi(), which was removed in PHP 7
             if (stripos($str_to_test, $bad_string) !== false) {
                 echo "$bad_string found. Suspected injection attempt - mail not being sent.";
                 exit;
             }
         }
     }

     function contains_newlines($str_to_test) {
         // Raw or URL-encoded line breaks are what make header injection possible.
         // The submitted value is not echoed back, so the error page cannot reflect it.
         if (preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
             echo "newline found in a submitted field. Suspected injection attempt - mail not being sent.";
             exit;
         }
     }

     if ($_SERVER['REQUEST_METHOD'] != "POST") {
         echo "Unauthorized attempt to access page.";
         exit;
     }
     if (!is_valid_email($email)) {
         echo 'Invalid email submitted - mail not being sent.';
         exit;
     }
     contains_bad_str($email);
     contains_bad_str($name);
     contains_bad_str($phone);
     contains_bad_str($message);
     contains_newlines($email);
     contains_newlines($subject);

     $formcontent = " From: \n $title $name \n Email: $email \n Phone: $phone \n Message: $message";
     $mailheader  = "From: $email \r\n";
     mail($recipient, $subject, $formcontent, $mailheader);
     if (isset($_POST['email'])) {
         header("Location: thanks.html");
         exit; // stop the script after the redirect
     }
     ?>
     ```
  4. Thanks again. Actually I have both 1 and 2. The front-end HTML is fine and I have added JS validation to it - which I know is not foolproof. But that's fine if I have part two right. Part 2 is where I'm having the problem. The PHP code I posted is my back-end processor, but I haven't been able to set it up right to sanitize my data. Do you think adding this will work: `filter_var($value, FILTER_SANITIZE_NUMBER_INT);` on all my inputs in my PHP form? Sorry, maybe I'm doing it all wrong and getting your inputs wrong!
  5. Thanks Andy, I actually have the PHP form processor in a separate file which is called by the form action. There is a separate JS script that does the check and throws errors (hopefully 99% of users have JS enabled). Honestly I'm a tad unsure about using a PHP form within an HTML page (one reason I am using JS to do the client-side validation) - you can check it working here: http://quadimensionevents.com/contacts.html So using your logic, is it fair to say that the edited form below would work?

     ```php
     <?php
     // Encode each field only when it was submitted (htmlentities() applied to isset()'s
     // boolean result would encode "1" or "" rather than the field value)
     $name    = isset($_POST['name'])    ? htmlentities($_POST['name'])    : '';
     $email   = isset($_POST['email'])   ? htmlentities($_POST['email'])   : '';
     $phone   = isset($_POST['phone'])   ? htmlentities($_POST['phone'])   : '';
     $message = isset($_POST['message']) ? htmlentities($_POST['message']) : '';
     $formcontent = " From: $name \n Email: $email \n Phone: $phone \n Message: $message";
     $recipient  = "queries@xxxx.com";
     $subject    = "Contact Form";
     $mailheader = "From: $email \r\n";
     mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
     if (isset($_POST['email'])) {
         header("Location: thanks.html");
         exit; // stop the script after the redirect
     }
     ?>
     ```

     Apologies if this is way too stupid. I checked around on the web but couldn't really find a tutorial that explains the basics. Thanks again for all the help.
  6. Thanks for the response. I get mails with empty fields in the mail set up for the form, plus there are certain mails which have <script><xssv...></script>, although that could be SiteLock's way of telling me about the issue. But is it possible to have the validation done on this form (the code above) without throwing an error to the page? I was hoping to keep the web page HTML/CSS form separate from my back-end PHP form processor. Thanks. Does it mean that I need to use a function on the back-end PHP form?
  7. Hi, I am completely new to PHP and have been trying to build a web form for a website. I have set up the form using HTML/CSS and have added a JS script to validate it on the client side (it basically throws an error if the input isn't correct) on the website. But the issue is my PHP back-end form processor isn't working right. I think I'm getting XSS attacks and would like some help editing my current PHP form. Can someone help me with it? The PHP code is below:

     ```php
     <?php
     // Fields are used exactly as submitted: nothing is validated or escaped
     $title       = $_POST['title'];
     $name        = $_POST['name'];
     $email       = $_POST['email'];
     $phone       = $_POST['phone'];
     $designation = $_POST['jobt'];
     $company     = $_POST['cname'];
     $event       = $_POST['event'];
     $purpose     = $_POST['purpose'];
     $message     = $_POST['message'];
     $TandC       = $_POST['TandC'];
     $formcontent = " From: \n Name: $title $name \n Email: $email \n Phone: $phone \n Designation: $designation \n Company: $company \n event: $event \n Interested in being a: $purpose \n Message: $message";
     $recipient  = "brochure@xyz.com";
     $subject    = "Brochure Request";
     // The submitted address is placed directly into the From header
     $mailheader = "From: $email \r\n";
     mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
     if (isset($_POST['email'])) {
         header("Location:thanks.html");
     }
     ?>
     ```
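The following is an added example and not code from any post in this thread: a back-end processor for the same contact form that does the validation on the server, where it counts regardless of whether the visitor's browser ran the JS check. The field names, the recipient address and the thanks.html redirect are taken from the posted code; the length limits, the fixed sender address, the function names and the sample inputs at the bottom are assumptions. It needs PHP 7 or later. The two ideas it demonstrates are that user input is never placed in a mail header we write (the visitor's address goes in Reply-To only after filter_var() and a CR/LF check accept it), and that validation failures are reported without echoing the submitted values back to the page.

```php
<?php
// Added example, not the poster's code. Field names, recipient and the thanks.html
// redirect come from the posted processor; limits, sender address, function names
// and the sample inputs are assumptions. Requires PHP 7 or later.

const RECIPIENT   = 'queries@xyz.com';                        // from the posted code
const FROM_HEADER = 'Website Contact Form <noreply@xyz.com>';  // assumed: an address on our own domain
const MAX_FIELD   = 200;                                      // assumed byte limits
const MAX_MESSAGE = 4000;

/**
 * Validate the raw POST array. Returns ['ok' => bool, 'errors' => string[], 'data' => array].
 * Input that could reach a mail header is rejected rather than "cleaned": PHP has
 * already URL-decoded $_POST, so a "%0A" sent by the attacker arrives here as a real
 * newline and the CR/LF check below catches it.
 */
function validate_contact(array $post): array
{
    $errors = [];
    $data   = [];
    foreach (['title', 'name', 'email', 'phone', 'message'] as $field) {
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        $limit = ($field === 'message') ? MAX_MESSAGE : MAX_FIELD;
        if (strlen($value) > $limit) {
            $errors[] = "$field too long";
        }
        // Only the message may span lines; every other field must be single-line
        if ($field !== 'message' && preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field contains a line break";
        }
        $data[$field] = $value;
    }
    if ($data['name'] === '' || $data['message'] === '') {
        $errors[] = 'name and message are required';
    }
    if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $data];
}

/**
 * Build the message from validated data. From is a fixed address, so no user input
 * lands in a header we write; the visitor's validated address goes in Reply-To.
 * The mail is text/plain, so "<script>" in a field is inert here; htmlspecialchars()
 * belongs wherever the text is later rendered in a browser, not in the mail body.
 */
function build_mail(array $data): array
{
    $body = "From: {$data['title']} {$data['name']}\n"
          . "Email: {$data['email']}\n"
          . "Phone: {$data['phone']}\n"
          . "Message:\n{$data['message']}\n";
    $headers = 'From: ' . FROM_HEADER . "\r\n"
             . "Reply-To: {$data['email']}\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return ['to' => RECIPIENT, 'subject' => 'contact', 'body' => $body, 'headers' => $headers];
}

function handle_request()
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit('POST only.');
    }
    $result = validate_contact($_POST);
    if (!$result['ok']) {
        // Say which rule failed, but never echo the submitted values back
        http_response_code(400);
        header('Content-Type: text/plain; charset=UTF-8');
        exit('Form not sent: ' . implode('; ', $result['errors']));
    }
    $m = build_mail($result['data']);
    if (!mail($m['to'], $m['subject'], $m['body'], $m['headers'])) {
        http_response_code(500);
        exit('Error sending mail.');
    }
    header('Location: thanks.html');
    exit; // stop the script after the redirect
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, not real submissions: one clean form and one
    // header-injection attempt of the kind the posted contains_bad_str() tries to catch
    $samples = [
        'clean'  => ['title' => 'Ms', 'name' => 'Ada', 'email' => 'ada@example.com',
                     'phone' => '555-0100', 'message' => "Hello,\nplease send the brochure."],
        'attack' => ['title' => '', 'name' => 'x', 'phone' => '', 'message' => 'hi',
                     'email' => "victim@example.com\r\nBcc: everyone@example.net"],
    ];
    foreach ($samples as $label => $input) {
        $r = validate_contact($input);
        echo $label, ': ', $r['ok'] ? 'accepted' : 'rejected (' . implode('; ', $r['errors']) . ')', "\n";
    }
} else {
    handle_request();
}
```

Run it from the command line (`php processor.php`) to see the clean sample accepted and the Bcc attempt rejected; deployed as the form's action it handles the POST and redirects to thanks.html exactly as the posted version did. Client-side JS can stay for the user's convenience, but this file is the check that actually protects the mailbox.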