Everything posted by digitalecartoons

  1. I've made a flash form which uses this script to send the input by mail:

         <?php
         // initialize variables for To and Subject fields
         $to = 'info@testing.nl';
         $subject = 'Een testmail';
         $from = $_POST["from"];
         $email = $_POST["email"];
         $comments = $_POST["comments"];

         // build message body from variables received in the POST array
         $message = "Van: $from \n\n";
         $message .= "Email: $email \n\n";
         $message .= "Bericht: $comments";
         $message = stripslashes($message);

         //convert flash line breaks
         $message= str_replace("\r", "\n", $message);
         $message=nl2br($message);

         // add additional email headers for more user-friendly reply
         $additionalHeaders = "From: $from <".$email.">\r\n";
         $additionalHeaders .= "Reply-To: ".$email."\r\n";
         $additionalHeaders .= "MIME-Version: 1.0\r\n";
         $additionalHeaders .= "Content-type: text/html; charset=utf-8\r\n";

         // send email message
         $OK = mail($to, $subject, $message, $additionalHeaders);

         // let Flash know what the result was
         if ($OK) {
             echo 'sent=OK';
         } else {
             echo 'sent=failed&reason='. urlencode('Er is een probleem met de server. Probeer het later nog eens.');
         }
         ?>

     Works a bit besides accented characters like é ë ä ó ö ú etc. For example: when I use 'René' in the From field it arrives like 'RenX', both in text mode as in html mode. The From field displays 'RenX' I mean. When in text mode, the body text of the email displays 'René' however. When I view the mail in html mode, it also displays 'RenX' in the From field, but the body text displays 'rené'. How do I make it display René both in the From field and the body text? And both in text mode as in html mode?
  2. Could I leave it out (since as far as I know 7 bit is default), or is there some reason why that line is often present in html mail scripts? Here's an article by Kevin Yank about mixed html/text php mailing which also contains several 'content-transfer-encoding: 7-bit' lines: http://www.sitepoint.com/article/advanced-email-php/4
  3. $email_message .= "This is a multi-part message in MIME format.\n\n" .
         "--{$mime_boundary}\n" .
         "Content-Type:text/plain; charset=\"iso-8859-1\"\n" .
         "Content-Transfer-Encoding: 7bit\n\n" .
         $email_txt . "\n".
         "--{$mime_boundary}\n" .
         "Content-Type:text/html; charset=\"iso-8859-1\"\n" .
         "Content-Transfer-Encoding: 7bit\n\n" .
         $email_htm ;

     This is part of a html mail with alternative text version. I often see this Content-Transfer-Encoding: 7bit line in scripts like these and I'm wondering if it's necessary since 7bit is default? So why do a lot of people put it in?
  4. Reading it again still puzzles me. I get it that the [ must be escaped by a backslash, but why would double backslashes be necessary here? This should work the same: $joketext = eregi_replace('\[ b ]', '<strong>', $joketext); The single backslash sees to it that [ b ] is taken literally and not as a regex code only allowing 'b'. What am I missing? (ps, the [ b ] should be without the spaces before/after the b, but that's a bold code in here)
  5. I'm using this line to send variables to Flash: echo "&myVar=$myVar&"; Just because I noticed that on some php servers this doesn't work: echo "myVar=$myVar"; But again, on some it does work. What's the purpose of putting "&" characters in front and after the variable declarations? And what php server setting wants them to be there and which doesn't?
  6. But so it first searches for the 1st part \r\n then for the 2nd and finally 3rd? I mean when there are 3 OR options a|b|c it first does a, then b, then c in that order?
  7. So how does that work exactly with preg_replace? Is there some kind of order? Let's take part of this text as string: "occurrence of \r\n into TWO line break" so when using: $message = preg_replace('~\r\n|\r|\n~', "\r\n", $message); to turn things into proper \r\n newline codes it first searches for \r\n, making it \r\n so it would remain: "occurrence of \r\n into TWO line break" then it would replace \r for \r\n, making it "occurrence of \r\n\n into TWO line break" finally it would replace \n for \r\n making it "occurrence of \r\r\n\r\n into TWO line break" That's the way I see it, but it probably doesn't work that way with preg_replace and those 3 options separated by an OR character?
  8. That doesn't work cause the newlines are already replaced, think because of stripslashes. I want to have flash send a mail as plain text mail. Certain characters in the message part will be escaped. Magic quotes like ' will become \'. So normally, when I would submit a text like Mike O'Brien, it would appear as Mike O/'Brien in the plain text mail php sends. I want to get rid of that so I thought of using stripslashes. But that also erases things like newlines \n So it appears because when I send myself a text with several paragraphs, the plain text mail puts all those paragraphs behind each other instead of beginning each paragraph on a new line. How should I do it otherwise?
  9. I think it's because I've used stripslashes, but I've used that so that entered names like O'Brien don't appear as O\'Brien in the mail message. How can I fix this?
  10. I'm having my flash form send its data as plain text mail. When I enter a couple of paragraphs in the message field and receive the plain text mail, all paragraphs are put in a row instead that every paragraph starts at a new line. So I get this:

          Bericht:
          Dit is een nieuwe alineaDit zou op een nieuwe regel moeten beginnenDeze regel eigenlijk ook

      Instead of this:

          Bericht:
          Dit is een nieuwe alinea
          Dit zou op een nieuwe regel moeten beginnen
          Deze regel eigenlijk ook

      Can't use nl2br cause I'm using plain text mail, but what should I do to fix this?

      Actionscript:

          Versturen.onRelease = function() {
              mySendVars = new LoadVars();
              myLoadVars = new LoadVars();
              mySendVars.naam = naam.text;
              mySendVars.email = email.text;
              mySendVars.bericht = bericht.text;
              mySendVars.sendAndLoad("mailform.php", myLoadVars, "POST");
              gotoAndStop(2);

      PHP code:

          $naam = stripslashes(utf8_decode($_POST["naam"]));
          $email = stripslashes(utf8_decode($_POST["email"]));
          $bericht = stripslashes(utf8_decode($_POST["bericht"]));
          $message = "Naam:\r\n".$naam."\r\n\r\n";
          $message .= "Emailadres:\r\n".$email."\r\n\r\n";
          $message .= "Bericht:\r\n".$bericht."\r\n";
          $headers = "MIME-Version: 1.0\r\n";
          $headers .= "Content-type: text/plain; charset=iso-8859-1\r\n";
          $headers .= "From: ".mb_encode_mimeheader($naam, "iso-8859-1", "Q")." <".$email.">\r\n";
          mail($to, $subject, $message, $headers);
          }
  11. Ok, so the quote "PHP assumes that strings are ISO-8859-1" like someone told me isn't completely true? Can you explain this: when I have a php file which only echoes the é character, the browser defaults to iso-8859-1. When I change the browser charset to unicode it displays a question mark instead, but when I refresh the page or type in the php link again, it switches back to iso 8859 again. Even though I haven't specifically set it as such.
  12. Where does it say that on php.net, that iso8859 is the default charset for strings? Can't find anything about it.
  13. What I'm trying to do is allowing my mailform.php script only to be accessed if the user is on my website and submitting its form. What I don't want to allow:

      1. typing www.test.com/mailform.php... it should echo an error message
      2. using my mailform.php script in another website
      3. a user first setting the session id by visiting my site and then do point 1 or 2

      I thought that that was what sessions are all about, but I was able to bypass it by doing point 3. Here's where I've learned about sessions and protecting my php script: http://apptools.com/phptools/forms/forms7.php
  14. You're right, it doesn't end upon changing a website. But I now don't completely understand how to use session for securing a form script. This is what I've got now:

          <?php
          session_start();
          $_SESSION["domino"] = true;
          ?>
          <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
          <html>
          <head>
          //rest of page showing flash movie

      This sets the session upon visiting my site. When the form sends its data to the mailform.php:

          <?php
          session_start();
          if(!isset($_SESSION["domino"])){
              //error message 'forbidden access'
              exit;
          } else {
              session_destroy();
              unset ($_SESSION["domino"]);
              //rest of script: processing the form input
          }

      This checks for the session-id. This should verify that the user sent the form through my website. According to tutorials and the use of sessions in mailforms anyway. But I've found a way to bypass this. If I know the mailform is at www.test.com/mailform.php, I wouldn't get access to it accessing it directly. As it shouldn't. But when I know it's at www.test.com/mailform.php, all I have to do is type www.test.com (or www.test.com/index.php) to have the session set. Then I could do anything I want, visit other sites, whatever. As long as I don't close the browser. And finally, to abuse the mailform.php file, I just have to type in www.test.com/mailform.php and I get access, cause the session is still set. That way I could always make use of the php script even when I'm not supposed to. Am I using session not correctly? I thought session-id's should prevent such a thing?
  15. "A session ends when the user loses the browser or after leaving the site, the server will terminate the session after a predetermined period of time, commonly 30 minutes duration" The 'session ends after user leaves the site' part doesn't work with me. In the starting page, setsession.php, the session is first set.

          <?php
          session_start();
          $_SESSION["domino"] = true;
          ?>
          <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
          <html>
          <head>rest document
          </html>

      The php script, getsession.php, checks for the existence of this session id:

          <?php
          session_start();
          if(!isset($_SESSION["domino"])){
              echo "session is unset";
              exit;
          } else {
              echo "sessionis is set";
              // rest php script
          }
          ?>

      When typing getsession.php into the address bar, I get a 'session is unset', which is ok since the session hasn't been set yet. On visiting setsession.php and typing getsession.php again, I get a 'session is set', which is ok too cause the session has been set in setsession.php. But when I do the following in the exact same order:

      - go to setsession.php (session is set)
      - go to any other page e.g. www.startrek.com
      - type in getsession.php in the address bar

      Then I still get a 'session is set' as if the session id hasn't ended on leaving the website. How is this possible?
  16. "Remember sessions are destroyed automatically after user leaves your website" Tested it but it isn't true. When I access the php script directly I get an error message When I enter my site the session id is set When I access the php script again I don't get an error message and can access it When I leave my site to visit another and again access my php script, I still get access ...so this automatically destroying of the session after leaving the website isn't true?
  17. Just didn't understand what you mean by "if you link to another site then its possible for them to get the session id, but after you leave the site your session is gone.." and how that could be a problem. Or was I reading you incorrectly? I mean:

      1. entering site: setting session
      2. leaving site: unsetting session
      3. closing site: unsetting session
      4. having a link inside your site, clicking it to go to new site: unsetting session

      That's what's happening, right?
  18. But that would be ok I guess? I want them only to be able to access my php script if they are on my site showing the flash mailform. If they leave my site the session would indeed be gone. But what would be the downside of that then? "if you link to another site then its possible for them to get the session id, but after you leave the site your session is gone.." Isn't that what should happen I mean?
  19. From a site about session id's: http://www.php-learn-it.com/php_sessions.html "Remember sessions are destroyed automatically after user leaves your website or closes the browser, but if you wish to clear a session variable yourself, you can simple use the unset() function to clean the session variable" This would mean I could easily delete those two unset/destroy lines? Because after leaving index.php or closing the browser it is destroyed anyway? So it doesn't make my php script less secure after all? Am I correct?
  20. Ok, sorry for not immediately understanding it, I'm relatively new to this. So you're saying that when I show the form, the session id is set and as long as it's not unset, others could theoretically get hold of it? So in that respect it would be better to unset it as quickly as possible, which now happens after I submit the form? And deleting those unset/destroy lines would keep the session id set, vulnerable for others to get it? Just in theory. Am I understanding you correctly so far?
  21. ok, but in theory... would it be really necessary for security reasons to unset the session id immediately after sending form output? Because someone said to me "always unset the session when finished using the data to keep it from being hijacked no need for the browser to remember the data when the user browses to a site other than yours" or would it be perfectly safe without it?
  22. the session id is to make sure that no one can access the php script directly or through another website. Only the site containing the form and which sets the session id is allowed access to the php script. Otherwise an error message is echoed.
  23. How would that solve my problem? When I use only unset:

          <?php
          session_start();
          if(!isset($_SESSION["domino"])){
              //error message 'forbidden access'
              exit;
          } else {
              unset ($_SESSION["domino"]);
              //rest of script: processing the form input
          }

      ... the session id 'domino' is still cleared. And upon re-submitting the flash form, the php script still sees the 'domino' session id as non-existent, exiting the script
  24. It's to make sure that the form processing php is accessed from the flash website itself. So I've set the session id in the index.php. Then, when the flash form is filled in and 'send' is clicked, the form processing script 'sees' that it is accessed from index.php, which is ok. My code worked in my html form because after sending it unset the session id and upon return to the form it was set again. But in my flash page it of course doesn't change location. So I thought, is unsetting it really necessary. Without it it works fine: upon resending a flash form from my site, the session id is still there (until the browser is closed). But then someone told me: "always unset the session when finished using the data to keep it from being hijacked no need for the browser to remember the data when the user browses to a site other than yours" What's true about that? Should I still keep on using unset/destroy?
  25. Can someone help me with my mailform? It uses a Flash mailform, together with php and session id. First things first: in the index.php page it starts by setting the session:

          <?php
          session_start();
          $_SESSION["domino"] = true;
          ?>
          <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
          <html>
          <head>
          //rest of page showing flash movie

      When the flash form is filled in and send is clicked, the php script processes the data by first checking for the existence of this session id. If it's not ok, an error message returns. If everything is ok and a session id is present, the session id itself is unset. I've been told that you should immediately unset a session id after using it for security reasons.

          <?php
          session_start();
          if(!isset($_SESSION["domino"])){
              //error message 'forbidden access'
              exit;
          } else {
              session_destroy();
              unset ($_SESSION["domino"]);
              //rest of script: processing the form input
          }

      But now, when I input the flash form once more and click send, of course nothing happens because the session id is cleared. And I can't set the session id in Flash itself I think. Is there any way to fix this?
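
An added example, not code from any of the posts above: the usual alternative to the bare `$_SESSION["domino"]` flag from posts 14 and 25 is a single-use token that the page issues, the form posts back, and the script replaces on every successful submit, so the Flash form can send again without reloading index.php. The function names, the `form_token` session key and the 15-minute lifetime are assumptions made for illustration.

```php
<?php
// Added example: single-use form token. Names, the 'form_token' session key
// and the 15-minute lifetime are assumptions, not taken from the posts.

const TOKEN_TTL = 900; // seconds a token stays valid

// index.php side: call after session_start() and hand the returned value to
// the Flash movie so the form can post it back with the other fields.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = ['value' => $token, 'issued' => time()];
    return $token;
}

// mailform.php side: returns the next token on success, null on any failure.
function redeem_form_token(array &$session, string $submitted): ?string
{
    $stored = $session['form_token'] ?? null;
    unset($session['form_token']);          // one attempt per token
    if (!is_array($stored)) {
        return null;                        // no page load issued a token
    }
    if (time() - $stored['issued'] > TOKEN_TTL) {
        return null;                        // page was loaded too long ago
    }
    if (!hash_equals($stored['value'], $submitted)) {
        return null;                        // request did not carry the token
    }
    return issue_form_token($session);      // form can submit again
}

// Constructed walk-through; a plain array stands in for $_SESSION.
$session = [];
issue_form_token($session);

// Session exists (index.php was visited) but the request carries no token.
var_dump(redeem_form_token($session, ''));

// Normal submit, then a second submit with the token the first reply returned.
$token = issue_form_token($session);
$next  = redeem_form_token($session, $token);
var_dump(is_string($next));
var_dump(is_string(redeem_form_token($session, $next)));

// Re-sending a token that was already used.
var_dump(redeem_form_token($session, $token));
```

In mailform.php the call would be `redeem_form_token($_SESSION, (string)($_POST['token'] ?? ''))`, with the returned token echoed back to Flash alongside `sent=OK`. The token only shows that the request follows a page load in the same session; a client that loads index.php first and then posts the token it received still passes.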