Help with PHP form


barn07

Recommended Posts

I am working on a website for a church. They want a prayer request form on their page. I am writing it in php. I have it all working, but I need when they hit submit on the form and it comes to the specified inbox that it shows up from the name they gave on the form. Right now the form emails fine and all the content is within the email but it comes up as anonymous@server310.com. Can anyone please help me! I have posted the HTML and PHP code below:

 

HTML:

 

<form method="POST" action="contact.php">
  <p>Name:
    <input type="text" name="name" size="19">
    <br>
    <br>
E-Mail:
<input type="text" name="email" size="19">
<br>
<br>

<input type="checkbox" name="check[]" value="Please list this in the bulletin">
I would like to have my prayer<br>
request listed in the weekly bulletin. <br>
    <br>
    Message:<br>
    <textarea rows="9" name="message" cols="30"></textarea>
    <br>
    <br>
    <input type="submit" value="Submit" name="submit">
  </p>
</form>

 

 

 

PHP:

 

<?php
if(isset($_POST['submit'])) {

$to = "myaddress@gmail.com";
$subject = "Prayer Request Form";
$name_field = $_POST['name'];
$email_field = $_POST['email'];
$message = $_POST['message'];

foreach($_POST['check'] as $value) {
$check_msg .= "Checked: $value\n";
}

$body = "From: $name_field\n E-Mail: $email_field\n Message:\n $message\n $check_msg";

echo "Data has been submitted to $to!";
mail($to, $subject, $body);

} else {
echo "the form was not submitted correctly!";
}
?>

 

 

 

 

Link to comment
Share on other sites

You are basically talking about faking the From address of the email.  Most servers will not allow this.  Your server may refuse to send the message because the email address it is stated to be coming from does not belong to the server (it was forged).  Other servers may refuse to deliver the email for the same reason.

 

One way to work around this is to add an additional header called: ReplyTo (or maybe Reply-To, I can't remember if it has a dash or not).  The mail() function allows a fourth parameter for additional headers.  The email clients that I have used will use this address when the receiver chooses to send a reply to the message.

 

Link to comment
Share on other sites

This is what my code looks like now after messing around with it:

 

<?php
$to = "myemail@gmail.com";
$subject = "Prayer Request Form";
$name = $_REQUEST['name'] ;
$email = $_REQUEST['name'] ;
$email1 = $_REQUEST['email'];
$message = $_REQUEST['message'] ;
$headers = "From: $name";
$sent = mail($subject, $message, $headers) ;

foreach($_POST['check'] as $value) {
$check_msg .= "Checked: $value\n";
}

$body = "From: $name\n E-Mail: $email1\n Message:\n $message\n $check_msg";

echo  "Data has been submitted to $to!";
mail($to, $subject, $body, $headers, $sent);
?>

 

 

When I use that, the "From" section of my Gmail now shows the first "word" that the user puts into the name form section. It now says Name@server301.com instead of anonymous and says "Name" in the "From" section of my inbox; next question is how to get it to say first and last.

Link to comment
Share on other sites

You assigned a REAL name to the From: header.  Your server "assumes" that the name you supplied is a local mailbox and adds your server's address.  So specifying "From: Frank" you end up with "From: Frank@myserver.com"

 

However, that does NOT generate a VALID email address for the From: header.  If you are wanting to show the submitted name in the inbox list, you can assign the value to be displayed by formatting the header as: From: Real Name<website@myserver.com> (where website@myserver.com is a valid email address for the server).  Be aware that if the person reading the message hits REPLY, it will send to that address (which is not the person who submitted the prayer request).  So add the Reply-To header I mentioned before: Reply-To: Real Name<theirEmail@theirserver.com>

 

so you end up with something like this (UNTESTED CODE)

$to = "myemail@gmail.com";
$subject = "Prayer Request Form";
$name = $_REQUEST['name'] ;
$email = $_REQUEST['name'] ;
$email1 = $_REQUEST['email'];
$message = $_REQUEST['message'] ;
$headers = "From: $name" . <website@webserver.com>\nReply-To: " . $name . "<" . $email1 . ">\n";

 

By the way - and this is IMPORTANT - you really need to sanitize the user input before putting it in the email like that.  If you are not doing so, you are setting yourself up for XSS attacks and so forth.

Link to comment
Share on other sites

By the way - and this is IMPORTANT - you really need to sanitize the user input before putting it in the email like that.  If you are not doing so, you are setting yourself up for XSS attacks and so forth.

 

Why do you condone the use of $_REQUEST instead of $_POST when it is that much more susceptible to XSS injection itself?  ::)

Link to comment
Share on other sites

Well, excuse me for not mentioning the $_POST vs. $_REQUEST issue.  I guess I was tunnel-visioned on helping the OP SOLVE HIS PROBLEM.

 

I am not a Doctor, I didn't even stay in a Hotel last night.

 

Disclaimer: Nothing in this post, or any other post, provided by me in this forum, or any other forum, whether on this website or any other website, whether quoted by some other individual, company, administrator, hacker, tracker, trucker, or sleeper, does not imply approval of or dis-approval of the way the original poster, or any respondent to the original poster, or any respondent to any other respondent, coded, tested, tried to code, failed to test, held their head, feet or hands during their post, or any particular function, feature, setting, or expression, used in the post or suggested by the post or omitted from the post.  No warranty is expressed or implied by me posting or failing to post on this site or any other site.  Anyone reading my post in whole or in part, including but not limited to reading my mind, accepts full responsibility for any action they take or fail to take and the results, lack of results, or phase-shifting that may occur.

Link to comment
Share on other sites

Well, excuse me for not mentioning the $_POST vs. $_REQUEST issue.  I guess I was tunnel-visioned on helping the OP SOLVE HIS PROBLEM.

 

It was just ironic how you quote about XSS injection when you are giving him a key to the door for it.

Link to comment
Share on other sites

$to = "myemail@gmail.com";

$subject = "Prayer Request Form";

$name = $_REQUEST['name'] ;

$email = $_REQUEST['name'] ;

$email1 = $_REQUEST['email'];

$message = $_REQUEST['message'] ;

$headers = "From: $name" . <website@webserver.com>\nReply-To: " . $name . "<" . $email1 . ">\n";

 

I now try that and I get "Parse error: syntax error, unexpected '<' in /home/faith/www/www/contact.php  on line 8" error. I have tried removing the < in front of website and email and then it just says the same error but with an @ sign instead of a '<'

 

Can anyone help, thanks in advance

Link to comment
Share on other sites

Thanks for your response.  The form works and everything comes into my e-mail listing as I want it, but if I were to leave the check box unchecked I get this error after I hit submit:

 

Warning: Invalid argument supplied for foreach() in /home/faith/www/www/contact.php  on line 10

Your prayer request form has been successfully submitted.

 

My code this far looks like this for the php side of it:

 

<?php
$to = "myemail@gmail.com";
$subject = "Prayer Request Form";
$name = $_REQUEST['name'] ;
$email = $_REQUEST['email'] ;
$email1 = $_REQUEST['email'];
$message = $_REQUEST['message'] ;
$headers = "From: $name <website@server.org>\nReply-To: $name <$email1>\n";

foreach($_POST['check'] as $value) {
$check_msg .= "Checked: $value\n";
}

$body = "From: $name\n E-Mail: $email\n Message:\n $message\n $check_msg";

echo  "Your prayer request form has been successfully submitted.";
mail($to, $subject, $body, $headers, $sent);
?>

Link to comment
Share on other sites

<?php
$value = $_POST['check'];
$to = "myemail@gmail.com";
$subject = "Prayer Request Form";
$name = $_REQUEST['name'] ;
$email = $_REQUEST['email'] ;
$email1 = $_REQUEST['email'];
$message = $_REQUEST['message'] ;
$headers = "From: $name <website@server.org>\nReply-To: $name <$email1>\n";

foreach($_POST['check'] as $value) {

$check_msg .= "Checked: $value\n";

}

$body = "From: $name\n E-Mail: $email\n Message:\n $message\n $check_msg";
if (mail($to, $subject, $body, $headers, $sent)){
  echo   "Your prayer request form has been successfully submitted.";
}else{
  echo   "Your prayer request form has been unsuccessfully submitted. Contact an admin or try again";
}

?>

 

Try this

Link to comment
Share on other sites

I now get this error when I copied and pasted the code you wrote:

 

Warning: Invalid argument supplied for foreach() in /home/faith/www/www/contact.php  on line 11

Your prayer request form has been successfully submitted.

 

Although, I do get an email with the form contents.

Link to comment
Share on other sites

If the checkbox is not checked, then it does not get posted.  So, you have to check to see if it is there before processing the array. 

 

<?php
//$value = $_POST['check'];  // THIS LINE CAUSES AN ERROR IF NOTHING IS CHECKED
$to = "myemail@gmail.com";
$subject = "Prayer Request Form";
$name = $_REQUEST['name'] ;
$email = $_REQUEST['email'] ;
$email1 = $_REQUEST['email'];
$message = $_REQUEST['message'] ;
$headers = "From: $name <website@server.org>\nReply-To: $name <$email1>\n";

// Right here - check to see if any checkboxes are checked
$check_msg = '';  // ASSIGN an empty string so we don't get an error referencing it later
if (isset($_POST['check'])) {  // CHECK TO SEE IF ANYTHING IS CHECKED
    foreach($_POST['check'] as $value) {

        $check_msg .= "Checked: $value\n";

    }
}  // END IF (isset($_POST['check']

$body = "From: $name\n E-Mail: $email\n Message:\n $message\n $check_msg";
if (mail($to, $subject, $body, $headers, $sent)){
  echo   "Your prayer request form has been successfully submitted.";
}else{
  echo   "Your prayer request form has been unsuccessfully submitted. Contact an admin or try again";
}

?>

 

Note:  There are other issues you need to address.

1) Replace $_REQUEST with $_POST -- $_REQUEST looks in $_GET, $_POST, $_COOKIES for the array element.  Which means I can spoof your form very easily.  You were using $_POST in your original post, so go back to it.

 

2) You MUST sanitize the values that are coming from the user.  Even if you switch to $_POST, you still need to prevent injection attacks and to prevent spammers from using your form to send out tons of garbage.

 

Link to comment
Share on other sites

Glad to help.  On the injection attacks, you should be able to find several postings on the forum that cover it.  But let me give you an example. 

 

Since you are adding additional headers that contain a field the user enters, we will start with $email.  If I enter the following as my email address:

Innocent@victims.net>\nTo: victim1@victims.net\nTo: <victim2@victims.net

 

your $headers will read:

From: SenderName <website@server.org>\nReply-To: SenderName <Innocent@victims.net>\nTo: victim1@victims.net\nTo: <victim2@victims.net>\n

 

which causes copies to be sent to victim1 and victim2.  Of course, then I type some kind of Viagra message or something, NOT a prayer request.  If you try to track down the sender, you find Innocent@victims.net, who is obviously NOT the spammer.  If I change "To:" to "BCC:" your Pastor or Prayer Minister will not even know that the message went to others.  He will be getting spam from his own site and will not know why.  At the very least, you should reject any posting that has a newline (\n) in the email address.  It is not a valid character for an email address and there is no reason for your target users to be entering it.  I am no expert on injection, so I am sure that there are other issues to look for, this is just an example.

 

$to and $subj are hard-coded in your script, so they seem to be pretty safe.

 

$body may need to be modified slightly.  Some older mail processors may interpret your first lines as another header because they look like headers (starts with the word From: in the first position followed by a space).  I would add a text line at the top of $body just to be safe. Something like:

$body = "A prayer request has been submitted at the website\n\nFrom: $name\n E-Mail: $email\n Message:\n $message\n $check_msg";

 

Also, the mail() function has four parameters.  I don't know where $sent is coming from, it is not defined in your code (that I can see), but it should not be in the function call.

 

Once you get it online, you can go to the Website Critique forum and post a topic asking people to review it.  There are those who will try various attacks and let you know what succeeded and how to fix it.  You might want to have the messages going to you and not the Pastor during the test (unless you want him to know how difficult this can be).

Link to comment
Share on other sites
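Added example (not code from anyone in this thread): a small set of functions that put the advice from the posts above into working PHP. It rejects line breaks and invalid addresses before anything reaches the headers (the header-injection example), builds the From:/Reply-To: pair with a mailbox that belongs to the sending server (the earlier post on the From: header), and handles the absent checkbox array (the "Invalid argument supplied for foreach()" post). The address website@server.org and the function names are assumptions for this example; the injection input is the one constructed in the post above.

```php
<?php
// Added example, not the thread's code. Validates the prayer-request fields
// and builds mail() headers that cannot be extended by CR/LF injection.

/**
 * A CR or LF inside a header field is what lets a submitter append their own
 * "To:" or "Bcc:" lines, so any value carrying one is rejected outright.
 */
function contains_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/**
 * Validate the submitted fields. Returns a list of error messages; an empty
 * list means the values are acceptable for use in headers and body.
 */
function validate_request(array $post): array
{
    $errors  = [];
    $name    = trim((string) ($post['name'] ?? ''));
    $email   = trim((string) ($post['email'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));

    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Name is required (at most 100 characters).';
    } elseif (contains_line_break($name)) {
        $errors[] = 'Name must not contain line breaks.';
    }

    // FILTER_VALIDATE_EMAIL rejects the "<", ">" and newline characters the
    // injection example relies on, as well as ordinary typos.
    if (contains_line_break($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required.';
    }

    if ($message === '') {
        $errors[] = 'A message is required.';
    }
    return $errors;
}

/**
 * Build the additional headers for mail(). $site_address must be a mailbox
 * that exists on the sending server (assumed value below), so From: is not
 * forged; the visitor's address goes only in Reply-To:.
 * Call this only after validate_request() returned no errors.
 */
function build_headers(string $name, string $email, string $site_address): string
{
    // Strip characters that would break the "Display Name" <addr> syntax.
    $display = str_replace(['"', '<', '>', '\\'], '', $name);
    return "From: \"$display\" <$site_address>\r\n"
         . "Reply-To: \"$display\" <$email>\r\n";
}

/** An unchecked checkbox is simply absent from $_POST; cope with that. */
function checked_items(array $post): string
{
    if (!isset($post['check']) || !is_array($post['check'])) {
        return '';
    }
    $out = '';
    foreach ($post['check'] as $value) {
        if (!contains_line_break((string) $value)) {
            $out .= "Checked: $value\n";
        }
    }
    return $out;
}

// Constructed sample input: the injection attempt described in the post above.
$malicious = [
    'name'    => 'Sender Name',
    'email'   => "Innocent@victims.net>\nTo: victim1@victims.net\nTo: <victim2@victims.net",
    'message' => 'not a prayer request',
];
// Constructed benign submission, with the bulletin box ticked.
$benign = [
    'name'    => 'Jane Doe',
    'email'   => 'jane@example.com',
    'message' => 'Please pray for my family.',
    'check'   => ['Please list this in the bulletin'],
];

print_r(validate_request($malicious)); // lists the invalid e-mail address error
print_r(validate_request($benign));    // empty array: nothing to reject

if (validate_request($benign) === []) {
    $headers = build_headers($benign['name'], $benign['email'], 'website@server.org');
    $body = "A prayer request has been submitted at the website\n\n"
          . "From: {$benign['name']}\nE-Mail: {$benign['email']}\n"
          . "Message:\n{$benign['message']}\n" . checked_items($benign);
    echo $headers, "\n", $body;
    // mail('myemail@gmail.com', 'Prayer Request Form', $body, $headers); // four arguments, no $sent
}
```

The validation runs before the headers are assembled, so a line break anywhere in the name or address never reaches mail(); the checkbox helper returns an empty string rather than iterating a missing array, and the mail() call takes exactly four arguments.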

That would be one way to do it.  However, it leaves the user on an error page, and they will have to navigate back to the form page and re-type everything to try again.

 

If the form is in a separate file from the processing, then that is pretty much what you are stuck with (unless you want to do a lot of work to get the fields back to the original page).  However, to make it more user friendly, you can put everything in one file and have it all.  Let's call that file prayerReq.php (or whatever you want).  It would look something like this (THIS IS NOT A WORKING CONTACT FORM, IT IS BASICALLY A TEMPLATE):

 

<?php

$errMsg = array();	// An empty array for error messages

// Empty variables so we can redisplay user's entry if there is an error
$name = '';
$email = '';
$message = '';

if (isset($_POST['submit'])) {  // Did the user submit the form?
  	if (isset($_POST['name'])) {
  		$name = $_POST['name'];  // BE SURE TO SANITIZE THIS FIELD
  	} else {
  		$errMsg[] = 'Your Name is Required.';
  	}
  	if (isset($_POST['email'])) {
  		$email = $_POST['email'];  // BE SURE TO SANITIZE THIS FIELD
  	} else {
  		$errMsg[] = 'Your Email Address is Required.';
  	}
  	if (isset($_POST['message'])) {
  		$message = $_POST['message'];  // BE SURE TO SANITIZE THIS FIELD
  	} else {
  		$errMsg[] = 'Some type of message is Required.';
  	}
  	if (empty($errMsg)) {	// If there are no error messages we can send the email
  		// compose the mail parameters here
  		if (mail(...)) {
  			$errMsg[] = "Your prayer request has been submitted.";
  		} else {
  			$errMsg[] = 'Error sending email.  Try again later ';
  		}
  	}
}

?>


<form method="POST" action="">
  <p>Name:
    <input type="text" name="name"  size="19"
	value="<?php echo $name; /* Show what the user typed the first time */ ?>">
    <br>
    <br>
E-Mail:
<input type="text" name="email" size="19" 
value="<?php echo $email; /* Show what the user typed the first time */ ?>">
<br>
<br>

<input type="checkbox" name="check[]" value="Please list this in the bulletin">
I would like to have my prayer<br>
request listed in the weekly bulletin. <br>
    <br>
    Message:<br>
    <textarea rows="9" name="message" cols="30"><?php echo $message; /* Show what the user typed the first time */ ?></textarea>
    <br>
    <br>
    <input type="submit" value="Submit" name="submit">
<?php
if (! empty($errMsg)) {
	foreach ($errMsg as $msg) {
		echo $msg . '<BR>';
	}
}
?>
  </p>
</form>

 

You will note that within the form, we echo the user's original entries.  If the page was NOT POSTed (user's first time to the page) these fields are empty (we set them at the top).  If the page was POSTed, these fields contain whatever we got from the user and fill the field in so they do not have to re-type it.  You will have to look at magic_quotes_runtime(), stripslashes(), and some other stuff to make sure you show what they typed.  At the bottom of the form, we display the error messages (if any) so the user can fix the problems and try again.

 

The page name has to have the .php extension (or some other extension that your server will process as php).  So you may have to change links on other pages that send the user here.

 

 

EDIT:  I know that may require significant changes.  If you are close with what you have, then post your files (be sure to use code tags) and we can help finish what you've got.

Link to comment
Share on other sites
