
Archived

This topic is now archived and is closed to further replies.

pinheadgunpowdr9

How do I secure this HTML Form and Email Script?


Hi guys, sorry for such a newbish question.  Any help would be greatly appreciated.

 

HTML FORM:

<form action="form.php" method="post" onsubmit="return validateForm()" name="form">
<b>First Name:*</b>
<input type="text" name="first_name" size="50" />
<b>Last Name:*</b>
<input type="text" name="last_name" size="50" />
<b>Phone:*</b>
<input type="text" name="phone" size="50" />
<b>Email:*</b>
<input type="text" name="email" size="50" />
<p><b>What is your favorite color?*</b></p>
<p align="left">
<select name="se">
<option value="W">White</option>
<option value="G">Green</option>
<option value="Y">Yellow</option>
</select>
</p>
<input type="submit" value="Submit"/>
</form>

 

 

FORM.PHP script

<?php
$se = $_POST['se'];
$seURL = '';
switch ($se) {
  case 'W':
    $seURL = "http://url1.com";
    break;
  case 'G':
    $seURL = "http://url2.com";
    break;
  case 'O':   // the form above submits 'W', 'G' or 'Y'; 'Y' has no case and falls to default
    $seURL = "http://url3.com";
    break;
  default:
    $seURL = "";
}
if ($seURL != "") {
/* Redirect browser */
/* make sure nothing is output to the page before this statement */
header("Location: " . $seURL);
/* there is no exit here, so everything below still runs after the Location header is set */
}

// get posted data into local variables
$EmailFrom = "noreply@domain.com";
$EmailTo = "email@domain.com";
$Subject = "Form";
// stripslashes() only undoes magic_quotes_gpc escaping; it is not input validation
$first_name = trim(stripslashes($_POST['first_name']));
$last_name = trim(stripslashes($_POST['last_name']));
$phone = trim(stripslashes($_POST['phone']));
$email = trim(stripslashes($_POST['email']));

// validation
$validationOK=true;
// nothing ever sets $validationOK to false, so this branch can never be taken
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
  exit;
}

// prepare email body text
$Body = "";
$Body .= "first_name: ";
$Body .= $first_name;
$Body .= "\n";
$Body .= "last_name: ";
$Body .= $last_name;
$Body .= "\n";
$Body .= "phone: ";
$Body .= $phone;
$Body .= "\n";
$Body .= "email: ";
$Body .= $email;
$Body .= "\n";
$Body .= "color: ";
$Body .= $se;
$Body .= "\n";

// send email 
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// send email to user
if ($se=="W") {
  // without braces the if governed only this one assignment (a no-op, since $EmailFrom
  // already has this value); the confirmation mail below is sent for every colour
  $EmailFrom = "noreply@domain.com";
}
$to = $email;
$subject = "form email";
$body = "thank you for filling out our form";
if (mail($to, $subject, $body, "From: <$EmailFrom>")) {
  echo("<p>Message successfully sent!</p>");
} else {
  echo("<p>Message delivery failed...</p>");
}

?>
MOD EDIT: [code] . . . [/code] tags added . . .


Also, is there any server side scripting I can do to only let the script run if data is submitted from the form?  Thus preventing the script from running and sending a blank email if script is accessed?


Hey, honestly I don't think I'd be much help with the security, but I noticed the bit about preventing a blank email from being sent which I think I can help with. I'm assuming you have a js function for validateform() returning true. What I've done with something I've made like this before is have js check the form to make sure it's good, but also use php to make sure none of the fields are left blank. Very simplified compared to what you have, of course, but something like:

 


$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email = $_POST['email'];

// isset() is true for a field that was submitted empty, so the trimmed value is checked too
if (isset($first_name, $last_name, $email)
    && trim($first_name) !== '' && trim($last_name) !== '' && trim($email) !== '')
{

     mail($your, $headers, $and, $other_info);

}

 

That way it'll only send if all the variables are set. They could always enter irrelevant gibberish, but at least it wouldn't be a blank email. I hope that helps at least somewhat.

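As an added example, not code from the original poster or from the reply above: a hardened form.php that addresses the original question (securing the handler), the follow-up about only running when the form was actually submitted, and the required-field check sketched in the reply above. It assumes the field names and redirect URLs of the form above, that PHP sessions are available, and that the page rendering the form stores a random token in $_SESSION['csrf_token'] and emits it as a hidden input named csrf_token (both names are assumptions). Mapping 'Y', the form's third option, to url3.com is also an assumption, because the original switch has no case for 'Y'.

```php
<?php
// Added example, not the original poster's code: a hardened form.php for the form above.
// Assumptions: the HTML form keeps its field names; the page that renders the form has
// stored a random token in $_SESSION['csrf_token'] and emitted it as a hidden input named
// csrf_token (both names are assumed); 'Y' (the form's third option) maps to url3.com.
session_start();

// 1. Only handle a real POST. A bare GET of form.php (or a bot requesting it directly)
//    gets a 405 and never reaches the mail code below.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// 2. CSRF: the submitted token must match the one issued with the form.
//    hash_equals() compares in constant time; the isset/is_string checks guard both sides.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !is_string($_POST['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Invalid form token');
}
unset($_SESSION['csrf_token']);   // single use: a replayed POST fails step 2

// 3. Required fields. isset() alone is not enough: a field submitted empty is still set,
//    so the trimmed value is checked as well. CR and LF are removed so that no value can
//    ever add a line to a mail header.
function required_field(string $name, int $maxLen = 100): string
{
    $value = isset($_POST[$name]) && is_string($_POST[$name]) ? trim($_POST[$name]) : '';
    if ($value === '' || strlen($value) > $maxLen) {
        http_response_code(400);
        exit('Field ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ' is missing or too long');
    }
    return str_replace(["\r", "\n"], ' ', $value);
}

$first_name = required_field('first_name');
$last_name  = required_field('last_name');
$phone      = required_field('phone', 30);
$email      = required_field('email');

if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid email address');
}

// 4. The select value is checked against an explicit whitelist; an unknown value is an
//    error, not a silent fall-through to default.
$redirects = [
    'W' => 'http://url1.com',
    'G' => 'http://url2.com',
    'Y' => 'http://url3.com',   // assumption, see the lead-in
];
$se = isset($_POST['se']) && is_string($_POST['se']) ? $_POST['se'] : '';
if (!array_key_exists($se, $redirects)) {
    http_response_code(400);
    exit('Invalid selection');
}

// 5. Sender and recipient are fixed constants; user data appears only in the body, where
//    a newline cannot become a header.
$EmailTo   = 'email@domain.com';
$EmailFrom = 'noreply@domain.com';
$Body = "first_name: $first_name\n"
      . "last_name: $last_name\n"
      . "phone: $phone\n"
      . "email: $email\n"
      . "color: $se\n";
if (!mail($EmailTo, 'Form', $Body, "From: <$EmailFrom>")) {
    error_log('form.php: mail() to ' . $EmailTo . ' failed');
}

// 6. Redirect and stop. Without exit the script would keep running, and keep producing
//    output, after the Location header had been set.
header('Location: ' . $redirects[$se], true, 303);
exit;
```

On the rendering side, the page that shows the form sets the token once per session with $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); and prints it inside the form as a hidden input named csrf_token, passing the value through htmlspecialchars() with ENT_QUOTES. The example deliberately drops the original's second mail() call, which sends a "thank you" message to whatever address was typed into the email field: that lets anyone use the server to send mail to arbitrary recipients. If a confirmation mail is wanted, it should go only to a validated address and be rate-limited per client.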

Please notice that if you use the method specified above, the user will have to refill all the fields. In order to prevent that you can use:

<input type="text" name="first_name" size="50" value="<?php echo htmlspecialchars($first_name, ENT_QUOTES, 'UTF-8'); ?>"/>


Please notice that if you use the method specified above, the user will have to refill all the fields. In order to prevent that you can use:

<input type="text" name="first_name" size="50" value="<?php echo htmlspecialchars($first_name, ENT_QUOTES, 'UTF-8'); ?>"/>

 

Not like this though, as you would get undefined index errors; you need to check to see if the var is there (isset()), but yes, this logic is the right approach...

 

Rw


Please notice that if you use the method specified above, the user will have to refill all the fields. In order to prevent that you can use:

<input type="text" name="first_name" size="50" value="<?php echo htmlspecialchars($first_name, ENT_QUOTES, 'UTF-8'); ?>"/>

 

Not like this though, as you would get undefined index errors; you need to check to see if the var is there (isset()), but yes, this logic is the right approach...

 

Rw

 

What do you mean? I always get the wanted result. If a user submitted the form and that field was empty, it will echo 'nothing' -> empty.


If you had error reporting / display errors on, you'd see a ton of undefined index/undefined variable warnings.


If you had error reporting / display errors on, you'd see a ton of undefined index/undefined variable warnings.

 

Yup. So yours would become this:

<input type="text" name="first_name" size="50" value="<?php echo htmlspecialchars(isset($first_name) ? $first_name : '', ENT_QUOTES, 'UTF-8'); ?>"/>

 

This would get rid of those errors IF you had the error reporting on.

 

Rw

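As an added example, not code from the thread: the exchange above is about the undefined-index notice, but the security point in re-populating a field is that the submitted value is reflected back into the page. Echoing it straight into a value="" attribute lets a submitted double quote end the attribute and turn the rest of the value into new attributes. The helper below, whose name old() is hypothetical, renders missing fields as empty (no notice) and escapes what it does render; the field names follow the form above and the $_POST contents are constructed test input.

```php
<?php
// Added example, not the thread's code: re-populating ("sticky") form fields without
// reflecting the submitted value into the page unescaped.
// Assumption: the helper name old() is hypothetical; field names follow the form above.

function old(string $name): string
{
    // A missing or non-string field renders as an empty value, with no "undefined index" notice.
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return '';
    }
    // ENT_QUOTES escapes both " and ', so the value cannot close the attribute whichever
    // quote style the template uses; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
    // instead of making htmlspecialchars() return an empty string.
    return htmlspecialchars($_POST[$name], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function text_input(string $name, string $label): string
{
    return "<b>$label</b>\n"
         . '<input type="text" name="' . $name . '" size="50" value="' . old($name) . '" />' . "\n";
}

// Constructed input, standing in for a POST from someone probing the form: the first value
// tries to break out of the attribute and add an event handler, the second just has a quote.
$_POST = [
    'first_name' => '" autofocus onfocus="alert(document.cookie)',
    'last_name'  => "O'Brien",
];

echo text_input('first_name', 'First Name:*');
echo text_input('last_name', 'Last Name:*');
echo text_input('phone', 'Phone:*');   // not submitted: renders with an empty value
```

With that input the quote characters come out as entity references, so the browser shows the probe text as the literal contents of the first field and onfocus never becomes an attribute; the apostrophe in the second field survives as text, and the phone field is empty without any notice.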

Going to test that out, another thing learned! Thanks! :)

