How do I secure this HTML Form and Email Script?


pinheadgunpowdr9


Hi guys, sorry for such a newbish question.  Any help would be greatly appreciated.


HTML FORM:

<form action="form.php" method="post" onsubmit="return validateForm()" name="form">
<b>First Name:*</b>
<input type="text" name="first_name" size="50" />
<b>Last Name:*</b>
<input type="text" name="last_name" size="50" />
<b>Phone:*</b>
<input type="text" name="phone" size="50" />
<b>Email:*</b>
<input type="text" name="email" size="50" />
<p><b>What is your favorite color?*</b></p>
<p align="left">
<select name="se">
<option value="W">White</option>
<option value="G">Green</option>
<option value="Y">Yellow</option>
</select>
</p>
<input type="submit" value="Submit"/>
</form>

FORM.PHP script

<?php
// pick a redirect target from the "favorite color" select value
$se = $_POST['se'];
$seURL = '';
switch ($se) {
  case 'W':
    $seURL = "http://url1.com";
    break;
  case 'G':
    $seURL = "http://url2.com";
    break;
  case 'Y':
    $seURL = "http://url3.com";
    break;
  default:
    $seURL = "";
}
if ($seURL != "") {
  /* Redirect browser */
  /* make sure nothing is output to the page before this statement */
  header("Location: " . $seURL);
}

// get posted data into local variables
$EmailFrom = "noreply@domain.com";
$EmailTo = "email@domain.com";
$Subject = "Form";
$first_name = trim(stripslashes($_POST['first_name']));
$last_name = trim(stripslashes($_POST['last_name']));
$phone = trim(stripslashes($_POST['phone']));
$email = trim(stripslashes($_POST['email']));

// validation (placeholder: nothing is checked yet, so this never fails)
$validationOK = true;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
  exit;
}

// prepare email body text
$Body = "";
$Body .= "first_name: ";
$Body .= $first_name;
$Body .= "\n";
$Body .= "last_name: ";
$Body .= $last_name;
$Body .= "\n";
$Body .= "phone: ";
$Body .= $phone;
$Body .= "\n";
$Body .= "email: ";
$Body .= $email;
$Body .= "\n";
$Body .= "color: ";
$Body .= $se;
$Body .= "\n";

// send email
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// send confirmation email to the user (only for the "White" choice)
if ($se == "W") {
  $EmailFrom = "noreply@domain.com";
  $to = $email;
  $subject = "form email";
  $body = "thank you for filling out our form";
  if (mail($to, $subject, $body, "From: <$EmailFrom>")) {
    echo("<p>Message successfully sent!</p>");
  } else {
    echo("<p>Message delivery failed...</p>");
  }
}
?>


Hey, honestly I don't think I'd be much help with the security, but I noticed the bit about preventing a blank email from being sent which I think I can help with. I'm assuming you have a js function for validateform() returning true. What I've done with something I've made like this before is have js check the form to make sure it's good, but also use php to make sure none of the fields are left blank. Very simplified compared to what you have, of course, but something like:

 


// read each field, treating a missing field as empty
$first_name = isset($_POST['first_name']) ? trim($_POST['first_name']) : '';
$last_name = isset($_POST['last_name']) ? trim($_POST['last_name']) : '';
$email = isset($_POST['email']) ? trim($_POST['email']) : '';

// only send when none of the fields is blank
if ($first_name !== '' && $last_name !== '' && $email !== '')
{
     mail($your, $headers, $and, $other_info); // placeholder arguments
}

 

That way it'll only send if all the variables are set. They could always enter irrelevant gibberish, but at least it wouldn't be a blank email. I hope that helps at least somewhat.


Please notice that if you use the method specified above, the user will have to refill all the fields. In order to prevent that you can use:

<input type="text" name="first_name" size="50" value="<?php echo $first_name; ?>"/>


> Please notice that if you use the method specified above, the user will have to refill all the fields. In order to prevent that you can use:
>
> <input type="text" name="first_name" size="50" value="<?php echo $first_name; ?>"/>

Not like this though, as you would get undefined index errors; you need to check to see if the var is there (isset()), but yes, this logic is the right approach...

 

Rw


> > Please notice that if you use the method specified above, the user will have to refill all the fields. In order to prevent that you can use:
> >
> > <input type="text" name="first_name" size="50" value="<?php echo $first_name; ?>"/>
>
> Not like this though, as you would get undefined index errors; you need to check to see if the var is there (isset()), but yes, this logic is the right approach...
>
> Rw

What do you mean? I always get the wanted result. If a user submitted the form and that field was empty, it will echo 'nothing' -> empty.


> If you had error reporting / display errors on, you'd see a ton of undefined index/undefined variable warnings.

Yup, so yours would become this:

<input type="text" name="first_name" size="50" value="<?php echo (isset($first_name) ? $first_name : ''); ?>"/>

 

This would get rid of those errors IF you had error reporting on.

 

Rw
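Pulling the thread's advice together (server-side blank checks, isset() before redisplaying a value) with the two things a mail handler like form.php also needs, a whitelist for the select value and a rule that no user field may carry CR/LF into mail() headers, here is an added example of a hardened handler. It is not code from any post in this thread; the field names and the W/G/Y colour codes come from the original form, while the URLs and mail addresses are placeholders.

```php
<?php
// Added example, not the poster's form.php: a hardened handler for the same form.
// Field names and W/G/Y codes are from the thread; URLs and addresses are placeholders.
$redirects = array('W' => 'http://url1.com', 'G' => 'http://url2.com', 'Y' => 'http://url3.com');
// Return a POST field as one trimmed line, or null if it is missing, empty, too long,
// or contains CR/LF (which could otherwise smuggle extra mail headers into mail()).
function post_field($name, $maxlen = 100)
{
    if (!isset($_POST[$name])) {
        return null;
    }
    $value = trim($_POST[$name]);
    if ($value === '' || strlen($value) > $maxlen || preg_match('/[\r\n]/', $value)) {
        return null;
    }
    return $value;
}
$first_name = post_field('first_name');
$last_name  = post_field('last_name');
$phone      = post_field('phone');
$email      = post_field('email');
$se         = post_field('se', 1);
$errors = array();
if ($first_name === null || $last_name === null || $phone === null) {
    $errors[] = 'All fields are required.';
}
if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'A valid email address is required.';
}
if ($se === null || !array_key_exists($se, $redirects)) { // whitelist, never trust the select
    $errors[] = 'Please choose a colour from the list.';
}
if ($errors) {
    // Server-side validation failed; the JS validateForm() alone proves nothing.
    // Redisplay with the typed value, HTML-escaped so reflected input cannot run as script.
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    $keep = isset($_POST['first_name']) ? $_POST['first_name'] : '';
    echo '<input type="text" name="first_name" size="50" value="'
       . htmlspecialchars($keep, ENT_QUOTES, 'UTF-8') . '"/>';
    exit;
}
$Body = "first_name: $first_name\nlast_name: $last_name\nphone: $phone\nemail: $email\ncolor: $se\n";
// From: stays a fixed address; the visitor's (validated) address only goes in Reply-To.
mail('email@domain.com', 'Form', $Body, "From: <noreply@domain.com>\r\nReply-To: <$email>");
mail($email, 'form email', 'thank you for filling out our form', 'From: <noreply@domain.com>');
header('Location: ' . $redirects[$se]);
exit; // nothing may be output or run after the redirect
```

The same escaped-redisplay pattern applies to every other input in the form; it is shown once here to keep the example short.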
