Hi,

I'm new to this forum and also new to PHP :) I was hoping someone could help me with a little problem.

I've created a form with fields such as Name, Email, Phone, Skill sets and a field to upload a resume as an attachment. As of now, it does send me an email, but with the subject line blank and only the skill sets field in the body of the text. When a visitor fills out the form and clicks send, I want it to send me an email with the uploaded file as an attachment and also the data collected from the fields mentioned above in the body of the email.

Here is the form code that I have in HTML:

<form action="mail2.php" method="POST" enctype="multipart/form-data">
  <p>Name: <input type="text" name="name" value="" /></p>
  <p>Email: <input type="text" name="email" value="" /></p>
  <p>Phone: <input type="text" name="phone" value="" /></p>
  <p>Skill sets: <input type="text" name="skills" value="" /></p>
  <p>Resume: <input type="file" name="fileatt" /></p>
  <p><input type="submit" value="Send" /></p>
</form>

And here is the PHP code that I have:

<?php
// Read POST request params into global vars
$to      = "[email protected]";
$name    = $_POST['name'];
$email   = $_POST['email'];
$phone   = $_POST['phone'];
$subject = "Resume from the 'Careers' page";
$skills  = $_POST['skills'];

// Obtain file upload vars
$fileatt      = $_FILES['fileatt']['tmp_name'];
$fileatt_type = $_FILES['fileatt']['type'];
$fileatt_name = $_FILES['fileatt']['name'];

$headers = "From: $email";

// Plain-text body used when no file was uploaded
// (without this, $message is undefined at the mail() call below)
$message = $skills;

if (is_uploaded_file($fileatt))
{
  // Read the file to be attached ('rb' = read binary)
  $file = fopen($fileatt, 'rb');
  $data = fread($file, filesize($fileatt));
  fclose($file);

  // Generate a boundary string
  $semi_rand     = md5(time());
  $mime_boundary = "==Multipart_Boundary_x{$semi_rand}x";

  // Add the headers for a file attachment
  $headers .= "\nMIME-Version: 1.0\n" .
              "Content-Type: multipart/mixed;\n" .
              " boundary=\"{$mime_boundary}\"";

  // Add a multipart boundary above the plain message
  $message = "This is a multi-part message in MIME format.\n\n" .
             "--{$mime_boundary}\n" .
             "Content-Type: text/plain; charset=\"iso-8859-1\"\n" .
             "Content-Transfer-Encoding: 8bit\n\n" .
             $skills . "\n\n";

  // Base64 encode the file data
  $data = chunk_split(base64_encode($data));

  // Add file attachment to the message
  $message .= "--{$mime_boundary}\n" .
              "Content-Type: {$fileatt_type};\n" .
              " name=\"{$fileatt_name}\"\n" .
              //"Content-Disposition: attachment;\n" .
              //" filename=\"{$fileatt_name}\"\n" .
              "Content-Transfer-Encoding: base64\n\n" .
              $data . "\n\n" .
              "--{$mime_boundary}--\n";
}

// Send the message
$ok = @mail($to, $subject, $message, $headers);

if ($ok) {
  echo "<p>Your resume has been successfully submitted. We carefully screen resumes received through this channel. Should there be a match between open positions and your resume, we will get in touch with you. Thank you!</p>";
} else {
  echo "<p>Mail could not be sent. Sorry, please try again!</p>";
}
?>

First of all, I already see a vulnerability there.

Filter the visitor's email with filter_var, as you create a header with it, and it is vulnerable to external attacks.

For a vulnerability explanation read: http://www.php-security.org/MOPB/MOPB-34-2007.html

  
$headers .= "\nSubject: Resume from the 'Careers' page";

$message = "This is a multi-part message in MIME format.\n\n" .
           "--{$mime_boundary}\n" .
           "Content-Type: text/plain; charset=\"iso-8859-1\"\n" .
           "Content-Transfer-Encoding: 8bit\n\n" .
           $skills . "\n\n" .
           $name . "\n\n" .
           $phone . "\n\n" .
           $email . "\n\n";
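The reply above points at the real problem: `$headers = "From: $email"` puts a visitor-controlled string straight into the header block, so any value containing a line break becomes extra headers. Below is an added example, not code from either poster, showing how the filter_var check the reply recommends fits into the mail builder, together with the other things a practitioner would want at the same time: a fixed From: address with the visitor in Reply-To:, CR/LF stripped from every other header-bound value (name, attachment file name), and all form fields in the body with the file as a proper attachment. The sender address `careers-form@example.com`, the function names and the sample submissions are assumptions for the example.

```php
<?php
// Added example (not the original poster's or replier's code): validate
// user-supplied values before they reach mail() headers, then build the
// MIME message with all form fields in the body.

/**
 * Return the address if it is a single well-formed e-mail, otherwise null.
 * FILTER_VALIDATE_EMAIL rejects CR and LF, so a value carrying extra
 * header lines fails here instead of reaching the header block.
 */
function clean_email(string $value): ?string
{
    $ok = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

/** Replace anything that could end a header line; for Name, file name, etc. */
function header_safe(string $value): string
{
    return trim(preg_replace('/[\r\n]+/', ' ', $value));
}

/**
 * Build ['headers' => ..., 'message' => ...] for a careers-form submission.
 * $fields holds name, email, phone, skills (e.g. straight from $_POST).
 * $attachment is ['name' => ..., 'type' => ..., 'data' => raw bytes] or null.
 */
function build_resume_mail(array $fields, ?array $attachment): array
{
    $email = clean_email($fields['email'] ?? '');
    if ($email === null) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    $name   = header_safe($fields['name'] ?? '');
    $phone  = header_safe($fields['phone'] ?? '');
    $skills = $fields['skills'] ?? '';

    // From: is an address the site controls (assumed placeholder); the visitor
    // goes into Reply-To:, so replying still works without a forged sender.
    $headers = [
        'From: careers-form@example.com',
        'Reply-To: ' . $email,
        'MIME-Version: 1.0',
    ];

    // Every form field ends up in the body, not only the skills.
    $body = "Name: $name\r\nEmail: $email\r\nPhone: $phone\r\n\r\nSkills:\r\n$skills\r\n";

    if ($attachment === null) {
        $headers[] = 'Content-Type: text/plain; charset="utf-8"';
        return ['headers' => implode("\r\n", $headers), 'message' => $body];
    }

    $boundary  = '==Multipart_Boundary_' . bin2hex(random_bytes(16));
    $headers[] = 'Content-Type: multipart/mixed; boundary="' . $boundary . '"';

    // The upload's file name and MIME type are user input as well.
    $fname = str_replace('"', '', header_safe(basename($attachment['name'])));
    $ftype = preg_match('#^[\w.+-]+/[\w.+-]+$#', $attachment['type'])
        ? $attachment['type'] : 'application/octet-stream';

    $message = "This is a multi-part message in MIME format.\r\n\r\n"
        . "--$boundary\r\n"
        . "Content-Type: text/plain; charset=\"utf-8\"\r\n"
        . "Content-Transfer-Encoding: 8bit\r\n\r\n"
        . $body . "\r\n"
        . "--$boundary\r\n"
        . "Content-Type: $ftype; name=\"$fname\"\r\n"
        . "Content-Disposition: attachment; filename=\"$fname\"\r\n"
        . "Content-Transfer-Encoding: base64\r\n\r\n"
        . chunk_split(base64_encode($attachment['data']))
        . "--$boundary--\r\n";

    return ['headers' => implode("\r\n", $headers), 'message' => $message];
}

// Usage with constructed input (not real submissions).
// A value with an embedded line break fails validation and never reaches mail():
$bad = ['name' => 'Eve', 'email' => "eve@example.com\nBcc: list@example.net",
        'phone' => '555-0100', 'skills' => 'PHP'];
try {
    build_resume_mail($bad, null);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}

// A normal submission with a small text attachment:
$good = ['name' => 'Alice', 'email' => 'alice@example.com',
         'phone' => '555-0101', 'skills' => 'PHP, MySQL'];
$mail = build_resume_mail($good, ['name' => 'resume.txt', 'type' => 'text/plain',
                                  'data' => 'Sample resume body']);
// mail('hr@example.com', "Resume from the 'Careers' page", $mail['message'], $mail['headers']);
```

In a real handler the `$attachment` array would be filled from `$_FILES['fileatt']` after `is_uploaded_file()` succeeds, and the subject stays in mail()'s own subject parameter rather than in the header string.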
