Php Email Form


meesh2175


Hello, I have a quick question... I have an email form which works great, except sometimes when I receive the form, either the Course Address, Lead Educator or Other field has an exclamation mark (!) contained in it.

 

For example, it will look like this - Course Address: 12!3 Example Street

 

Any ideas why? See my code below:

 

<?php
if(isset($_POST['email'])) {

$email_to = "example@example.com";
$email_subject = "Form Submitted by:"." ".$_POST['name'] ." (Course Date: ". $_POST['coursedate'].")";

$date = $_POST['date']; // required
$name = $_POST['name']; // required
$email_from = $_POST['email']; // required
$address = $_POST['address']; // required
$city = $_POST['city']; // not required
$postalcode = $_POST['postalcode']; // not required
$coursename = $_POST['coursename']; // not required
$coursedate = $_POST['coursedate']; // not required
$courseloc = $_POST['courseloc']; // not required
$coursehours = $_POST['coursehours']; // not required
$mileage = $_POST['mileage']; // not required
$courseadd = $_POST['courseadd']; // not required
$educator = $_POST['educator']; // not required
$other = $_POST['other']; // not required

//ERROR MESSAGES
$error_message = "";
// Strips a handful of header/HTML keywords from a value (case-sensitive, single pass)
function clean_string($string) {
$bad = array("content-type","bcc:","to:","cc:","href");
return str_replace($bad,"",$string);
}

//EMAIL MESSAGE
$email_message = ""; // start from an empty string rather than appending to an undefined variable
$email_message .= "<html>";
$email_message .= "<style type='text/css'>body,td,th {font-family: Arial, Helvetica, sans-serif; font-size: 13px;}</style>";
$email_message .= "<body>";
$email_message .= "<table width='650' border='1' cellspacing='0' cellpadding='5'>";

$email_message .= "<tr>";
$email_message .= "<td colspan='2' bgcolor='#FFB300' style='font-weight: bold;'>FORM</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td width='237'>Name:</td>"."<td width='393'>".clean_string($name)."</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td>Email:</td>"."<td>".clean_string($email_from)."</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td>Mailing Address:</td>"."<td>".clean_string($address)."</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td>City:</td>"."<td>".clean_string($city)."</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td>Postal Code:</td>"."<td>".clean_string($postalcode)."</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td colspan='2' bgcolor='#FFB300' style='font-weight: bold;'>COURSE INFORMATION</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td>Course Date:</td>"."<td>".clean_string($coursedate)."</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td>Course Name:</td>"."<td>".clean_string($coursename)."</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td>Course Location:</td>"."<td>".clean_string($courseloc)."</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td>Course Hours:</td>"."<td>".clean_string($coursehours)."</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td>Mileage (if applicable):</td>"."<td>".clean_string($mileage)."</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td>Course Address:</td>"."<td>".clean_string($courseadd)."</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td>Lead Educator:</td>"."<td>".clean_string($educator)."</td>";
$email_message .= "</tr>";

$email_message .= "<tr>";
$email_message .= "<td>Other (if applicable):</td>"."<td>".clean_string($other)."</td>";
$email_message .= "</tr>";

$email_message .= "</table><br>";
$email_message .= "<span style='font-size: 11px; font-style: italic;'>Note: This form was submitted on: ".clean_string($date).".</span>";
$email_message .= "</body>";
$email_message .= "</html>";

//HEADERS
$headers = "MIME-Version: 1.0\r\n"; // start from a defined string; every header line ends in CRLF
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= 'From: example@example.com'."\r\n".
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/'. phpversion();
@mail($email_to, $email_subject, $email_message, $headers);
} // closes if(isset($_POST['email'])), which the original was missing
?>


Since you've done absolutely no validation of the input, nor shown us where the data is coming from, I'm just going to have to assume that it's a mistype by the user.

 

Though, from looking at the code I can tell you one thing: your clean_string() function is completely wasted, and doesn't do anything to keep your code safe. Not only that, but since you've failed to validate the $_POST['email'] field, it's completely open to abuse by anyone. In fact, it would be trivial for an attacker to make your script into a spam-bot, which sends their own customized message to whomever they liked. From your e-mail address.

 

That's one of the reasons you always should validate all input. In addition to making sure to use the proper output escaping methods for the external system you're sending the data to, if there are any such methods available. For e-mails there isn't, which only increases the importance of proper validation.

 

PS: Stripping content from a string is not validation. At best it can be considered sanitation/washing, and is almost always an annoyance for the user since it can (and very often does) silently introduce errors in the input data.

Edited by Christian F.
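The point of the reply above is the difference between stripping and validating, and the specific risk is that the email field is copied straight into a Reply-To header. The following is an added example, not the original poster's or the replier's code: the same form handled with validation first and output escaping second. The field names follow the posted form; the recipient address, the From: mailbox and the 500-byte length cap are assumptions for illustration.

```php
<?php
// Added example, not the original poster's code: validate the POST data,
// refuse anything that cannot be represented safely, then escape each value
// for the context it lands in (SMTP header or HTML body).

declare(strict_types=1);

/** True if a value can sit on a single header line: no CR, LF or NUL that could start a new header. */
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Validate the raw POST array. Nothing is silently stripped: every problem
 * becomes an error the user sees, which is what separates this from clean_string().
 */
function validate_form(array $post): array
{
    $required = ['name', 'email', 'address'];
    $optional = ['date', 'city', 'postalcode', 'coursename', 'coursedate', 'courseloc',
                 'coursehours', 'mileage', 'courseadd', 'educator', 'other'];
    $errors = [];
    $data = [];

    foreach (array_merge($required, $optional) as $field) {
        $value = trim((string) ($post[$field] ?? ''));
        if ($value === '' && in_array($field, $required, true)) {
            $errors[] = "$field is required";
        }
        if (strlen($value) > 500) {                 // assumed cap: a contact form is not a file upload
            $errors[] = "$field is too long";
        }
        $data[$field] = $value;
    }

    // email feeds the Reply-To header, so it must be exactly one syntactically valid
    // mailbox. FILTER_VALIDATE_EMAIL rejects "a@b.example\r\nBcc: c@d.example" outright.
    if ($data['email'] !== '' && filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    // name and coursedate feed the Subject header.
    foreach (['name', 'coursedate'] as $field) {
        if (!is_header_safe($data[$field])) {
            $errors[] = "$field contains a line break";
        }
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $data];
}

/** Headers for the notification: only validated data, one CRLF between lines, none trailing. */
function build_headers(array $data, string $from): string
{
    return implode("\r\n", [
        'MIME-Version: 1.0',
        'Content-Type: text/html; charset=UTF-8',
        'From: ' . $from,
        'Reply-To: ' . $data['email'],   // safe: validate_form() already rejected multi-line values
    ]);
}

/** Body for the notification: each value escaped for the HTML context it is printed in. */
function build_body(array $data): string
{
    $html = "<html><body><table border='1'>\n";
    foreach ($data as $field => $value) {
        $html .= '<tr><td>' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . '</td><td>'
               . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "</td></tr>\n";
    }
    return $html . "</table></body></html>\n";
}

// Constructed input: the Bcc smuggling attempt the reply above warns about.
$attack = validate_form([
    'name'    => 'Alice',
    'address' => '12 Example Street',
    'email'   => "alice@example.com\r\nBcc: victim@example.org",
]);
assert($attack['ok'] === false);   // the injected Bcc: line never reaches mail()

$good = validate_form(['name' => 'Alice', 'address' => '12 Example Street', 'email' => 'alice@example.com']);
assert($good['ok'] === true);

if (isset($_POST['email'])) {
    $result = validate_form($_POST);
    if (!$result['ok']) {
        http_response_code(400);
        echo htmlspecialchars(implode('; ', $result['errors']), ENT_QUOTES, 'UTF-8');
        exit;
    }
    $d = $result['data'];
    $subject = 'Form Submitted by: ' . $d['name'] . ' (Course Date: ' . $d['coursedate'] . ')';
    mail('example@example.com', $subject, build_body($d), build_headers($d, 'forms@example.com'));
}
```

Two things to notice: the validation step rejects a bad value instead of editing it, so the user gets an error rather than a silently mangled address, and the escaping is done per context: header values are checked for line breaks because that is what breaks a header, while body values go through htmlspecialchars() because that is what breaks HTML. Neither check is a substitute for the other.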


Holy... my apologies. I am still in the learning stages of php coding hence why I am on a forum. I know my code is not perfect but that is why I am asking for help. As for it being a mistype by the user, obviously I submitted a form myself (without mistyping anything) and it still inserts a !.


Your HTML string is too long. Try appending line-breaks to the end of each line:

 

//EMAIL MESSAGE
$email_message = "";
$email_message .= "<html>\n";
$email_message .= "<style type='text/css'>body,td,th {font-family: Arial, Helvetica, sans-serif; font-size: 13px;}</style>\n";
$email_message .= "<body>\n";
$email_message .= "<table width='650' border='1' cellspacing='0' cellpadding='5'>\n";

// and so on...

 

Alternatively, look into nl2br() with a character limitation of ~70.

 

What is happening is your HTML string is too long and is causing funky characters to be added during processing.

 

EDIT: Just noticed you're casting the email as HTML so the CR LF will not work. Either stick with Content-type: plain/text; or use the nl2br() function to truncate long lines.

Edited by mrMarcus
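The reply above has the diagnosis right: the whole HTML body is one line of well over a thousand characters, and an MTA that folds over-long lines (RFC 5322 caps a line at 998 characters plus CRLF) will break it at an arbitrary point and mark the fold, which is how a "!" lands inside a field value. The following is an added example, not mrMarcus's or the original poster's code, showing two ways to keep every line under the limit: wrapping the HTML as it is built, or leaving the HTML alone and letting quoted-printable transfer encoding do the wrapping. The row data and the 76-character width are assumptions for illustration.

```php
<?php
// Added example, not code from the thread: two ways to keep every line of an
// HTML mail body below the SMTP line limit so no MTA has to fold it.

declare(strict_types=1);

/** Longest line in a message body, in bytes, ignoring the line terminator. */
function max_line_length(string $body): int
{
    $max = 0;
    foreach (preg_split('/\r\n|\n/', $body) as $line) {
        $max = max($max, strlen($line));
    }
    return $max;
}

/**
 * Option 1: emit one element per line and wrap each value at 76 characters.
 * Line breaks in HTML source are whitespace, so the rendered mail looks the same.
 */
function build_html_rows(array $rows, int $width = 76): string
{
    $lines = ['<html>', '<body>', "<table width='650' border='1' cellspacing='0' cellpadding='5'>"];
    foreach ($rows as $label => $value) {
        $lines[] = '<tr>';
        $lines[] = '<td>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</td>';
        // wordwrap() breaks at spaces; the final true forces a break inside a token
        // longer than $width, which is the only way to bound a value with no spaces.
        // Caveat: a forced cut can split an entity such as &amp; across two lines,
        // so a body with such values is better served by option 2.
        $lines[] = wordwrap('<td>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</td>', $width, "\r\n", true);
        $lines[] = '</tr>';
    }
    $lines[] = '</table>';
    $lines[] = '</body>';
    $lines[] = '</html>';
    return implode("\r\n", $lines) . "\r\n";
}

/**
 * Option 2: keep the HTML as one long string and declare a transfer encoding.
 * quoted_printable_encode() inserts soft line breaks ("=" + CRLF) so that no
 * encoded line exceeds 76 characters; the receiving client removes them again,
 * so a fold can never end up inside a value.
 */
function encode_quoted_printable(string $html): array
{
    return [
        'headers' => "MIME-Version: 1.0\r\n"
                   . "Content-Type: text/html; charset=UTF-8\r\n"
                   . "Content-Transfer-Encoding: quoted-printable",
        'body'    => quoted_printable_encode($html),
    ];
}

// Constructed data: one value long enough to exceed the limit on its own.
$rows = [
    'Course Address' => '123 Example Street',
    'Other'          => str_repeat('long text without a break ', 60),   // ~1560 characters
];

$wrapped = build_html_rows($rows);
assert(max_line_length($wrapped) <= 76);

$oneLine = '<html><body><table><tr><td>'
         . htmlspecialchars($rows['Other'], ENT_QUOTES, 'UTF-8')
         . '</td></tr></table></body></html>';
assert(max_line_length($oneLine) > 998);            // this is the shape of the original message
$qp = encode_quoted_printable($oneLine);
assert(max_line_length($qp['body']) <= 76);         // and this is what reaches the MTA
// mail($to, $subject, $qp['body'], $qp['headers']);
```

Option 2 is the one to reach for in practice: it is independent of how the HTML is assembled, it also handles non-ASCII characters correctly, and it removes the whole class of "where did the MTA fold my line" problems rather than one instance of it.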

Ah makes sense... thank you so much for your help!! Much appreciated :)
