PHP Contact form (Help, please)

[NalaMena]

Hello all,

 

It's my first time here, I hope you will be indulgent.

I am trying to create a contact form in php, using something that a former employee at my company has written for another website.

Please note that I have no knowledge whatsoever of php (except what I've learned while creating it...).

 

Here is the code I am working with. Can you go through and let me know if see anything that seems off to you?

Thank you very much!

 

<?php
/*
********************************************************************************************
CONFIGURATION
********************************************************************************************
*/
// destinataire est votre adresse mail. Pour envoyer à plusieurs à la fois, séparez-les par une virgule

$destinataire = 'myemail';

// copie ? (envoie une copie au visiteur)
$copie = 'oui';

// Action du formulaire (si votre page a des paramètres dans l'URL)
// si cette page est index.php?page=contact alors mettez index.php?page=contact
// sinon, laissez vide
$form_action = '';

// Messages de confirmation du mail
$message_envoye = "Votre message nous est bien parvenu. Merci !";
$message_non_envoye = "L'envoi du mail a échoué, veuillez réessayer SVP.";

// Message d'erreur du formulaire
$message_formulaire_invalide = "Vérifiez que tous les champs soient bien remplis et qu'il n'y ait pas d'erreur dans votre adresse courriel.";

/*
********************************************************************************************
FIN DE LA CONFIGURATION
********************************************************************************************
*/

/*
* cette fonction sert à nettoyer et enregistrer un texte
*/
function Rec($text)
{
$text = htmlspecialchars(trim($text), ENT_QUOTES);
if (1 === get_magic_quotes_gpc())
{
$text = stripslashes($text);
}

$text = nl2br($text);
return $text;
};

/*
* Cette fonction sert à vérifier la syntaxe d'un email
*/
function IsEmail($email)
{
$value = preg_match('/^(?:[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+\.)*[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+@(??:(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!\.)){0,61}[a-zA-Z0-9_-]?\.)+[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!$)){0,61}[a-zA-Z0-9_]?)|(?:\[(??:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$/', $email);
return (($value === 0) || ($value === false)) ? false : true;
}

// formulaire envoyé, on récupère tous les champs.
$name   = (isset($_POST['name']))   ? Rec($_POST['name'])   : '';
$email  = (isset($_POST['email']))  ? Rec($_POST['email'])  : '';
$tel   = (isset($_POST['tel']))   ? Rec($_POST['tel'])   : '';  
$sujet  = (isset($_POST['sujet']))  ? Rec($_POST['sujet'])  : '';
$message = (isset($_POST['message'])) ? Rec($_POST['message']) : '';

// On va vérifier les variables et l'email ...
$email = (IsEmail($email)) ? $email : ''; // soit l'email est vide si erroné, soit il vaut l'email entré
$err_formulaire = false; // sert pour remplir le formulaire en cas d'erreur si besoin

if (isset($_POST['envoi']))
{
if (($name != '') && ($tel != ''))
{
// les 4 variables sont remplies, on génère puis envoie le mail
//$headers = 'From:'.$name.' <'.$email.'>' . "\r\n";
//$headers .= 'Reply-To: '.$email. "\r\n" ;
//$headers .= 'X-Mailer:PHP/'.phpversion();
   
   
    $headers = "From: " . $name . "\r\n";
    $headers .= "Reply-To: ". $email . "\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";

// envoyer une copie au visiteur ?
if ($copie == 'oui')
{
$cible = $destinataire.';'.$email;
}
else
{
$cible = $destinataire;
};

// Remplacement de certains caractères spéciaux
$message = str_replace("'","'",$message);
$message = str_replace("’","'",$message);
$message = str_replace(""",'"',$message);
$message = str_replace('<br>','',$message);
$message = str_replace('<br />','',$message);
$message = str_replace("<","<",$message);
$message = str_replace(">",">",$message);
$message = str_replace("&","&",$message);

// Envoi du mail
$num_emails = 0;
$tmp = explode(';', $cible);
foreach($tmp as $email_destinataire)
{
$msg = '<html><body>';
      $msg .= '<h1>Vous avez reçu une soumission</h1>';
      $msg .= '</body></html>';
      $msg = '<html><body>';
      $msg = '<h3>Formulaire : </h3>';
      $msg .= "<tr><td><strong>Prénom Nom : </strong> </td><td>" . $name . "</td></tr>";
      $msg .= "<tr><td><strong>Courriel : </strong> </td><td>" . $email . "</td></tr>";
      $msg .= "<tr><td><strong>Téléphone : </strong> </td><td>" . $tel . "</td></tr>";
      $msg .= "<tr><td><strong>Sujet : </strong> </td><td>" . $sujet . "</td></tr>";
      $msg .= "<tr><td><strong>Message :</strong> </td><td>" . $message . "</td></tr>";
     
      }
      $msg .= "</table>";
      $msg .= "</body></html>";

      //$msg = $name.'</br>'.$email.'</br>'.$tel.'</br>'.$sujet.'</br>'.$message;
      if (mail($email_destinataire, $name, $msg, $headers))
$num_emails++;
}
}
?>

[Sepodati]

Well, it's all in French.

 

Kind of a loaded question... Are you having problems?

 

I will say that you're not validating $name and $email adequately enough to prevent a malicious user from hijacking this form and crafting their own email messages to anyone they want, with any content they want.

[dalecosp]

Welcome.

 

Here are several things I've noticed in reading the code, not in any particular order and certainly not in order of importance.

 

1. The ending "?>" is extraneous. Also, in PHP, functions don't end with semicolons (although this may not break the parser).

 

2. It counts the number of sent emails ($num_emails), but never uses this variable; in fact, it doesn't report success at all.

 

3. Conversely, it doesn't count the number of failed email attempts or say anything if the mail is NOT sent.

 

4. If the message is being copied, the 1st copy (to $destinaire), will not have correctly formed html because the table ending code is outside the foreach loop.

 

5. More importantly, the message will not be sent to both $destinaire and $email because the send routine (call to mail()) is also outside the loop.

 

6. Error checking is almost nil. The script doesn't check to see if $email has value; it does check if it's valid but if not it doesn't set any error condition and blindly continues on its way. Ditto $sujet and $message, so someone could send an empty subject and empty message.

 

Furthermore, as Sepodati points out, it's likely vulnerable to a header injection attack, which will turn your web form into a way for spammers to send junk email to whomever they wish.

 

I hope you'll get it fixed before it goes public.

[gizmola]

Well, it's all in French.

 

Kind of a loaded question... Are you having problems?

 

I will say that you're not validating $name and $email adequately enough to prevent a malicious user from hijacking this form and crafting their own email messages to anyone they want, with any content they want.

This is great feedback, but useless for a novice if you aren't willing to pull out some specifics or help them figure out how to do it properly.

[ginerjm]

I think it's a pretty useful response.  It should make the OP stop and think about how much he doesn't know about PHP and begin the process of getting the task re-assigned to someone who does.  If not, his manager needs a new perspective on how to best utilize his staff.  OTOH - if the OP is supposed to be able to handle this job, then the response from dalecosp should make him aware of how he has been taking his employer's wages under false pretenses and begin thinking about a new career.