DeclineoftheWest, posted March 25, 2023

Hi there. I'm working on my first project for a client for HTML/CSS, and I've had to learn PHP to finish a contact form for the website. So, I spent some time and finally got a PHP form to work that sends an email (although in Gmail it does go to spam). It seems to work on all other web hosts, but with GoDaddy it doesn't send any emails. I've tried other PHP contact forms and they don't work either. Any ideas on what is going on? My form uses the mail function, and from research a lot of people seem to have this problem, but customer service is useless. Here is the code for my contact form, although I doubt it will matter since no PHP form seems to work:

```php
<?php
$to      = 'example@example.com';
$message = '';
$name    = $_POST['name'];
$email   = $_POST['email'];
$phone   = $_POST['phone'];
$city    = $_POST['city'];
$subject = $_POST['subject'];

// builds the body from every submitted field, whatever was posted
foreach ($_POST as $key => $value) {
    $message .= '<strong>' . ucfirst($key) . "\r\n" . '</strong>' . ': ' . $value . '<br>' . PHP_EOL;
}

// From is built from the submitted name/address (the closing '>' was missing in the posted version)
$headers = 'Content-type: text/html; charset=iso-8859-1' . "\r\n"
         . "From:" . $name . "<" . $email . ">\r\n";

mail($to, $subject, $message, $headers);

// header('../index.html'); as posted: not a valid header line, so it has no effect.
// A redirect would be header('Location: ../index.html') followed by exit, before any output.
echo '
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Contact form</title>
    <link href="https://fonts.googleapis.com/css2?family=Playfair+Display:wght@600&family=Poppins&display=swap" rel="stylesheet">
    <link rel="stylesheet" href="style.css">
</head>
<body>
    <div class="container">
        <h1>Thank you for contacting us. We will get back to you as soon as possible!</h1>
        <p class="back">Go back to the <a href="../index.html">homepage</a>.</p>
    </div>
</body>
</html>
';
?>
```
mac_gyver, posted March 25, 2023

except during testing, when you enter your own email address, these emails are NOT being sent From the name/email address that is entered in the form. they are being sent from the mail server at the web hosting. the domain in the From email address must either directly correspond to the sending mail server or there must be dns zone records (specifically an SPF record) at the domain in the From email address that indicate your email server can send email for that domain. short version: use a From email address that exists at the web hosting.
DeclineoftheWest (author), posted March 25, 2023

Not sure what you mean by a From address that exists at the web hosting? I changed my code to this. Is this not correct? I'm not very good at coding, by the way:

```php
<?php
$to      = 'example@example.com';
$message = '';
$name    = $_POST['name'];
$email   = $_POST['email'];
$phone   = $_POST['phone'];
$city    = $_POST['city'];
$subject = $_POST['subject'];

foreach ($_POST as $key => $value) {
    $message .= '<strong>' . ucfirst($key) . "\r\n" . '</strong>' . ': ' . $value . '<br>' . PHP_EOL;
}

// first assignment is overwritten by the next line, so the submitted name/address is no longer used
$headers = 'Content-type: text/html; charset=iso-8859-1' . "\r\n"
         . "From:" . $name . "<" . $email . ">\r\n";
$headers = "From: example@example.com\r\n";

mail($to, $subject, $message, $headers);

// header('../index.html'); as posted: not a valid header line, so it has no effect.
echo '
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Contact form</title>
    <link href="https://fonts.googleapis.com/css2?family=Playfair+Display:wght@600&family=Poppins&display=swap" rel="stylesheet">
    <link rel="stylesheet" href="style.css">
</head>
<body>
    <div class="container">
        <h1>Thank you for contacting us. We will get back to you as soon as possible!</h1>
        <p class="back">Go back to the <a href="../index.html">homepage</a>.</p>
    </div>
</body>
</html>
';
?>
```
DeclineoftheWest (author), posted March 25, 2023 (edited)

Cool. I got everything to work. One last question, since this is for a client. Do I have to sanitize the PHP, or add some sort of captcha to prevent people from hacking or malicious code? Thank you for your help.

Edited March 25, 2023 by DeclineoftheWest
mac_gyver, posted March 25, 2023

data ($_POST, $_GET, $_COOKIE, $_FILES, and some $_SERVER variables) submitted to any site can come from anywhere, not just your forms/links/cookies, can be set to anything, and cannot be trusted. you should trim all external data, mainly so that you can detect if it is all white-space characters, validate it, then use it securely in whatever context it is being used in. in a html context, such as an email body or a web page, you should apply htmlentities() to any external, unknown, dynamic values to help prevent cross site scripting. for a value that has a specific format, like an email address, after you have validated that it is not an empty string, you should validate that it is a properly formatted email address.

for something like a contact form, where you don't have the ability to limit its use to only known, logged in users, yes, you should use a captcha.

your post method form processing code should:

1. if the form and form processing code are not on the same page, they should be. this will allow you to display any validation errors and repopulate the form field values upon a validation error.
2. detect if a post method form has been submitted. this will ensure that if the page is ever requested via a get request, it won't waste time running code when there is no post data to use.
3. keep the form data as a set in an array variable, then use elements in this array variable throughout the rest of the code, i.e. don't write out lines of code copying variables to other variables for nothing.
4. after you do item #3 on this list, you can trim all the data at once using one single line of code.
5. don't unconditionally loop over the $_POST data. hackers can submit hundreds of post variables to your code. you should instead define an array of expected fields, then loop over this defining array when validating and using the submitted data.
6. you should not directly accept the subject from external data. if there's a need for different subject values, define them in an array, with numerical id indexes, then get the actual subject from the submitted numerical id value.
7. you should have error handling logic for the mail() call. if it returns a false value, the email was not accepted by the sending email server. you would set up a general failure message for the user, and you would log everything about the attempted email so that you will both know that it failed and can perhaps see a pattern as to why it may have failed. you would only display the success content if the mail() call returned a true value.
8. after successfully using the submitted form data, with no errors, you should perform a redirect to the exact same url of the current page to cause a get request for that page. this will prevent the browser from resubmitting the form data if the user reloads that page or navigates away from and back to that page. to display a one-time success message, store it in a session variable, then test, display, and clear that session variable at the appropriate location in the html document.
9. don't echo static markup. there's no php code in that success message. just drop out of 'php' mode and put the markup in-line in the file.
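The checklist above put into one self-processing file, as an added example (not mac_gyver's or the poster's code); the mailbox addresses forms@example.com and owner@example.com and the subject list are assumed placeholders.

```php
<?php
// Added example, not the thread's code: a single-file contact form following the checklist above.
// Assumed placeholders: forms@example.com (a mailbox at the hosting domain) and owner@example.com.
session_start();
$fields   = ['name' => 'Name', 'email' => 'Email', 'phone' => 'Phone', 'city' => 'City', 'message' => 'Message'];
$subjects = [1 => 'General enquiry', 2 => 'Quote request']; // subject is picked by id, never free text
$errors   = [];
$post     = [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // copy only the expected fields, trimmed in one pass; any extra POST keys are ignored
    foreach (array_keys($fields) as $k) {
        $post[$k] = is_string($_POST[$k] ?? null) ? trim($_POST[$k]) : '';
    }
    foreach ($fields as $k => $label) {
        if ($post[$k] === '') {
            $errors[] = "$label is required.";
        }
    }
    if ($post['email'] !== '' && !filter_var($post['email'], FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'Email address is not valid.';
    }
    $subjectId = (int) ($_POST['subject'] ?? 0);
    if (!isset($subjects[$subjectId])) {
        $errors[] = 'Please choose a subject.';
    }
    if (!$errors) {
        $body = '';
        foreach ($fields as $k => $label) { // html context: encode every external value
            $body .= '<strong>' . $label . ':</strong> ' . htmlentities($post[$k], ENT_QUOTES, 'UTF-8') . "<br>\r\n";
        }
        // From is an address at the hosting domain; the visitor's address (validated above, so it
        // cannot carry a newline into the headers) goes in Reply-To so replies still reach them
        $headers = "From: forms@example.com\r\nReply-To: {$post['email']}\r\nContent-Type: text/html; charset=UTF-8\r\n";
        if (mail('owner@example.com', $subjects[$subjectId], $body, $headers)) {
            $_SESSION['flash'] = 'Thank you for contacting us. We will get back to you soon.';
            header('Location: ' . $_SERVER['REQUEST_URI']); // redirect to this same url: GET after POST
            exit;
        }
        error_log('contact form: mail() rejected message ' . json_encode($post)); // keep a record of failures
        $errors[] = 'Your message could not be sent right now. Please try again later.';
    }
}
$flash = $_SESSION['flash'] ?? null; // one-time success message, cleared as soon as it is read
unset($_SESSION['flash']);
?>
<?php if ($flash): ?><p><?= htmlentities($flash, ENT_QUOTES, 'UTF-8') ?></p><?php endif; ?>
<?php foreach ($errors as $e): ?><p class="error"><?= htmlentities($e, ENT_QUOTES, 'UTF-8') ?></p><?php endforeach; ?>
<form method="post"><input name="name" value="<?= htmlentities($post['name'] ?? '', ENT_QUOTES, 'UTF-8') ?>">
<select name="subject"><?php foreach ($subjects as $id => $s): ?><option value="<?= $id ?>"><?= $s ?></option><?php endforeach; ?></select> ...</form>
```

The remaining inputs follow the same pattern as the name field; a captcha widget would be added to the form and checked alongside the other validations.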
DeclineoftheWest (author), posted March 29, 2023

On 3/25/2023 at 5:39 PM, mac_gyver said:

> data ($_POST, $_GET, $_COOKIE, $_FILES, and some $_SERVER variables) submitted to any site can come from anywhere, not just your forms/links/cookies, can be set to anything, and cannot be trusted. you should trim all external data, mainly so that you can detect if it is all white-space characters, validate it, then use it securely in whatever context it is being used in. in a html context, such as an email body or a web page, you should apply htmlentities() to any external, unknown, dynamic values to help prevent cross site scripting. for a value that has a specific format, like an email address, after you have validated that it is not an empty string, you should validate that it is a properly formatted email address.
>
> for something like a contact form, where you don't have the ability to limit its use to only known, logged in users, yes, you should use a captcha.
>
> your post method form processing code should:
>
> 1. if the form and form processing code are not on the same page, they should be. this will allow you to display any validation errors and repopulate the form field values upon a validation error.
> 2. detect if a post method form has been submitted. this will ensure that if the page is ever requested via a get request, it won't waste time running code when there is no post data to use.
> 3. keep the form data as a set in an array variable, then use elements in this array variable throughout the rest of the code, i.e. don't write out lines of code copying variables to other variables for nothing.
> 4. after you do item #3 on this list, you can trim all the data at once using one single line of code.
> 5. don't unconditionally loop over the $_POST data. hackers can submit hundreds of post variables to your code. you should instead define an array of expected fields, then loop over this defining array when validating and using the submitted data.
> 6. you should not directly accept the subject from external data. if there's a need for different subject values, define them in an array, with numerical id indexes, then get the actual subject from the submitted numerical id value.
> 7. you should have error handling logic for the mail() call. if it returns a false value, the email was not accepted by the sending email server. you would set up a general failure message for the user, and you would log everything about the attempted email so that you will both know that it failed and can perhaps see a pattern as to why it may have failed. you would only display the success content if the mail() call returned a true value.
> 8. after successfully using the submitted form data, with no errors, you should perform a redirect to the exact same url of the current page to cause a get request for that page. this will prevent the browser from resubmitting the form data if the user reloads that page or navigates away from and back to that page. to display a one-time success message, store it in a session variable, then test, display, and clear that session variable at the appropriate location in the html document.
> 9. don't echo static markup. there's no php code in that success message. just drop out of 'php' mode and put the markup in-line in the file.

I implemented most of the points you suggested, although I am still working on the last three, but my employer seems happy with this first contract, and this is the final step. My only problem now is that I can't get the PHP contact form to send to the linked Outlook account provided by GoDaddy. I can get it to send to the Roundcube webmail provided by GoDaddy and to Gmail accounts, but Outlook is not receiving any emails. From what I've researched, this might have something to do with modifying the DNS or SPF, although I can't say for certain. Any ideas here on how I can get Outlook to accept the emails from the contact form, if every other client has no problem?

Also, I appreciate your long and detailed response. Is there any way to donate to you for your help? Thanks.