

Insert name into mail headers


6 replies to this topic

#1 Raven-X

    Young Padawan

  • Members
  • Pip
  • 71 posts
  • Gender:Male
  • Location:New Jersey
  • Interests:I love having fun, programming, web design, graphic design, gaming, anime, manga, and being a student (love learning new software).

Posted 22 May 2009 - 01:56 AM

OK, so there's the idea. I have a form I'm working on and validating it with PHP. My goal is for a visitor to be able to visit this contact form and be able to drop their name, email address, and message within the corresponding input areas. Below is the code I'm using for both the html form and the mail headers via PHP.

<?php require "header.php"; ?>

	<div id="contentSplit">
		<!-- Splits the content div and sidebar div from the header -->
	</div> <!-- Content Split -->

		<div id="sidebarEqualizer">

			<div id="contentEqualizer">

				<div id="content">
				
<?php
	$to='coolelemental@yahoo.com';
	$messageSubject='Just Computers Inquiry';
	$confirmationSubject='Your message has been received';
	$confirmationBody='Thank you for contacting us, we will try our best to respond within 48 hours.';
	$name='';
	$email='';
	$body='';
	$displayForm=true;
	if ($_POST) {
	$email=stripslashes($_POST['email']); // No slashes allowed
	$body=stripslashes($_POST['body']); // No slashes allowed
	// Let's validate our e-mail address
	$valid=eregi('^([0-9a-z]+[-._+&])*[0-9a-z]+@([-0-9a-z]+[.])+[a-z]{2,6}$',$email);
	$crack=eregi("(\r|\n) (to:|from:|cc:|bcc:)",$body);
	if ($email && $body && $valid && !$crack){
		if (mail($to,$messageSubject,$body,'From: '.$email."\r\n")
			&& mail($email,$confirmationSubject,$confirmationBody.$body,'From: '.$to."\r\n")){
				$displayForm=false;
				
?>

<h1>Your e-mail has been sent.</h1>
	
		<p>Thank you for contacting us, we will try our best to respond within 48 hours.</p>
		<p>In addition, a confirmation copy was sent to your e-mail address.</p>
		<p>Below is a copy of your message.</p>
		
<?php
	 echo '<div id="messageDisplay"><p>'.htmlspecialchars($body).'</p></div>';
	} else { // Your message could not be sent
?>

<p>
	Something went wrong when the server tried to send your message.
	This is usually due to a server error, and is probably not your fault.
	We apologise for any inconvenience caused.
</p>

<?php
	}
		} else if ($crack) { // Someone is trying to crack
?>

<p><strong>
  Your message contained e-mail headers within the message body.
  This seems to be a cracking attempt and the message has not been sent.
</strong></p>

<?php
	} else { // The form is not complete.
?>
<p><strong>
  Your message could not be sent.
  You must include both a valid e-mail address and a message.
</strong></p>

<?php 
	}
		}
			if ($displayForm) {
?>

<h1>Contact Us</h1>

<!-- Begin Form Elements -->
<fieldset>
	<form action="contactus.php" method="post">	
		<p><strong>Name:</strong> <input type="text" name="name" id="name" /></p>
		
		<p><strong>E-mail:</strong><input type="text" name="email" id="email" 
		value="<?php echo htmlspecialchars($email); ?>" />
		<span class="emailConfirmationMoveOver">(a confirmation e-mail will be sent to you.)</span></p>
		
		<p><strong>Message:</strong><textarea name="body" id="body" rows="" cols="1" wrap="hard"><?php echo htmlspecialchars($body); ?></textarea>
		
	
		<input type="submit" id="submit" value="Send Reply" class="submitButton" /></p>
	</form>
</fieldset>
<!-- End Form Elements -->

<?php
	}
?>
	
				</div> <!-- Content -->

			</div> <!-- End contentEqualizer -->

<?php require "sidebar.php";?>

<?php require "footer.php"; ?>

I'm getting stuck trying to figure out HOW and WHERE to place the $name variable. I want a user to be able to send their name alongside their email address for future reference.

Here is the URL: Website

Functionality is ace, just want to know how to add an additional field, such as a name field. Do note that even though there is a name field on the page, it is not being processed right now. I'd like the name to be a required field as well, so that people can be addressed by their names.

#2 rc69

    PHP Master PD

  • P2L Staff
  • PipPipPipPip
  • 3,827 posts
  • Gender:Male
  • Location:Here
  • Interests:Web Development

Posted 22 May 2009 - 05:08 PM

Change your from line to:

From: Name <email@domain.com>
i.e.
$headers = 'From: '.$name.' <'.$email.'>';

Edited by rc69, 22 May 2009 - 05:09 PM.


#3 Raven-X


Posted 22 May 2009 - 07:00 PM

if (mail($to,$messageSubject,$body,'From: '.$name.' <'.$email.'>'."\r\n")
			&& mail($email,$confirmationSubject,$confirmationBody.$body,'From: '.$name.'<'.$to.'>'."\r\n")){
				$displayForm=false;
				
?>

Sweet, a little concatenation (.) symbol was throwing me off at first since I had to keep one close to the ("\r\n") but now I've done it properly so it is finished. Thanks, I'd certainly be older without you (hair pulling xD).

#4 rc69


Posted 22 May 2009 - 10:33 PM

Don't worry, I know how you feel. However, I should probably let you know that you only need the "\r\n" if you are going to have more headers than just the From line. It doesn't hurt to have it there, but if you don't add another header, then it doesn't do anything (other than waste time concatenating an additional piece onto the string).

Edited by rc69, 22 May 2009 - 10:34 PM.


#5 Raven-X


Posted 23 May 2009 - 10:57 AM

$crack=eregi("(\r|\n) (to:|from:|cc:|bcc:)",$body);

That line has those same characters, but I can remove them in that line as well? Here is the tutorial, which actually breaks stuff down: Tutorial

Just want to make it as secure as possible, this tutorial seems to be efficient enough to that end.

Edited by Raven-X, 23 May 2009 - 10:58 AM.


#6 rc69


Posted 23 May 2009 - 12:21 PM

I can't imagine having header injection in the body of the e-mail, but if you want to be 100% sure nothing bad happens then you would want to leave $crack as is. If you really want to make it secure though, then you would want to check $name and $email to make sure they don't have "\r\n" in them either.

Honestly though, that one concatenation won't make a difference in terms of performance (not unless you're counting in nanoseconds, which is kind of hard to do). I am just one of those people who believes in micro-optimization, meaning I wouldn't have the dangling "\r\n" unless I absolutely needed it.
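
The check suggested in the post above (making sure $name and $email carry no "\r\n" before they reach the From header), written out as an added example that is not code from anyone in this thread. The function names has_control_chars() and build_from_header() and the sample inputs are constructed for illustration; the check is widened from CR/LF to all ASCII control characters.

```php
<?php
// Added example: validate the values that end up in the From header.
// preg_match() is used because eregi() was removed in PHP 7.

// True if the value contains CR, LF or any other ASCII control character.
function has_control_chars(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 1;
}

// Returns 'From: "Name" <email>' or null if either field must be rejected.
function build_from_header(string $name, string $email): ?string
{
    // Check the raw input first so a line break is rejected, not trimmed away.
    if (has_control_chars($name) || has_control_chars($email)) {
        return null;
    }
    $name  = trim($name);
    $email = trim($email);
    if ($name === '') {                       // name is a required field
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Quote the display name and escape the two characters that are
    // special inside a quoted string: double quote and backslash.
    $quoted = '"' . addcslashes($name, "\"\\") . '"';
    return 'From: ' . $quoted . ' <' . $email . '>';
}

// Constructed sample submissions: one clean, two carrying an extra header
// line in a field, one with the required name missing.
$samples = [
    ['Raven', 'visitor@example.com'],
    ["Raven\r\nBcc: other@example.com", 'visitor@example.com'],
    ['Raven', "visitor@example.com\nCc: other@example.com"],
    ['', 'visitor@example.com'],
];
foreach ($samples as [$name, $email]) {
    $header = build_from_header($name, $email);
    echo json_encode($name), ' / ', json_encode($email), ' => ',
        $header === null ? 'rejected' : $header, "\n";
}
```

A null return maps onto the form's existing "could not be sent" branch, so mail() is never called with a rejected name or address.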

#7 Raven-X


Posted 25 May 2009 - 02:36 AM

Yeah, I'll keep it for the crack and just remove it from the mail parameters.

I think validating the name/email is the best way to go as well. Thanks for the help.




