
PHP Server Side Scripting Forum

    
Idiot proof a contact form
php email contacts
brancook
msg:3462794, 3:39 pm on Sep 27, 2007 (gmt 0)

I have to idiot proof the contact form on our website. The contact form uses php, and automatically emails the information the customer supplies to me and one of the salesmen. The email comes from the server. Our sales guy just wants to be able to click reply in his email to contact the customer back. Is it possible to take the person's email that they supply in the contact form and have that inserted into the "from" of the email?

 

PHP_Chimp
msg:3462805, 3:46 pm on Sep 27, 2007 (gmt 0)

Yes.
$from = $_POST['customer_email']."\r\n";
mail($to, $subject, $msg, "From: $from");

Just make sure that you validate the email address to make sure it doesn't contain anything nasty.

penders
msg:3462809, 3:50 pm on Sep 27, 2007 (gmt 0)

Yes. Presumably you are already supplying some kind of email in the From: field of the email? Simply use the email address as supplied in the form instead, so long as it looks like a valid email address.

brancook
msg:3462850, 4:26 pm on Sep 27, 2007 (gmt 0)

Thanks,

Yes I do validate the email address to make sure it is valid.

eelixduppy
msg:3462888, 5:01 pm on Sep 27, 2007 (gmt 0)

You have to be very careful when you allow user-defined headers like shown above. This is open to all sorts of exploits if not handled with absolute care. For instance, someone could add a cc and copy an email to a whole list of people. I usually try to avoid situations where the headers are defined by user variables if I can.

PHP_Chimp
msg:3462899, 5:07 pm on Sep 27, 2007 (gmt 0)

If you are going to use my idea above then when I say validate I didn't mean check that the email address was a real one.
You need to check that there is only 1 address, as at the moment spamming through other people's web forms seems to be the thing everyone is into. So allowing people to post cc: or bcc: means that you send all of their spam for them.

brancook
msg:3462966, 5:47 pm on Sep 27, 2007 (gmt 0)

What kind of validation would you recommend? First thing that comes to my mind would be:

1. limiting the number of characters
2. check for empty spaces
3. The '@' only appearing once

Anything else?

Thanks for the help everyone.
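
A worked version of the checks in the list above, together with PHP_Chimp's point that counting addresses matters more than checking that the address is real. This is an added example, not code posted by anyone in the thread; it needs PHP 7.1 or later (nullable return type, filter_var) and the sample submissions are constructed. It shows why "one '@' and no spaces" is not enough on its own: mail() copies its fourth argument straight into the message header block, so a CR or LF inside the submitted address ends the From: line and starts a new header, which is exactly how a Cc: or Bcc: gets smuggled in.

```php
<?php
// Added example (not from the thread). Requires PHP 7.1+.

/**
 * Return the address if it is one, header-safe mailbox; otherwise null.
 * Checks, in order: length, control characters (CR/LF is what terminates
 * a header line), whitespace and address separators, exactly one '@',
 * and finally syntactic validity.
 */
function headerSafeEmail(string $input): ?string
{
    $email = trim($input);

    if ($email === '' || strlen($email) > 254) {       // RFC 5321 mailbox limit
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $email)) {       // CR, LF, NUL, other controls
        return null;                                       // this stops Cc:/Bcc: injection
    }
    if (preg_match('/[\s,;<>]/', $email)) {              // no room for a second address
        return null;
    }
    if (substr_count($email, '@') !== 1
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

// Constructed submissions: one honest address and four injection attempts.
$samples = [
    'customer@example.com',
    "customer@example.com\r\nBcc: victim1@example.net, victim2@example.net",
    "customer@example.com\nCc: list@example.net",
    'customer@example.com, second@example.net',
    'customer@example.com<attacker@example.net>',
];

foreach ($samples as $s) {
    $ok = headerSafeEmail($s);
    printf("%-72s %s\n", json_encode($s), $ok === null ? 'REJECT' : 'accept');
}

// What the unvalidated "From: $from" snippet earlier in the thread would hand
// to the MTA for the second sample: the CRLF splits it into separate header
// lines, each of which the MTA honours. Count and print them.
$headerBlock = 'From: ' . $samples[1] . "\r\n";
$lines = array_filter(preg_split('/\r\n|\n|\r/', $headerBlock), 'strlen');
echo "\nHeader lines produced by sample 2: " . count($lines) . "\n";
foreach ($lines as $line) {
    echo '  ' . $line . "\n";
}
```

The control-character test is the one that actually closes the hole; the '@' count and the separator test only catch the clumsier variants, and filter_var on its own accepts some strings that are valid mailboxes but still unwanted in a header, so keep all four checks rather than picking one.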

brancook
msg:3463654, 12:01 pm on Sep 28, 2007 (gmt 0)

The php above doesn't seem to be working for me. This is what I have for my contact form:

<?php

include ("validation_functions.php4");

if (@$_POST['submitted']) {
$first_name = @$_POST['first_name'];
$last_name = @$_POST['last_name'];
$title = @$_POST['title'];
$email = @$_POST['email'];
$company = @$_POST['company'];
$phone = @$_POST['phone'];
$fax = @$_POST['fax'];
$address = @$_POST['address'];
$city = @$_POST['city'];
$state = @$_POST['state'];
$zip = @$_POST['zip'];
$country = @$_POST['country'];
$msg = @$_POST['message'];

// get_magic_quotes_gpc() was removed in PHP 8, so guard the call
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$title = stripslashes($title);
$email = stripslashes($email);
$company = stripslashes($company);
$phone = stripslashes($phone);
$fax = stripslashes($fax);
$address = stripslashes($address);
$city = stripslashes($city);
$state = stripslashes($state);
$zip = stripslashes($zip);
$country = stripslashes($country); // was misspelled $coutnry, which left $country untouched
$msg = stripslashes($msg);
}

$error_msg=array();

if ($first_name=="") {
$error_msg[] ="<strong>Please enter your first name.</strong>";
}

if ($last_name=="") {
$error_msg[] ="<strong>Please enter your last name.</strong>";
}

//if (!strrpos($email,"@")) {
//$error_msg[] ="Please enter a valid email address";
//} Commented out, will check for the '@' in an email address

$valid = verifyEmail ($email);
if (!$valid){
$error_msg[]="<strong>Email must be a valid format (e.g. john@yahoo.com).</strong>";
}

if ($phone=="") {
$error_msg[] ="<strong>Please enter your phone number.</strong>";
}

if ($msg=="") {
$error_msg[]="<strong>Don't forget to write your message!</strong>";
}

$destination_email = "myemail@widgets.com";
$email_subject = "Web Contact";
$email_body = "First Name: $first_name"."\n".
"Last Name: $last_name"."\n".
"Title: $title"."\n".
"Email: $email"."\n".
"Company: $company"."\n".
"Phone: $phone"."\n".
"Fax: $fax"."\n".
"Address: $address"."\n".
"City: $city"."\n".
"State: $state"."\n".
"Zip: $zip"."\n".
"Country: $country"."\n".
"Message: $msg";

if (!$error_msg) {
mail ($destination_email, $email_subject, $email_body);

header ('Location: form_confirm.php');

exit();

}
}
?>

brancook
msg:3464387, 4:05 am on Sep 29, 2007 (gmt 0)

I can't seem to override the from field. The email address is being inserted into the subject of the email.

penders
msg:3464806, 8:24 pm on Sep 29, 2007 (gmt 0)

mail ($destination_email, $email_subject, $email_body, $FOURTH_PARAM);
I can't seem to override the from field.

Have you tried passing a fourth parameter to the mail() function [uk.php.net] as mentioned in PHP_Chimp's post above? The 4th param enables you to specify any number of additional headers: 'cc', 'bcc' and 'from' etc. But, as eelixduppy mentions above, it is very important to validate this parameter very strictly to avoid any hacker attempts - if you choose to use it at all.

Sylver
msg:3465753, 9:33 am on Oct 1, 2007 (gmt 0)

This is what I use:

$headers = 'From: '. $clientEmail; // No need to change that one.
$mailSuccess=@mail($to, $subject, $message, $headers);

Works just fine. Of course, "$clientEmail" *must absolutely* be validated.

[edited by: coopster at 2:00 pm (utc) on Oct. 1, 2007]
[edit reason] no personals please TOS [webmasterworld.com] [/edit]

brancook
msg:3466014, 2:58 pm on Oct 1, 2007 (gmt 0)

Will these work so when we click on the mail to reply it will automatically go to the $clientemail? In other words will this override the server's email address?

brancook
msg:3466031, 3:07 pm on Oct 1, 2007 (gmt 0)

The $headers parameter is overriding my $email_subject and is just placing the customer's email in the subject line, is that the way it's supposed to work?

brancook
msg:3466106, 4:18 pm on Oct 1, 2007 (gmt 0)

I got it, this is what worked for me:

if (!$error_msg) {
mail('me@widgets.com',
'Subject', $email_body,
"To: Me <me@widgets.com>\n" .
"From: $email <$email>\n" .
"X-Mailer: PHP 4.x");
} // closing brace was missing from the snippet as posted

I seem to be repeating myself with my email address being in there twice but it does work.
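
Putting penders' fourth-parameter advice and the snippet above together, here is an added example (not code from anyone in the thread) of building that parameter so that Reply in the salesman's mail client goes to the customer. It keeps From: as a fixed mailbox on the site's own domain and carries the customer in Reply-To:, which is the header mail clients use when you press Reply; it also drops the duplicate To: header from the snippet above, since mail() writes To: from its first argument. The widgets.com mailboxes and the customer data are assumptions for the demo, and it needs PHP 7.1 or later.

```php
<?php
// Added example (not from the thread). Requires PHP 7.1+.
// The widgets.com mailboxes and the customer data below are constructed.

/**
 * Build the fourth argument of mail() for the contact form.
 * Returns null if the customer address is not a single, header-safe mailbox.
 */
function buildContactHeaders(string $customerName, string $customerEmail, string $siteMailbox): ?string
{
    // Refuse CR/LF, other control characters, whitespace and separators that
    // could add a header line or a second address, then check the syntax.
    if (preg_match('/[\x00-\x1F\x7F\s,;<>]/', $customerEmail)
        || filter_var($customerEmail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The display name is header text too: keep printable ASCII only, drop
    // quote and backslash so it can be safely quoted, and cap its length.
    $name = preg_replace('/[^\x20-\x7E]|["\\\\]/', '', $customerName);
    $name = substr(trim($name), 0, 60);
    $replyTo = ($name === '') ? $customerEmail : sprintf('"%s" <%s>', $name, $customerEmail);

    $headers = [
        'From: ' . $siteMailbox,          // fixed, on our own domain, never user input
        'Reply-To: ' . $replyTo,          // what the Reply button in the client uses
        'X-Mailer: PHP/' . PHP_VERSION,
    ];

    // No To: header here: mail() writes it from its first argument. Extra
    // headers are separated by CRLF and carry no trailing line break.
    return implode("\r\n", $headers);
}

// A valid address whose display name tries to carry its own header line.
$headers = buildContactHeaders(
    "Jane \"Customer\"\r\nBcc: victim@example.net",
    'jane@example.com',
    'webform@widgets.com'
);
echo $headers, "\n\n";

// An injected address is refused outright rather than cleaned up.
var_dump(buildContactHeaders('Mallory', "mallory@example.net\r\nBcc: list@example.org", 'webform@widgets.com'));

// The real send, left commented so the example runs without an MTA:
// $sent = mail('sales@widgets.com', 'Web Contact', $email_body, $headers);
```

In the first call the CR/LF and the quotes are stripped from the name, so the attempted Bcc: survives only as harmless text inside the quoted display name; in the second call the address itself contains a line break, so the function returns null and the form should show an error instead of sending. Keeping From: on the site's own domain also avoids the delivery problems that come with putting a customer's address in From:, since receiving servers that check SPF or DMARC will see mail claiming to be from a domain the web server is not allowed to send for.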

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved