
PHP Server Side Scripting Forum

    
Adding field (s) to simple form
pp46




msg:4368165
 10:02 am on Sep 28, 2011 (gmt 0)

I have a simple form on all my sites sent with the mail function.
At present it has just the email field, which ensures that we get the sender's email (as long as he fills it out correctly)
and the message text area
I have tried adding the field and the corresponding variables

but I am getting nowhere.

I will post the code here and if somebody can put me on the right track
Please note that I am not very PHP proficient; I work with existing scripts but cannot write them.

here is the form

<!--Start form table--><br><br>
<table width="450" cellspacing="2" border="0" cellpadding="2" align="center">
<tbody align="left" valign="middle">
<tr>
<td><form method="post" action="sendmail.php">
Votre Email: <input name="email" type="text" class="input" /><br />
Votre Message:<br />
<textarea name="message" rows="18" cols="60" class="input" >
</textarea><br />
<input type="submit" value="Envoyer" class="button" />
</form></td>
</tr>
</tbody>
</table>
<!--End form table-->


and here is the sendmail.php file
<?php
$email = $_REQUEST['email'] ;
$message = $_REQUEST['message'] ;

if (!isset($_REQUEST['email'])) {
header( "Location: http://www.somedomain.com/thanks.php" );
}
elseif (empty($email) || empty($message)) {
?>
<html>
<head></head>
<body>
<table width="960" cellspacing="2" border="0" cellpadding="2" align="center" bgcolor="#E7CE97">
<tbody>
<tr>
<td>You have not filled in all the fields
<br> <a href="contact.php" target="_self">please click here and start again</a><br><br><br><br><br></td>
</tr>
</tbody>
</table>
</body>
</html>
<?php
}
else {
mail( "contact@somedomain.com", "Message from somedomain.com",
$message, "From: $email" );
header( "Location: http://www.somedomain.com/thanks.php" );
}
?>


What I would like would be the following

<!--Start form table--><br><br>
<table width="450" cellspacing="2" border="0" cellpadding="2" align="center">
<tbody align="left" valign="middle">
<tr>
<td><form method="post" action="sendmail.php">
Votre Email: <input name="email" type="text" class="input" /><br />
Votre Nom: <input name="name" type="text" class="input" /><br /><br>
Votre Tel: <input name="tel" type="text" class="input" /><br /><br>
Votre Message:<br />
<textarea name="message" rows="18" cols="60" class="input" >
</textarea><br />
<input type="submit" value="Envoyer" class="button" />
</form></td>
</tr>
</tbody>
</table>
<!--End form table-->


Thanks for any help

 

rocknbil




msg:4368343
 4:31 pm on Sep 28, 2011 (gmt 0)

This script is horribly insecure, look into input cleansing . . . .

at any rate, look at how the "message" gets into the email body. In the form you have

<textarea name="message" rows="18" cols="60" class="input" >

which is parsed by the script here,

$message = $_REQUEST['message'] ;

.. storing the input value in "$message" and actually placed in the email here.

mail( "contact@somedomain.com", "Message from somedomain.com",
$message, "From: $email" );

So the first question is, where do you want your additional fields to appear?

Let's "prepend" them to "$message" for example. The fields in the form,

Votre Nom: <input name="name" type="text" class="input" /><br /><br>
Votre Tel: <input name="tel" type="text" class="input" /><br /><br>

Then "capture" them in new variables, following the style,
$message = $_REQUEST['message'];
$nm = $_REQUEST['name'];
$tel = $_REQUEST['tel'];


// Then prepend it to message. We do this by re-storing "$message" back into $message as a new string:

$message = "
Name: $nm<br>
Tel: $tel<br>
$message
";

Then when you go to email, "$message" contains the new field data.

Again, you might look into protecting your script with input filtering, it's a large topic but form abuse is rampant. Some good search terms are email injection, database injection, cleanse input . . .
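
An added example, not part of the original posts: one way to write sendmail.php for the four-field form with the input filtering recommended above, so that the sender's address can no longer inject mail headers. The helper names clean_line and build_mail are hypothetical, the somedomain.com addresses and URLs are the thread's placeholders, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: hardened sendmail.php for the email/name/tel/message form.
// clean_line() and build_mail() are hypothetical helper names.

// Return a trimmed single-line field, or null if it is missing, empty, too
// long, or contains CR/LF or other control characters (the characters that
// make mail header injection possible).
function clean_line(array $src, string $key, int $max = 100): ?string
{
    $v = $src[$key] ?? '';
    if (!is_string($v)) {
        return null;                       // e.g. name[]=x sent as an array
    }
    $v = trim($v);
    if ($v === '' || strlen($v) > $max || preg_match('/[\x00-\x1F\x7F]/', $v)) {
        return null;
    }
    return $v;
}

// Validate all fields; return [body, headers] or null if anything is invalid.
function build_mail(array $post): ?array
{
    $name  = clean_line($post, 'name');
    $tel   = clean_line($post, 'tel', 30);
    $email = clean_line($post, 'email', 254);
    $msg   = is_string($post['message'] ?? null) ? trim($post['message']) : '';

    // Exactly one syntactically valid address; a comma-separated list fails.
    if ($email !== null && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $email = null;
    }
    if ($name === null || $tel === null || $email === null || $msg === '') {
        return null;
    }
    // Visitor data goes into the body. From is fixed; the only header built
    // from input is Reply-To, and $email has already been validated.
    $body    = "Name: $name\nTel: $tel\nEmail: $email\n\n$msg";
    $headers = "From: contact@somedomain.com\r\nReply-To: $email";
    return [$body, $headers];
}

if (PHP_SAPI !== 'cli') {                  // only act when served over HTTP
    $mail   = build_mail($_POST);          // $_POST, not $_REQUEST
    $target = $mail === null ? 'contact.php' : 'thanks.php';
    if ($mail !== null) {
        mail('contact@somedomain.com', 'Message from somedomain.com', $mail[0], $mail[1]);
    }
    header("Location: http://www.somedomain.com/$target");
    exit;
}
```

Because the message is sent as plain text, the fields are separated with newlines rather than `<br>` tags.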

pp46




msg:4368655
 7:52 am on Sep 29, 2011 (gmt 0)

Thanks rocknbil

I am really happy with your answer and comments.

I am now able to add any field I want, this is perfect!

I noted what you said about security and started having a look at that; so far I do not understand what damage can be done apart from spammers sending junk, but they cannot get my mail address.

they have that anyway
:-)

But I need to look more into it and read up on the links. I will finish off the form and get back here if I have some questions.

rocknbil




msg:4368846
 6:30 pm on Sep 29, 2011 (gmt 0)

Suppose I could do this.

<input type="text" name="email" value="spammer1@example.com,spammer2@example.com,spammer3@example.com,spammer4@example.com">

I've just used your form to spam. Multiply that by 1000. Of course, a real hack wouldn't come from your form, and it wouldn't be that simple, it would come from a command line. There's plenty they could do . . .

pp46




msg:4368865
 7:09 pm on Sep 29, 2011 (gmt 0)

I got a spam yesterday
but not tonight ?

rocknbil




msg:4369430
 5:56 am on Oct 1, 2011 (gmt 0)

It seems you took my comment literally, I didn't just "send you spam" (the example there wouldn't work anyway as posted.) My apologies for expressing it in first person and assure you - I'd never send anyone "spam." :-)

<scurries back to English 101>

pp46




msg:4369460
 8:55 am on Oct 1, 2011 (gmt 0)

Sorry about that, no harm done at all. I did take it as constructive though ..
:-)
