
PHP Server Side Scripting Forum

    
PHP 'send to friend' form not working
the URL info isn't posting through
tjk2009




msg:4395130
 10:57 am on Dec 7, 2011 (gmt 0)

hello all,

i am somewhat new at php, and i am trying to use it to create a 'send to friend' form for my website. the idea is that someone can click a link on any webpage and a window will pop-up asking them for their info and that of their recipient and then send an e-mail with that specific webpage's title and URL. everything works, except for the most crucial thing -- the e-mail that sends does not include the title/URL. i believe this is because the PHP form is not passing along the info from the original webpage.

here's what appears on 'Sample webpage (sample.htm)':

<form method="post" action="sendtofriend.php">
<input type="hidden" name="title" value="Sample webpage">
<input type="hidden" name="url" value="sample.htm">
<input type="submit" value="Send to friend">
</form>


this takes us to the sendtofriend.php pop-up, which contains this code (edited to just the relevant info):

<?php
if (isset($_REQUEST['email']))
{
$title = $_POST['title'] ;
$url = $_POST['url'] ;
$email = $_REQUEST['email'] ;
$sender = $_REQUEST['sender'] ;
$recipient = $_REQUEST['recipient'] ;
$subject = $_REQUEST['subject'] ;
$comment = $_REQUEST['comment'] ;
$message = $sender . " wanted to send you this link: " . $title . " (" . $url . ")
His/her comment: " . $comment ;
$from = "" . $sender . " <" . $email . ">";
$headers = "From: " . $from;
mail($recipient, $subject, stripslashes($message), $headers);
echo "Sent!";
}
else
{
echo "<form method='post' action='sendtofriend.php'>
<input type='hidden' name='subject' value='From a friend'>
Name: <input type='text' name='sender' size='40'><br>
Your e-mail: <input type='text' name='email' size='40'><br>
To: <input type='text' name='recipient' size='60'><br>
Comment: <textarea cols='60' rows='4' wrap='hard' name='comment'></textarea><br>
<input type='submit' value='Send to friend'>
</form>";
}
?>


i *think* the problem is that when this form (sendtofriend.php) is submitted, it does not retain and pass along the info it received from sample.htm. i have struggled with this for a few days now with no success. i have tried using $_REQUEST and $_GET instead of $_POST, to no avail.

is there a way to keep that info in its 'memory' (keeping in mind that the referring page is HTML and not PHP)? i know that this could be avoided by putting the whole form in the original page (sample.htm), but the idea is that i would not have to put it in every single webpage, but rather, could have all the webpages link to one standard 'send to friend' form.

thanks for any help in advance!

 

vortex




msg:4395159
 12:41 pm on Dec 7, 2011 (gmt 0)

You need to add
<input type='hidden' name='url' value='".$_POST['url']."'>
in sendtofriend.php, at the form.

echo "<form method='post' action='sendtofriend.php'>
<input type='hidden' name='subject' value='From a friend'>
Name: <input type='text' name='sender' size='40'><br>
Your e-mail: <input type='text' name='email' size='40'><br>
To: <input type='text' name='recipient' size='60'><br>
Comment: <textarea cols='60' rows='4' wrap='hard' name='comment'></textarea><br>
<input type='submit' value='Send to friend'>
</form>";

will be
echo "<form method='post' action='sendtofriend.php'>
<input type='hidden' name='subject' value='From a friend'>
<input type='hidden' name='url' value='".$_POST['url']."'>
Name: <input type='text' name='sender' size='40'><br>
Your e-mail: <input type='text' name='email' size='40'><br>
To: <input type='text' name='recipient' size='60'><br>
Comment: <textarea cols='60' rows='4' wrap='hard' name='comment'></textarea><br>
<input type='submit' value='Send to friend'>
</form>";


:)
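
An added example, not part of vortex's post: the value echoed into the hidden field comes from the browser, so it is escaped with htmlspecialchars() before it is written into the form, and the url is accepted only if it is a path on the site itself. SITE_ORIGIN, page_link(), e() and hidden_fields() are hypothetical names, and the path pattern is an assumption about how the site's pages are named.

```php
<?php
// Added example: treat the hidden title/url as untrusted and escape on output.
// SITE_ORIGIN, page_link(), e() and hidden_fields() are hypothetical names.
const SITE_ORIGIN = 'https://www.example.com'; // assumed site address

// Accepts only a relative path to a page on this site, such as "sample.htm"
// or "docs/page.html". Returns the absolute link, or null if refused.
function page_link(string $url): ?string
{
    $url = trim($url);
    // Schemes, hosts, "..", query strings and fragments do not match the pattern.
    if (!preg_match('#^(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.html?$#', $url)) {
        return null;
    }
    return SITE_ORIGIN . '/' . $url;
}

// Escapes a value for use inside a quoted HTML attribute or as element text.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Emits the two hidden inputs that carry title and url to the second submit.
function hidden_fields(array $post): string
{
    $title = isset($post['title']) && is_string($post['title']) ? $post['title'] : '';
    $url   = isset($post['url']) && is_string($post['url']) ? $post['url'] : '';
    return "<input type='hidden' name='title' value='" . e(strip_tags(trim($title))) . "'>\n"
         . "<input type='hidden' name='url' value='" . e($url) . "'>\n";
}

// Constructed sample values, as they might arrive in $_POST.
echo hidden_fields(['title' => "Sample's <b>webpage</b>", 'url' => 'sample.htm']);
// One on-site path and one off-site URL run through the link check.
var_dump(page_link('sample.htm'));
var_dump(page_link('http://other.example/x'));
```

Call page_link() again when the second form is submitted and build the e-mail from its return value, since the hidden field can be changed between the two requests.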

tjk2009




msg:4395576
 3:42 pm on Dec 8, 2011 (gmt 0)

thanks! i thought something like that might work -- but i kept making a mistake with the single and double quotation marks, so it never worked. thanks again, i really appreciate it.

Matthew1980




msg:4395802
 11:45 pm on Dec 8, 2011 (gmt 0)

Hi all,

You're mixing your $_POST & $_REQUEST globals in the script - $_REQUEST's are not the best thing to use in this context as they open your script up to potential injections.

$_POST is the safer option, but you still need to sanitise the data on the receiving page. Use strip_tags() and trim() to make things a little easier, and make sure that you're actually checking for a correct form submission too; all these things should help to make your script that little bit safer.

and for this:-

echo "Sent!";
exit;//use this to stop any further code execution post if statement.
}
else
{


As php will still execute instructions further downstream if there is anything there - I've even known this to stop white space (gaps between <?php ?> tags) killing scripts before.

And I'll assume that you're aware of the differences between $_GET & $_POST; shortform answer is: $_GET is vars/data passed via URL (and is default IF not declared in the forms attributes)
$_POST is data held, sent and delivered from the server and is more secure than passing via the URL

Hope that helps.

Cheers,
MRb

tjk2009




msg:4395916
 9:31 am on Dec 9, 2011 (gmt 0)

thank you, matthew. i was aware that POST is safer than GET, but i did not know that REQUESTS could be problematic. i changed all of the REQUESTs to POSTs. i also added the exist statement, as you suggested.

however, it all seems to work without needing strip tags or trim. all of the user-input information takes place on the same PHP page as the form; the only info being carried over from the referring page is the hidden data on webpage title and URL that i myself inserted. so do i need those tags (it seems to work without)?

thanks!

tjk2009




msg:4395917
 9:32 am on Dec 9, 2011 (gmt 0)

*exit statement, that is

vortex




msg:4395995
 2:42 pm on Dec 9, 2011 (gmt 0)

A contact form without checks can be easily used by spammers to send spam email.

More info and solutions here: [foundationphp.com...]

:)
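
One form such checks can take, as an added example (not code from this thread or from the linked site): every value bound for a mail header is refused if it contains a line break or other control character, and only addresses that pass FILTER_VALIDATE_EMAIL are used. trim() and strip_tags() leave line breaks inside a value untouched, which is why the separate check is needed. header_safe(), build_mail() and NOREPLY are hypothetical names, and sending From a site-owned address is an assumption of this example.

```php
<?php
// Added example: header-safe handling of the send-to-friend fields.
// header_safe(), build_mail() and NOREPLY are hypothetical, not from the thread.
const NOREPLY = 'no-reply@example.com'; // assumed site-owned sender address

// Returns the value if it is safe to place in a mail header, otherwise null.
function header_safe(string $value, int $maxLen = 100): ?string
{
    $value = trim($value);
    // A CR, LF or other control character would let the value start a new header line.
    if ($value === '' || strlen($value) > $maxLen || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

// Builds [to, subject, headers] from the posted fields, or null if any check fails.
function build_mail(array $post): ?array
{
    foreach (['email', 'tofriend', 'fromfriend'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return null; // missing field, or an array was posted instead of a string
        }
    }
    $email = filter_var(trim($post['email']), FILTER_VALIDATE_EMAIL);
    $to    = filter_var(trim($post['tofriend']), FILTER_VALIDATE_EMAIL);
    $name  = header_safe(strip_tags($post['fromfriend']), 60);
    if ($email === false || $to === false || $name === null) {
        return null;
    }
    // The visitor's address goes only in Reply-To; From stays a site-owned address.
    $headers = "From: " . NOREPLY . "\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8";
    return [$to, header_safe("Link from " . $name), $headers];
}

// Constructed sample input: the name carries an embedded line break, so no mail is built.
var_dump(build_mail(['email' => 'a@example.com', 'tofriend' => 'b@example.com',
                     'fromfriend' => "Alice\r\nsecond line"]) === null);
```

When build_mail() returns an array, its three elements are the first, second and fourth arguments to mail(); the message body is built separately and may contain line breaks.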

Matthew1980




msg:4396034
 4:19 pm on Dec 9, 2011 (gmt 0)

>>however, it all seems to work without needing strip tags or trim...

Lol! Sounds like the familiar sound of complacency there. I'm only trying to advise you on how to make things a little safer - I have had to fix these sorts of issues on other people's scripts before now, and I always find that prevention is better than cure, getting into these sanitisation habits now will pay huge dividends in the future - when you can you'll write classes just for this sort of thing.

Normally I use callback functionality used in array_map() to sanitise the whole array in one shot, something like this:-

$_POST = array_map('trim', $_POST);
$_POST = array_map('strip_tags', $_POST);

This essentially takes the whole global array that is $_POST and applies the chosen function to that array, and rewrites it, saves doing loads of lines of code Imho.

Hope this helps a little.

Cheers,
MRb

tjk2009




msg:4396167
 10:09 pm on Dec 9, 2011 (gmt 0)

thank you again, vortex and matthew! i went ahead and made the changes that you suggest. all seems to work great. here's the final version (edited down for simplicity):

<?php
if (isset($_POST['email']))
{
$title = $_POST['title'] ;
$url = $_POST['url'] ;
$email = $_POST['email'] ;
$fromfriend = $_POST['fromfriend'] ;
$tofriend = $_POST['tofriend'] ;
$subject = "Link from " . $fromfriend ;
$comment = $_POST['comment'] ;
$message = $fromfriend . " wanted to send you this link: " . $title . " (" . $url . ")
His/her comment: " . $comment ;

$_POST = array_map('trim', $_POST);
$_POST = array_map('strip_tags', $_POST);
$comment = stripslashes($comment);
$from = "" . $fromfriend . " <" . $email . ">";
$validatedemail = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$validatedtofriend = filter_input(INPUT_POST, 'tofriend', FILTER_VALIDATE_EMAIL);
if ($validatedemail && $validatedtofriend)
{
$headers = "From: " . $from . "\r\n";
$headers .= "Content-type: text/plain; charset=UTF-8 \r\n";
$headers .= "Reply-to: " . $email . "\r\n";
$headers .= "Errors-to: " . $email . "\r\n";
}
else
{
echo "E-mail address(es) below are not valid.<br>
<form method='post' action='sendtofriend.php'>
<input type='hidden' name='title' value='".$_POST['title']."'>
<input type='hidden' name='url' value='".$_POST['url']."'>
Name: <input type='text' name='fromfriend' size='40' value='".$_POST['fromfriend']."'><br>
Your e-mail: <input type='text' name='email' size='40' value='".$_POST['email']."'><br>
To: <input type='text' name='tofriend' size='60' value='".$_POST['tofriend']."'><br>
Comment: <textarea cols='60' rows='4' wrap='hard' name='comment'>" . stripslashes($comment) . "</textarea><br>
<input type='submit' value='Send to friend'>
</form>";
exit;
}

mail($tofriend, $subject, stripslashes($message), $headers);
echo "Sent!";
exit;
}
else
{
echo "<form method='post' action='sendtofriend.php'>
<input type='hidden' name='title' value='".$_POST['title']."'>
<input type='hidden' name='url' value='".$_POST['url']."'>
Name: <input type='text' name='fromfriend' size='40'><br>
Your e-mail: <input type='text' name='email' size='40'><br>
To: <input type='text' name='tofriend' size='60'><br>
Comment: <textarea cols='60' rows='4' wrap='hard' name='comment'></textarea><br>
<input type='submit' value='Send to friend'>
</form>";
exit;
}
?>

Matthew1980




msg:4396309
 10:53 am on Dec 10, 2011 (gmt 0)

Hi there tjk2009,

Just a slight change to your code here:-

<?php
//just check for a genuine submission - this could be circumvented from the command line without
//more diligent checks
//note: the submit button must carry name='submit' for the last two checks to match
if (isset($_POST['email']) && isset($_POST['submit']) && ($_POST['submit'] == "Send to friend")){

//some sanitising
$_POST = array_map('trim', $_POST);
$_POST = array_map('strip_tags', $_POST);

//assign the vars, you could use a function here to check for a valid email address...
//there is a built in function to php, this 'if clause' is only a suggestion. I use this on my own
//projects, I just get it to flash a div with the error :)
if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)){
//there is an error in the email formatting, please recheck
exit;
}

//else carry on processing

$title = $_POST['title'] ;
$url = $_POST['url'] ;
$email = $_POST['email'] ;
$fromfriend = $_POST['fromfriend'] ;
$tofriend = $_POST['tofriend'] ;
$subject = "Link from " . $fromfriend ;
$comment = $_POST['comment'] ;
$message = $fromfriend . " wanted to send you this link: " . $title . " (" . $url . ")
His/her comment: " . $comment ;


I hope that you can extrapolate from that, and amend as desired.

Other than that, all is well, above all have fun learning. Enjoy the project.

Cheers,
MRb
