this line is problematic

$recipient=($_POST["recipient"]);

because you do no cleaning on the email var and then you use it directly in

if (mail($recipient, $subject, $msg, "", "-f christian@example.com")){

you should test to be sure the value is of the proper form, a single email address

Are you asking whether or not the code works for that area, or to do it differently? If you are asking if it works, yes, it works. Basically, the user can choose from a drop down menu who they would like th email to be sent to, and then that email is put into the recipient value.

I'm saying you shouldn't use any user supplied data straight in your mail function

always test/clean/validate it first

what he is meaning is that without verifying the data posted as the recipient, a spammer could, fairly easily submit multiple recipients via the post, bypassing your drop down menu entirely and spam the heck out of people.

You want to verify that the recipient is valid. If you have specific recipients in the drop down menu, then checking the recipient posted against one of the approved emails in the drop down menu should do it.

man..beat me to it. Oh well, I was more detailed. :)

[edited by: Philosopher at 3:10 pm (utc) on Aug. 31, 2007]

Could I do an if/else statement something like:

if ($_POST["recipient"] == "email1")

Could I do it something like that? Where the recipient would have to match one of the emails? And how would I list more emails? Like would it be == "email1" == "email2")

you could put them in an array and compare what you have in POST to the items in the array. It should match exactly since you know the possible values.

looks like you're on the right track.
if you want to compare the $_POST to multiple emails, arrays would be the fastest/easiest route.
<?
$emails = array("email1", "email2", "email3");
if(in_array($_POST['recipient'], $emails)){ //in_array() is case sensitive
//mail function goes here
}

?>

Thank you for all of the help! So here is my final code. So far it is working on my site, and is this proper syntax? One question I do have thought. You can just next if/else statements just like this?

So basically, how it is written now, if a spammer wanted to use the form to spam other people, they couldn't, because the recipient would have to match one of the emails in my array? Thanks again!

<?php
$emails = array("email1", "email2", "email3", "email4", "email5", "email6", "email7", "email8", "email9");
if(in_array($_POST['recipient'], $emails)){ //in_array() is case sensitive
//mail function goes here

if ($_POST["image"] == "26mush3") {
if ($_SERVER['REQUEST_METHOD']=="POST"){
// In testing, if you get an Bad referer error
// comment out or remove the next three lines
if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])>7 ¦¦
!strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']))
die("Bad referer");
$msg="Values submitted by the user:\n";
foreach($_POST as $key => $val){
if (is_array($val)){
$msg.="Item: $key\n";
foreach($val as $v){
$v = stripslashes($v);
$msg.=" $v\n";
}
} else {
$val = stripslashes($val);
$msg.="$key: $val\n";
}
}
$recipient=($_POST["recipient"]);
$subject="example.com Contact Form";
error_reporting(0);
if (mail($recipient, $subject, $msg, "", "-f christian@example.com")){
echo "<center><h1>Thank You</h1><p>Message successfully sent! <a href=http://www.example.com>Click here</a> to return to the example.com home page.</p></center><br>\n";
echo nl2br($input);
} else
echo "An error occurred and the message could not be sent.";
} else
echo "Bad request method";
} else {
echo "<center>You did not enter the proper image verification code. Please hit your back button and try again.</center>";
}

} else {
echo "<center>Bad request method.</center>";
}

?>

[edited by: eelixduppy at 7:04 pm (utc) on Aug. 31, 2007]
[edit reason] please use example.com [/edit]