
Idiot proof a contact form

php email contacts


brancook

3:39 pm on Sep 27, 2007 (gmt 0)

5+ Year Member



I have to idiot proof the contact form on our website. The contact form uses php, and automatically emails the information the customer supplies to me and one of the salesmen. The email comes from the server. Our sales guy just wants to be able to just click reply in his email to contact the customer back. Is it possible to take the person's email that they supply in the contact form and have that inserted into the "from" of the email?

PHP_Chimp

3:46 pm on Sep 27, 2007 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Yes.
$from = $_POST['customer_email']."\r\n";
mail($to, $subject, $msg, "From: $from");

Just make sure that you validate the email address to make sure it doesn't contain anything nasty.

penders

3:50 pm on Sep 27, 2007 (gmt 0)

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Yes. Presumably you are already supplying some kind of email in the From: field of the email? Simply use the email address as supplied in the form instead, so long as it looks like a valid email address.

brancook

4:26 pm on Sep 27, 2007 (gmt 0)

5+ Year Member



Thanks,

Yes I do validate the email address to make sure it is valid.

eelixduppy

5:01 pm on Sep 27, 2007 (gmt 0)

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 5+ Year Member



You have to be very careful when you allow user-defined headers as shown above. This is open to all sorts of exploits if not handled with absolute care. For instance, someone could add a cc and copy an email to a whole list of people. I usually try to avoid situations where the headers are defined by user variables if I can.

PHP_Chimp

5:07 pm on Sep 27, 2007 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



If you are going to use my idea above then when I say validate I didn't mean check that the email address was a real one.
You need to check that there is only 1 address, as at the moment spamming through other people's web forms seems to be the thing everyone is into. So allowing people to post cc: or bcc: means that you send all of their spam for them.

brancook

5:47 pm on Sep 27, 2007 (gmt 0)

5+ Year Member



What kind of validation would you recommend? First thing that comes to my mind would be:

1. limiting the number of characters
2. check for empty spaces
3. The '@' only appearing once

Anything else?

Thanks for the help everyone.
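An added example, not code from this thread: a validator that implements the three rules brancook lists (length cap, no whitespace, exactly one '@') together with the checks PHP_Chimp and eelixduppy are pointing at, namely that the value must be a single address with no line breaks or separators that could turn the From: line into two addresses or an extra Cc:/Bcc: header. The sample inputs are constructed; the function assumes PHP 5.2 or later for filter_var().

```php
<?php
// Added example: strict check for an address that will be placed in a mail header.
// Assumes PHP 5.2+ (filter_var). Not part of the original thread.

function validate_contact_email($address, $maxLength = 254)
{
    // 1. Must be a non-empty string of sane length (254 is the practical
    //    upper bound for a complete address).
    if (!is_string($address) || $address === '' || strlen($address) > $maxLength) {
        return false;
    }
    // 2. No whitespace or control characters anywhere. CR and LF are what
    //    header injection depends on; NUL and tabs are refused for the same reason.
    if (preg_match('/[\s\x00-\x1F\x7F]/', $address)) {
        return false;
    }
    // 3. Exactly one '@', and none of the characters that delimit additional
    //    addresses or header syntax inside a From: line.
    if (substr_count($address, '@') !== 1 || preg_match('/[,;:<>"()\[\]\\\\]/', $address)) {
        return false;
    }
    // 4. Finally, PHP's built-in syntax check.
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs: the expected verdict is on the right.
$samples = array(
    'john@example.com'                          => true,
    'john@example.com, other@example.net'       => false, // second recipient
    "john@example.com\r\nBcc: list@example.net" => false, // injected header line
    'john @example.com'                         => false, // whitespace
    'john@@example.com'                         => false, // two '@'
    str_repeat('a', 250) . '@example.com'       => false, // too long
);

foreach ($samples as $input => $expected) {
    $result = validate_contact_email($input);
    $shown  = str_replace(array("\r", "\n"), array('\r', '\n'), $input);
    printf("%-6s %-8s %s\n", $result === $expected ? 'ok' : 'WRONG',
           $result ? 'accept' : 'reject', $shown);
}
```

The order of the checks matters only for speed; what matters for safety is that every reject path runs before the value reaches mail(). Rejecting CR and LF (step 2) is the check that actually blocks the Cc:/Bcc: trick described above, and refusing commas and semicolons (step 3) is what enforces "only 1 address".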

brancook

12:01 pm on Sep 28, 2007 (gmt 0)

5+ Year Member



The php above doesn't seem to be working for me. This is what I have for my contact form:

<?php

include ("validation_functions.php4");

if (@$_POST['submitted']) {
$first_name = @$_POST['first_name'];
$last_name = @$_POST['last_name'];
$title = @$_POST['title'];
$email = @$_POST['email'];
$company = @$_POST['company'];
$phone = @$_POST['phone'];
$fax = @$_POST['fax'];
$address = @$_POST['address'];
$city = @$_POST['city'];
$state = @$_POST['state'];
$zip = @$_POST['zip'];
$country = @$_POST['country'];
$msg = @$_POST['message'];

if (get_magic_quotes_gpc() ) {
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$title = stripslashes($title);
$email = stripslashes($email);
$company = stripslashes($company);
$phone = stripslashes($phone);
$fax = stripslashes($fax);
$address = stripslashes($address);
$city = stripslashes($city);
$state = stripslashes($state);
$zip = stripslashes($zip);
$country = stripslashes($country);
$msg = stripslashes($msg);
}

$error_msg=array();

if ($first_name=="") {
$error_msg[] ="<strong>Please enter your first name.</strong>";
}

if ($last_name=="") {
$error_msg[] ="<strong>Please enter your last name.</strong>";
}

//if (!strrpos($email,"@")) {
//$error_msg[] ="Please enter a valid email address";
//} Commented out, will check for the '@' in an email address

$valid = verifyEmail ($email);
if (!$valid){
$error_msg[]="<strong>Email must be a valid format (e.g. john@yahoo.com).</strong>";
}

if ($phone=="") {
$error_msg[] ="<strong>Please enter your phone number.</strong>";
}

if ($msg=="") {
$error_msg[]="<strong>Don't forget to write your message!</strong>";
}

$destination_email = "myemail@widgets.com";
$email_subject = "Web Contact";
$email_body = "First Name: $first_name"."\n".
"Last Name: $last_name"."\n".
"Title: $title"."\n".
"Email: $email"."\n".
"Company: $company"."\n".
"Phone: $phone"."\n".
"Fax: $fax"."\n".
"Address: $address"."\n".
"City: $city"."\n".
"State: $state"."\n".
"Zip: $zip"."\n".
"Country: $country"."\n".
"Message: $msg";

if (!$error_msg) {
mail ($destination_email, $email_subject, $email_body);

header ('Location: form_confirm.php');

exit();

}
}
?>

brancook

4:05 am on Sep 29, 2007 (gmt 0)

5+ Year Member



I can't seem to override the from field. The email address is being inserted into the subject of the email.

penders

8:24 pm on Sep 29, 2007 (gmt 0)

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



mail ($destination_email, $email_subject, $email_body, $FOURTH_PARAM);

I can't seem to override the from field.

Have you tried passing a fourth parameter to the mail() function [uk.php.net] as mentioned in PHP_Chimp's post above? The 4th param enables you to specify any number of additional headers: 'cc', 'bcc' and 'from' etc. But, as eelixduppy mentions above, it is very important to validate this parameter very strictly to avoid any hacker attempts - if you choose to use it at all.

Sylver

9:33 am on Oct 1, 2007 (gmt 0)

10+ Year Member



This is what I use:

$headers = 'From: '. $clientEmail; // No need to change that one.
$mailSuccess=@mail($to, $subject, $message, $headers);

Works just fine. Of course, "$clientEmail" *must absolutely* be validated.

[edited by: coopster at 2:00 pm (utc) on Oct. 1, 2007]
[edit reason] no personals please TOS [webmasterworld.com] [/edit]

brancook

2:58 pm on Oct 1, 2007 (gmt 0)

5+ Year Member



Will these work so when we click on the mail to reply it will automatically go to the $clientEmail? In other words will this override the server's email address?

brancook

3:07 pm on Oct 1, 2007 (gmt 0)

5+ Year Member



The $headers parameter is overriding my $email_subject and is just placing the customer's email in the subject line, is that the way it's supposed to work?

brancook

4:18 pm on Oct 1, 2007 (gmt 0)

5+ Year Member



I got it, this is what worked for me:

if (!$error_msg) {
mail('me@widgets.com',
'Subject', $email_body,
"To: Me <me@widgets.com>\n" .
"From: $email <$email>\n" .
"X-Mailer: PHP 4.x");
}

I seem to be repeating myself with my email address being in there twice but it does work.
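An added example, not brancook's code, covering penders' point about the fourth parameter and the final version above: the customer's address is put in Reply-To: rather than From:, so "Reply" in the salesman's mail client still goes to the customer while the From: stays a fixed address on the server (mail claiming to be from a foreign domain but sent by this host is often rejected or flagged on the receiving side). It also avoids the duplicated To: line, since mail() generates To: from its first argument. The addresses are constructed placeholders; the function assumes the form value has already been through a strict validator and keeps only a last-line check of its own. Assumes PHP 5.2+ for filter_var().

```php
<?php
// Added example: assembling the 4th mail() parameter safely. Not from the thread.

function build_contact_headers($customerEmail, $siteSender)
{
    // Last line of defence even if the form already validated $customerEmail:
    // a CR/LF in any header value is what lets someone append Cc:/Bcc: lines,
    // so refuse the value outright rather than trying to clean it.
    if (preg_match('/[\r\n]/', $customerEmail)
        || filter_var($customerEmail, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $headers = array(
        'From: Web Contact Form <' . $siteSender . '>', // fixed sender on our domain
        'Reply-To: ' . $customerEmail,                   // where "Reply" goes
        'X-Mailer: PHP/' . phpversion(),
    );
    // Additional headers are separated by CRLF, with no trailing separator
    // and no To: line (mail() writes To: itself from its first argument).
    return implode("\r\n", $headers);
}

function send_contact_mail($destination, $subject, $body, $customerEmail, $siteSender)
{
    $headers = build_contact_headers($customerEmail, $siteSender);
    if ($headers === false) {
        return false; // do not send at all when the address is not clean
    }
    // The subject is a header too: collapse line breaks so it cannot be
    // used the same way. The other form fields only go into the body.
    $subject = str_replace(array("\r", "\n"), ' ', $subject);
    return mail($destination, $subject, $body, $headers);
}

// Demonstration with constructed values (these would come from $_POST after validation).
$siteSender = 'contact@widgets.example';

$headers = build_contact_headers('customer@example.org', $siteSender);
echo ($headers === false ? 'rejected' : $headers), "\n\n";

// A value carrying a line break is refused before mail() is ever reached.
$tampered = "customer@example.org\r\nBcc: list@example.net";
$headers  = build_contact_headers($tampered, $siteSender);
echo ($headers === false ? 'rejected' : $headers), "\n";
```

With this layout the only header built from user input is Reply-To:, and that value is checked twice: once by the form's validator and once here, immediately before it is handed to mail(). Everything else the customer typed is confined to the message body, where a stray line break is harmless.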
