Idiot proof a contact form

php email contacts

3:39 pm on Sep 27, 2007 (gmt 0)

Junior Member

5+ Year Member

joined:Oct 2, 2006
posts:187
votes: 0


I have to idiot proof the contact form on our website. The contact form uses php, and automatically emails the information the customer supplies to me and one of the salesmen. The email comes from the server. Our sales guy just wants to be able to click Reply in his email to contact the customer back. Is it possible to take the person's email that they supply in the contact form and have that inserted into the "from" of the email?
3:46 pm on Sept 27, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:July 12, 2007
posts:766
votes: 0


Yes.
$from = $_POST['customer_email']."\r\n";
mail($to, $subject, $msg, "From: $from");

Just make sure that you validate the email address to make sure it doesn't contain anything nasty.

3:50 pm on Sept 27, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0


Yes. Presumably you are already supplying some kind of email in the From: field of the email? Simply use the email address as supplied in the form instead, so long as it looks like a valid email address.
4:26 pm on Sept 27, 2007 (gmt 0)

Junior Member

5+ Year Member

joined:Oct 2, 2006
posts:187
votes: 0


Thanks,

Yes I do validate the email address to make sure it is valid.

5:01 pm on Sept 27, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 12, 2005
posts:5966
votes: 0


You have to be very careful when you allow user-defined headers like shown above. This is open to all sorts of exploits if not handled with absolute care. For instance, someone could add a cc and copy an email to a whole list of people. I usually try to avoid situations where the headers are defined by user variables if I can.
5:07 pm on Sept 27, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:July 12, 2007
posts:766
votes: 0


If you are going to use my idea above then when I say validate I didn't mean check that the email address was a real one.
You need to check that there is only 1 address, as at the moment spamming through other people's web forms seems to be the thing everyone is into. So allowing people to post cc: or bcc: means that you send all of their spam for them.
5:47 pm on Sept 27, 2007 (gmt 0)

Junior Member

5+ Year Member

joined:Oct 2, 2006
posts:187
votes: 0


What kind of validation would you recommend? First thing that comes to my mind would be:

1. limiting the number of characters
2. check for empty spaces
3. The '@' only appearing once

Anything else?

Thanks for the help everyone.
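As an added example (not code from any post in this thread), the following script puts the From: construction PHP_Chimp suggested beside a hardened version that applies the checks listed above (character limit, no spaces, exactly one '@') plus the one eelixduppy's and PHP_Chimp's warnings call for: rejecting anything that could start a Cc:/Bcc: line. Both builders are run against a constructed injection payload. Nothing calls mail(); the functions only return the string that would be passed as mail()'s fourth parameter. The function names and the address webform@widgets.com are assumptions made for the example; filter_var() needs PHP 5.2 or later.

```php
<?php
// Added example (not code from the thread). Nothing here calls mail(): each
// function only returns the string that would be passed as mail()'s fourth
// parameter, so the script runs offline with: php header_injection_demo.php
// Needs PHP 5.2+ for filter_var(). The function names and the address
// webform@widgets.com are assumptions made for this example.

// What the thread proposes: the form value goes straight into From:.
function build_headers_unsafe($customerEmail)
{
    return "From: " . $customerEmail . "\r\n";
}

// Return one validated address, or false if anything about the input is off.
function validate_sender_address($input)
{
    $input = trim($input);

    // 1. limit the number of characters (254 is the usual upper bound for an address)
    if ($input === '' || strlen($input) > 254) {
        return false;
    }
    // 2. no whitespace, CR, LF, NUL, and none of the characters that separate
    //    addresses or begin a new header; this is the check that stops
    //    "Cc:" / "Bcc:" injection
    if (preg_match('/[\s\r\n\0,;:<>"]/', $input)) {
        return false;
    }
    // 3. exactly one '@', so only one address can be present
    if (substr_count($input, '@') !== 1) {
        return false;
    }
    // 4. syntactic check; filter_var() returns the address or false
    return filter_var($input, FILTER_VALIDATE_EMAIL);
}

// Hardened header builder: From: stays on our own domain and the customer's
// validated address goes into Reply-To:, so "Reply" still reaches the customer.
function build_headers_safe($customerEmail, $siteAddress)
{
    $addr = validate_sender_address($customerEmail);
    if ($addr === false) {
        return false;   // the form should show an error and not send anything
    }
    return "From: $siteAddress\r\n" . "Reply-To: $addr\r\n";
}

// Constructed payload: a plausible address followed by injected header lines.
$payload = "attacker@example.net\r\nCc: victim1@example.org\r\nBcc: victim2@example.org, victim3@example.org";

echo "--- unsafe: the injected lines become real headers ---\n";
echo build_headers_unsafe($payload), "\n";

echo "--- safe: the payload is rejected ---\n";
var_dump(build_headers_safe($payload, 'webform@widgets.com'));

echo "--- safe: a normal address goes through ---\n";
echo build_headers_safe('jane.doe@example.com', 'webform@widgets.com');
```

Using Reply-To: rather than From: for the customer's address is a design choice for the example: the sales guy still gets the customer on Reply, while From: remains an address on the site's own domain. If you prefer the thread's approach and put the customer's address in From:, use the value returned by validate_sender_address() there; the point is that nothing unvalidated, and nothing containing a line break, ever reaches the fourth parameter.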

12:01 pm on Sept 28, 2007 (gmt 0)

Junior Member

5+ Year Member

joined:Oct 2, 2006
posts:187
votes: 0


The php above doesn't seem to be working for me. This is what I have for my contact form:

<?php

include ("validation_functions.php4");

if (@$_POST['submitted']) {
$first_name = @$_POST['first_name'];
$last_name = @$_POST['last_name'];
$title = @$_POST['title'];
$email = @$_POST['email'];
$company = @$_POST['company'];
$phone = @$_POST['phone'];
$fax = @$_POST['fax'];
$address = @$_POST['address'];
$city = @$_POST['city'];
$state = @$_POST['state'];
$zip = @$_POST['zip'];
$country = @$_POST['country'];
$msg = @$_POST['message'];

if (get_magic_quotes_gpc() ) {
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$title = stripslashes($title);
$email = stripslashes($email);
$company = stripslashes($company);
$phone = stripslashes($phone);
$fax = stripslashes($fax);
$address = stripslashes($address);
$city = stripslashes($city);
$state = stripslashes($state);
$zip = stripslashes($zip);
$country = stripslashes($country);
$msg = stripslashes($msg);
}

$error_msg=array();

if ($first_name=="") {
$error_msg[] ="<strong>Please enter your first name.</strong>";
}

if ($last_name=="") {
$error_msg[] ="<strong>Please enter your last name.</strong>";
}

//if (!strrpos($email,"@")) {
//$error_msg[] ="Please enter a valid email address";
//} Commented out, will check for the '@' in an email address

$valid = verifyEmail ($email);
if (!$valid){
$error_msg[]="<strong>Email must be a valid format (e.g. john@yahoo.com).</strong>";
}

if ($phone=="") {
$error_msg[] ="<strong>Please enter your phone number.</strong>";
}

if ($msg=="") {
$error_msg[]="<strong>Don't forget to write your message!</strong>";
}

$destination_email = "myemail@widgets.com";
$email_subject = "Web Contact";
$email_body = "First Name: $first_name"."\n".
"Last Name: $last_name"."\n".
"Title: $title"."\n".
"Email: $email"."\n".
"Company: $company"."\n".
"Phone: $phone"."\n".
"Fax: $fax"."\n".
"Address: $address"."\n".
"City: $city"."\n".
"State: $state"."\n".
"Zip: $zip"."\n".
"Country: $country"."\n".
"Message: $msg";

if (!$error_msg) {
mail ($destination_email, $email_subject, $email_body);

header ('Location: form_confirm.php');

exit();

}
}
?>

4:05 am on Sept 29, 2007 (gmt 0)

Junior Member

5+ Year Member

joined:Oct 2, 2006
posts:187
votes: 0


I can't seem to override the from field. The email address is being inserted into the subject of the email.
8:24 pm on Sept 29, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0


mail ($destination_email, $email_subject, $email_body, $FOURTH_PARAM);

I can't seem to override the from field.

Have you tried passing a fourth parameter to the mail() function [uk.php.net] as mentioned in PHP_Chimp's post above? The 4th param enables you to specify any number of additional headers: 'cc', 'bcc' and 'from' etc. But, as eelixduppy mentions above, it is very important to validate this parameter very strictly to avoid any hacker attempts - if you choose to use it at all.

9:33 am on Oct 1, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:July 4, 2004
posts:103
votes: 0


This is what I use:

$headers = 'From: '. $clientEmail; // No need to change that one.
$mailSuccess=@mail($to, $subject, $message, $headers);

Works just fine. Of course, "$clientEmail" *must absolutely* be validated.

[edited by: coopster at 2:00 pm (utc) on Oct. 1, 2007]
[edit reason] no personals please TOS [webmasterworld.com] [/edit]

2:58 pm on Oct 1, 2007 (gmt 0)

Junior Member

5+ Year Member

joined:Oct 2, 2006
posts:187
votes: 0


Will these work so when we click on the mail to reply it will automatically go to the $clientEmail? In other words will this override the server's email address?
3:07 pm on Oct 1, 2007 (gmt 0)

Junior Member

5+ Year Member

joined:Oct 2, 2006
posts:187
votes: 0


The $headers parameter is overriding my $email_subject and is just placing the customer's email in the subject line, is that the way it's supposed to work?
4:18 pm on Oct 1, 2007 (gmt 0)

Junior Member

5+ Year Member

joined:Oct 2, 2006
posts:187
votes: 0


I got it, this is what worked for me:

if (!$error_msg) {
mail('me@widgets.com',
'Subject', $email_body,
"To: Me <me@widgets.com>\n" .
"From: $email <$email>\n" .
"X-Mailer: PHP 4.x");
}

I seem to be repeating myself with my email address being in there twice but it does work.