Idiot proof a contact form

Forum Moderators: coopster

Message Too Old, No Replies

Idiot proof a contact form

php email contacts

brancook

3:39 pm on Sep 27, 2007 (gmt 0)

I have to idiot proof the contact form on our website. The contact form uses php, and automatically emails the information the customer supplies to me and one of the salesmen. The email comes from the server. Our sales guy just wants to be able to just click reply in his email to contact the customer back. Is it possible to take the person's email that they supply in the contact form and have that inserted into the "from" of the email?

PHP_Chimp

3:46 pm on Sep 27, 2007 (gmt 0)

Yes.
$from = $_POST['customer_email']."\r\n";
mail($to, $subject, $msg, "From: $from");

Just make sure that you validate the email address to make sure it doesn't contain anything nasty.

penders

3:50 pm on Sep 27, 2007 (gmt 0)

Yes. Presumably you are already supplying some kind of email in the From: field of the email? Simply use the email address as supplied in the form instead, so long as it looks like a valid email address.

brancook

4:26 pm on Sep 27, 2007 (gmt 0)

Thanks,

Yes I do validate the email address to make sure it is valid.

eelixduppy

5:01 pm on Sep 27, 2007 (gmt 0)

You have to be very careful when you allow user-define headers like shown above. This is open to all sorts of exploits if not handled with absolute care. For instance, someone could add a cc and copy an email to a whole list of people. I usually try to avoid situations where the headers are defined by user variables if I can.

PHP_Chimp

5:07 pm on Sep 27, 2007 (gmt 0)

If you are going to use my idea above then when I say validate I didnt mean check that the email address was a real one.
You need to check that there is only 1 address, as at the moment spamming through other people web forms seems to be the thing everyone is into. So allowing people to post cc: or bcc: means that you send all of there spam for them.

brancook

5:47 pm on Sep 27, 2007 (gmt 0)

What kind of validation would you recommend? First thing that comes to my mind would be:

1. limiting the number of characters
2. check for empty spaces
3. The '@' only appearing once

Anything else?

Thanks for the help everyone.

brancook

12:01 pm on Sep 28, 2007 (gmt 0)

The php above doesn't seem to be working for me. This is what I have for my contact form:

<?php

include ("validation_functions.php4");

if (@$_POST['submitted']) {
$first_name = @$_POST['first_name'];
$last_name = @$_POST['last_name'];
$title = @$_POST['title'];
$email = @$_POST['email'];
$company = @$_POST['company'];
$phone = @$_POST['phone'];
$fax = @$_POST['fax'];
$address = @$_POST['address'];
$city = @$_POST['city'];
$state = @$_POST['state'];
$zip = @$_POST['zip'];
$country = @$_POST['country'];
$msg = @$_POST['message'];

if (get_magic_quotes_gpc() ) {
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$title = stripslashes($title);
$email = stripslashes($email);
$company = stripslashes($company);
$phone = stripslashes($phone);
$fax = stripslashes($fax);
$address = stripslashes($address);
$city = stripslashes($city);
$state = stripslashes($state);
$zip = stripslashes($zip);
$coutnry = stripslashes($country);
$msg = stripslashes($msg);
}

$error_msg=array();

if ($first_name=="") {
$error_msg[] ="Please enter your first name.";
}

if ($last_name=="") {
$error_msg[] ="Please enter your last name.";
}

//if (!strrpos($email,"@")) {
//$error_msg[] ="Please enter a valid email address";
//} Commented out, will check for the '@' in an email address

$valid = verifyEmail ($email);
if (!$valid){
$error_msg[]="Email must be a valid format (e.g. john@yahoo.com).";
}

if ($phone=="") {
$error_msg[] ="Please enter your phone number.";
}

if ($msg=="") {
$error_msg[]="Don't forget to write your message!";
}

$destination_email = "myemail@widgets.com";
$email_subject = "Web Contact";
$email_body = "First Name: $first_name"."\n".
"Last Name: $last_name"."\n".
"Title: $title"."\n".
"Email: $email"."\n".
"Company: $company"."\n".
"Phone: $phone"."\n".
"Fax: $fax"."\n".
"Address: $address"."\n".
"City: $city"."\n".
"State: $state"."\n".
"Zip: $zip"."\n".
"Country: $country"."\n".
"Message: $msg";

if (!$error_msg) {
mail ($destination_email, $email_subject, $email_body);

header ('Location: form_confirm.php');

exit();

}
}
?>

brancook

4:05 am on Sep 29, 2007 (gmt 0)

I can't seem to override the from field. The email address is being inserted into the subject of the email.

penders

8:24 pm on Sep 29, 2007 (gmt 0)

mail ($destination_email, $email_subject, $email_body, $FOURTH_PARAM);
I can't seem to override the from field.

Have you tried passing a forth parameter to the mail() function [uk.php.net] as mentioned in PHP_Chimp's post above? The 4th param enables you to specify any number of additional headers: 'cc', 'bcc' and 'from' etc. But, as eelixduppy mentions above, it is very important to validate this parameter very strictly to avoid any hacker attempts - if you choose to use it at all.

Sylver

9:33 am on Oct 1, 2007 (gmt 0)

This is what I use:

$headers = 'From: '. $clientEmail; // No need to change that one.
$mailSuccess=@mail($to, $subject, $message, $headers);

Works just fine. Of course, "$clientEmail" *must absolutely* be validated.

[edited by: coopster at 2:00 pm (utc) on Oct. 1, 2007]
[edit reason] no personals please TOS [webmasterworld.com] [/edit]

brancook

2:58 pm on Oct 1, 2007 (gmt 0)

Will these work so when we click on the mail to reply it will automatically go the $clientemail? In other words will this override the servers email address?

brancook

3:07 pm on Oct 1, 2007 (gmt 0)

The $headers parameter is overriding me $email_subject and is just placing the customers email in the subject line, is that the way it's supposed to work?

brancook

4:18 pm on Oct 1, 2007 (gmt 0)

I got it, this is what worked for me:

if (!$error_msg) {
mail('me@widgets.com',
'Subject', $email_body,
"To: Me <me@widgets.com>\n" .
"From: $email <$email>\n" .
"X-Mailer: PHP 4.x");

I seem to be repeating my self with my email address being in there twice but it does work.