php mail() question

one static recipient, one user defined

         

Powdork

5:50 am on Dec 2, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So here is my process.php file. I am trying to send one email to the site owner, and the second would be sent to the user that submitted the form. That email address is passed through on the form with the name Email.
<?php
if ($_SERVER['REQUEST_METHOD']=="POST"){
    // In testing, if you get a Bad referer error
    // comment out or remove the next three lines
    if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])>7 ||
        !strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']))
        die("Bad referer");
    $msg="Values submitted by the user:\n";
    foreach($_POST as $key => $val){
        if (is_array($val)){
            $msg.="Item: $key\n";
            foreach($val as $v){
                $v = stripslashes($v);
                $msg.=" $v\n";
            }
        } else {
            $val = stripslashes($val);
            $msg.="$key: $val\n";
        }
    }
    $recipient = "me@example.com" . ', '; // note the comma
    $recipient .= "whatgoeshere";
    $subject="Form submission";
    error_reporting(0);
    if (mail($recipient, $subject, $msg)){
        echo "<h1>Thank you</h1><p>Message successfully sent:</p>\n";
        // $input was never defined; show the message that was sent, HTML-escaped
        echo nl2br(htmlspecialchars($msg));
    } else
        echo "An error occurred and the message could not be sent.";
} else
    echo "Bad request method";
?>


Powdork

7:29 am on Dec 2, 2008 (gmt 0)

Never mind, this worked:
$recipient = $_POST['Email'] . ', '; // note the comma
$recipient .= "me@example.com";

When I was testing before, I had cEmail and the static email as the same address, so I was only seeing 1 email. As soon as I changed it, everything worked.

vincevincevince

10:46 am on Dec 2, 2008 (gmt 0)

Off topic; but important:

Someone sneaky (or more likely a robot) will POST a value to Email which is not an email address; in fact it may start with an email address, but it will then add more email addresses, Mime type headers and a spam body.

You absolutely must write a robust regular expression for $_POST[Email] and apply it...

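// no m modifier: with it, ^ and $ match per line and a value with extra lines appended would pass; D stops $ matching before a trailing newline
if (!preg_match("/^[a-z0-9\-\_\.]+\@[a-z0-9\-\.]+\.[a-z0-9\-\.]{2,8}$/iD",$_POST['Email'])) die();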

Powdork

7:53 am on Dec 3, 2008 (gmt 0)

I will be doing some validation. The tutorial I'm using recommends this to go with what I have.

if(preg_match("/\r|\n/",urldecode($from))){
    $errors[] = "Invalid form submission";
}else{
    $headers = "From: $from";
}

Will that work?

While this takes care of sending the email to the customer as well as the retailer, I then have some JavaScript

<SCRIPT LANGUAGE="JavaScript"><!--
setTimeout('document.test.submit()',50);
//--></SCRIPT>
which automatically submits the form, sending the amount to the PayPal payment page. The problem is this is tripping popup blockers. Is there a way to defeat this?

vincevincevince

8:13 am on Dec 3, 2008 (gmt 0)

The check for \n or \r does not seem quite strong enough to me; but it may well be. Try a preg_match() similar to the one I suggest; or at the minimum - limit the length of the email address to say 40 characters.

automatically submits the form sending the amount to the paypal payment page

Paypal has an 'email payments' method, which is basically the same as the POST form but in GET format. Compile that form of URL then do a true redirect for the user:
header("Location: http:// www.paypal.com/web_cmd....");

That way it is instant and in line. A better way to do this would probably be to go to paypal.com immediately and then fire your emails when you get confirmation of completed payment via the paypal IPN.
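
The Email checks discussed in this thread (a strict address pattern, the CR/LF test and the 40-character limit) combined into one function, as an added example that is not code from any of the posters. The helper name validate_recipient() and all sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the thread): vet the posted Email value before it is
// concatenated into the recipient list given to mail().
// validate_recipient() and all sample inputs are constructed for illustration.

function validate_recipient($raw, $maxLen = 40)
{
    // Email[]=x in the POST body arrives as an array, not a string
    if (!is_string($raw) || $raw === '' || strlen($raw) > $maxLen) {
        return false;
    }
    // CR/LF would begin a new header line; a comma would add another recipient
    if (preg_match('/[\r\n,]/', $raw)) {
        return false;
    }
    // \A and \z anchor to the whole string. With ^...$ plus the m modifier each
    // line is tested on its own, so "addr\nBcc: ..." passes on its first line.
    if (!preg_match('/\A[a-z0-9._-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)+\z/i', $raw)) {
        return false;
    }
    return $raw;
}

$samples = array(
    'customer@example.com',
    "customer@example.com\nBcc: list@example.net",   // injected header line
    "customer@example.com\n",                        // trailing newline
    'customer@example.com, other@example.net',       // extra recipient
    str_repeat('a', 40) . '@example.com',            // over the length limit
    array('customer@example.com'),                   // array instead of string
);

foreach ($samples as $s) {
    $ok = validate_recipient($s);
    printf("%-8s %s\n", $ok === false ? 'rejected' : 'accepted', json_encode($s));
}

// Per-line anchoring for comparison: this prints 1 (match) for the injected value
echo preg_match('/^[a-z0-9._-]+@[a-z0-9.-]+$/im', $samples[1]), "\n";

// Building the recipient list only from a vetted value, as in process.php
$email = validate_recipient(isset($_POST['Email']) ? $_POST['Email'] : null);
if ($email !== false) {
    $recipient = $email . ', me@example.com';
}
```

Only the first sample is accepted. The same function can vet a value such as $from before it is placed in a From: header.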