I've been using a script out of a book to create a more secure contact form. I've looked it over several times and can't figure out why it is not working. The problem is, the script is supposed to be replacing "\r" with a space if it is typed anywhere in the email.
However, when I test the contact form by typing \r in the body, it shows up in the email that is sent from the contact form. If anyone has a few minutes to look over my script, I would be grateful.
Here is what I have so far:
<?php # Script 12.1 - email.php #2
include('addressErrorHandling.php');

// Check for form submission:
if (isset($_POST['submitted'])) {

    /* The function takes one argument: a string.
     * The function returns a clean version of the string.
     * The clean version may be either an empty string or
     * just the removal of all newline characters.
     */
    function spam_scrubber($value) {

        // List of very bad values:
        $very_bad = array('to:', 'cc:', 'bcc:', 'content-type:', 'mime-version:', 'multipart-mixed:', 'content-transfer-encoding:');

        // If any of the very bad strings are in
        // the submitted value, return an empty string:
        foreach ($very_bad as $v) {
            if (stripos($value, $v) !== false) return '';
        }

        // Replace any newline characters with spaces.
        // In a double-quoted PHP string "\r" and "\n" are the real
        // carriage-return and line-feed bytes (0x0D, 0x0A), not the
        // two typed characters backslash and r:
        $value = str_replace(array("\r", "\n", "%0a", "%0d"), ' ', $value);

        // Return the value:
        return trim($value);

    } // End of spam_scrubber() function.

    // Clean the form data:
    $scrubbed = array_map('spam_scrubber', $_POST);

    // Minimal form validation:
    if (!empty($scrubbed['name']) &&
        !empty($scrubbed['email']) &&
        !empty($scrubbed['comments']) ) {

        // Create the body:
        $body = "Name: {$scrubbed['name']}\n\nComments: {$scrubbed['comments']}";
        $body = wordwrap($body, 70);

        // Send the email:
        mail('(my email address here, removed to avoid spam)',
            'Contact Form Submission', $body,
            "From: {$scrubbed['email']}");

        // Print a message:
        echo '<p><em>Thank you for contacting me. I will reply some day.</em></p>';

        // Clear $_POST (so that the form's not sticky):
        $_POST = array();

    } else {
        echo "<p style=\"font-weight: bold; color: #C00\">Please fill out the form completely.</p>";
    }

} // End of main isset() IF.
?>
<p>Please fill out this form to contact me.</p>
<form action="contact_us_new.php" method="post">
    <!-- Sticky values are HTML-escaped so a submitted quote or tag cannot
         break out of the attribute or textarea (reflected XSS). -->
    <p>Name: <input type="text" name="name" size="30" maxlength="60" value="<?php if (isset($_POST['name'])) echo htmlspecialchars($_POST['name'], ENT_QUOTES); ?>" /></p>
    <p>Email Address: <input type="text" name="email" size="30" maxlength="80" value="<?php if (isset($_POST['email'])) echo htmlspecialchars($_POST['email'], ENT_QUOTES); ?>" /></p>
    <p>Comments: <textarea name="comments" rows="5" cols="30"><?php if (isset($_POST['comments'])) echo htmlspecialchars($_POST['comments'], ENT_QUOTES); ?></textarea></p>
    <p><input type="submit" name="submit" value="Send!" /></p>
    <input type="hidden" name="submitted" value="TRUE" />
</form>
include('addressErrorHandling.php');
Do you have this file? And in the correct place? Is it being called in? This file I would guess sets up the following function to be used:
function spam_scrubber($value)
However, this line:
// Replace any newline characters with spaces:
$value = str_replace(array( "\r", "\n", "%0a", "%0d"), ' ', $value);
Will do the job on its own. But I don't know what's in the addressErrorHandling.php file, and that str_replace line is within the spam_scrubber function.
Hope that helps
:)
Remove '\r' (carriage return) before sending mail; example as input text:
Line 1
Line 2
The recipient sees this: "Line 1 Line 2"
BUT you intended it to work like this:
Line 1
Line 2\rmore words.
The recipient sees this:
"Line 1
Line 2 more words"
\r will be replaced by " " as user input, but not the carriage return.
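The point both replies make (the str_replace line targets the carriage-return and line-feed bytes that a pressed Enter key produces, not the two characters backslash and r that a user can type) is easiest to see by feeding the posted function some inputs. The script below is an added demonstration, not code from the original post or from the book; it copies spam_scrubber() verbatim from the post and runs it over constructed inputs, including the header-injection attempts the function exists to block. The helpers visible() and safe_from_address() and the file name scrubber_demo.php are the editor's own; the FILTER_VALIDATE_EMAIL check on the From: address is a suggested extra, not part of the book script.

```php
<?php
// Added demonstration of the posted spam_scrubber(); run with: php scrubber_demo.php

// Copied as posted above.
function spam_scrubber($value) {
    $very_bad = array('to:', 'cc:', 'bcc:', 'content-type:', 'mime-version:',
                      'multipart-mixed:', 'content-transfer-encoding:');
    foreach ($very_bad as $v) {
        if (stripos($value, $v) !== false) return '';
    }
    // Double-quoted "\r" and "\n" are the control bytes 0x0D and 0x0A.
    $value = str_replace(array("\r", "\n", "%0a", "%0d"), ' ', $value);
    return trim($value);
}

// Editor's helper: make control bytes visible in terminal output.
function visible($s) {
    return str_replace(array("\r", "\n"), array('<CR>', '<LF>'), $s);
}

// Editor's suggestion for the value that ends up in the From: header.
// FILTER_VALIDATE_EMAIL rejects any string containing whitespace, CR or LF,
// so a smuggled header line cannot survive it. Returns the address or false.
function safe_from_address($value) {
    $clean = spam_scrubber($value);
    return filter_var($clean, FILTER_VALIDATE_EMAIL);
}

// Constructed sample inputs. A single-quoted PHP string keeps a typed
// backslash and r as two ordinary characters, which is exactly what arrives
// in $_POST when someone types \r into the textarea. Pressing Enter in a
// textarea arrives as the real bytes "\r\n".
$cases = array(
    'Enter key pressed (real CR LF)'    => "Line 1\r\nLine 2",
    'backslash and r typed as text'     => 'Line 2\rmore words.',
    'Bcc injection with real CR LF'     => "victim@example.com\r\nBcc: spam@example.com",
    'Bcc injection, URL-encoded text'   => 'victim@example.com%0d%0aBcc: spam@example.com',
    'extra header not on the blocklist' => "victim@example.com\nX-Priority: 1",
);

foreach ($cases as $label => $input) {
    printf("%s\n  in:  %s\n  out: %s\n\n",
           $label, visible($input), visible(spam_scrubber($input)));
}

// Only the plain address passes the stricter From: check; the one carrying
// an extra header line is scrubbed to "victim@example.com X-Priority: 1",
// which is not a valid address, so false comes back and nothing is mailed.
foreach (array("victim@example.com", "victim@example.com\nX-Priority: 1") as $addr) {
    var_dump(safe_from_address($addr));
}
```

Running this shows the first case collapsing onto one line (each of CR and LF becomes a space), the second case passing through untouched because no control byte was ever present, the two Bcc attempts returning the empty string because "bcc:" is on the blocklist, and the X-Priority attempt surviving only as a single line of text, which is the real purpose of the replacement: whatever the user typed, mail() never receives a second header line.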