New to PHP

Contact Form


php123

3:56 pm on Sep 16, 2010 (gmt 0)


Hi,

I have just created a contact form from an online generator and have a contact.php file.

The code is as follows:

<?
$subject="from ".$_GET['txtName'];
$headers= "From: ".$_GET['txtEmail']."\n";
$headers.='Content-type: text/html; charset=iso-8859-1';
mail("example@gmail.com", $subject, "
<html>
<head>
<title>Contact letter</title>
</head>
<body>

<br>
".$_GET['txtMessage']."
</body>
</html>" , $headers);
echo ("Your message was successfully sent!");
?>
<script>
resizeTo(300, 300)
//window.close()
</script>


Can anyone help me with the code to stop a new window opening after I click the submit button? I would prefer if I could get a message box to appear and then for the page to redirect to, say, index.html.

Any help on this matter would be greatly appreciated.

Thanks
E

CyBerAliEn

4:28 pm on Sep 16, 2010 (gmt 0)


First... I really don't understand what this is for at the end:
<script>
resizeTo(300, 300)
//window.close()
</script>


Secondly... this:
<?
$subject="from ".$_GET['txtName'];
$headers= "From: ".$_GET['txtEmail']."\n";
$headers.='Content-type: text/html; charset=iso-8859-1';
mail("example@gmail.com", $subject, "
<html>
<head>
<title>Contact letter</title>
</head>
<body>

<br>
".$_GET['txtMessage']."
</body>
</html>" , $headers);
echo ("Your message was successfully sent!");
?>


Is opening the door for abuse.

Huh? You're grabbing your header values, body, etc. straight from the global "GET" variable. Anybody can throw and force their own code into the GET from the outside. By blindly including these values into your mail code, it allows someone (who knows what they're doing) to hijack your server (via this code) by sending SPAM through it.

I would highly recommend, foremost, to clean your "user" input. Do a search online for "PHP user input cleaning" (or such); you'll find plenty of resources and code to reference. Also consider searching topics like "PHP mail injection" or similar phrases.

Best of luck
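A hardened version of the handler, added here as an example and not code posted by anyone in this thread: it rejects header fields that contain line breaks (the basis of mail injection), validates the address, keeps the From header under the site's control, sends plain text instead of raw HTML, and redirects to index.html after sending. The field names follow the original form; the webform@example.com sender and the two sample inputs are constructed placeholders.

```php
<?php
// Added example, not the original contact.php. Assumes the form is
// submitted with POST and uses the fields txtName, txtEmail, txtMessage.
error_reporting(E_ALL);

// CR, LF and NUL are the characters that let a visitor start a new
// header line inside the mail() header argument; reject them outright.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

// Returns the subject/body/headers to send, or null if the input is unsafe.
function build_mail(array $input): ?array
{
    $name  = trim($input['txtName'] ?? '');
    $email = trim($input['txtEmail'] ?? '');
    $body  = trim($input['txtMessage'] ?? '');

    if ($name === '' || $body === '' || !is_header_safe($name)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL already refuses CR/LF; the explicit check
    // keeps the rule visible to whoever maintains this later.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || !is_header_safe($email)) {
        return null;
    }
    // The site, not the visitor, decides the From header; the visitor's
    // address goes in Reply-To so the sender cannot be forged.
    $headers = "From: webform@example.com\r\n"            // placeholder sender
             . "Reply-To: " . $email . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8";
    return [
        'subject' => 'Contact form: ' . $name,
        'body'    => $body,
        'headers' => $headers,
    ];
}

// Constructed sample inputs: a normal submission, and one carrying an
// injected header line, which build_mail() must refuse.
$ok  = build_mail(['txtName' => 'Alice', 'txtEmail' => 'alice@example.org', 'txtMessage' => 'Hello']);
$bad = build_mail(['txtName' => 'Mallory', 'txtEmail' => "m@example.org\r\nBcc: x@example.net", 'txtMessage' => 'Hi']);
var_dump($ok !== null, $bad === null);

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && ($m = build_mail($_POST)) !== null) {
    mail('example@gmail.com', $m['subject'], $m['body'], $m['headers']);
    header('Location: index.html'); // answers the redirect question from the first post
    exit;
}
```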

Matthew1980

8:37 pm on Sep 16, 2010 (gmt 0)


Welcome to WebmasterWorld, php123,

I shall just be a little nit-picky here, but I think as it's justified!

As you are writing a php application, it would be nice to tell the parser that! When declaring a php file, apart from calling it afile.php you need to actually tell the parser that it's php that you are using! So, your opening line should be:

<?php
error_reporting(E_ALL);//always good to know where you stand at compile time!

When doing this, it will make it easier for the parser to differentiate between html & php, and this makes your application A LOT more compatible with more servers, as the short tag option is defined in the ini file; different servers have different ini files, so when you come to migrate servers this will eradicate any incompatibility cross-server.

Hope that makes sense anyway, I have seen this stop scripts in their tracks because people have only used short form tags.

Also before attempting anything like this, read a tutorial and read up on spam prevention methods & data sanitising (cleaning user submitted data) before you set anything live, as doing this incorrectly can have nasty consequences if you leave yourself open to abuse.

Useful link to have.. [w3schools.com]

Cheers,
MRb