
Forum Moderators: coopster & jatar k


Adding field (s) to simple form

     
10:02 am on Sep 28, 2011 (gmt 0)

5+ Year Member



I have a simple form on all my sites sent with the mail function.
At present it has just the email field which ensures that we get sender's email (as long as he fills it out correctly)
and the message text area
I have tried adding the field and the corresponding variables

but I am getting nowhere.

I will post the code here and if somebody can put me on the right track
pls note that I am not very PHP proficient, I work with existing scripts but can not write it

here is the form

<!--Start form table--><br><br>
<table width="450" cellspacing="2" border="0" cellpadding="2" align="center">
<tbody align="left" valign="middle">
<tr>
<td><form method="post" action="sendmail.php">
Votre Email: <input name="email" type="text" class="input" /><br />
Votre Message:<br />
<textarea name="message" rows="18" cols="60" class="input" >
</textarea><br />
<input type="submit" value="Envoyer" class="button" />
</form></td>
</tr>
</tbody>
</table>
<!--End form table-->


and here is the sendmail.php file
<?php
$email = $_REQUEST['email'] ;
$message = $_REQUEST['message'] ;

if (!isset($_REQUEST['email'])) {
header( "Location: http://www.somedomain.com/thanks.php" );
}
elseif (empty($email) || empty($message)) {
?>
<html>
<head></head>
<body>
<table width="960" cellspacing="2" border="0" cellpadding="2" align="center" bgcolor="#E7CE97">
<tbody>
<tr>
<td>You have not filled in all the fields
<br> <a href="contact.php" target="_self">please click here and start again</a><br><br><br><br><br></td>
</tr>
</tbody>
</table>
</body>
</html>
<?php
}
else {
mail( "contact@somedomain.com", "Message from somedomain.com",
$message, "From: $email" );
header( "Location: http://www.somedomain.com/thanks.php" );
}
?>


What I would like would be the following

<!--Start form table--><br><br>
<table width="450" cellspacing="2" border="0" cellpadding="2" align="center">
<tbody align="left" valign="middle">
<tr>
<td><form method="post" action="sendmail.php">
Votre Email: <input name="email" type="text" class="input" /><br />
Votre Nom: <input name="name" type="text" class="input" /><br /><br>
Votre Tel: <input name="tel" type="text" class="input" /><br /><br>
Votre Message:<br />
<textarea name="message" rows="18" cols="60" class="input" >
</textarea><br />
<input type="submit" value="Envoyer" class="button" />
</form></td>
</tr>
</tbody>
</table>
<!--End form table-->


Thanks for any help
4:31 pm on Sep 28, 2011 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



This script is horribly insecure, look into input cleansing . . . .

at any rate, look at how the "message" gets into the email body. In the form you have

<textarea name="message" rows="18" cols="60" class="input" >

which is parsed by the script here,

$message = $_REQUEST['message'] ;

.. storing the input value in "$message" and actually placed in the email here.

mail( "contact@somedomain.com", "Message from somedomain.com",
$message, "From: $email" );

So the first question is, where do you want your additional fields to appear?

Let's "prepend" them to "$message" for example. The fields in the form,

Votre Nom: <input name="name" type="text" class="input" /><br /><br>
Votre Tel: <input name="tel" type="text" class="input" /><br /><br>

Then "capture" them in new variables, following the style,
$message = $_REQUEST['message'];
$nm = $_REQUEST['name'];
$tel = $_REQUEST['tel'];


// Then prepend it to message. We do this by re-storing "$message" back into $message as a new string:

$message = "
Name: $nm<br>
Tel: $tel<br>
$message
";

Then when you go to email, "$message" contains the new field data.

Again, you might look into protecting your script with input filtering, it's a large topic but form abuse is rampant. Some good search terms are email injection, database injection, cleanse input . . .
7:52 am on Sep 29, 2011 (gmt 0)

5+ Year Member



Thanks rocknbil

I am really happy with your answer and comments.

I am now able to add any field I want, this is perfect!

I noted what you said about security and started having a look at that, so far I do not understand what damage can be done apart from spammers sending junk but they can not get my mail address.

they have that anyway
:-)

But I need to look more into it and read up on the links I will finish off the form and get back here if I have some questions
6:30 pm on Sep 29, 2011 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Suppose I could do this.

<input type="text" name="email" value="spammer1@example.com,spammer2@example.com,spammer3@example.com,spammer4@example.com">

I've just used your form to spam. Multiply that by 1000. Of course, a real hack wouldn't come from your form, and it wouldn't be that simple, it would come from a command line. There's plenty they could do . . .
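
An added example, not part of the original posts or any poster's code: a hardened sendmail.php for the thread's four fields, showing the kind of input filtering recommended above. The helper names, the length limits, and the choice of a fixed From with the visitor's address in Reply-To are assumptions.

```php
<?php
// Added example, not the thread's code. Field names come from the form above;
// post_field(), single_line() and clean_email() are hypothetical helpers.

// Read one POST field as a string; array input such as email[]=x becomes ''.
function post_field(string $name): string
{
    $v = $_POST[$name] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Header-bound values must stay on one line: CR/LF is how extra headers
// (Bcc:, Cc:, a second To:) get injected through "From: $email".
function single_line(string $v, int $max): ?string
{
    return ($v === '' || strlen($v) > $max || preg_match('/[\r\n\0]/', $v)) ? null : $v;
}

// Exactly one valid address; a comma-separated list fails this filter.
function clean_email(string $v): ?string
{
    $v = single_line($v, 254);
    return ($v !== null && filter_var($v, FILTER_VALIDATE_EMAIL) !== false) ? $v : null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    header('Location: http://www.somedomain.com/contact.php');
    exit;
}

$email   = clean_email(post_field('email'));
$name    = single_line(post_field('name'), 100);
$tel     = preg_match('/^[0-9 +().-]{5,20}\z/', post_field('tel')) ? post_field('tel') : null;
$message = substr(post_field('message'), 0, 5000);

if ($email === null || $name === null || $tel === null || $message === '') {
    http_response_code(400);
    exit('You have not filled in all the fields correctly.');
}

// Plain-text body: newlines, not <br>. User data goes only into the body and
// Reply-To; From stays a fixed address on the site's own domain.
$body    = "Name: $name\nTel: $tel\nEmail: $email\n\n$message";
$body    = wordwrap(str_replace(["\r\n", "\r"], "\n", $body), 70, "\n");
$body    = str_replace("\n", "\r\n", $body);
$headers = "From: contact@somedomain.com\r\nReply-To: $email";

mail('contact@somedomain.com', 'Message from somedomain.com', $body, $headers);
header('Location: http://www.somedomain.com/thanks.php');
exit;
```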
7:09 pm on Sep 29, 2011 (gmt 0)

5+ Year Member



I got a spam yesterday
but not tonight ?
5:56 am on Oct 1, 2011 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



It seems you took my comment literally, I didn't just "send you spam" (the example there wouldn't work anyway as posted.) My apologies for expressing it in first person and assure you - I'd never send anyone "spam." :-)

<scurries back to English 101>
8:55 am on Oct 1, 2011 (gmt 0)

5+ Year Member



Sorry about that, no harm done at all. I did take it as constructive though ..
:-)
 
