Secure a contact form from scratch in Wordpress - php

I am currently creating a website with WordPress; I am creating my own theme and I am not using jQuery. I need to introduce a simple contact form that sends an email on submission, and all the plugins need jQuery to work.
Is it safe to create a contact form that sends an email? Is there a risk of SQL injection, since I do not query the database on submission?
I have very little security skill, so any information or clarification will be welcome.

So, for example, something like:

$name    = trim( ( $_POST['message_name'] ?? '' ) . ' ' . ( $_POST['message_lastname'] ?? '' ) ); // I like to combine first and last name into one variable; trim() so two empty fields do not slip past empty() as " ".
$email   = $_POST['message_email'] ?? '';
$website = $_POST['message_url'] ?? '';
$message = $_POST['message_description'] ?? '';
if ( ! filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
    $response = form_validation_response( 'error', $email_invalid );
} else {
    if ( empty( $name ) || empty( $message ) ) {
        $response = form_validation_response( 'error', $missing_content );
    }
}
// The simplest check you can do is make sure that the fields are NOT empty.
The form_validation_response method is a simple function which you can use to return an error message:

$not_human       = "Human verification incorrect.";
$missing_content = "Please supply all information.";
$email_invalid   = "Email Address Invalid.";
$message_unsent  = "Message was not sent. Try Again.";
$message_sent    = "Thanks! Your message has been sent.";

function form_validation_response( $type, $message ) {
    $class = 'px-2 py-1 mb-6 rounded-md '; // These are Tailwind classes, but it could be Bootstrap. The trailing space keeps the next classes from being glued onto "rounded-md".
    if ( $type == 'success' ) {
        $class .= "border border-green-800 text-green-700";
    } else {
        $class .= "border border-redish text-redish";
    }
    return "<div class='{$class}'>{$message}</div>";
}
The example above is used to validate the email, but you can also make sure that the fields are actually submitted, before even starting the validation process:
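To answer the security part of the question directly: with no database query there is no SQL injection to speak of, but the submitted fields still end up in an email and in an HTML response. The risks that do apply are mail header injection (a CR or LF inside a value that is placed in a header such as From: or Subject: lets the visitor add headers of their own, for example a Bcc: to every address they like), cross-site scripting if a field is ever echoed back unescaped, and spam or CSRF if the form can be submitted from anywhere. The block below is an added example, not code from the question or from either answer, that hardens the handler above. It assumes a WordPress theme that renders the form with wp_nonce_field( 'contact_form', 'contact_nonce' ) and a hidden honeypot input named "website_url"; the function names are my own.

```php
<?php
// Added example (not code from the question or from either answer above).
// Assumed context: a WordPress theme that renders the form with
// wp_nonce_field( 'contact_form', 'contact_nonce' ) and a hidden honeypot input
// named "website_url". The function names are my own.

/**
 * Validate the raw POST fields. Pure PHP, no WordPress calls, so it can be run
 * from the command line. Returns ['errors' => [...], 'name', 'email', 'body'].
 */
function contact_form_validate( array $post ): array {
    $errors = [];
    // Ignore non-string values (a request can send field[]=x) and trim the rest.
    $field = static fn( string $key ): string => is_string( $post[ $key ] ?? null ) ? trim( $post[ $key ] ) : '';

    $name  = trim( $field( 'message_name' ) . ' ' . $field( 'message_lastname' ) );
    $email = $field( 'message_email' );
    $body  = $field( 'message_description' );

    if ( $name === '' || $body === '' ) {
        $errors[] = 'missing_content';
    }
    // A CR or LF inside a value that later lands in a mail header lets the visitor
    // append headers of their own (Bcc:, extra To:). Refuse it at the boundary.
    if ( strpbrk( $name, "\r\n" ) !== false || strlen( $name ) > 100 ) {
        $errors[] = 'name_invalid';
    }
    // FILTER_VALIDATE_EMAIL returns the address or false. It rejects control
    // characters, so the value it returns is safe to place in a Reply-To header.
    $valid_email = filter_var( $email, FILTER_VALIDATE_EMAIL );
    if ( $valid_email === false ) {
        $errors[] = 'email_invalid';
    }
    if ( strlen( $body ) > 5000 ) {
        $errors[] = 'message_too_long';
    }
    // Honeypot: bots fill every input; a human never sees this one.
    if ( $field( 'website_url' ) !== '' ) {
        $errors[] = 'not_human';
    }

    return [
        'errors' => $errors,
        'name'   => $name,
        'email'  => $valid_email === false ? '' : $valid_email,
        'body'   => $body,
    ];
}

/**
 * WordPress glue: nonce (CSRF) check, validation, then wp_mail() with a fixed
 * From address. Returns the HTML status message for the template to print.
 */
function contact_form_handle( array $post ): string {
    if ( ! isset( $post['contact_nonce'] ) || ! wp_verify_nonce( $post['contact_nonce'], 'contact_form' ) ) {
        return '<div class="form-error">Invalid form token. Please reload the page and try again.</div>';
    }
    $data = contact_form_validate( $post );
    if ( $data['errors'] !== [] ) {
        // Only fixed strings are echoed here; anything taken from $post must go through esc_html().
        return '<div class="form-error">Please supply all information and a valid email address.</div>';
    }
    // From stays an address on this domain so SPF/DKIM still pass; the visitor goes
    // in Reply-To, and no user-supplied text is placed in Subject.
    $host    = wp_parse_url( home_url(), PHP_URL_HOST );
    $headers = [
        'From: noreply@' . $host,
        'Reply-To: ' . $data['email'],
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $text = "Name: {$data['name']}\nEmail: {$data['email']}\n\n{$data['body']}\n";
    $sent = wp_mail( get_option( 'admin_email' ), 'Contact form submission', $text, $headers );

    return $sent
        ? '<div class="form-success">Thanks! Your message has been sent.</div>'
        : '<div class="form-error">Message was not sent. Try again.</div>';
}

// Stand-alone check of the validator (no WordPress needed). Both inputs are
// constructed; the second carries a header-injection attempt in the email field.
if ( PHP_SAPI === 'cli' ) {
    $base = [
        'message_name'        => 'Alice',
        'message_lastname'    => 'Example',
        'message_email'       => 'alice@example.com',
        'message_description' => 'Hello from the contact form.',
    ];
    $attack = $base;
    $attack['message_email'] = "alice@example.com\r\nBcc: everyone@example.net";

    var_dump( contact_form_validate( $base )['errors'] );
    var_dump( contact_form_validate( $attack )['errors'] );
}
```

In the theme, call contact_form_handle( $_POST ) only when the request method is POST and print its return value where the status message goes. The split between a pure validator and a thin WordPress wrapper is deliberate: the validator is the part that decides what is safe, and it can be exercised from the command line without a site.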

If you're not familiar with creating a "secure" PHP form, I would advise you to use a plugin for this.
If you're allowed to install plugins, then have a look at "form plugins" like:
WPForms (https://wpforms.com/)
Gravity Forms (https://www.wpbeginner.com/refer/gravityforms/)
Contact Form 7 (https://wordpress.org/plugins/contact-form-7/)
These are just a few of the form plugins that are available. Depending on your needs/budget you should then decide which plugin fits best (some are free, freemium, premium, etc.).

Related

How to prevent a script from running when email does not pass filter_var

I'm trying to make the emails pass validation by using filter_var. However, I am not sure how to prevent the script from processing the form data to my database if the email is not valid.
I have

$email = $_POST['email'];
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
if (!filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    echo("$email is a valid email address");
} else {
    echo("$email is not a valid email address");
    exit();
}

The email obviously comes from what was entered by the user and is in the $_POST variable. The script DOES show the email as valid or invalid; however, it STILL processes the script and places the form data into my database. I thought that putting "exit()" would be the solution to this, or the proper way to handle it when it's not valid. It simply opens a new page where the echo print shows.
What am I missing or doing wrong? Ideally I would like the form field to highlight and give the user some indication that they've entered an incorrectly formatted email address (although I know that is a different topic and somewhat a bells-and-whistles type of thing), but I certainly do not want to allow the script to process the data into my database.
The answer lies in where the validation code was placed. Instead of placing it RIGHT AFTER the posted variables and before the SQL insertion code, I had put it at the very end of the script, so the posted data went into the database before it could be validated.
So now I have this (which works):

$name  = $_POST['name'];
$email = $_POST['email'];
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    echo(htmlspecialchars($email) . " is not a valid email address"); // escape anything echoed back from the request
    exit();
} else {
    $msg_to_user = '<br /><br /><h4>Thanks ' . htmlspecialchars($name) . ', we will send you news when appropriate. Take care!</h4>';
    $name  = "";
    $email = "";
}
// THE SQL SELECT STATEMENT TO ENSURE NO DUPLICATE EMAIL AND THEN THE INSERT STATEMENT TO PUT THE DATA IN THE DATABASE COMES AFTER THE CODE ABOVE

How can I validate my signup form in PHP

I want all my signup fields to be validated in PHP, but it seems it does not take any validation except the email validation. Please have a look so that you can help me debug my errors.
Thank you.
Here is my signup process...
if($_POST['action']=="signup")
{
    $name = mysqli_real_escape_string($connection,$_POST['name']);
    $email = mysqli_real_escape_string($connection,$_POST['email']);
    $bankid = mysqli_real_escape_string($connection,$_POST['bankid']);
    $phone = mysqli_real_escape_string($connection,$_POST['phone']);
    $password = mysqli_real_escape_string($connection,$_POST['password']);
    $query = "SELECT email FROM users where email='".$email."'";
    $result = mysqli_query($connection,$query);
    $numResults = mysqli_num_rows($result);
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) // Validate email address
    {
        $message = "E - post Redan also!!";
    }
    elseif($numResults>=1)
    {
        $message = $email." E-post redan finns!!";
    }
    else
    {
        mysqli_query($connection,"insert into users(name,email,bankid,phone,password) values('".$name."','".$email."','".$bankid."','".$phone."','".md5($password)."')");
        $message = "Registrera framgångsrikt!!";
    }
}
If I understand you correctly, you want to be able to validate all the fields of your sign up form on submit, correct?
There are various examples online of using filter_var in PHP - a bit of Googling will get you the answers.
I would recommend using a validation library that's built to help you make sure your code is secure. An example of such a library is: https://github.com/Wixel/GUMP
If you have a look at the source code for GUMP, there are more examples using filter_var:
https://github.com/Wixel/GUMP/blob/master/gump.class.php#L878
filter_var($value, FILTER_SANITIZE_NUMBER_INT)
filter_var($value, FILTER_SANITIZE_SPECIAL_CHARS);
// etc
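Both threads above ("How to prevent a script from running when email does not pass filter_var" and this signup question) come down to the same two rules: validate every field before anything touches the database, and pass values to SQL as bound parameters rather than by concatenating mysqli_real_escape_string() output into the query string. The block below is an added example, not code from either question or answer, that applies both rules to the signup form, checks for a duplicate address the same way, and stores the password with password_hash() instead of md5(). It uses PDO with an in-memory SQLite database so that it runs as-is (swap the DSN for a mysql: one in production); the bankid format, the constructed inputs and the function names are my own assumptions.

```php
<?php
// Added example, not code from either thread above. Validate every field first,
// then talk to the database only through bound parameters, and store passwords
// with password_hash(). Runs stand-alone on an in-memory SQLite database (an
// assumption for the demo); use a "mysql:host=...;dbname=..." DSN in production.
// Field names follow the signup question; function names and the bankid format are mine.

/** Validate all signup fields. Returns a list of error messages, empty when everything is valid. */
function validate_signup( array $post ): array {
    $errors = [];
    // Ignore non-string values (a request can send field[]=x) and trim the rest.
    $get = static fn( string $k ): string => is_string( $post[ $k ] ?? null ) ? trim( $post[ $k ] ) : '';

    if ( $get( 'name' ) === '' || strlen( $get( 'name' ) ) > 100 ) {
        $errors[] = 'Name is required (max 100 bytes).';
    }
    if ( filter_var( $get( 'email' ), FILTER_VALIDATE_EMAIL ) === false ) {
        $errors[] = 'Email address is invalid.';
    }
    // Assumed format for bankid: 6 to 20 digits. Adjust to the real identifier scheme.
    if ( ! preg_match( '/^\d{6,20}$/', $get( 'bankid' ) ) ) {
        $errors[] = 'Bank ID must be 6 to 20 digits.';
    }
    // Anchored, so only digits, spaces, +, -, dots and parentheses get through.
    if ( ! preg_match( '/^\+?[\d\s().-]{6,20}$/', $get( 'phone' ) ) ) {
        $errors[] = 'Phone number is invalid.';
    }
    $password = is_string( $post['password'] ?? null ) ? $post['password'] : ''; // not trimmed: spaces are part of it
    if ( strlen( $password ) < 10 ) {
        $errors[] = 'Password must be at least 10 characters.';
    }
    return $errors;
}

/**
 * Validate, check for a duplicate, then insert. Every value is a bound parameter,
 * so quotes and comment sequences in the input are stored as data, never run as SQL.
 * Returns ['status' => 'created'|'duplicate'|'invalid', 'errors' => [...]].
 */
function signup( PDO $db, array $post ): array {
    $errors = validate_signup( $post );
    if ( $errors !== [] ) {
        return [ 'status' => 'invalid', 'errors' => $errors ];
    }
    $email = filter_var( trim( $post['email'] ), FILTER_VALIDATE_EMAIL );

    $check = $db->prepare( 'SELECT 1 FROM users WHERE email = :email' );
    $check->execute( [ ':email' => $email ] );
    if ( $check->fetchColumn() !== false ) {
        return [ 'status' => 'duplicate', 'errors' => [] ];
    }

    $insert = $db->prepare(
        'INSERT INTO users (name, email, bankid, phone, password)
         VALUES (:name, :email, :bankid, :phone, :password)'
    );
    $insert->execute( [
        ':name'     => trim( $post['name'] ),
        ':email'    => $email,
        ':bankid'   => trim( $post['bankid'] ),
        ':phone'    => trim( $post['phone'] ),
        ':password' => password_hash( $post['password'], PASSWORD_DEFAULT ),
    ] );
    return [ 'status' => 'created', 'errors' => [] ];
}

// Demo on an in-memory SQLite database with constructed input.
$db = new PDO( 'sqlite::memory:', null, null, [ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION ] );
$db->exec( 'CREATE TABLE users (name TEXT, email TEXT UNIQUE, bankid TEXT, phone TEXT, password TEXT)' );

$good = [
    'name' => 'Anna', 'email' => 'anna@example.com', 'bankid' => '123456789',
    'phone' => '+46 70 123 45 67', 'password' => 'correct horse battery',
];
$injection          = $good;
$injection['email'] = 'eve@example.com';
$injection['name']  = "x', 'a@b.c', '1', '1', 'p'); DROP TABLE users; --"; // would end the query if concatenated
$bad                = $good;
$bad['email']       = 'not-an-address';

$cases = [ 'first signup' => $good, 'same email again' => $good, 'injection payload as name' => $injection, 'invalid email' => $bad ];
foreach ( $cases as $label => $input ) {
    $result = signup( $db, $input );
    echo $label, ': ', $result['status'], $result['errors'] ? ' (' . implode( ' ', $result['errors'] ) . ')' : '', "\n";
}
// The table still exists and the payload was stored as a literal name.
echo 'rows: ', $db->query( 'SELECT COUNT(*) FROM users' )->fetchColumn(), "\n";
$stmt = $db->prepare( 'SELECT name FROM users WHERE email = ?' );
$stmt->execute( [ 'eve@example.com' ] );
echo 'stored name: ', $stmt->fetchColumn(), "\n";
```

The ordering inside signup() is the point of the first thread: nothing is prepared or executed until validate_signup() has returned an empty list. The bound parameters are the point of the second: the name that carries a DROP TABLE payload is inserted as a 49-byte string, and the final query still finds the table with two rows.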

Form Email Validation in backend PHP

I am using a form to get newsletter sign-ups on my website. I am using a contact.php file which works well, but there is no validation, so I occasionally, and sometimes frequently, get blank responses.
I'm not sure why this is, but I believe I need validation.
This is my original code
<?php
/*
Author: Andrew Walsh
Date: 30/05/2006
Codewalkers_Username: Andrew
This script is a basic contact form which uses AJAX to pass the information to php, thus making the page appear to work without any refreshing or page loading time.
*/
$to = "hello@interzonestudio.com"; //This is the email address you want to send the email to
$subject_prefix = ""; //Use this if you want to have a prefix before the subject
if(!isset($_GET['action']))
{
    die("You must not access this page directly!"); //Just to stop people from visiting contact.php normally
}
/* Now lets trim up the input before sending it */
$subject = "Newsletter Sign Up"; //The subject
$message = trim($_GET['email']); //The message body (this script reuses the email field as the body)
$email = trim($_GET['email']); //The senders email address
mail($to,$subject,$message,"From: ".$email.""); //a very simple send
echo 'contactarea|Thank you. We promise you won’t regret it.'; //now lets update the "contactarea" div on the contact.html page. The contactarea| tells the javascript which div to update.
?>
and this is the code I tried to add to validate, but it doesn't work.
<?php
/*
Author: Andrew Walsh
Date: 30/05/2006
Codewalkers_Username: Andrew
This script is a basic contact form which uses AJAX to pass the information to php, thus making the page appear to work without any refreshing or page loading time.
*/
$to = "jcash1@gmail.com"; //This is the email address you want to send the email to
$subject_prefix = ""; //Use this if you want to have a prefix before the subject
if(!isset($_GET['action']))
{
    die("You must not access this page directly!"); //Just to stop people from visiting contact.php normally
}
/* Now lets trim up the input before sending it */
$subject = "Newsletter Sign Up"; //The subject
$message = trim($_GET['email']); //The message body (this script reuses the email field as the body)
$email = trim($_GET['email']); //The senders email address
/* Validation */
$error=0; // check up variable
$errormsg = '<ul class="errorlist">';
/* get it checking */
if(!check_email($email)) // check_email() is not defined anywhere in this script
{
    $errormsg.= "<li class='errormessage'>ERROR: not a valid email.</li>";
    $error++;
}
$errormsg .= '</ul>';
if($error == 0) {
    mail($to,$subject,$message,"From: ".$email.""); //a very simple send
    echo 'contactarea|Thank you. We promise you won’t regret it.'; //now lets update the "contactarea" div on the contact.html page. The contactarea| tells the javascript which div to update.
} else {
    echo 'error|'. $errormsg;
}
?>
Can anyone offer some insight?
I cannot for the life of me get this to work...
I am getting an error with the plugin, and I have loaded it correctly,
so I tried adding this:

if (filter_var($email, FILTER_VALIDATE_EMAIL) === true) {
    //your email sending code here
} else {
    echo("$email is not a valid email address");
}
like so:
<?php
/*
Author: Andrew Walsh
Date: 30/05/2006
Codewalkers_Username: Andrew
This script is a basic contact form which uses AJAX to pass the information to php, thus making the page appear to work without any refreshing or page loading time.
*/
$to = "hello@interzonestudio.com"; //This is the email address you want to send the email to
$subject_prefix = ""; //Use this if you want to have a prefix before the subject
if(!isset($_GET['action']))
{
    die("You must not access this page directly!"); //Just to stop people from visiting contact.php normally
}
/* Now lets trim up the input before sending it */
if (filter_var($email, FILTER_VALIDATE_EMAIL) === true) { // $email has not been assigned yet at this point, and filter_var() never returns true
    $subject = "Newsletter Sign Up"; //The subject
    $message = trim($_GET['email']); //The message body (this script reuses the email field as the body)
    $email = trim($_GET['email']); //The senders email address
    mail($to,$subject,$message,"From: ".$email.""); //a very simple send
    echo 'contactarea|<div id="thanks">Thank you. We promise you won’t regret it.</div>'; //now lets update the "contactarea" div on the contact.html page. The contactarea| tells the javascript which div to update.
} else {
    echo("$email is not a valid email address");
}
?>

Which is not working. I think it is because I have implemented the code in the wrong place, but I am not sure. Any help would be greatly appreciated.
You can use the filter_var() function in PHP for validating email addresses.
For simply validating email addresses in PHP, you can use it like this:
if(filter_var($email, FILTER_VALIDATE_EMAIL)){
    echo "Valid email";
}
And your code can be improved like this:

if(filter_var($email, FILTER_VALIDATE_EMAIL)){
    mail($to,$subject,$message,"From: ".$email.""); //a very simple send
    echo 'contactarea|Thank you. We promise you won’t regret it.'; //now lets update the "contactarea" div on the contact.html page. The contactarea| tells the javascript which div to update.
}
else {
    $errormsg.= "<li class='errormessage'>ERROR: not a valid email.</li>"; // $errormsg was opened with '<ul class="errorlist">' earlier in the script
    $error++;
    $errormsg .= '</ul>';
    echo 'error|'. $errormsg;
}
If you want to know more about it, visit official PHP documentation page here : http://php.net/manual/en/filter.filters.validate.php
Or use the jQuery validation plugin. I highly recommend it.
The code will look similar to this:

$( "#myform" ).validate({
    rules: {
        field: {
            required: true,
            email: true
        }
    }
});
You can use server-side validation with this code:

if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) { // filter_var() returns the address itself, never true, so compare against false
    //your email sending code here
} else {
    echo(htmlspecialchars($email) . " is not a valid email address"); // escape the value before echoing it back
}

php mail not sending "invalid email address"

I'm getting the "invalid email address" message.
Everything is hardcoded for testing; what is missing? Thanks!
<html>
<head><title>PHP Mail Sender</title></head>
<body>
<?php
/* All form fields are automatically passed to the PHP script through the array $HTTP_POST_VARS. */
$email = $HTTP_POST_VARS['example@example.com'];
$subject = $HTTP_POST_VARS['subjectaaa'];
$message = $HTTP_POST_VARS['messageeeee'];
/* PHP form validation: the script checks that the Email field contains a valid email address and the Subject field isn't empty. preg_match performs a regular expression match. It's a very powerful PHP function to validate form fields and other strings - see PHP manual for details. */
if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $email)) {
    echo "<h4>Invalid email address</h4>";
    echo "<a href='javascript:history.back(1);'>Back</a>";
} elseif ($subject == "") {
    echo "<h4>No subject</h4>";
    echo "<a href='javascript:history.back(1);'>Back</a>";
}
/* Sends the mail and outputs the "Thank you" string if the mail is successfully sent, or the error string otherwise. */
elseif (mail($email,$subject,$message)) {
    echo "<h4>Thank you for sending email</h4>";
} else {
    echo "<h4>Can't send email to $email</h4>";
}
?>
</body>
</html>
Change

$email = $HTTP_POST_VARS['jaaanman2324@gmail.com'];
$subject = $HTTP_POST_VARS['subjectaaa'];
$message = $HTTP_POST_VARS['messageeeee'];

to

$email = 'jaaanman2324@gmail.com';
$subject = 'subjectaaa';
$message = 'messageeeee';
I think you want it to be hardcoded like this:
$email = 'jaaanman2324@gmail.com';
Otherwise you are trying to get the value out of $HTTP_POST_VARS with the key jaaanman2324@gmail.com.
First, don't use $HTTP_POST_VARS; it's $_POST now.
Second, by writing $HTTP_POST_VARS['jaaanman2324@gmail.com'] you're looking for an array element with the key jaaanman2324@gmail.com.
That's not what you wanted to do.
If you want to hardcode it, write
$email = 'jaaanman2324@gmail.com';
if not, write
$email = $_POST['email'];
to get the email field from the form.
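The two threads above ("Form Email Validation in backend PHP" and this one) share one hazard. The newsletter script passes "From: ".$email to mail() with whatever arrived in the query string, and the "invalid email address" script checks addresses with an unanchored preg_match() pattern that is satisfied by any address-shaped substring. The block below is an added example, mine and not code from either question, that runs the page's regex and FILTER_VALIDATE_EMAIL side by side over constructed inputs, including a header-injection string, and prints the header lines mail() would have been handed. It runs from the PHP command line; nothing is sent.

```php
<?php
// Added example, not code from either question above. Compares the regex used in
// the "invalid email address" question with FILTER_VALIDATE_EMAIL, and shows what
// the newsletter script's "From: ".$email would hand to mail(). Inputs are
// constructed; nothing is sent.

// The question's pattern with the @ restored. It has no ^ and $ anchors, so it is
// satisfied as soon as an address-shaped substring appears anywhere in the input.
const LOOSE_EMAIL_RE = '/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/';

/** Run both checks on one input. */
function check_email( string $email ): array {
    return [
        'regex'      => preg_match( LOOSE_EMAIL_RE, $email ) === 1,
        'filter_var' => filter_var( $email, FILTER_VALIDATE_EMAIL ) !== false,
        'has_crlf'   => strpbrk( $email, "\r\n" ) !== false,
    ];
}

/** The additional_headers argument exactly as the newsletter script builds it. */
function from_header_as_written( string $email ): string {
    return 'From: ' . $email;
}

/** Hardened: only an address returned by filter_var() reaches a header, and only as Reply-To. */
function reply_to_header( string $email ): ?string {
    $valid = filter_var( $email, FILTER_VALIDATE_EMAIL );
    return $valid === false ? null : 'Reply-To: ' . $valid;
}

$inputs = [
    'alice@example.com',
    // Header injection: the regex matches the first line and ignores the rest, so
    // mail() would receive a second header that blind-copies every confirmation.
    "alice@example.com\r\nBcc: harvest@example.net",
    // Not an address, but it contains an address-shaped substring.
    'call me at a@b.cc instead',
    'no-at-sign.example.com',
];

foreach ( $inputs as $input ) {
    $r = check_email( $input );
    printf(
        "%-48s regex=%-5s filter_var=%-5s %s\n",
        json_encode( $input ),
        var_export( $r['regex'], true ),
        var_export( $r['filter_var'], true ),
        reply_to_header( $input ) ?? '(rejected)'
    );
    if ( $r['regex'] && $r['has_crlf'] ) {
        echo "  header lines mail() would receive from the original script:\n";
        foreach ( preg_split( '/\r?\n/', from_header_as_written( $input ) ) as $line ) {
            echo "    | $line\n";
        }
    }
}
```

Two further points about the original newsletter script. The isset($_GET['action']) check only stops a bare visit to contact.php; anyone can append ?action=1 to the URL. And because the submission is a GET request, any page that embeds that URL in an image tag will send a mail on the visitor's behalf. Accept the submission with POST, and let only a value returned by filter_var() reach a header, as reply_to_header() above does.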

Simple check of email address in Constant Contact

I can't find a damned bit of documentation for using the Constant Contact REST API to check if an email address is in a list or not.
The following seems to be completely useless:
include_once('cc_class.php');
$ccContactOBJ = new CC_Contact("basic", $cckey, $ccuser, $ccpass);
if(($_SERVER['REQUEST_METHOD']=="POST") && !empty($_REQUEST['member-submit'])) {
    $contact = $ccContactOBJ->getSubscribers(urlencode($_POST['MemberEmail']));
    if (empty($contact['items'])) {
        $message = 'You are not listed in our database.';
    }
    else {
        $message = 'You are already listed in our database';
    }
    echo $message;
}
Anyone have ANY idea how to return a true or false value?
