my website contact form being used to send spoof emails - php

My hosting provider has contacted me and said one of the sites I have designed is sending spoof emails. I've done a little bit of research but I still don't really understand how/what they are doing to send these spoof emails. However, more importantly, how should I approach this? Would it help if I try and put one of these 'captcha' things in place on the contact form, or should I change the code I have on my site, which is shown below:
<?php
$EmailFrom = Trim(stripslashes($_POST['EmailFrom']));
$EmailTo = "***";
$Subject = "Message to A R C Products";
$Name = Trim(stripslashes($_POST['Name']));
$Address = Trim(stripslashes($_POST['Address']));
$Telephone = Trim(stripslashes($_POST['Telephone']));
$Message = Trim(stripslashes($_POST['Message']));
// prepare email body text
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$Message = "
Name:$Name
Address: $Address
Telephone: $Telephone
$Message";
// send email
$success = mail($EmailTo, $Subject, $Message, $headers);
// redirect to success page
if ($success){
print "<meta http-equiv=\"refresh\" content=\"0;URL=ok.html\">";
}
else{
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.html\">";
}
?>
<h2><strong>Contact Us</strong></h2>
<form method="POST" action="contact.php">
<br/>
<p style="margin-top: 0;">Fields marked (*) are required</p>
<p style="margin-top: 0;">Your Email:* <br/>
<input type="text" name="EmailFrom">
<p style="margin-top: 0;">Name:* <br/>
<input type="text" name="Name">
<p style="margin-top: 0;">Address:<br/>
<input type="text" name="Address">
<p style="margin-top: 0;">Telephone:<br/>
<input type="text" name="Telephone">
<p style="margin-top: 0;">Message:*<br/>
<TEXTAREA NAME="Message" ROWS=6 COLS=40>
</TEXTAREA>
<p style="margin-top: 0;"><input type="submit" name="submit" value="Submit">
</form>

Take a look at filter_input to clean your input data. Also, I would not use the email from the form as a From address.
$EmailFrom = filter_input(INPUT_POST,'EmailFrom', FILTER_SANITIZE_EMAIL);
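As an added example (not code from the question or the answer above): the spoofing usually works because a handler copies the visitor's address straight into a header, as in `$headers = "From: $email\r\n"` in several of the scripts further down this page. A value containing a CR/LF then starts new header lines (extra Bcc: recipients, even a second body), and whoever scripts requests against the form has a relay that sends mail from your domain. A captcha limits automated submissions but does nothing about what an accepted submission can put into the headers; the fix is in the code. The script in this question never puts $EmailFrom into a header, but its body is visitor-controlled HTML and nothing is validated. The handler below keeps From: fixed to the site's own address, puts the visitor's address in Reply-To: only after validating it, refuses any header-breaking byte, keeps the subject fixed and sends plain text. The addresses, the size limits and the constructed requests at the end are this example's assumptions, not anything from the page.

```php
<?php
// Added example, not code from the original question or answer: a contact-form
// handler that cannot be turned into a mail relay through its headers.
// Addresses, limits and the constructed requests at the bottom are placeholders.

declare(strict_types=1);

/**
 * True if $value contains bytes that would end the current header line and
 * start a new one (CR, LF, NUL). Such a value is an attack, not a typo.
 */
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 1;
}

/**
 * Returns the visitor's address only if it is one syntactically valid address
 * without header-breaking bytes; otherwise null.
 */
function clean_reply_address(string $raw): ?string
{
    $raw = trim($raw);
    if (has_header_injection($raw) || strlen($raw) > 254) {
        return null;
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Headers for the notification. From: is always the site's own address (a domain
 * whose SPF/DKIM you control); the visitor's address goes in Reply-To:; the body
 * is plain text, so HTML pasted into the message cannot render as a phishing
 * page in the recipient's mailbox.
 */
function build_contact_headers(string $siteFrom, string $replyTo): string
{
    return "From: $siteFrom\r\n"
         . "Reply-To: $replyTo\r\n"
         . "MIME-Version: 1.0\r\n"
         . "Content-Type: text/plain; charset=utf-8\r\n";
}

/**
 * Validates one submission and returns the mail() arguments, or null if the
 * request must be refused. Keeping the send out of this function lets it be
 * exercised offline (see below).
 */
function prepare_contact_mail(array $post, string $siteFrom, string $to): ?array
{
    $replyTo = clean_reply_address((string) ($post['EmailFrom'] ?? ''));
    $name    = trim((string) ($post['Name'] ?? ''));
    $message = trim((string) ($post['Message'] ?? ''));

    if ($replyTo === null || $name === '' || $message === ''
        || has_header_injection($name) || strlen($name) > 100 || strlen($message) > 4000) {
        return null;
    }
    // The subject is a header too: keep it fixed rather than built from input.
    $subject = 'Message to A R C Products';
    $body    = "Name: $name\nEmail: $replyTo\n\n$message\n";

    return [$to, $subject, $body, build_contact_headers($siteFrom, $replyTo)];
}

// Constructed requests: a normal one, and the classic injection that adds Bcc
// recipients and a second body to a script that does $headers = "From: $email".
$requests = [
    ['EmailFrom' => 'visitor@example.org', 'Name' => 'Jane', 'Message' => 'Hello'],
    ['EmailFrom' => "visitor@example.org\r\nBcc: victim1@example.net, victim2@example.net\r\n\r\nBuy now!",
     'Name' => 'Jane', 'Message' => 'Hello'],
];
foreach ($requests as $i => $post) {
    $args = prepare_contact_mail($post, 'noreply@example.com', 'owner@example.com');
    if ($args === null) {
        echo "request $i refused (invalid address or header injection)\n";
        continue;
    }
    // Real handler: [$to, $subject, $body, $headers] = $args; mail($to, $subject, $body, $headers);
    echo "request $i accepted, would mail {$args[0]}\n";
}
```

Refusing a request outright when CR/LF shows up is deliberate: "sanitising" the bytes away quietly still delivers a message that was crafted by an attacker, and you lose the signal that the form is being probed. Note that Reply-To: is still a header built from visitor input, which is why the address is validated with FILTER_VALIDATE_EMAIL (which rejects whitespace and control characters) before it is used.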

Related

Contact Us form not Functioning HTML5/PHP Help needed

Good day,
Newbie here in PHP. I have been working on a website (free template) and got all the functions to work except the Contact Us part of the code. I don't get any errors; it just does not send any email to the listed email or send back a response to the sender.
Here is the HTML Side of the code:
<form id="contact-form" action="php/mail.php">
<div class="control-group">
<div class="controls">
<input class="span6" type="text" id="name" name="name" placeholder="* Your name..."/>
<div class="error center" id="err-name">Please enter your name.</div>
</div></div>
<div class="control-group">
<div class="controls">
<input class="span6" type="email" name="email" id="email" placeholder="* Your email..."/>
<div class="error center" id="err-email">Please enter a valid email address.</div></div></div>
<div class="control-group">
<div class="controls">
<textarea class="span6" name="comment" id="comment" placeholder="* Comments..."></textarea>
<div class="error center" id="err-comment">Please enter your comment.</div>
</div></div>
<div class="control-group">
<div class="controls">
<button id="send-mail" class="message-btn">Send message</button>
</div></div></form>
and this is the mail.php code used:
include 'functions.php';
if (!empty($_POST)) {
$data['success'] = true;
$_POST = multiDimensionalArrayMap('cleanEvilTags', $_POST);
$_POST = multiDimensionalArrayMap('cleanData', $_POST);
//your email address
$emailTo = "myemail@gmail.com";
//from email address
$emailFrom = "myemail@gmail.com";
//email subject
$emailSubject = "Mail from MyEmail";
$name = $_POST["name"];
$email = $_POST["email"];
$comment = $_POST["comment"];
if ($name == "")
$data['success'] = false;
if (!preg_match("/^[_\.0-9a-zA-Z-]+@([0-9a-zA-Z][0-9a-zA-Z-]+\.)+[a-zA-Z]{2,6}$/i", $email))
$data['success'] = false;
if ($comment == "")
$data['success'] = false;
if ($data['success'] == true) {
$message = "NAME: $name<br>
EMAIL: $email<br>
COMMENT: $comment";
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html; charset=utf-8" . "\r\n";
$headers .= "From: <$emailFrom>" . "\r\n";
mail($emailTo, $emailSubject, $message, $headers);
$data['success'] = true;
echo json_encode($data);
}
}
I am really stuck at this point and this is the only issue I have left hope someone can help point out what I am doing wrong.
Regards,
Rafael
In order for a form to send POST requests you need to specify it by adding the method attribute:
<form id="contact-form" action="php/mail.php" method="post">
Is your php mail script placed in the cgi directory? This is my mail script:
<?php $name = trim(strip_tags($_POST['name']));
$email = trim(strip_tags($_POST['email']));
$message = htmlentities($_POST['message']);
$subject = "Some subject";
$to = 'info@xxx.de';
$body = <<<HTML
$message
HTML;
$headers = "From: $email\r\n";
$headers .= "Content-type: text/html\r\n";
// send the email
mail($to, $subject, $body, $headers);
// redirect afterwords, if needed
header('Location: ../contact/thx.html');?>
And it is placed in the cgi directory.
After much research and help from CodeGoodie I think the blame lies with the Hosting. I had asked how I could check Server logs to detect the error and they just replied I need to upgrade to be able to use that feature (although it is supposed to be part of the feature already). Thanks for all the help guys. I did learn a lot :)

Unable to replace form with message on submission

I've created an HTML5 form, which incorporates reCAPTCHA, and I've also written a PHP script that sends an email when the form is submitted. At the moment, the script redirects the user to an error or thankyou page, but I'm trying to adjust it to dynamically replace the form within a message within the same page.
I've tried the following script, but it displays the message as soon as the page loads, before any user interaction.
PHP/HTML:
<?php
if ($_POST) {
// Load reCAPTCHA library
include_once ("autoload.php");
$name = Trim(stripslashes($_POST['name']));
$email = Trim(stripslashes($_POST['email']));
$message = Trim(stripslashes($_POST['message']));
$emailFrom = $email;
$emailTo = "my@email.com";
$subject = "Contact Request";
// Prepare email body text
$body = "<strong>Name:</strong> $name <br /> <strong>Email:</strong> $email <br /> <strong>Message:</strong> $message";
$headers .= 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= "From: $name <$emailFrom>" . "\r\n";
$secret = 'XXX';
$recaptcha = new \ReCaptcha\ReCaptcha($secret);
$resp = $recaptcha->verify($_POST['g-recaptcha-response'],$_SERVER['REMOTE_ADDR']);
echo 'Your message was submitted!';
} else {
?>
<div class="contact-form">
<form role="form" method="post" action="index.php">
<label for="name"><span>Name</span><input type="text" class="input-field" name="name" required data-errormessage-value-missing="Please enter your name." /></label>
<label for="email"><span>Email</span><input type="email" class="input-field" name="email" required data-errormessage-value-missing="Please enter your email address." /></label>
<label for="message"><span>Message</span><textarea name="message" class="textarea-field" required data-errormessage-value-missing="Please enter your message."></textarea></label>
<label><span> </span><div id="recaptcha"><div class="g-recaptcha" data-sitekey="6LcBawsTAAAAAKBPfGs1jApXNRLvR2MIPng0Fxol"></div></div></label>
<label><span> </span><input type="submit" value="" class="submit-button" /></label>
</form>
</div>
<?php
}
?>
I'm new to PHP, so I'm not sure if it's a syntax or semantics issue. Any help would be greatly appreciated!
Here's one way of doing it.
Check to see if the form has been submitted with if(isset($_POST['submit'])). You can also use if($_SERVER['REQUEST_METHOD'] == 'POST') to see if the form has been submitted.
Then we check if the email has been successfully sent, and if it has we set the $success_message variable.
We then check to see if the $success_message variable is set, and if it isn't, we show the form.
Also, note that I added name="submit" to the submit button element. This is how we're checking to see if the form has been submitted.
I also changed stripslashes() to strip_tags() to prevent any malicious code from getting through.
<?php
// Load reCAPTCHA library
include_once ("autoload.php");
// $lang is used by the reCAPTCHA <script> tag below, which is rendered before any
// submission, so it has to be set outside the isset() block
$lang = 'en';
if(isset($_POST['submit'])) {
$name = trim(strip_tags($_POST['name']));
$email = trim(strip_tags($_POST['email']));
$message = trim(strip_tags($_POST['message']));
$emailFrom = $email;
$emailTo = "my@email.com";
$subject = "Contact Request";
// Prepare email body text
$body = "<strong>Name:</strong> $name <br /> <strong>Email:</strong> $email <br /> <strong>Message:</strong> $message";
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= "From: $name <$emailFrom>" . "\r\n";
$secret = 'XXX';
$recaptcha = new \ReCaptcha\ReCaptcha($secret);
// the response field is absent if the widget was never completed; pass an empty
// string (which fails verification) rather than raising an undefined-index notice
$resp = $recaptcha->verify($_POST['g-recaptcha-response'] ?? '', $_SERVER['REMOTE_ADDR']);
// EDIT: repositioned recaptcha from OP's PasteBin script, as requested and adjusted messaging
// changed $success var to $message and added error message
// Original if statement, which redirected the user
if($resp->isSuccess()){
// send the email to the site owner ($emailTo); passing $emailFrom here would
// mail the address the visitor typed instead of the owner
if(mail($emailTo, $subject, $body, $headers)) {
// set the success message
$success_message = 'The form was sent! Yay!';
} else {
// error message
$error_message = 'Could not send email';
}
} else {
$error_message = 'Prove you are a human!';
}
}
?>
<div>
<!-- quick and dirty way to print messages -->
<?php if(isset($success_message)) { echo $success_message; } ?>
<?php if(isset($error_message)) { echo $error_message; } ?>
</div>
<?php if(!isset($success_message)): ?>
<div class="contact-form">
<form role="form" method="post" action="index.php">
<label for="name"><span>Name</span><input type="text" class="input-field" name="name" required data-errormessage-value-missing="Please enter your name." /></label>
<label for="email"><span>Email</span><input type="email" class="input-field" name="email" required data-errormessage-value-missing="Please enter your email address." /></label>
<label for="message"><span>Message</span><textarea name="message" class="textarea-field" required data-errormessage-value-missing="Please enter your message."></textarea></label>
<div class="g-recaptcha" data-sitekey="6LcBawsTAAAAAKBPfGs1jApXNRLvR2MIPng0Fxol"></div>
<script type="text/javascript"
src="https://www.google.com/recaptcha/api.js?hl=<?php echo $lang; ?>">
</script>
<label><span> </span><input type="submit" name="submit" value="" class="submit-button" /></label>
</form>
</div>
<?php endif; ?>

post to form to same page

Basically I am trying to rework a plugin, so what I need to do is post the form data on the Cart.php form on the same page. Below is the setup I have, but the $_POST info is not returning anything when the email is sent:
Cart.php
<form id='SimpleEcommCartCartForm' action="" method="post">
<div id="emailForm">
<p>Please fill out the form below and one of our associates will contact you with more information.</p>
<div class="col-xs-4">
Name: <input type="text" name="name" id="name">
</div>
<div class="col-xs-4">
E-mail: <input type="email" name="email" id="email">
</div>
<div class="col-xs-4">
Phone: <input type="tel" name="phone" id="phone">
</div>
</div>
</form>
<?php
//Send the email
$to = "test@gmail.com";
$name = $_POST['name'] ;
$from = $_POST['email'] ;
$phone = $_POST['phone'] ;
$headers = "MIME-Version: 1.0\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\n";
$headers .= "From: $from";
$subject = "Pump Part Inquiry";
$emailBody = "
<html>
<head>
<style>
</style>
</head>
<body>
<h1> Pump Inquiry</h1>
<h3>From:".$name."<h3>
<h3>Phone:".$phone."<h3>
<p>Minetuff Parts".$mine."</p>
<p>Flygt Parts".$flygt."</p>
</body>
</html>";
$send = mail($to, $subject, $emailBody, $headers);
?>
It sends the mail with nothing in it (or missing information) if you load it right away, and it's because of a specific reason.
As it stands, your code will send you an Email as soon as you load the page, so it's best to wrap your (PHP) code inside an isset() to work in conjunction with a (named) submit button, which seems to be missing in your originally posted question/code.
Plus, you have two undefined variables:
$mine and $flygt, so you'll need to define those to fit your needs.
I.e.: if(isset($_POST['submit'])) and <input type="submit" name="submit" value="Send">
Sidenote: It's best to check for empty fields, but that's another topic; see my footnotes.
Tested and working, and receiving all info and I've replaced your present mail function with if(mail($to, $subject, $emailBody, $headers)){...}
<form id='SimpleEcommCartCartForm' action="" method="post">
<div id="emailForm">
<p>Please fill out the form below and one of our associates will contact you with more information.</p>
<div class="col-xs-4">
Name: <input type="text" name="name" id="name">
</div>
<div class="col-xs-4">
E-mail: <input type="email" name="email" id="email">
</div>
<div class="col-xs-4">
Phone: <input type="tel" name="phone" id="phone">
<input type="submit" name="submit" value="Send">
</div>
</div>
</form>
<?php
//Send the email
if(isset($_POST['submit'])){
$to = "test@gmail.com";
$name = $_POST['name'] ;
$from = $_POST['email'] ;
$phone = $_POST['phone'] ;
$headers = "MIME-Version: 1.0\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\n";
$headers .= "From: $from";
$subject = "Pump Part Inquiry";
// $mine = " Mine variable"; // replace this
// $flygt = " Flygt variable"; // replace this
$emailBody = "
<html>
<head>
<style>
</style>
</head>
<body>
<h1> Pump Inquiry</h1>
<h3>From:".$name."</h3>
<h3>Phone:".$phone."</h3>
<p>Minetuff Parts".$mine."</p>
<p>Flygt Parts".$flygt."</p>
</body>
</html>";
// $send = mail($to, $subject, $emailBody, $headers);
if(mail($to, $subject, $emailBody, $headers)){
echo "Mail sent.";
}
else{
echo "Sorry, something went wrong.";
}
} // brace for if(isset($_POST['submit']))
?>
If you're still having problems:
Add error reporting to the top of your file(s) right after your opening <?php tag, which will help during production testing.
error_reporting(E_ALL);
ini_set('display_errors', 1);
Footnotes:
You are open to XSS attacks (Cross-site scripting).
Use the following (PHP) filter function: FILTER_SANITIZE_FULL_SPECIAL_CHARS
$name = filter_var($_POST['name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding quotes can be disabled by setting.
To check for empty fields, you can add this below if(isset($_POST['submit'])){
if(empty($_POST['name']) || empty($_POST['email']) || empty($_POST['phone'])){
echo "Fill out all the fields";
exit;
}
|| means "OR", which could very well be replaced by OR if you want, however || has precedence over OR.
This is a very basic method; there are other ways of accomplishing this, but you get the gist of it.
The issue here is that the mail is sent before the submit, since you didn't test for the existence of $_POST variables; try something like this:
<form id='SimpleEcommCartCartForm' action="" method="post">
<input type="hidden" name="action" value="mailing"/>
<div id="emailForm">
<p>Please fill out the form below and one of our associates will contact you with more information.</p>
<div class="col-xs-4">
Name: <input type="text" name="name" id="name">
</div>
<div class="col-xs-4">
E-mail: <input type="email" name="email" id="email">
</div>
<div class="col-xs-4">
Phone: <input type="tel" name="phone" id="phone">
</div>
<input name="submit" type="submit"/>
</div>
</form>
<?php
// the hidden field is named "action" and carries the value "mailing", so that is
// what must be tested; $_POST['mailing'] would never be set
if(isset($_POST['action']) && $_POST['action'] === 'mailing'){
// Send the email
$to = "test@gmail.com";
$name = $_POST['name'] ;
$from = $_POST['email'] ;
$phone = $_POST['phone'] ;
$headers = "MIME-Version: 1.0\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\n";
$headers .= "From: $from";
$subject = "Pump Part Inquiry";
// $mine and $flygt must be defined before this point
$emailBody = "
<html>
<head>
<style>
</style>
</head>
<body>
<h1> Pump Inquiry</h1>
<h3>From:".$name."</h3>
<h3>Phone:".$phone."</h3>
<p>Minetuff Parts".$mine."</p>
<p>Flygt Parts".$flygt."</p>
</body>
</html>";
$send = mail($to, $subject, $emailBody, $headers);
}
?>
Once the email is sent, you haven't told PHP to output anything to the page.
You could add something like echo 'Mail sent'; to the end of the PHP so if the script is being executed correctly then you'll know about it.
If the problem lies within the email not being sent at all, this may be a problem with your server and you should look for a tutorial on how to set up mail correctly. If you're using shared hosting, there are some companies that do not allow the use of the PHP mail() function so I would check with them first.
Alongside this, I would recommend that you use something like PHPMailer, a full email library for PHP. Then you could configure your emails to be sent from anywhere that supports SMTP (not sure if others are supported, but there most likely are). PHPMailer will work with shared hosting.
Updated - Code that you can try
Try this out in replacement of $emailBody:
$emailBody = <<<EOT
<html>
<head>
<style type="text/css">
</style>
</head>
<body>
<h1>Pump Inquiry</h1>
<h3>From: $name</h3>
<h3>Phone: $phone</h3>
<p>Minetuff Parts $mine</p>
<p>Flygt Parts $flygt</p>
</body>
</html>
EOT;
NB: Some email clients only allow the use of inline CSS, so if you did decide to add anything to your <style> tag in the <head>, don't expect it to work very well or at all in some cases.
As someone has mentioned before, you'll also need to protect against cross-site scripting.

HTML form to PHP script not sending mail

I'm using a template to create my website and it came with a contact page and form all set out, but it did not have a PHP contact script, so I wrote that up and set it as the action on the HTML form, and it still won't send anything to my email... which I have set up through Gmail (I changed the domain's mail exchange DNS to the Gmail settings).
in the html contact form i have the following code:
<div id="contact_form"><form method="post" name="contact" action="contact-form-handler.php">
<label for="name">Name:</label> <input type="text" id="name" name="name" class="required input_field" /><div class="cleaner h10"></div>
<label for="email">Email:</label> <input type="text" id="email" name="email" class="validate-email required input_field" /><div class="cleaner h10"></div>
<label for="subject">Subject:</label> <input type="text" name="subject" id="subject" class="input_field" /><div class="cleaner h10"></div>
<label for="text">Message:</label> <textarea id="text" name="text" rows="0" cols="0" class="required"></textarea><div class="cleaner h10"></div>
<input type="submit" value="Send" id="submit" name="submit" class="submit_btn float_l" />
<input type="reset" value="Reset" id="reset" name="reset" class="submit_btn float_r" />
</form>
and the contact-form-handler.php contains this code bellow to process the html form:
<?php
$to = 'info@jamesreborne.co.uk';
$to .= 'damgxx@gmail.com';
// Assigning data from the $_POST array to variables
$name = $_post['sender_name'];
$email = $_post['sender_email'];
$subject = $_post['sender_subject'];
$text = $_post['sender_text'];
// Construct email subject
$content = 'www.jamesreborne.co.uk Message from visitor ' . $name;
// Construct email body
$body_message = 'From: ' . $name . "\r\n";
$body_message .= 'E-mail: ' . $email. "\r\n";
$body_message .= 'Subject: ' . $subject . "\r\n";
$body_message .= 'Message: ' . $text;
// Construct email headers
$headers = 'From: ' . $email . "\r\n";
$headers .= 'Reply-To: ' . $email . "\r\n";
mail($to, $content, $body_message, $headers);
$mail_sent = mail($to, $content, $body_message, $headers);
if ($mail_sent == true){ ?>
<script language="javascript" type="text/javascript">
alert('Thank you for the message. We will contact you shortly.');
window.location = 'contact.html';
</script>
<?php }
else { ?>
<script language="javascript" type="text/javascript">
alert('Message not sent. Please, notify the site administrator info@jamesreborne.co.uk');
window.location = 'contact.html';
</script>
<?php
}
?>
if anyone can help that would be great, thanks
$subject = $_POST['subject'];
$text = $_POST['text'];
Also there is no form field for name and email. Add that.
There is also an error in the part where you set the recipients' emails: they are not separated, so the $to variable is info@jamesreborne.co.ukdamgxx@gmail.com. It should be more like this:
<?php
$to = 'info@jamesreborne.co.uk';
$to .= ', damgxx@gmail.com';
First, your $to string adds the two emails in the wrong way;
it should be:
$to = 'info@jamesreborne.co.uk, ';
$to .= 'damgxx@gmail.com';
Even if you correct that, you won't get the subject and message values. AFAIK $_POST is case sensitive (please correct me if wrong), so you will have to make it $_POST, not $_post.
Then the names of the inputs in the HTML form and in the PHP code are not matching. They should be:
$name = $_POST['name'];
$email = $_POST['email'];
$subject = $_POST['subject'];
$text = $_POST['text'];
If an input field in the form is subject, then
$subject = $_POST['subject'];
NOT
$subject = $_POST['sender_subject'];
EDIT:
If you are still not getting email, then your server might not have mail server installed.
Install postfix and try.

Form for sending mail not sending

I have a "tell a friend" pop up email form that allows users to share my page with an email address that they enter. It pops up fine, but I can't get the form to send the email.
html:
<div id="tellfriend">
Close
<form id='tellafriend_form' method="post" action="#sendMessage" name="tellafriend_form">
<label for="name">Your Name:</label>
<input type="text" id="name" name="name" />
<label for="to">Friend's email:</label>
<input type="text" id="to" name="to" />
<label for="subject">Subject:</label>
<input type="text" id="subject" name="subject" />
<label for="message">Message:</label>
<textarea id="message" name="message"></textarea>
<input type="submit" name="submit" value="Submit">
</form>
</div><!-- #tellfriend -->
javascript that handles the "pop up":
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js" type="text/javascript"></script>
<script>
$(function() {
$('#tellfriend').hide();
$('#sendMessage').click(function(e) {
$("#tellfriend").fadeToggle('fast');
});
});
</script>
php that's supposed to send the mail:
<?
if (isset($_POST['Submit'])) {
// This will check to see if the form has been submitted
$senders_name = $_POST['name'];
// The person who is submitting the form
$recipient_friend = $_POST['to'];
// The forms recipient
$subject = $_POST['subject'];
// The subject line
$message = $_POST['message'];
// The message being sent
mail($recipient_friend, "From $senders_name", $subject, $message);
if (isset($_POST['your_email'])) {
echo "<br>Your friend has been contacted <br><br>Thank you $senders_name";
}}
?>
Disclaimer: PHP newbie, hoping to learn. Thanks!
The order of your parameters in the mail function is not correct; see this
it should be
mail($recipient_friend, $subject, $message);
if you want to use headers then do this
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'To: '.$recipient_friend.' <'.$recipient_friend.'>' . "\r\n";
// $sender and $senderEM are the sender's display name and address; neither is
// defined in the question's script, whose form only collects a name
$headers .= 'From: '.$sender.' <'.$senderEM.'>' . "\r\n";
Then call mail like this
mail($recipient_friend, $subject, $message, $headers);
You have one error in your PHP code:
if (isset($_POST['Submit'])) {
should be:
if (isset($_POST['submit'])) {
with a lowercase "s".
Indeed, the name of your submit button is "submit" but the value is "Submit".
You could eventually do that:
if (isset($_POST['submit']) && $_POST['submit'] == 'Submit') {
And your mail parameters are not correct like boug said.
You have 2 errors
first:
if (isset($_POST['submit']))
// $_POST is case sensitive
second:
if (isset($_POST['your_email']))
// you don't have an input named 'your_email'
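As an added example (not code from the question or any of the answers above): a "tell a friend" form is the one kind of mail form where the visitor chooses the recipient, which is exactly what a spammer wants once the script starts working, and it ties back to the spoofing problem at the top of this page. The handler below uses the question's field names (name, to, message), accepts exactly one validated recipient, refuses header-breaking bytes in anything that reaches a header, ignores the form's free-text subject field (a subject is a header, and a visitor-written one is the spammer's payload), sends From: the site's own address, and returns mail()'s arguments in the order mail() actually takes them. The site address, the shared page URL, the size limits and the constructed requests are assumptions of this example; per-IP throttling, which such a form also needs, is not shown.

```php
<?php
// Added example, not code from the question or the answers: a "tell a friend"
// handler that takes the recipient from the form without becoming an open relay.
// Field names follow the question's form; the site address, page URL, limits
// and the constructed requests at the bottom are placeholders.

declare(strict_types=1);

/** True unless $value contains bytes that would end a header line (CR, LF, NUL). */
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

/**
 * Accepts exactly one syntactically valid address. A comma, a second "@" or a
 * header-breaking byte is refused, so the form cannot be pointed at a list.
 */
function single_recipient(string $raw): ?string
{
    $raw = trim($raw);
    if (!is_header_safe($raw) || strpos($raw, ',') !== false || substr_count($raw, '@') !== 1) {
        return null;
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Validates one submission and returns mail()'s arguments in the order mail()
 * takes them (to, subject, message, headers), or null if the request is refused.
 * The form's free-text "subject" field is deliberately not used.
 */
function prepare_tell_a_friend(array $post, string $siteFrom, string $pageUrl): ?array
{
    $to      = single_recipient((string) ($post['to'] ?? ''));
    $name    = trim((string) ($post['name'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));

    if ($to === null || $name === '' || !is_header_safe($name)
        || strlen($name) > 80 || strlen($message) > 2000) {
        return null;
    }
    // RFC 2047 encoding keeps the visitor's name inside one header token even
    // if it contains characters the transport would otherwise mangle.
    $subject = '=?UTF-8?B?' . base64_encode("$name thinks you would like this page") . '?=';

    // From: is the site's own address. The form never collected the sender's
    // address, so no Reply-To: is set rather than trusting a typed one.
    $headers = "From: $siteFrom\r\n"
             . "MIME-Version: 1.0\r\n"
             . "Content-Type: text/plain; charset=utf-8\r\n";

    // Plain text, with the visitor's note quoted line by line so the mail always
    // reads as "someone shared a link", never as a message from the site itself.
    $body = "$name wanted to share this page with you:\n$pageUrl\n\n"
          . "Their note:\n" . preg_replace('/^/m', '> ', $message) . "\n";

    return [$to, $subject, $body, $headers];
}

// Constructed requests: one genuine share and two relay attempts.
$requests = [
    ['name' => 'Sam', 'to' => 'friend@example.net', 'message' => 'Have a look at this'],
    ['name' => 'Sam', 'to' => 'a@example.net, b@example.net, c@example.net', 'message' => 'spam'],
    ['name' => "Sam\r\nBcc: victim@example.net", 'to' => 'friend@example.net', 'message' => 'spam'],
];
foreach ($requests as $i => $post) {
    $args = prepare_tell_a_friend($post, 'noreply@example.com', 'https://example.com/page');
    if ($args === null) {
        echo "request $i refused\n";
        continue;
    }
    // Real handler: [$to, $subject, $body, $headers] = $args; mail($to, $subject, $body, $headers);
    echo "request $i would send to {$args[0]}\n";
}
```

The page URL is fixed server-side for the same reason the subject is: if the visitor could supply the link, the form would be a free service for sending phishing links from your domain to anyone they name.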
