I have a strange problem with my PHP contact form, every 15 minutes or so I get a blank email and receive them though the day?! When I fill out the form I get the details sent to me at once and all of the fields are filled out fine.
I use PHP for the form and the jQuery validate for the validation, the form works and so does the validation but since I am not strong with PHP maybe it's the process that's not right?
form.php - from: https://1stwebdesigner.com/php-contact-form-html/
<?php
$name = $_POST['name'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$call = $_POST['call'];
$website = $_POST['website'];
$priority = $_POST['priority'];
$type = $_POST['type'];
$message = $_POST['message'];
$formcontent=" From: $name \n Phone: $phone \n Call Back: $call \n Website: $website \n Priority: $priority \n Type: $type \n Message: $message";
$recipient = "youremail#here.com";
$subject = "Contact Form";
$mailheader = "From: $email \r\n";
mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
echo "Thank You!";
?>
I had to take the form down as I receive so many mails a day. The $recipient was set to my email but left it as a dummy address for this post.
As per your code snippet. It's nothing to do with 15 mins blank email issue. Your form might been targeted with some bot or malicious script. However, it's really simple form. There are several standard practices for forms but for starters, you may be looking into following links to get the whole idea.
https://www.w3schools.com/php/php_form_complete.asp
https://www.w3schools.com/php/showphp.asp?filename=demo_form_validation_complete
When you are done with this reading, you should be looking into javascript Form Validation and Capcha integration. Once you are comfortable with Javascipt Validation, you migh jump to Jquery Validation or jQuery Validation plugins.
Above links are not really end of the world but you shall at least get the idea for basic form submission process.
Hope this helps.
Related
I have a questionnaire with tons of input fields. So far I started a PHP script to send it to my email which goes as follows.
<?php
$First_Name= $_POST['First_Name'];
$Last_Name= $_POST['Last_Name'];
$E_Mail= $_POST['E_Mail'];
$FB_Name= $_POST['FB_Name'];
$Twitter_Name= $_POST['Twitter_Name'];
$Country= $_POST['Country'];
$State_Province= $_POST['State_Province'];
$City= $_POST['City'];
$Phone_01= $_POST['Phone_01'];
$Phone_02= $_POST['Phone_02'];
$Phone_03= $_POST['Phone_03'];
$How_did_you_hear_about_my_Company= $_POST['How_did_you_hear_about_my_Company'];
$Operating_your_Business= $_POST['Operating_your_Business'];
$Name_for_your_Business= $_POST['Name_for_your_Business'];
$Whats_the_name_of_your_Business= $_POST['Whats_the_name_of_your_Business'];
$What_type_of_Business= $_POST['What_type_of_Business'];
$Type_of_Business_you_run= $_POST['Type_of_Business_you_run'];
$How_long_you_been_building= $_POST['How_long_you_been_building'];
$How_long_you_been_in_business= $_POST['How_long_you_been_in_business'];
$What_do_you_plan_to_offer= $_POST['What_do_you_plan_to_offer'];
$What_do_you_offer= $_POST['What_do_you_offer'];
$List_all_products_you_offer['List_all_products_you_offer'];
$from = 'From: Your_New_Client';
$to = 'Optiqvision#gmail.com';
$subject = 'A New Questionnaire';
$body = "Name: $First_Name $Last_Name
\n E-Mail: $E_Mail
\n FB Name: $FB_Name
\n Twitter Name: $Twitter_Name
\n Country: $Country
\n State/Province: $State_Province
\n City: $City
\n Phone Number: $Phone_01 $Phone_02 $Phone_03
\n How did you hear about my Company?:\n\n $How_did_you_hear_about_my_Company
\n Where are you in terms of opperating your Business?: $Operating_your_Business
\n Have you come up with a name for your Business?: $Name_for_your_Business
\n What's the name of your Business?: $Whats_the_name_of_your_Business
\n What type of Business will you be running?: $What_type_of_Business
\n What type of Business do you run?: $Type_of_Business_you_run
\n How long have you been Building your Business?: $How_long_you_been_building
\n How long have you been in Business?: $How_long_you_been_in_business
\n What do you plan to offer?: $What_do_you_plan_to_offer
\n What do you offer?: $What_do_you_offer
\n List of products: $List_all_products_you_offer
";
?>
<?php
if ($_POST['submit']) {
if (mail ($to, $subject, $body, $from)) {
echo '<p>Your message has been sent!</p>';
} else {
echo '<p>Something went wrong, go back and try again!</p>';
}
}
?>
This works properly, but I want to know how I can tell the PHP to automatically collect all the data without me having to go one by one with each element (there's a lot more than what's represented above).
I came across a script that does this for storing to an SQL database, but not one for email. I tried using the one for SQL but was running into issues because of how many columns it creates.
Aside from this I have another task to tackle with allowing users to add fields which will vary from user to user, so I need the $POST method to be flexible so it can send the results. With the way I have it coded so far, there's no way for extra fields to be posted when the user adds them.
I searched through the site and so far this is the only thing I've come across that relates to this issue, but don't really understand what's being said. PHP: Possible to automatically get all POSTed data?
If that is indeed the answer to what I'm trying to do could someone please break it down a little more and tell me how it works?
You can try like this:
$body="";
foreach ($_POST as $key => $value) {
$body.= str_replace("_"," ",$key).": ". $value."\n";
}
provided that $key holds the descriptive information which you need with words separated by underscore (_) as in your question is.
I have a simple form with a simple mail function:
$name = $_REQUEST['name'] ;
$email = $_REQUEST['email'] ;
$company = $_REQUEST['company'] ;
$phone = $_REQUEST['phone'] ;
$message= $_REQUEST['message'] ;
mail( "$webmaster_email", "Website Form", "From: noreply#mysite.com",
"From: $email \n
Name: $name \n
Phone: $phone\n
Message: $message\n ");
header( "Location: $thankyou_page" );
However, when I test I only rarely receive mail from it and it seems to get stuck - ie: it does not redirect to the thankyou page.
I have placed echos for testing and everything works right up to the mail() function.
I have checked with my hosting provider and there is no mail queue and PHP Apache is working as normal. Obviously, I have also checked my spam folders as well.
Would anyone know why this would only be working some of the time?
You have mixed up the 3rd and 4th parameter of the mail() function. The third parameter should contain the message and the fourth the additional headers. As you are sending the message and all (user provided...) variables in the 4th parameter, that is likely to lead to the problems you are having.
You should be able to change it swapping the parameters:
mail($webmaster_email, "Website Form",
"From: $email \n
Name: $name \n
Phone: $phone\n
Message: $message\n ",
"From: noreply#mysite.com");
You should also add error handling; the mail() function returns true or false depending on successful acceptance for delivery so you could simply log the times it returns false to troubleshoot.
I want to use a php script to send emails from a html file on a website.
Would this php script be secure enough against hacking and spam?
<?php
$to = "emailto#site.com";
$subject = "Sent from site";
$email = $_POST['emailFrom'];
$message = $_POST['message'];
$email = filter_var($email , FILTER_SANITIZE_EMAIL);
$message = filter_var($message , FILTER_SANITIZE_EMAIL);
$message = $email . $message;
mail($to, $subject, $message, "From: webpage#site.com");
?>
FILTER_SANITIZE_EMAIL removes illegal email address characters from a string; this is, therefore not the best option for the contents of an email (however useful it may be for email addresses). Whilst removing HTML special characters is useful when preventing XSS attacks, it is worth noting that there are legitimate reasons to post < and > in messages (i.e. right now). Therefore it is better to convert these characters to their html entities.
I.e.
< would become <
and > would become >
So in order to change html characters to their entities replace:
$message = filter_var($message , FILTER_SANITIZE_EMAIL); with
$message = htmlspecialchars($message);
Other than that it looks good; but remember, in cases where a database is involved database sanitisation should also be added.
I have a problem when sending a form via email using the PHP Mail function. This is the code that I'm using:
$name = $_POST['name'];
$last_name = $_POST['last_name'];
$company = $_POST['company'];
$email = $_POST['email'];
$country = $_POST['country'];
$phone = $_POST['phone'];
$message = $_POST['message']); //This comes from the form
$formcontent="Name: $name $last_name <br> Company: $company <br> Email: $email <br> Country: $country <br> Telephone: $phone <br><br> Message: $message";
$mailheader = 'MIME-Version: 1.0' . "\r\n";
$mailheader .= 'Content-type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable' . "\r\n";
$mailheader .= 'From: ' . $email . "\r\n";
mail("my#email.com", "subject", $formcontent, $mailheader) or die("Error!");
This is a form that will be sending spanish and special characters, like ñ, accents, ç, etc...
The problem is that, if I use it like this, it works fine in Firefox 3.6.3, but when using the form in Internet Explorer 8, the special characters that sends are all messed up (like ç instead of a ç). However, if I add utf8_encode to the variables in the $formcontent, then it works in IE, but it stops working in Firefox, showing stuff like η instead of ç.
What can I do to make it work regardless of the browser? Any help would be much appreciated!
EDIT:
I've noticed that, if I echo the $formcontent variable before sending it with mail, if I'm using Firefox, the special characters are already messed-up. How can I avoid the browsers interfering with what's being sent? Please I'm totally clueless right now!!! I don't know what to change to have something working. Even if it's a dumbed down version, is there any alternative to have PHP Mail working with special characters in both browsers?
Basically you need to make sure that every charset on your page is the same. Make sure the page has a utf-8 charset aswel. Since you're sending it in utf8 the input must come from utf8 aswell.
Could you perhaps show us the code of the page (or a live demo) where the mail is being made?
I have a simple PHP mailer script that takes values from a form submitted via POST and mails them to me:
<?php
$to = "me#example.com";
$name = $_POST['name'];
$message = $_POST['message'];
$email = $_POST['email'];
$body = "Person $name submitted a message: $message";
$subject = "A message has been submitted";
$headers = 'From: ' . $email;
mail($to, $subject, $body, $headers);
header("Location: http://example.com/thanks");
?>
How can I sanitize the input?
Sanitize the post variable with filter_var().
Example here. Like:
echo filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
Since you're not building an SQL query or anything here, the only relevant validation that I can see for those inputs is an email validation for $_POST["email"], and maybe an alphanumeric filter on the other fields if you really want to limit the scope of what the message can contain.
To filter the email address, simply use filter_var:
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
As per Frank Farmer's suggestion, you can also filter out newlines in the email subject:
$subject = str_replace(array("\r","\n"),array(" "," "),$subject);
As others have noted, filter_var is great. If it's not available, add this to your toolchest.
The $headers variable is particularly bad security-wise. It can be appended to and cause spoofed headers to be added. This post called Email Injection discusses it pretty well.
filter_var is great, but another way to assure that something is an email address and not something bad is to use an isMail() function. Here's one:
function isEmail($email) {
return preg_match('|^[_a-z0-9-]+(\.[_a-z0-9-]+)*#[a-z0-9-]+(\.[a-z0-9-]{2,})+$|i', $email);
};
So to use this, you could do:
if (isset($_POST['email']) && isEmail($_POST['email'])) {
$email = $_POST['email'] ;
} else {
// you could halt execution here, set $email to a default email address
// display an error, redirect, or some combination here,
}
In terms of manual validation, limiting the length using substr(), running strip_tags() and otherwise limiting what can be put in.
You need to remove any newlines from input provided by users in $headers, which gets passed to mail() ($email in your case)! See Email injection.
PHP should take care of sanitizing $to and $subject, but there are versions of PHP with bugs (Affected are PHP 4 <= 4.4.6 and PHP 5 <= 5.2.1, see MOPB-34-2007).
You can use the code from artlung's answer above to validate email..
I use this kind of code to prevent header injection ..
// define some mail() header's parts and commonly used spam code to filter using preg_match
$match = "/(from\:|to\:|bcc\:|cc\:|content\-type\:|mime\-version\:|subject\:|x\-mailer\:|reply\-to\:|\%0a|\%0b)/i";
// check if any field's value containing the one or more of the code above
if (preg_match($match, $name) || preg_match( $match, $message) || preg_match( $match, $email)) {
// I use ajax, so I call the string below and send it to js file to check whether the email is failed to send or not
echo "failed";
// If you are not using ajax, then you can redirect it with php header function i.e: header("Location: http://example.com/anypage/");
// stop the script before it reach or executing the mail function
die();
}
The mail()'s header filtering above is too strict, since some users may be using the filtered strings in their message without any intention to hijack your email form, so redirect it to a page that is explaining what kind of strings that is not allowed in the form or explain it on your form page.