How to post a collected value to a new page - php

I am still learning PHP and am now completely stuck - any help would be so much appreciated! Scenario: HTML form for user to complete, among other things, they have to select with a radio button how many tickets they want to buy. My PHP file compiles all the values into an email and sends it off - that part works perfectly - and then redirects the browser to my "thank you for completing the form" page. I would now like to display a value collected in the form on this thank you page: the amount of tickets the user selected with the radio button. How do I call the 'tickets' value to the thank you page?
Thank you ever so much!
Here is the HTML form:
http://menusolutions.co.za/maidens2014_booking_form.html
Here is my "sendmail3.php" file that sends my mail:
<?php
// The question omits the opening lines of the file; the guard below is assumed
// so that the closing brace from the original has something to match.
if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) {
    $webmaster_email = "carin@menusolutions.co.za";
    $feedback_page = "maidens2014.html";
    $error_page = "maidens_error_message.html";
    $thankyou_page = "maidens_thank_you.php";
    $name = $_POST['name'];
    $telephone = $_POST['telephone'];
    $cell = $_POST['cell'];
    $email_address = $_POST['email_address'];
    $address = $_POST['address'];
    $tickets = $_POST['tickets'];
    // "Email: email_address" in the original was missing the $, so the address was never interpolated
    $mail_body = "Name: $name \n Telephone: $telephone \n Cell: $cell \n Email: $email_address \n Address: $address \n Tickets: $tickets";
    mail( $webmaster_email, "Maidens Bowled Over 2014",
        $mail_body, "From: $email_address" );
    header( "Location: $thankyou_page" );
    exit; // stop the script once the redirect header is sent
}
?>
And here is my thank you page, upon which I need to display the 'tickets' value so that people can be reminded how many tickets they bought and the amount they need to pay:
http://menusolutions.co.za/maidens_thank_you.php
Your help will be greatly appreciated! Thank you!

You can send the ticket value inside the URL or using a session.
header( "Location: " . $thankyou_page . '?tickets=' . urlencode( $tickets ) );
and on the thank you page add the code below (the parameter name must match the one in the redirect):
$tickets = $_GET['tickets'];
echo htmlspecialchars( $tickets ) . ' tickets.';

The easiest way would be to redirect to the "thank you" page and add the ticket value as a GET parameter:
maidens_thank_you.php?tickets=$tickets

You could use a GET parameter for this. For example,
header('Location: ' . $thankyou_page . '?tickets=' . $tickets);
And then in your thank you page (which I assume is a PHP script), you could retrieve that value using:
$tickets = $_GET['tickets'];
echo 'Thank you! You bought ' . htmlspecialchars( $tickets ) . ' tickets.';

You can set a session or pass the values in the URL by making your $thankyou page something like
$thankyoupage .= "?numberoftickets=" . $numberoftickets;
header('Location: ' . $thankyoupage);
and get the value back with
$_GET['numberoftickets']
in your actual thank-you page.
Only use the session method if you need the variable in other pages than the thank-you page too; sessions make this value available in your whole application.
More information about sessions can be found here: http://www.w3schools.com/php/php_sessions.asp

You can use sessions to accomplish that.
Another option is redirecting and using a GET value.
On your sendmail.php page you can use header() to redirect the user:
header('Location: thanks_page.php?ticketValue=' . $ticketValue);
Be careful: header() must be called before any actual output is sent (see the docs).
And then get it back in your thanks_page in $_GET['ticketValue'], and do not forget to escape the value with htmlspecialchars or an equivalent for security!

Never use a variable in double quotes (""); it will be a string, so use it directly. You need to learn more PHP.
For mail tutorials: http://php.net/manual/en/function.mail.php
mail( $webmaster_email, "Maidens Bowled Over 2014",
$mail_body, 'From: ' . $email_address );
header( "Location: " . $thankyou_page );
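Putting the answers above together, here is an added example (not code from the question or from any of the answers) showing the GET-parameter approach with the value validated on both sides and escaped before it is echoed. The ticket price, the 1..10 radio-button range and the page names are assumptions for the demonstration; the `validTickets`, `thankYouUrl` and `renderThankYou` helpers are mine, not PHP built-ins.

```php
<?php
// Added example for this thread (not the questioner's sendmail3.php or any answer's code).
// The ticket price and the 1..10 radio-button range are constructed assumptions.
declare(strict_types=1);

const TICKET_PRICE = 150.00;  // assumed price per ticket, in rand
const MAX_TICKETS  = 10;      // assumed highest radio-button value on the form

/** Validate the tickets value once; returns null for anything that is not 1..MAX_TICKETS. */
function validTickets($raw): ?int
{
    $tickets = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => MAX_TICKETS]]);
    return $tickets === false ? null : $tickets;
}

/** sendmail3.php side: build the redirect URL with the value URL-encoded. */
function thankYouUrl(string $thankYouPage, int $tickets): string
{
    // http_build_query() encodes the value, so nothing odd can be smuggled into the Location header.
    return $thankYouPage . '?' . http_build_query(['tickets' => $tickets]);
}

/** maidens_thank_you.php side: read the value back from $_GET and render it. */
function renderThankYou(array $get): string
{
    $tickets = validTickets($get['tickets'] ?? null);
    if ($tickets === null) {
        // Anyone can type ?tickets=anything into the address bar, so fall back to a generic message.
        return '<p>Thank you for your booking.</p>';
    }
    $amount = number_format($tickets * TICKET_PRICE, 2);
    // htmlspecialchars() on everything echoed from the query string prevents HTML injection.
    return sprintf('<p>Thank you! You booked %s ticket(s). Amount due: R%s.</p>',
        htmlspecialchars((string) $tickets, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($amount, ENT_QUOTES, 'UTF-8'));
}

// Usage in sendmail3.php, after mail() has been called:
//   $tickets = validTickets($_POST['tickets'] ?? null);
//   if ($tickets === null) { header('Location: maidens_error_message.html'); exit; }
//   header('Location: ' . thankYouUrl('maidens_thank_you.php', $tickets));
//   exit;   // always stop after a redirect so no further code runs for this request
//
// Session alternative (value never appears in the URL; call session_start() on both pages):
//   $_SESSION['tickets'] = $tickets;                          in sendmail3.php
//   $tickets = validTickets($_SESSION['tickets'] ?? null);    in maidens_thank_you.php

// Offline demonstration with constructed query strings:
echo thankYouUrl('maidens_thank_you.php', 3), "\n";        // the redirect target for 3 tickets
echo renderThankYou(['tickets' => '3']), "\n";              // a valid value is rendered with its amount
echo renderThankYou(['tickets' => '<script>']), "\n";       // not an integer: generic message, nothing reflected
echo renderThankYou(['tickets' => '999']), "\n";            // out of range: generic message
```

The validation is done on the thank-you page as well as before the redirect because the query string is under the visitor's control: the redirect only makes the normal path work, it does not stop someone from editing the URL afterwards.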

Related

Current page url in subject line via mailto?

How to populate current page title (or current url) to the subject line via mailto?
Been using the code below as a starting point, obviously modifying the "Page Title Here" bit, but can't find a solution:
<?php echo "<a href='mailto:test@test.com" . $to . "?subject=Page Title Here" . $subject . "'>Send an email</a>";?>
Set page title to php var as
$title = 'Example';
and use it for
<title><?=$title;?></title>
and mail
<?php echo "<a href='mailto:test@test.com" . $to . "?subject=" . $title . $subject . "'>Send an email</a>";?>
This is not generically possible with PHP. PHP has no knowledge of what the page title is, or your HTML structure at all.
You will have to go to your code where you set the page title, and use that same variable in your e-mail. If this PHP code is handling a post from some page or something, you need that page title posted with your form data (which you can get with JavaScript document.title).

$_SERVER['HTTP_REFERER']

I am making a report problem link on my website and I want it to email me the last address they were on before clicking on the report link. I know/think you use $_SERVER['HTTP_REFERER'] but I don't know how to put that in the mail code. So how would you write that? Here is my mail code without it.
mail("email@email.com", "Subject", "Message");
echo "Report Sent";
The message should be a variable that you can put information in:
$message = "Error report: <p>Last site visited: {$_SERVER['HTTP_REFERER']}</p>....";
mail("email@email.com", "Subject", $message);
Note that the HTTP_REFERER bit is placed within {} in the string. That's to force it to extrapolate the value (I don't like string concatenation).
Also note that, as has been said above, there's no guarantee that the REFERER will have the right value, or any value at all.
Besides everything that has been said about HTTP referers that can be sniffed, anonymizing proxies and so on, relying on HTTP_REFERER is not a good programming standard.
Instead, if you have, for example:
http://www.example.com/application/client.php
Where users can click on
http://www.example.com/application/report_problem.php
Just pass the "...client.php" string to the "...report_problem.php" report problem handler you will create.
It's easy to pass the "originating" page link to the "report_problem", and can be done like this:
<?php
// pages where you will append the "problem link"
// $this_page holds an "url encoded" version of the request uri ( e.g. /application/client.php )
$this_page = rawurlencode ( $_SERVER["REQUEST_URI"] );
?>
<a href="report_problem.php?originating_page=<?php echo $this_page; ?>">Report problem</a>
Then, in the "report_problem.php" code:
<?php
// report_problem.php
// (PHP has already URL-decoded $_GET, so rawurldecode() only matters if the value was encoded twice)
$originating_page = ( array_key_exists ( 'originating_page', $_GET ) && ! empty ( $_GET['originating_page'] ) )
    ? rawurldecode ( $_GET['originating_page'] )
    : null;
if ( ! empty ( $originating_page ) ) {
    $message = 'Error report: <p>Last site visited: ' . $originating_page . '</p>....';
    mail( "email@email.com", "Subject", $message );
} else {
    mail( "email@email.com", "Subject", "Problem from unknown page" );
}
?>
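As an added example (not part of the answer above), here is a check that report_problem.php can run on the `originating_page` parameter before it goes into the mail: since the value arrives from the query string, anyone can set it, so it is accepted only when it looks like a path on this site. The `originatingPage` and `reportSubject` helpers and the sample inputs are mine.

```php
<?php
// Added example; not code from the original answer. Accepts the originating page the
// answer passes in the query string only when it is a site-relative path, so the mail
// cannot be filled with an arbitrary URL or an extra header line.
declare(strict_types=1);

/** Returns the cleaned path (plus query) or null when the value is not a local path. */
function originatingPage(array $get): ?string
{
    $page = $get['originating_page'] ?? '';
    // $_GET is already URL-decoded by PHP, so no rawurldecode() is needed here.
    if (!is_string($page) || $page === '' || strlen($page) > 2048) {
        return null;
    }
    // Must start with exactly one slash: no scheme, no protocol-relative "//host", no CR/LF.
    if ($page[0] !== '/' || substr($page, 0, 2) === '//' || preg_match('/[\r\n]/', $page)) {
        return null;
    }
    $parts = parse_url($page);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || !isset($parts['path'])) {
        return null;
    }
    // Keep only path and query; fragments never reach the server anyway.
    return $parts['path'] . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

/** Subject line for the report; the "unknown page" fallback matches the answer's else branch. */
function reportSubject(?string $page): string
{
    return $page === null ? 'Problem from unknown page' : 'Problem report for ' . $page;
}

// Constructed inputs: one legitimate link, one external URL, one value carrying a header line.
foreach ([
    ['originating_page' => '/application/client.php?id=7'],
    ['originating_page' => 'http://attacker.invalid/phish'],
    ['originating_page' => "/x\r\nBcc: someone@example.invalid"],
] as $get) {
    $page = originatingPage($get);
    echo reportSubject($page), "\n";   // only the first input yields a page-specific subject
}
```

The same helper can be reused for any "return to" or "came from" parameter: the checks are about where the value came from (the client), not about what it is used for.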

PHP Contact Form Submitting Randomly

I hope I'm missing something pretty basic here but: An empty form is getting submitted randomly, sometimes 3-8 times a day, then none for a few days and so on.
The empty submits always email with the subject as "[Website Contact Form]." Even though there is no validation in my php, in the html code the subject is chosen from a drop-down menu with the default as "General Enquiry." Notice in the php code below, there is no way for a human to submit an empty form with the above subject line, that is, it would always be "[Website Contact Form]General Enquiry" if I press submit without entering anything.
I have contact.html call this contact.php file:
<?php
$email = 'info#mail.com';
$mailadd = $_POST['email'];
$headers = 'From: ' . $_POST['email'] . "\r\n";
$name = $_POST['name'];
$subject = '[Website Contact Form] ' . $_POST['subject'];
$message = 'Message sent from: ' . $name . '. Email: ' . $mailadd . '. Organization: ' . $_POST['company'] . '. Phone: ' . $_POST['phone'] . '. ';
$message .= 'Message: ';
$message .= $_POST['message'];
if (mail($email,$subject,$message, $headers)) {
echo "<p>Thank You! We'll get back to you shortly.</p>";
}
else {
echo "<p>Error...</p>";
}
?>
I use this code for many websites, but have never encountered this issue. Is there something so obviously wrong with this code that I'm missing? Any help would be greatly appreciated!
I suspect that you may not be checking that these variables are set before you send the email. Someone requesting contact.php directly (without any form data) may produce the results you have described. If this is the case, the following code should work like a charm:
<?php
if (isset($_POST['submit'])) {
// form code
}
else {
// The form was not submitted, do nothing
}
?>
Even if that's not that case, such a simple check is always good practice.
Furthermore, you should always validate any user input just as a good habit. You don't want your server flooding your inbox with emails. I suggest using regexs to validate the input provided and possibly use a captcha service (such as ReCaptcha).
If you've been using this code and it's been working fine, then I'd check what variables you changed in this case, for example your submit form.
Try out your form with all common possibilities and see if it works. An empty Subject will give your form the subject "[Website Contact Form]". Check that your script actually gets the post variables and your form submits the right variables. Your dropdown might have an option with a value of "" and the innerHTML "General Enquiry". The value is what will get submitted.
It's good to check inputs server-side as well:
<?php
if(isset($_POST['subject'],$_POST['email'])){
}
?>
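Combining the two answers, here is an added example (not the questioner's contact.php and not code from either answer) of a guard that rejects a request with no form data before mail() is reached and writes one line to the server log saying why, so the empty submissions become visible instead of landing in the inbox. The `rejectReason` and `logRejection` helpers, the required-field list and the sample requests are mine.

```php
<?php
// Added example for this thread (not the questioner's contact.php): reject requests that
// are not complete form posts before mail() runs, and record the reason in the error log.
declare(strict_types=1);

const REQUIRED_FIELDS = ['name', 'email', 'subject', 'message'];

/** Returns null when the request is a complete form post, otherwise the reason to reject it. */
function rejectReason(string $method, array $post): ?string
{
    if ($method !== 'POST') {
        return 'not a POST request';            // contact.php fetched directly, e.g. by a crawler
    }
    if (!isset($post['submit'])) {
        return 'submit button missing';         // data did not come through the form's button
    }
    foreach (REQUIRED_FIELDS as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            return "required field '$field' empty";
        }
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid email address';
    }
    return null;
}

/** One log line per rejected request; CR/LF in the user agent is flattened so it cannot forge a second line. */
function logRejection(string $reason, string $remoteAddr, string $userAgent): string
{
    $line = sprintf('[%s] contact form rejected (%s) from %s "%s"',
        date('c'), $reason, $remoteAddr, str_replace(["\r", "\n"], ' ', $userAgent));
    error_log($line);
    return $line;
}

// Usage in contact.php:
//   $why = rejectReason($_SERVER['REQUEST_METHOD'], $_POST);
//   if ($why !== null) {
//       logRejection($why, $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '');
//       exit;
//   }
//   ... build and send the mail as before ...

// Offline demonstration with constructed requests:
var_dump(rejectReason('GET', []));                               // the "fetched directly" case
var_dump(rejectReason('POST', ['submit' => 'Send']));            // button present, fields empty
var_dump(rejectReason('POST', [
    'submit' => 'Send', 'name' => 'A. Person', 'email' => 'a.person@example.invalid',
    'subject' => 'General Enquiry', 'message' => 'Hello',
]));                                                             // complete submission, accepted
```

Once the guard is in place, the log shows whether the stray submissions are GET requests for contact.php, posts with no fields, or posts whose dropdown sends an empty value, which is exactly the distinction the second answer asks you to check.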

How is this contact us script vulnerable / being manipulated?

A client recently got a spam warning from their host.
I think I have pinpointed the issue to an old contact us form. Simple HTML on the front end and a simple PHP script on the back end.
if ($_POST['submit'] == "Send"){
//START SEND MAIL SCRIPT
$mail = $_POST['email'];
$to = "me@gmail.com";
$subject = "Message from Website Contact Us Form";
$headers = "From: Contact us Form <webmaster@website.co.uk>";
$message = "Message from Contact Us Form\n\n";
$message .= "\nName: " . $_POST['contactname'];
$message .= "\nEmail: " . $_POST['contactemail'];
$message .= "\nTelephone: " . $_POST['contactphone'];
$message .= "\n\n\nMessage:\n" . $_POST['contactmessage'];
if(mail($to,$subject,$message,$headers)) {
header('Location: http://www.website.co.uk/contact-us/?action=success');
}else{
header('Location: http://www.website.co.uk/contact-us/?action=fail');
}//END IF MAIL
}//END SCRIPT
I know the remedies to fix it such as sanitizing post vars properly, using captchas, using a hidden 'honeypot' blank field, js tricks etc etc (I also like the look of this script too http://www.alt-php-faq.com/local/115/)
But to help me understand what was going on I want to know how this script is being manipulated. A foreign script posting vars to it but how do they send email to anyone apart from
'me#gmail.com' or if they are forcing cc / bcc fields somehow why do I not get all spam as well??
Thanks
A line like this: $message .= "\nName: " . $_POST['contactname']; can be dangerous.
If $_POST['contactname'] = 'MegaSteve4 \r\nCc: email1@mail.com, email2@mail.com'; is set, 2 users will get spam mail.
Look carefully. It's appending more headers, in this case Cc. I am not sure if Cc is a raw email header, but I hope you get the idea.
You're not doing any escaping of the post data. That means that this form is vulnerable to injection attacks.
I couldn't tell you how they did it, but that's probably what happened.

How to sanitize user input in PHP before mailing?

I have a simple PHP mailer script that takes values from a form submitted via POST and mails them to me:
<?php
$to = "me@example.com";
$name = $_POST['name'];
$message = $_POST['message'];
$email = $_POST['email'];
$body = "Person $name submitted a message: $message";
$subject = "A message has been submitted";
$headers = 'From: ' . $email;
mail($to, $subject, $body, $headers);
header("Location: http://example.com/thanks");
?>
How can I sanitize the input?
Sanitize the post variable with filter_var().
Example here. Like:
echo filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
Since you're not building an SQL query or anything here, the only relevant validation that I can see for those inputs is an email validation for $_POST["email"], and maybe an alphanumeric filter on the other fields if you really want to limit the scope of what the message can contain.
To filter the email address, simply use filter_var:
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
As per Frank Farmer's suggestion, you can also filter out newlines in the email subject:
$subject = str_replace(array("\r","\n"),array(" "," "),$subject);
As others have noted, filter_var is great. If it's not available, add this to your toolchest.
The $headers variable is particularly bad security-wise. It can be appended to and cause spoofed headers to be added. This post called Email Injection discusses it pretty well.
filter_var is great, but another way to assure that something is an email address and not something bad is to use an isMail() function. Here's one:
function isEmail($email) {
    // '@' separates the local part from the domain; the pattern allows subdomains and a 2+ letter TLD
    return preg_match('|^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]{2,})+$|i', $email);
}
So to use this, you could do:
if (isset($_POST['email']) && isEmail($_POST['email'])) {
$email = $_POST['email'] ;
} else {
// you could halt execution here, set $email to a default email address
// display an error, redirect, or some combination here,
}
In terms of manual validation, limiting the length using substr(), running strip_tags() and otherwise limiting what can be put in.
You need to remove any newlines from input provided by users in $headers, which gets passed to mail() ($email in your case)! See Email injection.
PHP should take care of sanitizing $to and $subject, but there are versions of PHP with bugs (Affected are PHP 4 <= 4.4.6 and PHP 5 <= 5.2.1, see MOPB-34-2007).
You can use the code from artlung's answer above to validate the email.
I use this kind of code to prevent header injection.
// define some mail() header names and commonly used spam strings to filter with preg_match
$match = "/(from\:|to\:|bcc\:|cc\:|content\-type\:|mime\-version\:|subject\:|x\-mailer\:|reply\-to\:|\%0a|\%0b)/i";
// check whether any field's value contains one or more of the strings above
if (preg_match($match, $name) || preg_match( $match, $message) || preg_match( $match, $email)) {
    // I use ajax, so I echo the string below and the js file checks whether the email failed to send
    echo "failed";
    // If you are not using ajax, you can redirect with the header function, i.e. header("Location: http://example.com/anypage/");
    // stop the script before it reaches the mail function
    die();
}
The mail()'s header filtering above is too strict, since some users may be using the filtered strings in their message without any intention to hijack your email form, so redirect it to a page that is explaining what kind of strings that is not allowed in the form or explain it on your form page.
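The two threads above ("How is this contact us script vulnerable" and this one) both come down to the same defect: form values reaching the headers argument of mail() without being checked for line breaks. The following is an added example, not code from either question or from any answer, of the check the answers recommend, written so it can be run offline: the four mail() arguments are built and returned rather than sent, a fixed site address is used in From: with the visitor's address in Reply-To, and any value bound for a header line is rejected if it contains CR, LF or NUL. The `headerSafe`, `validatedEmail` and `buildMail` helpers, the exception class and all addresses are constructed for the demonstration.

```php
<?php
// Added example for this thread (not code from the question or any answer). Builds the
// mail() arguments from form input with header-injection checks, and shows the injection
// pattern the answers describe being refused. All addresses are constructed samples.
declare(strict_types=1);

class MailInjectionException extends RuntimeException {}

/** Reject a value destined for a header line if it could start a new header. */
function headerSafe(string $value, string $field): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new MailInjectionException("$field contains a line break");
    }
    return trim($value);
}

/** Validate the reply address: one bare address, no display name, no list. */
function validatedEmail(string $email): string
{
    $clean = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($clean === false) {
        throw new MailInjectionException('invalid email address');
    }
    return $clean;
}

/**
 * Build [$to, $subject, $body, $headers] for mail(). Returning them instead of sending keeps
 * this testable. Only the fixed site address goes in From:; the visitor's address is put in
 * Reply-To, so replies still work but the message is not sent "as" the visitor.
 */
function buildMail(array $post, string $to, string $siteFrom): array
{
    $email   = validatedEmail((string) ($post['email'] ?? ''));
    $subject = headerSafe((string) ($post['subject'] ?? 'Website contact form'), 'subject');
    // name and message go in the body, where newlines are harmless; tags are stripped
    // so a mail client rendering HTML cannot be fed markup from the form.
    $name    = strip_tags((string) ($post['name'] ?? ''));
    $body    = strip_tags((string) ($post['message'] ?? ''));

    $headers = "From: $siteFrom\r\nReply-To: $email\r\nX-Mailer: PHP/" . PHP_VERSION;
    return [$to, $subject, "Person $name submitted a message:\n\n$body", $headers];
}

// Constructed inputs: a normal submission and the Bcc-injection pattern from the answers.
$good = ['email' => 'alice@example.invalid', 'name' => 'Alice', 'subject' => 'Hello', 'message' => 'Hi there'];
$bad  = $good;
$bad['email'] = "alice@example.invalid\r\nBcc: victim1@example.invalid, victim2@example.invalid";

print_r(buildMail($good, 'me@example.invalid', 'webmaster@example.invalid'));   // accepted
try {
    buildMail($bad, 'me@example.invalid', 'webmaster@example.invalid');
} catch (MailInjectionException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";   // FILTER_VALIDATE_EMAIL refuses the CRLF address
}
// Usage in the mailer script: [$to, $subject, $body, $headers] = buildMail($_POST, $to, $siteFrom);
// then mail($to, $subject, $body, $headers) inside the same try block.
```

Only the values that end up in a header line need the line-break check; the body can contain as many newlines as the visitor types. Keeping the visitor's address out of From: also sidesteps SPF and DMARC rejections from the visitor's own domain, which is a common reason such forms silently stop delivering.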
