Protection in my php form - php

I'm good with HTML and CSS and not too bad with jQuery, but with PHP I'm at a total loss! Could I get some help with this form? What is the best way to add protection to this existing PHP code I use on my site?
This is the page with the tutorial for all the code: http://jorenrapini.com/blog/css/jquery-validation-contact-form-with-modal-slide-in-transition
This is my site REMOVED LINK
This is the PHP from the tutorial used for the form; I would appreciate some assistance with adding proper protection.
<?php
//declare our variables
$name = $_POST['name'];
$email = $_POST['email'];
$message = nl2br($_POST['message']);
//get todays date
$todayis = date("l, F j, Y, g:i a") ;
//set a title for the message
$subject = "Message from Your Website";
$body = "From $name, \n\n$message";
$headers = 'From: '.$email.'' . "\r\n" .
'Reply-To: '.$email.'' . "\r\n" .
'Content-type: text/html; charset=utf-8' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
//put your email address here
mail("youremail@domain.com", $subject, $body, $headers);
?>
<!--Display a thankyou message in the callback -->
<div id="mail_response">
<h3>Thank you <?php echo $name ?>!</h3><br />
<p>I will answer your message soon as possible.</p><br /><br /><br />
<h5>Message sent on: </h5>
<p><?php echo $todayis ?></p>
</div>
------ Okay to clarify this a bit more ------
http://codeutopia.net/blog/2008/10/16/how-to-csrf-protect-all-your-forms/
This is one of the many articles I've been reading over the past two weeks on Cross-Site Request Forgeries, so how do you apply or add basic protection like this to a form like the one I am using?

mail("youremail@domain.com", $subject, $body, $headers);
can send you the mail, obviously, but you need to create a message to check if the mail function was not successful.
So,
if(mail("youremail@domain.com", $subject, $body, $headers)){
echo 'Your email is sent';
}else{
echo 'email is not sent';
}
The above code will guarantee that, if there was a problem with mail(), the user sees a custom-built message rather than the actual error exposing your code and directory.

You have to filter the POST values against XSS. For text mails you should strip out all tags in a professional way. Don't use only strip_tags()! For your header data, strip out all whitespace too.
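The following is an added example, not the tutorial's code and not from any answer in this thread. It applies both points raised so far to the same three fields (name, email, message): a session-bound CSRF token as asked about in the clarified question, and the header and output filtering described in the answer above. It assumes PHP 7.4 or later, placeholder addresses, and function names of its own; it also sends the mail as plain text instead of the tutorial's HTML so nothing from the visitor needs escaping inside the body.

```php
<?php
// Added example (not from the tutorial or the question): a hardened handler
// for the same three fields. Addresses below are placeholders.
session_start();

// CSRF token: generated once per session, embedded in the form as a hidden
// field, and compared in constant time on submit.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Anything placed in a mail header must contain no CR, LF or NUL; otherwise
// the submitter can append headers of their own (header injection).
function header_safe(string $value): string {
    return trim(str_replace(["\r", "\n", "\0"], '', $value));
}

// Validates the form input; returns [list of error strings, clean values].
function validate_contact(array $post): array {
    $errors  = [];
    $name    = header_safe(strip_tags((string)($post['name'] ?? '')));
    $email   = header_safe((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    if ($name === '' || strlen($name) > 100) {          // byte length
        $errors[] = 'Please enter your name (max 100 characters).';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid e-mail address.';
    }
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'Please enter a message (max 5000 characters).';
    }
    return [$errors, compact('name', 'email', 'message')];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form token. Please reload the page and try again.');
    }

    [$errors, $clean] = validate_contact($_POST);
    if ($errors) {
        foreach ($errors as $e) {
            echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
        }
        exit;
    }

    // From: stays our own address; the visitor's (validated) address goes in
    // Reply-To, so we never hand the mail server a forged sender.
    $headers = 'From: website@example.com' . "\r\n"            // placeholder
             . 'Reply-To: ' . $clean['email'] . "\r\n"
             . 'Content-Type: text/plain; charset=utf-8' . "\r\n"
             . 'X-Mailer: PHP/' . phpversion();
    $subject = 'Message from Your Website';
    $body    = "From: {$clean['name']} <{$clean['email']}>\n\n{$clean['message']}";

    if (mail('youremail@example.com', $subject, $body, $headers)) {   // placeholder
        // Escape before echoing anything that came from the visitor.
        echo '<h3>Thank you ' . htmlspecialchars($clean['name'], ENT_QUOTES, 'UTF-8') . '!</h3>';
    } else {
        echo '<p>Sorry, your message could not be sent right now.</p>';
    }
    exit;
}
?>
<form method="post" action="">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="name" placeholder="Name">
    <input type="email" name="email" placeholder="E-mail">
    <textarea name="message"></textarea>
    <button type="submit">Send</button>
</form>
```

The token check and the input validation happen before mail() is ever called, and the only visitor-supplied value that reaches a header (Reply-To) has already passed FILTER_VALIDATE_EMAIL, which rejects line breaks, spaces and commas.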

You should take a look at the ESAPI project, while the PHP version is not suitable for production use (based on what they write), you can still get an understanding of what input validation and security means for your service.

Related

Send Mail from MODx Template

I'm trying to send an email from a MODx template, either just using PHPmail or with MODx's ModMail class. Needless to say neither way is working.
I'm writing the code in a MODx snippet, and including that snippet in my template. When using PHPmail, and with the form action omitted (so that the form submits to the current URL), the page refreshes but no mail is sent.
When I try to use ModMail, nothing happens at all. But I'm not quite sure how to actually call the send mail code in this case, so the code is just sitting there doing nothing.
This is my PHPmail attempt:
<?php
$to = $_POST['email'];
$name = $_POST['name'];
$query = $_POST['message'];
$subject = "Query from " . $name;
$message = "You've received a query from " . $name . ", their email address is " . $to . ".\r\nThey said:\r\n" . $query;
$headers = 'From: MyPersonalEmail@gmail.com' . "\r\n" .
'Reply-To: MyPersonalEmail@gmail.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
echo $to;
echo $name;
echo $query;
echo $subject;
echo $message;
echo $headers;
mail($to, $subject, $message, $headers);
?>
And this is with ModMail:
<?php
$message = $_POST['message'];
$modx->getService('mail', 'mail.modPHPMailer');
$modx->mail->set(modMail::MAIL_BODY,$message);
$modx->mail->set(modMail::MAIL_FROM,'MyPersonalEmail@gmail.com');
$modx->mail->set(modMail::MAIL_FROM_NAME,'Johnny Tester');
$modx->mail->set(modMail::MAIL_SUBJECT,'Check out my new email template!');
$modx->mail->address('to','MyPersonalEmail@gmail.com');
$modx->mail->address('reply-to','MyPersonalEmail@gmail.com');
$modx->mail->setHTML(true);
if (!$modx->mail->send()) {
$modx->log(modX::LOG_LEVEL_ERROR,'An error occurred while trying to send the email: '.$modx->mail->mailer->ErrorInfo);
}
$modx->mail->reset();
There is a MODX extra available called QuickEmail that can check the internal mail functionality.
I do all the email handling via the MODX extra FormIt. Look at the RTM for it; it is quite easy to get running. It can handle a lot of the stuff you want to do and prevent (like spam and multi-submit) when having a form.
https://docs.modx.com/extras/revo/formit/formit.tutorials-and-examples/formit.examples.simple-contact-page
Don't try to invent a new solution. Most stuff can be done by using or extending existing MODX extras.

PHP mail() issue

I have a php page that includes an inquiry form that refers to itself as the form action.
Once completed the form writes to a database within a try-catch construct. I want to send an email to the administrator to say that someone has added themselves to the database.
All of the code works until:
if(mail($to, $subject, $message, $headers, '-f' . $from))
{ #And finally send them a thanks
header('Location: thanks.html.php');
exit();
} else {
echo 'Email did not send';
exit();
}
The code above this block all works because I get a write into the database, and the 'if' test passes because the redirect to the thanks page also works! What have I missed?
It seems like you are trying to make use of additional parameters.
Excerpt from the PHP manual:
The additional_parameters parameter can be used to pass an additional
parameter to the program configured to use when sending mail using the
sendmail_path.
<?php
mail('nobody@example.com', 'the subject', 'the message', null, '-fwebmaster@example.com');
?>
Route 2:
Try something like this.
Your $from is contained in the $headers variable itself, so you don't have to specify it.
<?php
$to = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$headers = 'From: webmaster@example.com' . "\r\n" .
'Reply-To: webmaster@example.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
if(mail($to, $subject, $message, $headers))
{ #And finally send them a thanks
header('Location: thanks.html.php');
exit();
} else {
echo 'Email did not send';
exit();
}
?>
At last... the answer. Nothing wrong with the code! I was falling over the web host's anti-spam filter in mail. Because I was testing the script with my own email address, it refused to send the mail, assuming it was spam! As soon as I put in a completely new email address it sent the email!
Thanks to everyone that offered help!

Showing php msg on HTML page

I am working on a static website which has a contact us page. What I want to do is: when the contact form is submitted it should show the message "Email has been sent successfully". But the problem is I am calling the HTML page, and we cannot pass a PHP message to the HTML view. So is there any way to get it done?
conatctus.php
<?php
$error = '';
$mailTo = $_POST['email'];
$mailFrom = 'info@sample.com';
//$headers = 'MIME-Version: 1.0' . "\r\n";
//$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$fullname = $_POST['username'];
$phoneno = $_POST['mobile'];
$emailaddress = $_POST['email'];
$msgsubject =$_POST['message'];
$new = "\n";
$msg = $fullname.$new.$emailaddress.$new.$phoneno.$new.$msgsubject;
$to = $email;
$subject = 'Inquiry';
$messageclient = '<div>
<p>Thank you For Inquiry.</p>
<p> We will reach back to you shortly. Have a Nice Day!</p>
<p>Company © 2013</p>
</p></div>
';
$headers = 'From: info@email.com' . "\r\n" .
'Reply-To: info@email.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=utf-8\r\n";
$headers .= "From: Company<info@email.com>\r\n";
//$res = mail($to, $subject, $message, $headers);
//$message ='Thank you For Inquiry. We will reach back to you shortly. Have a Nice Day';
mail( $mailTo , $subject, $messageclient, $headers);
$message .= "<p>Name: $fullname</p><br /><p>Contact Number : $phoneno</p><br /> <p>Email: $emailaddress</p><br /><p>Message: $msgsubject</p>";
mail( $mailFrom, $subject,$message, $headers);
header("location:home.html");
?>
Your help is much appreciated, thanks in advance.
There are a lot of problems here, but to answer your question, you can't redirect after content has been sent.
If you add ob_start() to the top of the page it will buffer the contents and allow the redirect.
Upon, further re-reading of your post, maybe I misinterpreted. It doesn't look like you are sending content which means that your redirect IS working, but what you want is to add a message after it's been redirected.
You have options.
Redirect to a static HTML page that reflects the message you want to convey.
Redirect to a PHP page that has the logic to give the user a message.
Use Ajax to send the email and don't redirect at all.
You might want to either do an Ajax request on submit to prevent changing the page, or make a landing page to which you redirect after processing the mailing function.
Have this send-email function performed as an Ajax call and, on its success, show the user the success message.
If you can configure the web server, you can change it in a way that treats HTML pages like PHP pages. For example in Apache's httpd.conf:
AddType application/x-httpd-php .php .htm .html
Hope that works for you.
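As an added example of the "redirect to a PHP page that has the logic to give the user a message" option (this is not the asker's file and not from any answer above): one page handles the POST, redirects to itself with a 303, and shows a one-time status on the following GET. It assumes PHP 7.4 or later, the asker's field names (username, mobile, email, message), placeholder addresses, and that the landing page is a .php file, since a plain .html page cannot read PHP variables unless the server is told to parse it. Only a fixed status keyword crosses the redirect, so nothing the visitor typed is ever echoed on the landing page.

```php
<?php
// contact.php: added example, not the asker's contactus.php.
session_start();

// Sends the inquiry to the site address; returns mail()'s success flag.
function send_inquiry(array $post): bool {
    $email = filter_var(trim((string)($post['email'] ?? '')), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;                         // refuse rather than mail a bad address
    }
    // Strip CR/LF so form input cannot inject extra mail headers or lines.
    $clean = fn(string $v): string => str_replace(["\r", "\n"], '', trim($v));
    $body  = "Name: "    . $clean((string)($post['username'] ?? '')) . "\n"
           . "Phone: "   . $clean((string)($post['mobile'] ?? ''))   . "\n"
           . "Email: "   . $email . "\n"
           . "Message: " . trim((string)($post['message'] ?? ''));
    $headers = "From: info@example.com\r\nReply-To: $email\r\n";   // placeholder address
    return mail('info@example.com', 'Inquiry', $body, $headers);   // placeholder address
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Store only a keyword; the visible text is chosen below on the GET side.
    $_SESSION['flash'] = send_inquiry($_POST) ? 'sent' : 'failed';
    // 303 makes the browser follow with GET, so a refresh never re-posts the form.
    header('Location: contact.php', true, 303);
    exit;
}

// Fixed messages keyed by status; unknown keys display nothing.
$messages = [
    'sent'   => 'Email has been sent successfully.',
    'failed' => 'Sorry, your inquiry could not be sent. Please try again.',
];
$status = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);                    // one-time: cleared as soon as it is read
?>
<!DOCTYPE html>
<html><body>
<?php if ($status !== null && isset($messages[$status])): ?>
    <p class="notice"><?= htmlspecialchars($messages[$status], ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="contact.php">
    <input type="text" name="username" placeholder="Name">
    <input type="text" name="mobile" placeholder="Phone">
    <input type="email" name="email" placeholder="E-mail">
    <textarea name="message"></textarea>
    <button type="submit">Send</button>
</form>
</body></html>
```

Because the handler sends no output before header(), no ob_start() is needed; the same session-keyword pattern works unchanged if the redirect target is a separate home.php instead of the form page itself.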

How do I send an email to the user on submit of php form

How do I send an email to the user with the data they submitted in the form, including a little message using their name and thanking them, on submit of the PHP form?
Here is my current PHP code. It currently just shows them a message with their name saying the message has been sent, and then sends me an email at my email address.
<?php
if(isset($_POST['submit'])){
$to = "benlevygraphics@gmail.com";
$headers = "From: " . $_POST['email'];
$subject = "Ben, you have been contacted...";
$body = "Name: " . $_POST['name'] . "\nEmail: " . $_POST['email'] . "\nWebsite: " . $_POST['web'] . "\nMessage: " . $_POST['message'];
if(mail($to, $subject, $body, $headers)){
echo("<p class=contactformsent>".$_POST['name'].", your message has been sent!</p>");
}
else{
echo("<p class=contactformnotsent>".$_POST['name'].", Message delivery failed...</p>");
}
}
?>
I am new to php and I have read stuff online and I still don't understand so if you could be clear in your examples or help I would greatly appreciate it very much. Thanks!
Assuming your current code is already working fine, you can do this to send yourself an email together with the recipient:
Set $to to $_POST['email']
Set $headers to "From: {$_POST['email']}\r\nBcc: benlevygraphics@gmail.com"
Adjust $body and $subject to your needs.
Btw, I can't say this often enough: make sure that your page has some form of CSRF protection.
How to properly add CSRF token using PHP
The above is just one way, there are others, just search for it :)
Look into your php.ini, because you have to enter an SMTP server.
In my file it begins at line 1087 with "[mail function]".

Send email to address from form input

I have a pretty standard contact form with inputs for name, email address and phone number. As well as sending the email to the specified email address as per a standard form,
$to = 'diysoakwells@hotmail.com';
I would also like to send the email to the user, using the address from the email input on the form. I was thinking that using the POST variable from the email input like this would work:
$to = 'diysoakwells@hotmail.com', $email;
but no luck. Can someone point me in the right direction, and are there any security risks in using this approach? I ultimately aim to provide the user with a checkbox that, if checked, sends a copy of the email to themselves.
Here is a link to my form
http://www.diysoakwells.com.au/cart.php
Thank you in advance :)
<?php
include_once("wsp_captcha.php");
if(WSP_CheckImageCode() != "OK") {
header('location:/form-rejected.php');
die();
}
$to = 'diysoakwells@hotmail.com';
$subject = 'Order Inquiry';
$jcitems = " <p><b>ORDER:</b></p><p> " . $_POST['jcitems']."</p>" . "<p><b>Total:</b> $" . $_POST['jctotal']."</p>";
$time = date ("h:i A");
$date = date ("l, F jS, Y");
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
$headers .= 'From: inquiry@diysoakwells.com' . "\r\n" .
'Reply-To: noreply@diysoakwells.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
$name = $_POST['name'];
$phone = $_POST['phone'];
$emaile = $_POST['emaile'];
$textbox = $_POST['textbox'];
$text = "<html><body><p><b>Message:</b>\n$textbox</p><p>This form was submitted on Your Web Site on \n $date at\n $time</p><p><b>Customers Email Address:</b> $emaile</p><p><b>Customers Name:</b> $name </p><p><b>Customers Phone Number:</b> $phone </p></body></html>";
$body = $text . $jcitems;
mail($to, $subject, $body, $headers);
Header('Location: ../form-accepted.php');
?>
What you're doing is not what you want to do. Concatenating two strings in PHP is done with the . not the , so the correct syntax is:
$to = 'diysoakwells@hotmail.com'.", ".$emaile;
or simply
$to = "diysoakwells@hotmail.com, $emaile";
That's assuming that the code in charge of sending the email uses php's mail() function, which allows multiple emails in the $to argument. If that doesn't work, I can't be of more use without seeing the actual code.
The 'to' field on emails accepts a string, with the email address comma-separated.
$to = 'diysoakwell@hotmail.com, ' . $emaile;
should do the trick.
You should check the email address that they provide is formatted as an email address, and it would be a good idea to have a CAPTCHA to prevent automated bots from using your form as a spamming tool.
If you use php mail() function you can send copy by specifying additional headers like that:
$headers = 'Cc: '.$emaile;
mail($to, $subject, $message, $headers);
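An added example (not the asker's script and not from any answer in this thread) that ties together the "copy to the user" answers here and the Bcc suggestion in the earlier question: the order inquiry always goes to the site address, and the address the visitor typed is added only as a Cc, only when a "send me a copy" box is ticked, and only after it passes validation. Field names follow the asker's form (name, phone, emaile, textbox, jcitems, jctotal); the checkbox name copy_me, the function names and the addresses are assumptions. It assumes PHP 7.1 or later.

```php
<?php
// Added example, not the asker's code. Addresses are placeholders.
const SITE_ADDRESS = 'inquiry@example.com';

// Returns the visitor's address if they asked for a copy and it is a single,
// well-formed address; otherwise null. FILTER_VALIDATE_EMAIL rejects line
// breaks, spaces and commas, so the value can neither smuggle extra
// recipients into the Cc: line nor append headers of its own.
function visitor_copy_address(array $post): ?string {
    if (empty($post['copy_me'])) {
        return null;                                   // no copy requested
    }
    $addr = filter_var(trim((string)($post['emaile'] ?? '')), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// HTML-escape a form value before placing it inside the HTML mail body.
function h($value): string {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Builds and sends the inquiry; returns mail()'s success flag.
function send_order_inquiry(array $post): bool {
    $cc = visitor_copy_address($post);

    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/html; charset=UTF-8\r\n";
    $headers .= 'From: ' . SITE_ADDRESS . "\r\n";
    $headers .= "Reply-To: noreply@example.com\r\n";   // placeholder address
    if ($cc !== null) {
        $headers .= 'Cc: ' . $cc . "\r\n";            // the copy the visitor asked for
    }

    $body = '<html><body>'
          . '<p><b>Message:</b> ' . nl2br(h($post['textbox'] ?? '')) . '</p>'
          . '<p><b>Customer:</b> ' . h($post['name'] ?? '') . ', ' . h($post['phone'] ?? '') . '</p>'
          . '<p><b>Order:</b> ' . h($post['jcitems'] ?? '')
          . ' (total $' . h($post['jctotal'] ?? '') . ')</p>'
          . '<p>Submitted ' . date('l, F jS, Y \a\t h:i A') . '</p>'
          . '</body></html>';

    // To: is always our own address, so every copy the form sends out also
    // lands in our inbox and abuse is visible; the CAPTCHA the asker's script
    // already runs is still what limits bulk submissions.
    return mail(SITE_ADDRESS, 'Order Inquiry', $body, $headers);
}

// Usage, after the CAPTCHA check the asker's script already performs:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Location: ' . (send_order_inquiry($_POST) ? '/form-accepted.php' : '/form-rejected.php'));
    exit;
}
```

Compared with the earlier answer's "set $to to the visitor's address and Bcc yourself", this keeps the site address as the primary recipient, which is a deliberate choice: the visitor never controls who the To: line addresses, and unticking the box sends the inquiry exactly as the original script does.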
