I have this Contact form that works well. If someone sends me an email I get it. But for whatever reason I keep getting empty emails sent to me. Since no one could access that page I'm sure it's not someone sending me the empty emails. I don't know what the problem is. Any help?
<form method="post" id="contactform" name="contactform" action="comment.php" id="ContactForm" name="ContactForm" method="post">
<fieldset>
<label>Email *</label>
<input class="text" type="text" name="email">
<label>Name *</label>
<input class="text" type="text" name="name" />
</fieldset>
<input class="submit-button" type="submit" name="submit" id="submit" value="Send" />
</form>
and my contact.php
<?php
$email.= "<b>Email : </b>".trim($_POST['company'])."<br/>";
$email.= "<b>Name : </b>".trim($_POST['name'])."<br/>";
//Replace YourEmailAddress@Yourdomain.com with yours, eg: contactus@mywebsite.com
//Both on the next line and on the mail function below.
$headers = "From: email@email.com\r\n";
$headers .= "Content-Type: text/html";
mail(
"Your Name<myname>",
"Header",
$email,
$headers
);
header("www.google.com");
?>
The "header" part in my PHP form is to redirect the user to a page after sending the form.
Thanks in advance.
You are probably getting visits from bots. Your script will always trigger an E-Mail, even if no POST data is present.
In your contact script, as a basic measure of protection, add something like
if ($_POST["submit"] != "Send")
die();
add further validation (as pointed out in the comments) as needed.
Might be because you don't appear to be validating the form inputs, so it can be submitted blank.
Sometimes I do this to websites (test validation, end up sending blank email), but I usually add a message later to "Validate your input!".
Excuse me if you are indeed doing validation, but that was my gut instinct because I see a lot of people fail to validate even the presence of a required input, let alone the integrity.
Company doesn't exist in your form but you try to parse it.
And maybe 2 form name declarations is not that good but it's not your answer.
I have a contact form that I wrote in the html document and this then is executed by an external php file. How do I validate it? All tutorials that I've looked at have shown the validation and the html form in the actual php file and so how can my validation be accomplished?
HTML5:
<form id="form-area" action="email-processor.php" method="POST">
<div id="name-area"><p>Name (required)</p><input class="form-input" type="text" name="name"></div>
<div id="email-area"><p>Email (required)</p> <input class="form-input" type="text" name="email"></div>
<div id="phone-area"><p>Telephone</p> <input class="form-input" type="text" name="phone"></div>
<div id="msg-area"><p>Message</p><textarea id="msg-input" name="message" rows="6" cols="25"></textarea><br /></div>
<input id="sendbtn" type="submit" value="Send">
</form>
PHP:
<?php
$name = $_POST['name'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$message = $_POST['message'];
$formcontent="From: $name \n Phone Number: $phone \n \n Message: \n \n$message";
$recipient = "sampleemail@hotmail.com";
$subject = "Contact Form";
$mailheader = "From: $email \r\n";
mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
echo "Thank You!";
?>
You need to put required behind the input fields. If you want to make an email required in the standard format xxx@xxx.xxx instead of simple text, use type="email". For the telephone number you can use type="number" to allow numbers only, otherwise simply use text.
NEW HTML
<form id="form-area" action="email-processor.php" method="POST">
<div id="name-area"><p>Name (required)</p><input class="form-input" type="text" name="name" required></div>
<div id="email-area"><p>Email (required)</p> <input class="form-input" type="email" name="email" required></div>
<div id="phone-area"><p>Telephone</p> <input class="form-input" type="number" name="phone" required></div>
<div id="msg-area"><p>Message</p><textarea id="msg-input" name="message" rows="6" cols="25" required></textarea><br /></div>
<input id="sendbtn" type="submit" value="Send">
</form>
As has already been pointed out, for client-side validation, you can use the required attribute, which will trigger appearance changes in most web browsers.
However, you MUST do server-side validation as well. Failure to do so will result in vulnerabilities in your application code. For example, your mail() call currently allows unsanitized input for the additional_headers parameter. That means that malicious actors can easily inject whatever headers they want to - e.g. injecting an additional To: or CC: header can turn your server into an open mail relay (i.e. that's bad). Attackers are ALWAYS looking for incorrect usage of the PHP mail() function such as demonstrated by your code.
Because of the poor design of the PHP mail() function, my view is that no one should directly call it. The function is actually much more complicated to use correctly since it is only a basic layer over sendmail and, without significant effort, ignores all sorts of IETF RFCs that govern e-mail. You should use a library such as Ultimate E-mail Toolkit, PHP Mailer, etc. that offer a nicer layer over mail() and/or SMTP to do the actual sending of the e-mail and avoid turning your server into an open relay.
The server is the final authority on what is and is not allowed. For this reason, I use CubicleSoft FlexForms, which aids me in generating HTML forms and processing user input server-side. How you handle things server-side is far more critical than client-side validation, which can and will be ignored by malicious users. You can't control what a client will send and there are plenty of malicious actors out there. So you have to make the unfortunate assumption that all users will attack your software. You should always start with server-side validation and then add client-side validation afterwards.
In addition, your code won't work as you expect. Most mail servers are configured to deny spoofing attempts. You can't assume that you can send e-mail From: someone whose e-mail servers you don't control. The messaging will bounce back and if you send enough spoofed mail messages your server will eventually be added to a global blacklist (via DNSRBL) and denied sending e-mail to anyone else. You can only send "From" an address that you have control over AND have set up things such as a SPF record or DMARC for. Sending e-mail is hard thanks to spammers and the lack of direction by the Internet Engineering Task Force (IETF) to solve the problem.
You can, however, use the Reply-To: header with any sanitized e-mail address that you want to use. Most e-mail clients respect the Reply-To header and will use it instead of the From header when it exists.
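The server-side checks described above, together with the guard against empty submissions from the first question, as an added example (not code from the original answers). SITE_FROM, SITE_TO and the function names are assumptions, and the sample submissions are constructed.

```php
<?php
// Placeholder addresses (assumptions): both must be on a domain you control.
const SITE_FROM = 'webform@example.org';
const SITE_TO   = 'owner@example.org';
// Returns [clean values, errors]; nothing may be sent unless errors is empty.
function validate_contact(array $post): array
{
    $clean = $errors = [];
    foreach (['name', 'email', 'message'] as $field) {
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[$field] = 'required';
        }
        $clean[$field] = $value;
    }
    // The e-mail address ends up in a header, so CR/LF must never get through.
    if (!isset($errors['email'])) {
        if (preg_match('/[\r\n]/', $clean['email'])) {
            $errors['email'] = 'line breaks not allowed';
        } elseif (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
            $errors['email'] = 'invalid address';
        }
    }
    return [$clean, $errors];
}

// From is fixed; the visitor's validated address only appears in Reply-To.
function build_headers(string $replyTo): string
{
    return 'From: ' . SITE_FROM . "\r\n"
         . 'Reply-To: ' . $replyTo . "\r\n"
         . 'Content-Type: text/plain; charset=UTF-8';
}

// In the form handler: handle_contact($_SERVER['REQUEST_METHOD'], $_POST);
function handle_contact(string $method, array $post): array
{
    if ($method !== 'POST') {
        return ['sent' => false, 'errors' => ['request' => 'POST required']];
    }
    [$clean, $errors] = validate_contact($post);
    if ($errors) {
        return ['sent' => false, 'errors' => $errors];
    }
    $body = "Name: {$clean['name']}\nEmail: {$clean['email']}\n\n{$clean['message']}";
    $sent = mail(SITE_TO, 'Contact Form', $body, build_headers($clean['email']));
    return ['sent' => $sent, 'errors' => []];
}

// Constructed sample submissions: an empty bot hit, a header-injection attempt, a valid one.
$samples = [
    'empty'     => [],
    'injection' => ['name' => 'x', 'email' => "a@example.com\r\nCc: b@example.net", 'message' => 'hi'],
    'valid'     => ['name' => 'Ann', 'email' => 'ann@example.com', 'message' => 'Hello'],
];
foreach ($samples as $label => $post) {
    [, $errors] = validate_contact($post);   // validation only, no mail is sent here
    echo $label, ': ', $errors ? json_encode($errors) : 'ok', "\n";
}
```

The demo loop only exercises validation, so it can be run from the command line without a configured mail transport.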
PHP isn't my strength and when I was asked to implement a modal newsletter subscription popup I cringed because I knew I was going to have to use PHP. I have scoured the internet all day trying various things, but I cannot seem to get anything to work and I am really hoping that someone will be able to point me in the right direction. It is super simple, I only need a name and email address which is then sent to an account I specify. I am sure this is really basic, but with my lack of experience with PHP I am totally lost as to where I am going wrong. My code is below.
<?php
if($_POST["submit"]) {
$recipient="my@emailaddress.com";
$subject="Newsletter Subscription";
$senderName=$_POST["name"];
$senderEmail=$_POST["email"];
$mailBody="Name: $senderName\nEmail: $senderEmail\n\nThis is a test!";
mail($recipient, $subject, $mailBody, "From: $senderName <$senderEmail>");
header('Location:http://www.urltoredirect.com/');
}
?>
<html>
<head>
<title></title>
</head>
<body>
<form method="post" action="sendmail.php">
<div class="rbm_input_txt">
<input type="name" name="name" placeholder="name" required>
</div>
<div class="rbm_input_txt">
<input type="email" name="email" placeholder="email" required>
</div>
<div class="rbm_form_submit">
<button type="submit" class="rbm_btn_x_out_shtr">subscribe</button>
</div>
</form>
</body>
</html>
I save the file as sendmail.php and upload to my server. When I fill out the form, the page just reloads, it isn't redirecting to the URL specified and I am not receiving any email. I suspect the issue is in the send mail and once that is sorted, the redirect will work. Can anyone see anything obvious that I am missing?
EDIT: Added the name attribute to my code as suggested below. Issue is still unresolved.
You're checking to see if $_POST['submit'] is truthy, but your form never actually sets that value. There are two changes you can make to fix this:
In order for the submit key to be present in your request, you need to assign it to a field in your form. You'll likely want to add it to the submit button, which can be done by simply adding the name parameter to your submit button:
<button name="submit" type="submit" class="rbm_btn_x_out_shtr">subscribe</button>
Even with the above change, $_POST['submit'] will still evaluate to false since its value will be empty. (You can see this in the rules for boolean conversions.) You can get around this by checking to see if it's set, rather than if it's truthy:
if (isset($_POST['submit']))
Alternatively, you could just look for a different field such as name or email, since you know both of those fields will be set on submit.
There must be a name in the tags:
<div class="rbm_input_txt"><input type="name" placeholder="name" name="name" required><input type="email" placeholder="email" name="email" required></div>
I have this question about why my form is not posting data to my PHP script. To unsubscribe from an emailing list I've set up, I send the user that has unsubscribed an email with a form that posts some data.
<html>
<body>
<div>
<p>This is a confirmation message to confirm that you unsubscribed from the sci-eng email list.</p>
<p>Click on the button below to confirm your unsubscription.</p>
<form id="unsubform">
<div class="form-in">
<input type="hidden" id="emailkey" name="emailkey" value="key">
<input type="hidden" id="email" name="email" value="email@domain.com">
<button class="btn" id="submit" type="submit" formaction="http://redlinks.ca/sci-eng/db/unsubscribe.php" formmethod="post">Unsubscribe</button>
</div>
</form>
</div>
</body>
</html>
When on the page that the form is POSTed to, I get the "no data" error that I have set up if there is no data in the $_POST["email"] variable. I have tried using var_dump($_POST), but that just returns with array(0) { } and that isn't working for me.
The thing that confuses me the most is when I copy the exact html from the email, and paste it into a blank page, when I click on submit/unsubscribe it posts the data just fine, and elsewhere on my site I have the exact same script, the only difference being the formaction is without the /db in it. The page that one is sent to behaves how it should, showing the proper array of data instead of nothing. That's the only difference.
If it makes any difference, I use Thunderbird for Windows 10 as my email client.
Anyone who thinks they can help would be appreciated :)
Due to security issues, forms are not supported and not recommended within emails. Most email clients will warn the user of a risk or simply will disable it and it will not work, like in your case.
The best practice for enabling unsubscribing is by using a link. You can pass any required parameter for unsubscribing on the link, for example http://www.example.com/unsubscribe.php?usermail=mail@gmail.com.
TRY WITH:
<html>
<body>
<div>
<p>This is a confirmation message to confirm that you unsubscribed from the sci-eng email list.</p>
<p>Click on the button below to confirm your unsubscription.</p>
<form id="unsubform" action="http://redlinks.ca/sci-eng/db/unsubscribe.php" method="post">
<div class="form-in">
<input type="hidden" id="emailkey" name="emailkey" value="key">
<input type="hidden" id="email" name="email" value="email@domain.com">
<button class="btn" id="submit" type="submit">Unsubscribe</button>
</div>
</form>
</div>
</body>
</html>
If you don't use the POST method, how could your form values be posted to the PHP script? Try the following code.
<html>
<body>
<div>
<p>This is a confirmation message to confirm that you unsubscribed
from the sci-eng email list.</p>
<p>Click on the button below to confirm your unsubscription.</p>
<form id="unsubform" method="POST" action="http://redlinks.ca/sci-eng/db/unsubscribe.php">
<div class="form-in">
<input type="hidden" id="emailkey" name="emailkey" value="key">
<input type="hidden" id="email" name="email" value="email@domain.com">
<button class="btn" id="submit" type="submit" >Unsubscribe</button>
</div>
</form>
</div>
</body>
</html>
The default method is GET, not POST; you need to specify
<form method="post" ...>
Maybe a link to this form hosted online might be a better idea; some mail clients do not support showing mails; and maybe more clients might refuse to submit or post them due to security concerns (e.g. webmail interfaces).
Do not send a form for confirmation. Try these steps:
Generate a unique encrypted key for each email that unsubscribes and store it in the database.
Send a confirmation link to that particular user's email with the key as (http://domainurl/confirm.php?key=1533c67e5e70ae7439a9aa993d6a3393).
Now check the key for the corresponding email, unsubscribe it, and also remove the key from the database.
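The three steps above as an added example (not code from the original answer). It uses a random token from random_bytes() rather than an encrypted value and stores only its SHA-256 hash; the in-memory SQLite table, its column names, the 24-hour expiry and the example.org URL are assumptions.

```php
<?php
// Assumes the pdo_sqlite extension; table and column names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (email TEXT PRIMARY KEY, subscribed INTEGER,
                                     token_hash TEXT, token_expires INTEGER)');
$db->exec("INSERT INTO subscribers VALUES ('ann@example.com', 1, NULL, NULL)"); // constructed row

// Steps 1 and 2: create a random key, store only its hash, return the link to mail out.
function issue_unsubscribe_link(PDO $db, string $email, int $now): ?string
{
    $token = bin2hex(random_bytes(16)); // 32 hex characters from the CSPRNG
    $stmt = $db->prepare('UPDATE subscribers SET token_hash = ?, token_expires = ?
                          WHERE email = ? AND subscribed = 1');
    $stmt->execute([hash('sha256', $token), $now + 86400, $email]);
    if ($stmt->rowCount() !== 1) {
        return null; // unknown or already unsubscribed address: send nothing
    }
    return 'https://example.org/confirm.php?key=' . $token;
}

// Step 3: look the key up, unsubscribe that one address, and delete the key.
function confirm_unsubscribe(PDO $db, string $key, int $now): bool
{
    if (!preg_match('/^[0-9a-f]{32}$/', $key)) {
        return false; // malformed input is rejected before any query runs
    }
    $stmt = $db->prepare('UPDATE subscribers
                          SET subscribed = 0, token_hash = NULL, token_expires = NULL
                          WHERE token_hash = ? AND token_expires >= ?');
    $stmt->execute([hash('sha256', $key), $now]);
    return $stmt->rowCount() === 1; // false for unknown, expired or reused keys
}

$now  = time();
$link = issue_unsubscribe_link($db, 'ann@example.com', $now);
parse_str(parse_url($link, PHP_URL_QUERY), $query);

var_dump(confirm_unsubscribe($db, str_repeat('0', 32), $now)); // a key that was never issued
var_dump(confirm_unsubscribe($db, $query['key'], $now));       // the key from the mailed link
var_dump(confirm_unsubscribe($db, $query['key'], $now));       // the same key replayed
```

Because the link carries only the key and not the e-mail address, a request cannot unsubscribe an address it was not issued for.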
I am having trouble getting my code validation to work. I have written validation for a name, surname and email address, however, I don't know where to insert a command for the php code to be called in my main html.
I was thinking I have to add an action into a form like this:
<body>
<div class="logo"></div>
<div class="login-block">
<h1>Create Account</h1>
<form action="insert_data.php" method="post">
<form action="validate_data.php">
<input type="text" value="" placeholder="First Name" name="first_name" />
<input type="text" value="" placeholder="Last Name" name="last_name" />
<input type="email" value="" placeholder="E-mail Address" name="email_address" />
However, I don't know if that is correct. All three of the validation notes are saved in a file called 'validate_data.php'.
My code for name and surname validation is pretty much the same, with the main 'name' spaces changed:
<?php
$first_name = test_input($_POST["first_name"]);
if (!preg_match("/^[a-zA-Z ]*$/",$first_name)) {
$first_nameErr = "Incorrect name format.";
}
?>
and for my email:
<?php
$email_address = test_input($_POST["email_address"]);
if (!filter_var($email_address, FILTER_VALIDATE_EMAIL)) {
$email_addressErr = "Invalid email format.";
}
?>
Is there any particular place I will have to call this? Or am I just doing some stupid mistake and missing it?
You don't put it in the HTML unless you are sending the page to itself, in which case it is usually best to put the PHP at the top of the page. It would need to be named as a .php page not .html then. That way if, for example, you wanted to make the values of the form stay as what was submitted you could echo them after they are cleaned up by setting the textbox value
value="<?php echo $first_name; ?>"
for example. If you are submitting to insert_data.php all the PHP just lives on that page at the top. You seem to have too many <form actions - you can only submit once. Best to put your cleanup code at the top of insert_data.php and submit to that.
If it is on the same page you would need to wrap it in
if( isset($_POST["first_name"])){
// do the cleanup
}
or you will get messages for the empty inputs which have not had the chance to be submitted as the page loads. And do the same for the email address which you definitely don't want to have blank if you are subsequently going to use it for a mail form's Reply-To: address (the From: should always be an address on your server or you will be back here posting wondering why it doesn't work!)
You could include the validation script but that is possibly a bit risky and for the length of the code there is probably little advantage in having it as an include. Risks of including unsafely: http://www.webhostingtalk.com/showthread.php?t=199419
You would then use - assuming your includes are in a folder called inc/
include "inc/validate_data.php";
at the top of your insert_data.php page - without the brackets shown in that article - it is a declaration, not a function.
Another good article on includes:
http://green-beast.com/blog/?p=144
If you were looping out posts, for example, the code to do that would be somewhere among the HTML inside the div where you wanted them to appear.
I've got your run of the mill form, with a PHP script to validate and email it off.
<form id="contactForm" action="contact.php" method="post">
<fieldset>
<p>
<label>NAME:</label>
<input name="name" id="name" type="text" />
</p>
<p>
<label>EMAIL:</label>
<input name="email" id="email" type="text" />
</p>
<p>
<label>COMMENTS:</label>
<textarea name="comments" id="comments" rows="5" cols="20" ></textarea>
</p>
<p><input type="submit" value=" " name="submit" id="submit" /></p>
</fieldset>
<p id="error" class="warning">Message</p>
</form>
The problem is, that when I click submit, it takes me off the page I was on (filling out the form) and takes me to a blank white page - contact.php.
Is there any way I can stay on the original contact.html page after clicking submit and just let the emailing happen in the background?
Ajax is your best bet. If not, the quick and dirty way would be to put a PHP block at the top of your page and put all the stuff from your contact.php in an if(isset($_POST['data'])) statement.
Brief example
<?php
if(isset($_POST['variable_from_form']))
{
// send mail, insert in database, etc. stuffs
}
?>
Basically, if there is post data, do something, if not, just write the page as normal
PHP is doing the job assigned: it is redirecting to the page you asked for in the action="" tag.
If you need to validate an email or login, you should use the same contact.php form to do both: enter user email and validate and/or login or whatever you want to do.
At the beginning of contact.php, use a PHP script to receive the submitted fields, validate, sanitize and insert or whatever.
<?php
// Collect validation errors here; an empty array means the input was accepted.
$errors = [];
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
    $email = isset($_POST['email']) ? $_POST['email'] : '';
    $email = filter_var($email, FILTER_SANITIZE_EMAIL);
    if (empty($email))
    {
        $errors['email'] = "enter a valid email";
    }
    else {
        $user_email = $email;
    }
}
if (empty($errors) && $_POST)
{
    //with $user_email defined and sanitized you can do whatever you want: insert, edit, query, email.
}
elseif ($errors || !$_POST)
{
?>
Here, put all the html form, at the end, close the open php.
<?php
}
?>
You could put an iframe on your page that initially loads a blank page within it and have the form's target be the iframe so it will post into the iframe.
Make the iframe large enough so that a simple message like "Your information has been accepted" can be printed by contact.php.
Here's a link that tells you how to do it.
How do you post to an iframe?
You might use JavaScript (Ajax) to communicate with your server; that way it will continue using the same html file.
Another way is to rename your html file to a .php extension and work on this file.
Good luck!