PHP Form Script - Not forwarding form information to email...

nd.walleye42

Was wondering if someone could please look this over and help me out. I know nothing about PHP and I'm not sure why this isn't forwarding my form submissions to my email.

PHP:
<?php
if(isset($_POST['email'])) {
     
    // EDIT THE 2 LINES BELOW AS REQUIRED
    $email_to = "***@***.com";
    $email_subject = "GRAPHIC_FLAW Forum Email";
     
     
    function died($error) {
        // your error code can go here
        echo "We are very sorry, but there were error(s) found with the form you submitted. ";
        echo "These errors appear below.<br /><br />";
        echo $error."<br /><br />";
        echo "Please go back and fix these errors.<br /><br />";
        die();
    }
     
    // validation expected data exists
    if(!isset($_POST['first_name']) ||
        !isset($_POST['last_name']) ||
        !isset($_POST['email']) ||
        !isset($_POST['telephone']) ||
        !isset($_POST['comments'])) {
        died('We are sorry, but there appears to be a problem with the form you submitted.');      
    }
     
    $first_name = $_POST['first_name']; // required
    $last_name = $_POST['last_name']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required
    $comments = $_POST['comments']; // required
     
    $error_message = "";
    $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
  if(!preg_match($email_exp,$email_from)) {
    $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
  }
    $string_exp = "/^[A-Za-z .'-]+$/";
  if(!preg_match($string_exp,$first_name)) {
    $error_message .= 'The First Name you entered does not appear to be valid.<br />';
  }
  if(!preg_match($string_exp,$last_name)) {
    $error_message .= 'The Last Name you entered does not appear to be valid.<br />';
  }
  if(strlen($comments) < 2) {
    $error_message .= 'The Comments you entered do not appear to be valid.<br />';
  }
  if(strlen($error_message) > 0) {
    died($error_message);
  }
    $email_message = "Form details below.\n\n";
     
    function clean_string($string) {
      $bad = array("content-type","bcc:","to:","cc:","href");
      return str_replace($bad,"",$string);
    }
     
    $email_message .= "First Name: ".clean_string($first_name)."\n";
    $email_message .= "Last Name: ".clean_string($last_name)."\n";
    $email_message .= "Email: ".clean_string($email_from)."\n";
    $email_message .= "Telephone: ".clean_string($telephone)."\n";
    $email_message .= "Comments: ".clean_string($comments)."\n";
     
     
// create email headers
$headers = 'From: '.$email_from."\r\n".
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();
@mail($email_to, $email_subject, $email_message, $headers); 
?>
 
<!-- include your own success html here -->
 
Thank you for contacting us. We will be in touch with you very soon.
 
<?php
}
?>


---------- Post added at 05:08 AM ---------- Previous post was at 05:07 AM ----------

Also! :) Instead of having a generic message on a page, how would I redirect to a HTML file, or have a timed redirect through the PHP script.
 

essellar

You are not allowed to send email with forged headers from your web site on Free Hosting -- people use that for spam and email phishing, so it's disabled for security reasons. That means you can't set the From header to any address that is not associated with your hosting account, so the whole notion of having people email you from your web site via a contact form for easy reply is going to have to be abandoned.

You can have your users save their information to your site and send yourself (or your team) a notification email with a link to the entry and reply from there, or you can send the email to yourself from your web site using an email address that's on your domain, but then you'll have to use a forward action rather than simply reply.
 

misson

Setting "Reply-To" to a non-local address may not cause e-mail to be dropped. Try using a local e-mail address for "From:" and the visitor's address for "Reply-To".

Instead of having a generic message on a page, how would I redirect to a HTML file, or have a timed redirect through the PHP script.

Use the header function to set an HTTP Location header.

PHP:
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') {
    $scheme = 'https';
} else {
    $scheme = 'http';
}
header("Location: $scheme://$_SERVER[HTTP_HOST]/message/success");
exit; // stop the script so nothing else runs after the redirect is sent

By default, when you set a Location header, PHP will set the HTTP status to 302. If for some reason you want a different status, pass it as the second argument to header (as described in the PHP manual page).

PHP:
    function died($error) {
        ...
        die();
    }
If you use a redirect, this point becomes moot, but don't use die when outputting HTML. You'll get invalid HTML.

PHP:
    $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
  if(!preg_match($email_exp,$email_from)) {
PHP's filter extension includes a filter to validate e-mails (FILTER_VALIDATE_EMAIL). It's regex based, so isn't perfect, but it's one less thing you'll have to maintain.

PHP:
    $string_exp = "/^[A-Za-z .'-]+$/";
  if(!preg_match($string_exp,$first_name)) {
This doesn't allow for international names, such as accented letters or characters from non-Latin alphabets. To match letters, use Unicode character properties:

PHP:
    // "+" allows more than one character; the "u" modifier makes \p{L} match UTF-8 letters
    $string_exp = "/^[\p{L}\d .,'-]+$/u";

This may still block valid personal names and will pass non-names consisting of random letters (which you'll get from spambots). Make sure the error message informs users which letters are allowed. Alternatively, don't bother to filter these fields (other than perhaps for length), as it's unnecessary. There are better ways of addressing security concerns.

See also "Regular expression for validating names and surnames?"

PHP:
    function clean_string($string) {
      $bad = array("content-type","bcc:","to:","cc:","href");
      return str_replace($bad,"",$string);
    }
     
    $email_message .= "First Name: ".clean_string($first_name)."\n";
    $email_message .= "Last Name: ".clean_string($last_name)."\n";
    $email_message .= "Email: ".clean_string($email_from)."\n";
    $email_message .= "Telephone: ".clean_string($telephone)."\n";
    $email_message .= "Comments: ".clean_string($comments)."\n";

Blacklists provide less security than whitelists. However, as all the user input you're filtering is output only in the message body, only the "href" will have any positive effect on security. The only injection attacks possible in the body are those that target mail readers; SMTP injection is only possible via the headers (and the visitor's e-mail address is the only field that makes it into the headers). Passing the fields through htmlspecialchars will prevent any HTML injection, which is about the only cross-reader vulnerability you should consider addressing.

The one thing that's missing is a Turing test to prevent spam. Captchas are one possibility, though they're only somewhat effective these days. Textchas are another. Since the form is getting submitted to a person for processing, the Turing test doesn't need to be 100% effective, just enough to cut down spam to a non-annoying level.
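
The advice in the replies above, combined into one handler as an added example (not code from the thread or from any poster): a local From address, the validated visitor address only in Reply-To, the body escaped with htmlspecialchars, and a redirect instead of printed output. MAIL_TO, MAIL_FROM, the /message/error path and the helper names are assumptions; the Location value is path-only so the client-supplied Host header is never used.

```php
<?php
// Added example, not code from the thread. MAIL_TO, MAIL_FROM and the two
// redirect paths are placeholder assumptions; substitute your own values.
const MAIL_TO   = 'owner@example.com';    // mailbox that receives submissions
const MAIL_FROM = 'webform@example.com';  // local address on the hosting account

// Read one POST field as a string; array-valued or missing input becomes ''.
function field(string $name): string {
    $value = $_POST[$name] ?? '';
    return is_string($value) ? trim($value) : '';
}

// Return an address that is safe to place in a header, or null if it is not.
function header_safe_email(string $raw): ?string {
    if (preg_match('/[\r\n]/', $raw)) {   // a line break would start a new header
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Build the body; htmlspecialchars() defuses markup in HTML-rendering mail readers.
function build_body(array $fields): string {
    $body = "Form details below.\n\n";
    foreach ($fields as $label => $value) {
        $body .= $label . ': ' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "\n";
    }
    return $body;
}

// Path-only Location value, so the client-supplied Host header is never used.
function redirect_to(string $path): void {
    header('Location: ' . $path, true, 303);  // 303: fetch the target with GET
    exit;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $reply_to = header_safe_email(field('email'));
    if ($reply_to === null || strlen(field('comments')) < 2) {
        redirect_to('/message/error');
    }
    $body = build_body([
        'First Name' => field('first_name'), 'Last Name' => field('last_name'),
        'Email'      => $reply_to,           'Telephone' => field('telephone'),
        'Comments'   => field('comments'),
    ]);
    $headers = 'From: ' . MAIL_FROM . "\r\n" . 'Reply-To: ' . $reply_to . "\r\n"
             . 'Content-Type: text/plain; charset=UTF-8';
    $sent = mail(MAIL_TO, 'GRAPHIC_FLAW Forum Email', $body, $headers);
    redirect_to($sent ? '/message/success' : '/message/error');
}
```

Calling mail() without the @ prefix keeps its return value and any warning visible, so a rejected message shows up as a redirect to the error page rather than a silent success.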
 