40 replies to this topic

[manager]

I use this "form setup" on all my websites it has served me very well.
It does not show the email address, making it vulnerable to spanbots. Just make the few changes and upload the 2 files to your server.

First up here is the form:

<form id="form" method="post" action="email.php">

        <table width="100%" border="0" cellspacing="0" cellpadding="0">

          <tr> 

            <td width="55%" height="25">Your Name</td>

          </tr>

          <tr> 

            <td><input type="text" name="Name" value="<?php echo $Name; ?>" />

            </td>

          </tr>

          <tr> 

            <td height="24">Your Email</td>

          </tr>

          <tr> 

            <td><input type="text" name="Email" value="<?php echo $Email; ?>" />

            </td>

          </tr>

          <tr> 

            <td height="25">Comments and/or Questions</td>

          </tr>

          <tr> 

            <td><textarea name="Comments" rows="5" cols="32"><?php echo $Comments; ?></textarea>

            </td>

          </tr>

        </table>

        <p> <!-- you can create custom error or success pages, otherwise remove the domain name for below-->

          <input type="submit" name="Submit" value="Submit" />

          <input type="reset" name="Reset" value="Clear Form" />

          <input type="hidden" name="subject" value="website email" />

          <input type="hidden" name="required_fields" value="Name,Comments" />

          <input type="hidden" name="required_email_fields" value="Email" />

          <input type="hidden" name="recipient_group" value="0" />

          <input type="hidden" name="error_page" value="http://www.yourdomain.co.uk/error.php" />

          <input type="hidden" name="thanks_page" value="http://www.yourdomain.co.uk/thanks.php" />

          <input type="hidden" name="send_copy" value="no" />

          <input type="hidden" name="copy_subject" value="Thanks for your Email" />

          <input type="hidden" name="copy_tomail_field" value="Email" />

          <input type="hidden" name="mail_type" value="vert_table" />

          <input type="hidden" name="mail_priority" value="3" />

          <input type="hidden" name="reply_to_field" value="Email" />

          <input type="hidden" name="return_ip" value="1" />

        </p>

      </form>

no configuration here apart from specifying the success ans error pages.

Now for the php processor:

<?php

// configuration you only neeed two changes 

	$tomail[0]="you@yourdomain.co.uk";//change this to your email address

	$cc_tomail[0]="";

	$bcc_tomail[0]="";

	$tomail[1]="";

	$cc_tomail[1]="";

	$bcc_tomail[1]="";

	$tomail[2]="";

	$cc_tomail[2]="";

	$bcc_tomail[2]="";

	$check_referrer=1;

	$referring_domains="http://yourdomain.co.uk/,http://www.yourdomain.co.uk/"; //change this in the same format

// Error and Success Page Variables

	$error_page_title="Error - Missed Fields";

	$error_page_text="Please use your browser's back button to return to the form and complete the required fields.";

	$thanks_page_title="Message Sent";

	$thanks_page_text="Thank you for your inquiry";



//don't change anything below this-----------------------------------------------

ob_start();

$required_fields=$_POST["required_fields"];

$required_email_fields=$_POST["required_email_fields"];

$recipients=$_POST["recipient_group"];

$error_page=$_POST["error_page"];

$thanks_page=$_POST["thanks_page"];

$subject=$_POST["subject"];

$send_copy=$_POST["send_copy"];

$copy_subject=$_POST["copy_subject"];

$copy_tomail_field=$_POST["copy_tomail_field"];

$mail_type=$_POST["mail_type"];

$mail_priority=$_POST["mail_priority"];

$return_ip=$_POST["return_ip"];

if($_POST["Submit"]=="Submit")

{

	if($check_referrer==1)

	{

  $ref_check=preg_split('/,/',$referring_domains);

  $ref_run=sizeof($ref_check);

  $referer=$_SERVER['HTTP_REFERER'];

  $domain_chk="no";

  for($i=0;$i<$ref_run;$i++)

  {

  	$cur_domain=$ref_check[$i];

  	if(stristr($referer,$cur_domain)){$domain_chk="yes";}

  }

	}

	else

	{

  $domain_chk="yes";

	}

	if($domain_chk=="yes")

	{

  $mail="yes";

  $req_check=preg_split('/,/',$required_fields);

  $req_run=sizeof($req_check);

  $error_message="";

  for($i=0;$i<$req_run;$i++)

  {

  	$cur_field_name=$req_check[$i];

  	$cur_field=$_POST[$cur_field_name];

  	if($cur_field=="")

  	{

    $error_message=$error_message."You are missing the ".$req_check[$i]." field<br />";

    $mail="no";

  	}

  }

  $email_check=preg_split('/,/',$required_email_fields);

  $email_run=sizeof($email_check);

  for($i=0;$i<$email_run;$i++)

  {

  	$cur_email_name=$email_check[$i];

  	$cur_email=$_POST[$cur_email_name];

  	if($cur_email=="" || !eregi("^[_.0-9a-z-]+@([0-9a-z][0-9a-z-]+.)+[a-z]{2,6}$",$cur_email))

  	{

    $error_message=$error_message."You are missing the ".$email_check[$i]." field or the email is not a valid email address.<br />";

    $mail="no";

  	}

  }

  if($mail=="yes")

  {

  	if(getenv(HTTP_X_FORWARDED_FOR))

  	{$user_ip=getenv("HTTP_X_FORWARDED_FOR");}

  	else

  	{$user_ip=getenv("REMOTE_ADDR");}

  	if($mail_type=="vert_table")

  	{

    $message="<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">

      	<html>

      	<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head>

      	<body>

      	<table cellpadding="2" cellspacing="0" border="0" width="600">n";

    foreach($_POST as $key=>$value)

    {

    	$value=stripslashes($value);

    	$value=preg_replace("/(http://+.[^s]+)/i",'<a href="1">1</a>', $value);

    	$value=nl2br($value);

    	if($key != "Submit" && $key != "subject" && $key != "required_fields" && $key != "required_email_fields" && $key != "recipient_group" && $key != "error_page" && $key != "thanks_page" && $key != "send_copy" && $key != "copy_subject" && $key != "copy_tomail_field" && $key != "mail_type" && $key != "mail_priority" && $key != "return_ip")

    	{

      $message=$message."<tr>n<td align="left" valign="top" style="white-space:nowrap;"><b>".$key."</b></td>n<td align="left" valign="top" width="100%">".$value."</td></tr>";

    	}

    }

    if($return_ip==1)

    {

    	$message=$message."<tr>n<td align="left" valign="top" style="white-space:nowrap;"><b>Sender IP</b></td>n<td align="left" valign="top" width="100%">".$user_ip."</td></tr>";

    }

    $message=$message."n</table></body></html>";

  	}

  	else if($mail_type=="horz_table")

  	{

    $message="<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">

      	<html>

      	<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head>

      	<body>

      	<table cellpadding="2" cellspacing="0" border="1">n

      	<tr>";

    foreach($_POST as $key=>$value)

    {

    	if($key != "Submit" && $key != "subject" && $key != "required_fields" && $key != "required_email_fields" && $key != "recipient_group" && $key != "error_page" && $key != "thanks_page" && $key != "send_copy" && $key != "copy_subject" && $key != "copy_tomail_field" && $key != "mail_type" && $key != "mail_priority" && $key != "return_ip")

    	{

      $message=$message."n<td align="left" valign="top" style="white-space:nowrap;"><b>".$key."</b></td>";

    	}

    }

    if($return_ip==1)

    {

    	$message=$message."<td align="left" valign="top" style="white-space:nowrap;"><b>Sender IP</b></td>";

    }

    $message=$message."</tr>n<tr>n";

    foreach($_POST as $key=>$value)

    {

    	$value=stripslashes($value);

    	$value=preg_replace("/(http://+.[^s]+)/i",'<a href="1">1</a>', $value);

    	$value=nl2br($value);

    	if($key != "Submit" && $key != "subject" && $key != "required_fields" && $key != "required_email_fields" && $key != "recipient_group" && $key != "error_page" && $key != "thanks_page" && $key != "send_copy" && $key != "copy_subject" && $key != "copy_tomail_field" && $key != "mail_type" && $key != "mail_priority" && $key != "return_ip")

    	{

      $message=$message."n<td align="left" valign="top" style="white-space:nowrap;">".$value."</td>";

    	}

    }

    if($return_ip==1)

    {

    	$message=$message."<td align="left" valign="top" style="white-space:nowrap;">".$user_ip."</td>";

    }

    $message=$message."n</tr>n</table></body></html>";

  	}

  	else

  	{

    $message="Form Results";

    foreach($_POST as $key=>$value)

    {

    	$value=stripslashes($value);

    	$value=nl2br($value);

    	if($key != "Submit" && $key != "subject" && $key != "required_fields" && $key != "required_email_fields" && $key != "recipient_group" && $key != "error_page" && $key != "thanks_page" && $key != "send_copy" && $key != "copy_subject" && $key != "copy_tomail_field" && $key != "mail_type" && $key != "mail_priority" && $key != "return_ip")

    	{

      $message=$message."n".$key.": ".$value;

    	}

    }

    if($return_ip==1)

    {

    	$message=$message."Sender IP: ".$user_ip;

    }

  	}

  	$extra="From: ".$_POST[$reply_to_field]."n";

  	$extra.="X-Priority: $mail_priorityn";

  	$cc_tomail=$cc_tomail[$recipients];

  	$bcc_tomail=$bcc_tomail[$recipients];

  	if($cc_tomail!="")

  	{

    $extra.="Cc: $cc_tomail;n";

  	}

  	if($bcc_tomail!="")

  	{

    $extra.="Bcc: $bcc_tomail[$recipients]n";

  	} 

  	if($mail_type=="horz_table" || $mail_type=="vert_table")

  	{

    $extra.="MIME-Version: 1.0nContent-type: text/html; charset=iso-8859-1n";

  	}

  	$subject=$_POST["subject"];

  	$tomail=$tomail[$recipients];

  	mail ("$tomail", "$subject", "$message", "$extra");

  	if($send_copy=="yes")

  	{

    $copy_extra="From: $Name<$Email>nX-Priority: $mail_priorityn";

    if($mail_type=="horz_table" || $mail_type=="vert_table")

    {

    	$copy_extra.="MIME-Version: 1.0nContent-type: text/html; charset=iso-8859-1n";

    }

    $copy_address=$_POST[$copy_tomail_field];

    mail ("$copy_address", "$copy_subject", "$message", "$copy_extra");

  	}

  	if($thanks_page=="")

  	{

    echo "<p>$thanks_page_title</p>";

    echo "<p>$thanks_page_text</p>";

  	}

  	else

  	{

    ob_end_clean();

    $redirect="Location: ".$thanks_page;

    header($redirect);

  	}

  }

  else

  {

  	if($error_page=="")

  	{

    echo "<p>$error_page_title</p>";

    echo $error_message;

    echo "<p>$error_page_text</p>";

  	}

  	else

  	{

    ob_end_clean();

    $redirect="Location: ".$error_page;

    header($redirect);

  	}

  }

	}

	else

	{

  echo "<p>Sorry, mailing request came from an unauthorized domain.</p>";

	}

}

else

{

	echo "<p>Error</p>";

	echo "<p>No form data has been sent to the script</p>";

}

ob_end_flush();

?>

Hope this helps yall who have trouble with php forms.

TreV

[usability_guy]

ohhhh!
Tx Trev for the detailed answer.
I will try and test it.
I never worked on php earlier
you always do something for the first time.
So if at all i'll working on php more or less, I 'll give a good credit to You...
(I didn't test this script yet, I'll come back after a while to let u know if worked)

Rams..

[manager]

usability_guy,

If your'e gonna use this code:

call the php form processor email.php


to check if your server supports php just create a file and insert the following

<?php phpinfo(); ?>

save this file as info.php and upload it to your server.

browse to the file you created: eg http://www.domainxyz.com/info.php

I never worked on php earlier 
you always do something for the first time. 
So if at all i'll working on php more or less, I 'll give a good credit to You

I didn't write the php processor, I merely adapted and extended it. I wish I could remember the authors' name to give credit where it is due. I just wanted to share a reasonably safe and powerful form.
TreV

[usability_guy]

Humm, Its gives the error as,
Fatal error: Call to undefined function: mail() in /home/www/sites/123bingo.com/htdocs/network/email.php on line 180

Let me put the email.pho file here:-
<?php
// configuration you only neeed two changes
$tomail[0]="grafix_dzyner@yahoo.com";//change this to your email address
$cc_tomail[0]="";
$bcc_tomail[0]="";
$tomail[1]="";
$cc_tomail[1]="";
$bcc_tomail[1]="";
$tomail[2]="";
$cc_tomail[2]="";
$bcc_tomail[2]="";
$check_referrer=1;
$referring_domains="http://www.123bingo.com/,http://www.123bingo.com/"; //change this in the same format
// Error and Success Page Variables
$error_page_title="Error - Missed Fields";
$error_page_text="Please use your browser's back button to return to the form and complete the required fields.";
$thanks_page_title="Message Sent";
$thanks_page_text="Thank you for your inquiry";

//don't change anything below this-----------------------------------------------
ob_start();
$required_fields=$_POST["required_fields"];
$required_email_fields=$_POST["required_email_fields"];
$recipients=$_POST["recipient_group"];
$error_page=$_POST["error_page"];
$thanks_page=$_POST["thanks_page"];
$subject=$_POST["subject"];
$send_copy=$_POST["send_copy"];
$copy_subject=$_POST["copy_subject"];
$copy_tomail_field=$_POST["copy_tomail_field"];
$mail_type=$_POST["mail_type"];
$mail_priority=$_POST["mail_priority"];
$return_ip=$_POST["return_ip"];
if($_POST["Submit"]=="Submit")
{
if($check_referrer==1)
{
$ref_check=preg_split('/,/',$referring_domains);
$ref_run=sizeof($ref_check);
$referer=$_SERVER['HTTP_REFERER'];
$domain_chk="no";
for($i=0;$i<$ref_run;$i++)
{
$cur_domain=$ref_check[$i];
if(stristr($referer,$cur_domain)){$domain_chk="yes";}
}
}
else
{
$domain_chk="yes";
}
if($domain_chk=="yes")
{
$mail="yes";
$req_check=preg_split('/,/',$required_fields);
$req_run=sizeof($req_check);
$error_message="";
for($i=0;$i<$req_run;$i++)
{
$cur_field_name=$req_check[$i];
$cur_field=$_POST[$cur_field_name];
if($cur_field=="")
{
$error_message=$error_message."You are missing the ".$req_check[$i]." field<br />";
$mail="no";
}
}
$email_check=preg_split('/,/',$required_email_fields);
$email_run=sizeof($email_check);
for($i=0;$i<$email_run;$i++)
{
$cur_email_name=$email_check[$i];
$cur_email=$_POST[$cur_email_name];
if($cur_email=="" || !eregi("^[_.0-9a-z-]+@([0-9a-z][0-9a-z-]+.)+[a-z]{2,6}$",$cur_email))
{
$error_message=$error_message."You are missing the ".$email_check[$i]." field or the email is not a valid email address.<br />";
$mail="no";
}
}
if($mail=="yes")
{
if(getenv(HTTP_X_FORWARDED_FOR))
{$user_ip=getenv("HTTP_X_FORWARDED_FOR");}
else
{$user_ip=getenv("REMOTE_ADDR");}
if($mail_type=="vert_table")
{
$message="<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head>
<body>
<table cellpadding="2" cellspacing="0" border="0" width="600">n";
foreach($_POST as $key=>$value)
{
$value=stripslashes($value);
$value=preg_replace("/(http://+.[^s]+)/i",'<a href="1">1</a>', $value);
$value=nl2br($value);
if($key != "Submit" && $key != "subject" && $key != "required_fields" && $key != "required_email_fields" && $key != "recipient_group" && $key != "error_page" && $key != "thanks_page" && $key != "send_copy" && $key != "copy_subject" && $key != "copy_tomail_field" && $key != "mail_type" && $key != "mail_priority" && $key != "return_ip")
{
$message=$message."<tr>n<td align="left" valign="top" style="white-space:nowrap;"><b>".$key."</b></td>n<td align="left" valign="top" width="100%">".$value."</td></tr>";
}
}
if($return_ip==1)
{
$message=$message."<tr>n<td align="left" valign="top" style="white-space:nowrap;"><b>Sender IP</b></td>n<td align="left" valign="top" width="100%">".$user_ip."</td></tr>";
}
$message=$message."n</table></body></html>";
}
else if($mail_type=="horz_table")
{
$message="<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head>
<body>
<table cellpadding="2" cellspacing="0" border="1">n
<tr>";
foreach($_POST as $key=>$value)
{
if($key != "Submit" && $key != "subject" && $key != "required_fields" && $key != "required_email_fields" && $key != "recipient_group" && $key != "error_page" && $key != "thanks_page" && $key != "send_copy" && $key != "copy_subject" && $key != "copy_tomail_field" && $key != "mail_type" && $key != "mail_priority" && $key != "return_ip")
{
$message=$message."n<td align="left" valign="top" style="white-space:nowrap;"><b>".$key."</b></td>";
}
}
if($return_ip==1)
{
$message=$message."<td align="left" valign="top" style="white-space:nowrap;"><b>Sender IP</b></td>";
}
$message=$message."</tr>n<tr>n";
foreach($_POST as $key=>$value)
{
$value=stripslashes($value);
$value=preg_replace("/(http://+.[^s]+)/i",'<a href="1">1</a>', $value);
$value=nl2br($value);
if($key != "Submit" && $key != "subject" && $key != "required_fields" && $key != "required_email_fields" && $key != "recipient_group" && $key != "error_page" && $key != "thanks_page" && $key != "send_copy" && $key != "copy_subject" && $key != "copy_tomail_field" && $key != "mail_type" && $key != "mail_priority" && $key != "return_ip")
{
$message=$message."n<td align="left" valign="top" style="white-space:nowrap;">".$value."</td>";
}
}
if($return_ip==1)
{
$message=$message."<td align="left" valign="top" style="white-space:nowrap;">".$user_ip."</td>";
}
$message=$message."n</tr>n</table></body></html>";
}
else
{
$message="Form Results";
foreach($_POST as $key=>$value)
{
$value=stripslashes($value);
$value=nl2br($value);
if($key != "Submit" && $key != "subject" && $key != "required_fields" && $key != "required_email_fields" && $key != "recipient_group" && $key != "error_page" && $key != "thanks_page" && $key != "send_copy" && $key != "copy_subject" && $key != "copy_tomail_field" && $key != "mail_type" && $key != "mail_priority" && $key != "return_ip")
{
$message=$message."n".$key.": ".$value;
}
}
if($return_ip==1)
{
$message=$message."Sender IP: ".$user_ip;
}
}
$extra="From: ".$_POST[$reply_to_field]."n";
$extra.="X-Priority: $mail_priorityn";
$cc_tomail=$cc_tomail[$recipients];
$bcc_tomail=$bcc_tomail[$recipients];
if($cc_tomail!="")
{
$extra.="Cc: $cc_tomail;n";
}
if($bcc_tomail!="")
{
$extra.="Bcc: $bcc_tomail[$recipients]n";
}
if($mail_type=="horz_table" || $mail_type=="vert_table")
{
$extra.="MIME-Version: 1.0nContent-type: text/html; charset=iso-8859-1n";
}
$subject=$_POST["subject"];
$tomail=$tomail[$recipients];
mail ("$tomail", "$subject", "$message", "$extra");
if($send_copy=="yes")
{
$copy_extra="From: $Name<$Email>nX-Priority: $mail_priorityn";
if($mail_type=="horz_table" || $mail_type=="vert_table")
{
$copy_extra.="MIME-Version: 1.0nContent-type: text/html; charset=iso-8859-1n";
}
$copy_address=$_POST[$copy_tomail_field];
mail ("$copy_address", "$copy_subject", "$message", "$copy_extra");
}
if($thanks_page=="")
{
echo "<p>$thanks_page_title</p>";
echo "<p>$thanks_page_text</p>";
}
else
{
ob_end_clean();
$redirect="Location: ".$thanks_page;
header($redirect);
}
}
else
{
if($error_page=="")
{
echo "<p>$error_page_title</p>";
echo $error_message;
echo "<p>$error_page_text</p>";
}
else
{
ob_end_clean();
$redirect="Location: ".$error_page;
header($redirect);
}
}
}
else
{
echo "<p>Sorry, mailing request came from an unauthorized domain.</p>";
}
}
else
{
echo "<p>Error</p>";
echo "<p>No form data has been sent to the script</p>";
}
ob_end_flush();
?>


and feedback_form.php as

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<link href="styles.css" rel="stylesheet" type="text/css">
<head>
</head>
<body>
<table width="450" border="0" align="center" cellpadding="1" cellspacing="0" bgcolor="#333333">
<tr>
<td><table width="450" border="0" align="center" cellpadding="5" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td align="center"><img src="../images/network_sites.jpg" width="451" height="102"></td>
</tr>
<tr>
<td height="1" bgcolor="#000000"></td>
</tr>
<tr>
<td align="center" class="titulo">Player's Feedback </td>
</tr>
<tr>
<td class="text">
<form id="form" method="post" action="email.php">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="55%" height="25" class="text">Your Name</td>
</tr>
<tr>
<td><input type="text" name="Name" value="<?php echo $Name; ?>" />
</td>
</tr>
<tr>
<td height="24" class="text">Your Email</td>
</tr>
<tr>
<td><input type="text" name="Email" value="<?php echo $Email; ?>" />
</td>
</tr>
<tr>
<td height="25" class="text">Comments and/or Questions</td>
</tr>
<tr>
<td><textarea name="Comments" rows="5" cols="32"><?php echo $Comments; ?></textarea>
</td>
</tr>
</table>
<p> <!-- you can create custom error or success pages, otherwise remove the domain name for below-->

<input type="submit" name="Submit" value="Submit" />
<input type="reset" name="Reset" value="Clear Form" />
<input type="hidden" name="subject" value="website email" />
<input type="hidden" name="required_fields" value="Name,Comments" />
<input type="hidden" name="required_email_fields" value="Email" />
<input type="hidden" name="recipient_group" value="0" />
<input type="hidden" name="error_page" value="http://www.123bingo.com/network/error.php" />
<input type="hidden" name="thanks_page" value="http://www.123bingo.com/network/thanks.php" />
<input type="hidden" name="send_copy" value="no" />
<input type="hidden" name="copy_subject" value="Thanks for your Email" />
<input type="hidden" name="copy_tomail_field" value="Email" />
<input type="hidden" name="mail_type" value="vert_table" />
<input type="hidden" name="mail_priority" value="3" />
<input type="hidden" name="reply_to_field" value="Email" />
<input type="hidden" name="return_ip" value="1" />
</p>

</form></td>
</tr>
</table></td>
</tr>
</table>
</body>
</html>


I have two files as trhanks.php ans error.php
(I have php server)

How do I Do This!!

[manager]

HI,

I’ve tested this all is ok; I have altered the top bit of the email.php specifically for you. I noticed you had added a spare www to the referring domains.


// recipient configuration
$tomail[0]=" grafix_dzyner@yahoo.cohm ";
$cc_tomail[0]="";
$bcc_tomail[0]="";
$tomail[1]="";
$cc_tomail[1]="";
$bcc_tomail[1]="";
$tomail[2]="";
$cc_tomail[2]="";
$bcc_tomail[2]="";
// General Variables
$check_referrer=1;
$referring_domains="http://123bingo.com/,http://www. 123bingo.com /";
// Default Error and Success Page Variables
$error_page_title="Error - Missed Fields";
$error_page_text="Please use your browser's back button to return to the form and complete the required fields.";
$thanks_page_title="Message Sent";
$thanks_page_text="Thank you for your inquiry";


If you still have probs try using an email address with no underscore in it.
Maybe the mail function is not available to you to use.
TreV

[usability_guy]

Quote:-(Maybe the mail function is not available to you to use. )

Ya that is the problem it seems at the moment.
We need to setup the mail server.
So again this task is in the "to do" list
TYVM

Rams..........................

[Minna]

This seems to work and there isn't too many unnecessary features to weed out. Thanks.

[Dr_Livingston]

No!!

This is just about the worst kind of script that you could use :eek: First of all, there is absolutely no validation against the users inputs. For all you know, they could easily inject any kind of script for your server to process via this form.

Deadly. Secondly you are mixing PHP with HTML, which is a serious lack of software design methodologies. You could be forgiven for this, since the script and form are simple and the responsibility is self contained, but the first mistake?

Nope, in todays world you really need to prepare yourself (and others who are going to use your script) from hackers and teeny bopping script kiddies. Security is the number one concern and issue for web development, no matter what the scale is, and the task of securing your web site is never finished.

It's a never ending process of preventitive measures

[Minna]

Nope, in todays world you really need to prepare yourself (and others who are going to use your script) from hackers and teeny bopping script kiddies.

Sigh .... So one should do what?

[TheManBehindTheCurtain]

Here's a detailed and fascinating article on preventing SQL injection attacks. Although the server-side language is ASP, the general principles are very much the same:

http://www.sitepoint...on-attacks-safe

Although SQL injection attacks are the most commonly talked about, hackers also try submitting Javascript and actual server-side code into your form fields as well. Some are malicious, some are just idle miscreants, and some of course are thieves.

Some good prophylaxis is to pre-process form input to strip special characters that can't possibly be meaningful inside a form field but could be used within script languages: * = + - ( ) etc. The article above also mentions escaping characters such as a single quote, which could be a meaningful part of a submission but which is also a frequently used character in injection attacks. Restrict the length of fields to a minimum to provide less opportunity for injection of lengthy scripts. Surely some of the forum folks know of some good sites with best practices for hardening forms?

Although I think Dr. Livingston was a bit harsh, he's got a point, especially when you consider that the hidden fields in the HTML source provide an excellent roadmap into the properties that are being manipulated by the serverside script. Back mumblty-mumble years ago our gang used to get white papers from competitors without filling out registrations forms because we viewed the source, found the url to the download page, and just went there straight. (In an ironic turn of events, we later merged with one of those companies. I eventually wound up managing a combined site that had that source code, and it took us a couple of years to weed it all out. What goes around comes around.) Anyway, as a general principle, all business logic and details ought to be inside the firewall. The source reveals way, way too much about the application behind it.

I think in all fairness you have to say that form applications are one of the hardest to cleanly divide between content and functionality, especially when a single application must filter fields based on context, campaign, or whatever, and when you start doing a really good job of server-side validations. If you don't need to write a mammoth form application, one modest first step is simply to pull out the HTML chunks and load them into variables that are then referenced inside the script itself. Put all these variables into a single section and it makes it much easier to spot the repetitive bits that can be re-used.

And also in fairness I think we should note that gadzillions of sites still use script like this, and it's great of manager to help colleagues. With a little extra work, this is the start of useful learning experience. The amount of exposure and risk varies greatly depending on your server environment. In general, thieves and hackers are after big fish, and most of us are not big fish. Probably the most common exploit is hijack a mail server to use for spam. Point being, many of us can probably get away with something like this and never suffer any harm. Just like you can live without health insurance. It's the kind of thing, though, that it's too late to go out and get after you've gotten infected.

[manager]

Hi, to Dr Livingston, Frank and Minna

Thanks for your useful comments

It was my intention to share a script; that was much better than “the worse” examples around. This would mainly be used on remotely hosted sites. Where the Webmaster has no access to the server’s smtp, and the server’s php ini file. Several factors in the “remotely hosted environment” can have a bearing on the security of scripts.

The main features of this simple script are as follows:

This script checks to see if the request comes for your domain, this is supposed to prevent people from copying your “form code”, uploading it to their domain and pointing to your mail script.

Hides your email address from “bots” which harvest emails.

Sends the visitors ip address to you

In addition this script attempts to check the validity of the email address, and whether required fields are left empty. It’s also easy to add customised error or success pages.


To Frank: Thanks for your kind words. This script has no connection to a database, yet you say it’s vulnerable to sql injection attacks. How do we address this issue?

Could I just use regex with say preg replace to eliminate / replace words like INSERT DROP, DELETE, SHOW, FROM, and WHERE.

Many of the hidden fields values are unnecessary. If I stripped it to its “bare essentials”, will it still provide a road map for naughty people?


To Dr Livingstone,
Can you please “paste us in” your secure alternative script/ or method? Then my objective will be achieved (sharing a nice form)

Deadly. Secondly you are mixing PHP with HTML, which is a serious lack of software design methodologies.

Is this just in the context of php forms, or generally? Looking forward to hearing more on this...........

TreV

[TheManBehindTheCurtain]

Hi manager ...

Sorry if it sounded like I was saying the script was vulnerable to SQL injection attacks specifically. I was just giving that as example. That particular essay is a favorite of mine - it shows you some of the techniques that hackers employ to use entry fields to get deeper inside your system, in ways that are quite remarkable and, one must admit, clever. It's worth a read just for the level of insight. Later I mentioned that other methods of attack include injecting JavaScript (in case the server executes server-side JS) and also native script as well. Go googling for "php injection attack" and you'll find eye-opening stuff.

It would be interesting to hear to what extent other folks on the forums harden their forms against hacking. I bet many of us know the best practice and yet don't always follow it when time is short and the scope of the form we are doing is limited. I plead guilty (with "extenuating circumstances"!) myself.

What would be great is to see this form evolve with a few hardening routines. It would be very instructive to see it taken to the next level. I'd love to hear what other programmers on the forum do in this regard.

[Dr_Livingston]

Well, I can't share any script due to contractual obligations, but what I can do is help spread some experience and I'll get back to you on that once I have some time.

Is this just in the context of php forms, or generally?

I'd say in general terms, you need to separate your PHP from your HTML. For example, if you have PHP in a HTML template, and your web designer makes changes, they could in all probability, mess up your PHP and thus introduce all sorts of problems?

That is one example. What I do is to have placeholders in the HTML template, which are replaced at runtime by other HTML fragments via the Composite View design pattern. Each Composite represents a part of the page, and is responsible in generating the content of it's HTML fragment.

For a better understanding of this, and what I am talking about, you may want to check out www.sitepointforums.com, under the PHP Application Design sub-forum? Search for the term 'MVC', find out more about this, read up on it and you'll have a far better methodology to developing server-side.

MVC stands for Model, View and Controller, and it works like this:

Model

This is where the business logic goes, for example you want to check if someone is who they say they are when they attempt to log in? You need to verify their username/email and their password against your database records, so this is where this happens.

It's said to be business logic.

View

This is how you represent your data to the user, typically it's a web page in our case via a browser. The View takes the Model data, and places it into the HTML template. How it does this is up to you the developer, there are countless methods of doing this.

You also have what is called Presentational Logic, such as for example this would be when you have a negative number, and you need to show it as red, and not black as in an on-line bank statement? Another example of Presentational Logic, is having alternating coloured rows...

Controller

This is what decided what action to take based on what the user requested to do. So the user clicks a link or button? The Controller is the first place everything starts from. The Controller decides which Model(s) to use, and how they should be used, and passes these Model(s) to the View.

You have a FORM and it's submitted? The Controller handles the processing of the FORM, from validating the user inputs, to passing the validated inputs to the Model layer, ready to be inserted into your database for example.

The Controller handles sending an email if that is required as well for example?

Hope this gives you a few clues, but when I'm talking about MVC (or anyother design pattern), I'm talking in terms of object oriented programming, and not (as shown in the examples you've posted) procedural programming, which may be a hinderance to you?

That is not to say that you can't use MVC with procedural programming, it just means that the implementation is going to be different, that's all

[DaveChild]

Deadly. Secondly you are mixing PHP with HTML, which is a serious lack of software design methodologies. You could be forgiven for this, since the script and form are simple and the responsibility is self contained, but the first mistake?

That's not quite as bad as many people think. PHP is intended to be used in exactly this fashion. It is a feature of the language, and while it goes against traditional software design methodologies (e.g. MVC), it is still a perfectly valid way to do things in PHP. It's not the best way to do things, by any means, but for many it is the only way.

One major problem with the above (aside from it being a perfect spam relay) is the referrer check. First, anyone wanting to manipulate the form could easily spoof the referrer. Second, plenty of people have their referrer field intentionally hidden. This script may prevent normal users from emailing you (which is completely unacceptable in any serious site).

[aboyd]

Sigh .... So one should do what?

There is a thread here on Cre8asite that discusses ways to stop bad data from killing your server:

http://www.cre8asite...der=asc&start=0

What's interesting is, almost everyone posting that thread is also posting here now. So I think you guys have seen a lot of example code for how to clean up data. Now it's just time to put it into practice!

-Tony

[Dr_Livingston]

PHP is intended to be used in exactly this fashion.

True. Sometimes I forget that I am scripting large and at times complex applications for office networks...

In that event you do need to be using large scale methodologies and best practices, to not only offer better software to your clients, but also, so that other developers can see how the software it's self, expresses it's self.

If on the other hand you have a typical web site with small to medium growth you could in an average, get away with 'spagetti' code, as it's known. That solves the prolem short to medium term, but long term with sustained growth, content or otherwise, you are going to be faced with a seriously major overhaul of the entire website.

I've been there, and it's frightening :eek:

[aboyd]

By the way, if y'all want to see an ingenious hacking attempt and how it was done, check out the third comment down (by thomas at nospam dot deliduka dot com) on this page:

http://www.php.net/mail

I haven't yet tried to duplicate his problem, to see if my addslashes/htmlspecialchars methodology will prevent the badness he found.

I hate black hats, but I admire their smartness.

-Tony

[manager]

Folks:
I have now significantly modified the original script, taking on board all constructive comments made here, and recommendations on the “php.net link”, posted by Tony.

I feel that now I have relatively secure script, as I have failed to replicate several exploits.

I my opinion, this post has nothing to do with the scale or complexity of the application. Whether you take an OOP/procedural approach to this problem is completely irrelevant. That is to say, that if you haven’t got the appropriate “validation functions” in your class, you’re just as vulnerable.

To “high fliers” with superior knowledge of php: Telling us what’s wrong with the script is great! but it would be even better, if you could post code samples illustrating possible solutions .

TreV

[Scratch]

Great, manager! Please would you post it up?

[manager]

I’m not ready for another mauling!

On a serious note, I wanted to post my new code straight away, but concluded that I could not, for commercial reasons.

TreV