...

View Full Version : How to point to another page for email thankyou message



mypointofview
09-06-2005, 03:31 AM
Hi all, I'm currently using this line of code in my simple email form to thank the visitor for sending me a message:


$thankyou="Thank you for writing. Your message has been sent.";
How do I change this line so that the visitor is presented with a new page?

Here's the full code which I use (field verification is done via JavaScript and input is an image):


<?php
$sendto="myname@mydomain.com";
$emailsubject="From website";
$thankyou="Thank you for writing. Your message has been sent.";

if ($submit_x) {
mail("$sendto", "$emailsubject", "Tel: $visitorPhone\r\n" . stripslashes($comments) . "", "From: $visitorName <$visitorEmail>");
echo ("$thankyou");
die();
}

?>
Thanks, Martin.

e-Raser
09-06-2005, 05:46 AM
You could just redirect them.
header("Location: thanks.php"); or use a regular meta tag.

mypointofview
09-06-2005, 07:44 AM
Thanks e-Raser and greetings to Australia :) Could you or somebody tell me how to implement this trick?

Like, where to write this, and what to replace? I tried some variations..

I tried amongst others the following, but now it shows the link as message :eek:


<?php
$sendto="myname@mydomain.com";
$emailsubject="Reply from Website";
$thankyou="http://www.mydomain.com/thanks.html";

if ($submit_x) {
mail("$sendto", "$emailsubject", "Tel: $visitorPhone\r\n" . stripslashes($comments) . "", "From: $visitorName <$visitorEmail>");
echo ("$thankyou");
die();
}

?>

Martin

Tynan
09-06-2005, 11:29 AM
What I do is make the action of the submit button a PHP page.

The PHP page, as well as generating your 'thank-you' page, also first runs the PHP to send the email and write to the database if wanted.

You can cram as much PHP as you want into it obviously.

You'll need to pass your variables across to the PHP page obviously, but that's simple stuff once you've done it.

cyphix
09-06-2005, 01:52 PM
Like this..



<?php
$sendto="myname@mydomain.com";
$emailsubject="Reply from Website";
$thankyou="http://www.mydomain.com/thanks.html";

if ($submit_x) {
mail("$sendto", "$emailsubject", "Tel: $visitorPhone\r\n" . stripslashes($comments) . "", "From: $visitorName <$visitorEmail>");
header("Location: $thankyou");
}

?>


Also some more tips..

1. I gather "$submit_x, $visitorName & $visitorEmail" are form variables; you should always reference POST variables as "$_POST['postvar']" even if a simple $postvar works. I believe in PHP5 POST variables no longer work by just referencing them as $postvar.

2. There is no need to enclose variables in double quotes unless they are occupied with any other non-variable data.

3. You should always include a new line character at the end of the "From:" field.

4. It's cleaner to format your message text (& anything else for that matter) outside of the mail() function. Makes it easier to read! ;)

Improved code..



<?php
$sendto="myname@mydomain.com";
$emailsubject="Reply from Website";
$thankyou="http://www.mydomain.com/thanks.html";
$msg = 'Tel: ' . $_POST['visitorPhone'] . "\r\n" . stripslashes($_POST['comments']);
// array elements inside a double-quoted string need {} or concatenation,
// otherwise PHP reports a parse error on this line
$from = "From: " . $_POST['visitorName'] . " <" . $_POST['visitorEmail'] . ">\r\n";

if ($_POST['submit_x']) {
mail($sendto, $emailsubject, $msg, $from);
header("Location: $thankyou");
exit; // stop here so nothing else runs or is output after the redirect
}

?>


:)

mordred
09-06-2005, 09:59 PM
Just a quick hint: The email sending code used in this thread is vulnerable to an email injection attack.
http://securephp.damonkohler.com/index.php/Email_Injection

cyphix
09-06-2005, 11:03 PM
Wow... thanks for the link! :thumbsup:

So all we would need to do really would be to do this on user submitted fields?



<?php
$from = $_POST["sender"];
// reject any header-bound value that contains a line break
// (eregi() was removed in PHP 7; preg_match() does the same job)
if (preg_match("/[\r\n]/", $from)) {
die("Why ?? :(");
}
?>


:confused:

mcdougals4all
09-06-2005, 11:54 PM
So all we would need to do really would be to do this on user submitted fields?

The example checks to see if the field contains a line break, which for most fields will indicate the attacker has tried to add extra headers.

However, line breaks in the message itself are to be expected. So using this technique on all fields would prevent legitimate messages from being delivered. I tried a different approach which so far has been successful, blocking 20+ attempts just over the weekend (after first seeing these attacks about a week ago).

I'm sure this could be improved if anyone has suggestions. For instance, I believe the email headers can also contain spaces, so it may be necessary to check for "content - type" as well as "content-type".



<?php
function email_injection_filter($formInput)
{
    $injectionStrings = array("apparently-to",
        "bcc",
        "boundary=",
        "charset",
        "content-disposition",
        "content-type",
        "content-transfer-encoding",
        "errors-to",
        "in-reply-to",
        "message-id",
        "mime-version",
        "multipart/mixed",
        "multipart/alternative",
        "multipart/related",
        "reply-to",
        "x-mailer",
        "x-sender",
        "x-uidl"
    );
    foreach ($injectionStrings as $spam)
    {
        /* case-insensitive substring search over the whole field value */
        $pos = strpos(strtolower($formInput), $spam);
        if ($pos !== false)
        {
            error_log(...) /* placeholder: supply your own log message here */
            exit("<html><title>Fatal Error</title><body><p>We're sorry, your message could not be processed due to a fatal error.</p><p>Please contact us at 1-800-xxx-xxxx.</p></body></html>");
        }
    }
}

/* run the filter over every submitted field */
foreach ($_POST as $formInput)
{
    email_injection_filter($formInput);
}
?>

cyphix
09-07-2005, 04:21 PM
Thanks for the function! :thumbsup:

Although; as for the message.. as long as you filter all other fields I think you should be fine... as


Any data to be added will always be located *after* the injection point (ex : "From").

From reading that page it seems you can't directly inject the message text so I don't think there would be a problem leaving it out of checking for new line chars & other checks.

Also, as for your header list.. shouldn't you add "To:" to it? :confused:

mcdougals4all
09-07-2005, 04:49 PM
From reading that page it seems you can't directly inject the message text.

My experience indicates otherwise. Below is the body of a message where the attacker successfully added an additional recipient and attachments.


xgjpv
--===============1300305249==-->
Reply-To: "dunnjjqzz@mydomain.com dunnjjqzz@mydomain.com" <dunnjjqzz@mydomain.com
Content-Type: multipart/mixed; boundary="===============1300305249=="
MIME-Version: 1.0
Subject: 710e7676
To: dunnjjqzz@mydomain.com
bcc: spammer@aol.com
From: dunnjjqzz@mydomain.com

This is a multi-part message in MIME format.


I left To: out of the array on the likelihood that it may occur legitimately in a message.
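The injection mordred pointed to, shown end to end as an added example (this is not code from the thread or from the linked page): the unsafe header construction the form code uses, the keyword list from the email_injection_filter() posted above reduced to a predicate, and a builder that enforces the one property that actually matters, namely that a header value is a single line. Nothing here calls mail(); it only produces the string the form hands to mail()'s fourth argument, so it runs offline with the php CLI. The addresses, the placeholder sender form@yourdomain.example and the function names are made up for the illustration.

```php
<?php
// Added example, not code from this thread. Demonstrates the header injection,
// why a keyword blacklist does not close it, and the check that does.
// Nothing here sends mail; it only builds mail()'s "additional headers" string.

// What the thread's form code does: the visitor's name and address go straight
// into a header line.
function build_headers_unsafe(string $name, string $email): string
{
    return "From: $name <$email>\r\n";
}

// The blacklist from the thread as a predicate: false means "blocked".
function blacklist_allows(string $input): bool
{
    $injectionStrings = ["apparently-to", "bcc", "boundary=", "charset",
        "content-disposition", "content-type", "content-transfer-encoding",
        "errors-to", "in-reply-to", "message-id", "mime-version", "multipart/mixed",
        "multipart/alternative", "multipart/related", "reply-to", "x-mailer",
        "x-sender", "x-uidl"];
    $lower = strtolower($input);
    foreach ($injectionStrings as $spam) {
        if (strpos($lower, $spam) !== false) {
            return false;
        }
    }
    return true;
}

// The real invariant: a header value is one line. Reject CR, LF and NUL, require a
// valid single address, and keep the visitor out of From: altogether (mail "from"
// someone else's domain fails SPF/DMARC anyway); put them in Reply-To instead.
function build_headers_safe(string $name, string $email): string
{
    if (preg_match('/[\r\n\x00]/', $name . $email)) {
        throw new InvalidArgumentException('line break in header field');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    $display = str_replace(['"', '\\'], '', $name);
    return "From: Website Form <form@yourdomain.example>\r\n"   // placeholder sender
         . "Reply-To: \"$display\" <$email>\r\n";
}

// Constructed payload: "Cc:" is not in the keyword list, and a single CRLF is exactly
// how mail() expects additional headers to be separated, so the MTA will honour it.
$payload = "attacker@example.net\r\nCc: victim1@example.org, victim2@example.org";

printf("blacklist allows the payload: %s\n", blacklist_allows($payload) ? 'yes' : 'no');
echo "--- headers mail() would receive from the unsafe builder ---\n";
echo build_headers_unsafe('Visitor', $payload);

try {
    build_headers_safe('Visitor', $payload);
} catch (InvalidArgumentException $e) {
    echo "--- safe builder rejected it: {$e->getMessage()}\n";
}

// The other half of the problem: the keyword list also blocks honest messages,
// because the thread runs it over the message body too.
$honest = "Could you bcc my colleague on the reply? Thanks.";
printf("blacklist allows an honest comment mentioning bcc: %s\n",
       blacklist_allows($honest) ? 'yes' : 'no');

echo "--- safe headers for a legitimate sender ---\n";
echo build_headers_safe('Jane "JD" Doe', 'jane@example.net');
```

Run it and the first line prints "yes": the payload contains none of the listed words, so the blacklist passes it, and the unsafe builder emits a second header line that adds two recipients. The safe builder throws on the same input, while an honest comment that happens to contain "bcc" is blocked by the blacklist but is no problem for the line-break check, which only needs to run on header-bound fields.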

mypointofview
09-08-2005, 04:28 AM
1. This anti hacker code from MACDOUGALS4ALL looks promising. As a novice -- just a quick question for implementation: Do I simply just put that PHP on the beginning of my page which has the email form?

2. Back to the initial subject... ;) CYPHIX: thanks for your code snippet - I got it to work after dealing with one bug -- see thread here (http://www.codingforums.com/showthread.php?t=67693) -- however only up to the point until I try to get another page to open. I get the error:

Warning: Cannot modify header information - headers already sent by (output started at [...]

3. TYNAN: I think I kinda understand -- you mean that the html with the form is on a different page than the php? How shall I make the submit button (in my case an image) call up that other php and how to take it from there?

This is what I got so far:



<?php
$sendto="myname@mydomain.com";
$emailsubject="Reply from Website";
$thankyou="http://www.mydomain.com/thanks.html";
$msg = 'Tel: ' . $_POST['visitorPhone'] . "\r\n" . stripslashes($_POST['comments']);
$from = "From: ".$_POST['visitorName']." <".$_POST['visitorEmail'].">\r\n";

if ($_POST['submit_x']) {
mail($sendto, $emailsubject, $msg, $from);
header("Location: $thankyou");
exit; // nothing after the redirect should run or be output
}

?>

Thanks, Martin.

mypointofview
09-08-2005, 07:06 AM
I placed the PHP code totally at the very beginning of the page, nothing, not even a space in front of it. Then it worked and I did not get that "headers already sent" error anymore. :D

cyphix
09-08-2005, 12:16 PM
Try this code with the function..



<?php

function email_injection_filter($formInput)
{
    $injectionStrings = array("apparently-to",
        "bcc",
        "boundary=",
        "charset",
        "content-disposition",
        "content-type",
        "content-transfer-encoding",
        "errors-to",
        "in-reply-to",
        "message-id",
        "mime-version",
        "multipart/mixed",
        "multipart/alternative",
        "multipart/related",
        "reply-to",
        "x-mailer",
        "x-sender",
        "x-uidl"
    );
    foreach ($injectionStrings as $spam)
    {
        $pos = strpos(strtolower($formInput), $spam);
        if ($pos !== false)
        {
            error_log(...) /* placeholder: supply your own log message here */
            exit("<html><title>Fatal Error</title><body><p>We're sorry, your message could not be processed due to a fatal error.</p><p>Please contact us at 1-800-xxx-xxxx.</p></body></html>");
        }
    }
}

$sendto="myname@mydomain.com";
$emailsubject="Reply from Website";
$thankyou="http://www.mydomain.com/thanks.html";
$msg = 'Tel: ' . $_POST['visitorPhone'] . "\r\n" . stripslashes($_POST['comments']);
$from = "From: ".$_POST['visitorName']." <".$_POST['visitorEmail'].">\r\n";

if ($_POST['submit_x']) {

    /* run the filter over every submitted field before anything is mailed */
    foreach ($_POST as $formInput)
    {
        email_injection_filter($formInput);
    }

    mail($sendto, $emailsubject, $msg, $from);
    header("Location: $thankyou");
    exit; // nothing after the redirect should run or be output
}
?>

mypointofview
09-10-2005, 07:55 AM
Got this error when using the code:

Parse error: parse error, unexpected '.', expecting ')' in ... on line 28


Line 28 is where the "{" sign is:


if ($pos !== false)
{
error_log(...)

If somebody could give me a hint about the unexpected '.' ...

Thanks, Martin.

mcdougals4all
09-10-2005, 11:55 PM
error_log() (http://www.php.net/error_log) sends an error message to the destination you choose. Usually written to an error log file.

Or you can send yourself a message via email. Such as:
error_log("Email injection attempt - From IP: " . $_SERVER['REMOTE_ADDR'] . " | Server Time: " . date('m\/d\/y, h:i:s A'), 1, "you@yourdomain.com");

mypointofview
09-11-2005, 05:09 AM
Thanks a lot. I thought that there must be something about those 3 dots ... ;)

I'll start a new thread about this interesting topic of email verification with some questions regarding JavaScript in a moment.


Martin

tokolosche
09-16-2005, 10:40 PM
Hello,

I am very new to php, and so have very limited knowledge. I have been trying to fiddle around with the above code by mcdougals4all but everywhere I have tried just gives me a white page when I hit submit on my web form.

My web form is html, and upon submit it sends the results to a php file. This is where I have been trying to put the injections filter in. The code above from cyphix looks like it is for the actual form where a user inputs their information. Although I could be wrong!?

Any help would be appreciated, I am getting about 20-40 injection e-mails a day.


<?php

/* Novice Form handler (qwsform.php) as posted. Constructs that later PHP versions
   removed (split(), ereg(), $_POST{...}, $HTTP_*_VARS) have been updated so the
   file parses; its behaviour, including the injection points flagged in the
   comments, is unchanged. */

/* $sendto is the email where form results are sent to */
$sendto = "admin@website.com.au";

/* $ccto is the email where form results can be carbon copied to */
$ccto = "";


/* defined but never used below: the script does not check the referring URL */
$setokurls = "1";

$okurls = "http://www.website.com.au/contact.htm";


$footer = "<br><br><br><br><br><center><font face=\"Arial\"><a href=\"http://www.noviceform.com/\" target=\"_blank\"><font color=\"#ff0000\">Form processing script provided by Novice Form</font></a> </center></font>";

$backbutton = "<br><br><b>Hit your browsers back button and resubmit the form.</b>";

$isreqe = "";
$REQ_error = "";
$SEND_email = "";


/* check to see if posted (the old $HTTP_GET_VARS / $HTTP_POST_VARS fallbacks are obsolete) */
if (!empty($_GET) || empty($_POST)) {
    /* qwserror.php is not shown in the thread; it defines no_pst(), msng_email(),
       msng_required() and default_success() */
    include("qwserror.php");
    no_pst();

} else {


$year  = date("Y");
$month = date("m");
$day   = date("d");
$hour  = date("h");
$min   = date("i");
$tod   = date("a");


$ip = $_SERVER["REMOTE_ADDR"];

$SEND_prnt  = "The form below was submitted by " . (isset($_POST["email"]) ? $_POST["email"] : "") . " from Ip address: $ip on $month/$day/$year at $hour:$min $tod \r\n";
$SEND_prnt .= "-------------------------------------------------------------------------\r\n";


/* CHECK TO SEE IF $_POST["required"] IS SET. Note that "required" is itself a
   POSTed (hidden) field, so a sender who omits it skips every check in this block. */
if (!empty($_POST["required"])) {


    $post_required = $_POST["required"];
    $required = explode(",", $post_required);
    $reqnum = count($required);

    for ($req = 0; $req < $reqnum; $req++) {

        $REQ_name  = $required[$req];
        $REQ_value = isset($_POST[$REQ_name]) ? $_POST[$REQ_name] : "";   /* was $POST{...}, a typo */


        if ($REQ_name == "email") {
            /* The pattern only forbids "@" and spaces in the wrong places; it does
               not reject \r or \n, so a line break can still get through. */
            $goodem = preg_match('/^[^@ ]+@[^@ ]+\.[^@ .]+$/', $_POST["email"]);

            if (!$goodem) {
                include("qwserror.php");
                msng_email();
            } /* end ! $goodem */

        }
        elseif ($REQ_value == "") {
            $isreqe = "1";
            $REQ_error .= "<li> $REQ_name ";
        } /* end ! req val */

    } /* end REQ for loop */


    /* IF THERE ARE ANY REQUIRED FIELDS NOT FILLED IN */

    if ($isreqe == "1") {
        include("qwserror.php");
        msng_required();
    }


} /* END CHECK TO SEE IF $_POST["required"] IS SET */


/* GET POSTED VARIABLES */


foreach ($_POST as $NVPOST_name => $NVPOST_value) {

    /* GET LEADS EMAIL */

    $email_lower = strtolower($NVPOST_name);

    if ($email_lower == "email") {
        /* Used verbatim in the From:/Reply-to: headers below: this is the email
           header injection point. (The original appended " \r\n" here, which then
           produced a blank line inside the headers.) */
        $SEND_email = $NVPOST_value;
    }

    /* END GET LEADS EMAIL */

    if (empty($_POST["sort"])) {


        /* CHECK TO SEE IF CONFIG FIELD */
        if ($NVPOST_name == "subject" || $NVPOST_name == "sort" || $NVPOST_name == "required" || $NVPOST_name == "success_page") {
        } else {
            $SEND_prnt .= "$NVPOST_name: $NVPOST_value \r\n";
        }
    } /* end ! sort */


} /* end foreach */


/* END GET POSTED VARIABLES */




if (!empty($_POST["sort"])) {

    /* SORT VARIABLES */

    $sortvars = explode(",", $_POST["sort"]);
    $sortnum  = count($sortvars);

    for ($num = 0; $num < $sortnum; $num++) {
        $SEND_prnt .= "$sortvars[$num]: " . (isset($_POST[$sortvars[$num]]) ? $_POST[$sortvars[$num]] : "") . " \r\n";
    }

} /* END SORT VARIABLES */




/* send mail */

/* The original separated From: from Reply-to: with "\r\n\r\n", which ends the
   header block; a single CRLF is what mail() expects between headers. */
if (!$ccto) {
    $header = "From: $SEND_email\r\nReply-to: $SEND_email\r\n";
} else {
    $header = "From: $SEND_email\r\nReply-to: $SEND_email\r\nCc: $ccto\r\n";   /* was $SEND_emai */
}


/* the subject is also taken unfiltered from a POSTed hidden field */
mail($sendto, (isset($_POST["subject"]) ? $_POST["subject"] : ""), $SEND_prnt, $header);

/* END sendmail */

/* CHECK TO SEE IF FORM SPECIFYS A SUCCESS PAGE */
if (empty($_POST["success_page"])) {

    include("qwserror.php");
    default_success();

} else {
    /* the redirect target comes from the POST as well (open redirect) */
    $successpage = $_POST["success_page"];
    header("Location: $successpage"); /* redirect */
    exit;
}



} /* END IF POSTED */


?>

I am not sure if it makes any difference to the above, but the code below is what submits to the php form.


<form action="qwsform.php" method="post" name="Subscribe" target="_parent" id="Subscribe" onsubmit="return validate_form ( );">
<p>
<input type="hidden" name="subject" value="Web Enquiry" />
<input type="hidden" name="success_page" value="success.htm" />
</p>

mypointofview
09-17-2005, 12:41 AM
Hi Tokolosche and welcome to the club of PHP newbies, like me.

I got my PHP based email form - including the injection filter from MCDOUGALS4ALL running. I'm not a specialist myself, but maybe I have the eyes to help you with my limited background.

First off, the situation that is working for me is this:

1. The injection filter code is on the same page as the form. Note, that this filter code is at the absolute very beginning of the page, even before any html code starts. NO space allowed in front. (otherwise errors as mentioned earlier in this thread).

2. The above page with that email form has .php as a suffix.

Maybe this helps already? I do not have an email CC or BCC in my code. If you want, I can post the complete code. Also what I found VERY interesting, especially for a novice, is the fact that the server plays a crucial role in the whole setup. In my situation for example I have to have the php.ini file on the same level as the document that has the email form! My php.ini had to be set to all registers ON as well. I then set its permissions to 400 so nobody could read it and it still works.

I have included also to my email form code a JavaScript verification for the people who sometimes don't pay attention what they are writing into the fields or who simply forget to enter something. What I like about this JavaScript solution is that a small popup comes up, so the page does not redesign itself with the possible side effect that the user has to scroll back down to the form, thus maybe even missing any alert message.

Good luck,

Martin.

tokolosche
09-17-2005, 02:39 AM
Hi Mypointofview. Thanks, I appreciate you taking the time to look at my post.

I had actually tried recreating my html contact form in a page with a .php suffix, but when I tried uploading it with the injection code, the page was completely blank. I had inserted the php code directly before any html code with no spaces before or after it. The php contact form worked fine without the injection code.

The problem I would face if I used the code and your e-mail sending details in the same form would mean that my e-mail address would be exposed to anyone searching through the code, which could also cause problems with spam. So that was why I was wanting the form to submit to the php form with all the sending code in it.

That was why I was hoping this injection code would work in the php form I am linking to.

mypointofview
09-17-2005, 07:21 AM
Here's what I'm using and it works:

A file, let's say mypage.php. In that page there are 2 important parts, the anti-injection code together with the actual email sending part, and the form. As form I use an external document which I mirror into mypage.php via the PHP include technique (I have more pages that have the form and it keeps the code of mypage.php from getting so long). See here:

First the PHP code (anti-injection code AND email "engine") at the very top of the page, even before the HTML header and with no space before it. Keep in mind that nobody will be able to see your email address because anything inside the PHP tags will be invisible to visitors (that's what brought me, as you I believe, to PHP in the first place). Again: anything inside the PHP tags will be invisible to any visitor :)


<?php

function email_injection_filter($formInput)
{
    $injectionStrings = array("apparently-to",
        "bcc",
        "boundary=",
        "charset",
        "content-disposition",
        "content-type",
        "content-transfer-encoding",
        "errors-to",
        "in-reply-to",
        "message-id",
        "mime-version",
        "multipart/mixed",
        "multipart/alternative",
        "multipart/related",
        "reply-to",
        "x-mailer",
        "x-sender",
        "x-uidl"
    );
    foreach ($injectionStrings as $spam)
    {
        $pos = strpos(strtolower($formInput), $spam);
        if ($pos !== false)
        {
            /* message type 1 = send the log line by email to the given address */
            error_log("Email injection attempt - From IP: " . $_SERVER['REMOTE_ADDR'] . " | Server Time: " . date('m\/d\/y, h:i:s A'), 1, "yourname@yourdomain.com");
            exit("<html><title>Fatal Error</title><body><p>Sorry, your message could not be processed due to a fatal error.</p><p>Please contact your name here by telephone.</p></body></html>");
        }
    }
}

$sendto="yourname@yourdomain.com";
$emailsubject="Message from website";
$thankyou="http://www.yourdomain.com/thanks.html";
$msg = 'Tel: ' . $_POST['visitorPhone'] . "\r\n" . stripslashes($_POST['comments']);
$from = "From: ".$_POST['visitorName']." <".$_POST['visitorEmail'].">\r\n";

if ($_POST['submit_x']) {

    /* run the filter over every submitted field before anything is mailed */
    foreach ($_POST as $formInput)
    {
        email_injection_filter($formInput);
    }

    mail($sendto, $emailsubject, $msg, $from);
    header("Location: $thankyou");
    exit; // nothing after the redirect should run or be output
}
?>


Now the email form code which I use is just anywhere in the page.


<!-- The following PHP include code represents the mail form and works together with the PHP mail code at the very top of the page -->
<?php include 'http://www.yourdomain.com/phpincludes/message.txt'; /* including a URL needs allow_url_include=On on current PHP; a local path such as __DIR__ . '/phpincludes/message.txt' does not */ ?>


Now here's what I have in that "message.txt" document, the actual email form code:


<!-- START CONTACT FORM -->


<script language="JavaScript" type="text/javascript">

function check(form){

if (form.visitorName.value == "") {
alert("Please enter your name.");
form.visitorName.focus();
return false;
}
else if (form.visitorPhone.value == "") {
alert("Please enter your phone number.");
form.visitorPhone.focus();
return false;
}
else if (form.visitorEmail.value == "") {
alert("Please enter your email.");
form.visitorEmail.focus();
return false;
}
else if(!(/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/.test(form.visitorEmail.value))){
alert("Please enter a valid email address.");
form.visitorEmail.focus();
return false;
}
else if (form.comments.value == "") {
alert("Please enter a comment/question.");
form.comments.focus();
return false;
}
else{
return true;
}
}

</script>



<form method="post" onSubmit="return check(this);">



<DIV CLASS="regular">Your name:</DIV>

<input type="text" size="26" maxlength="64" name="visitorName">

<DIV CLASS="regular">Your phone number:</DIV>

<input type="text" size="26" maxlength="64" name="visitorPhone">

<DIV CLASS="regular">Your email address:</DIV>

<input type="text" size="26" maxlength="64" name="visitorEmail">

<DIV CLASS="regular">Your message:</DIV>

<textarea name="comments" rows="3" cols="40" wrap="physical"></textarea>


<div id="logo" name="logo"><input type="image" name="submit" src="http://www.yourdomain.com/basicimages/send.gif" alt="Send" width="20" height="20" onmouseover="javascript:this.src='http://www.yourdomain.com/basicimages/send_2.gif';" onmouseout="javascript:this.src='http://www.yourdomain.com/basicimages/send.gif';"></div>

</form>

<!-- END CONTACT FORM -->

Above code could of course be placed right into mypage.php.

I have all my includes in a folder called phpincludes. I also use absolute links to make sure, that the stuff will work anywhere in my site when I do changes.

If it still does not work it could be a thing with the provider... I learned above with the friendly masters of this forum - thanks guys, you know who you are. Great group!

Tokolosche, say if it worked! So long, Martin.

Note: I use little gifs as submit button, that's why it's "submit_x". Also those buttons give a rollover effect which I like. I also give as name and ID to the gifs "logo" - a definition that lets me disable their printout via a CSS print stylesheet.

tokolosche
10-05-2005, 01:39 AM
Sorry I took so long to reply to this, I had problems finding it again. Silly me!

Thanks for your help on this mypointofview, I appreciate it! :)


