  1. #1

    Basic PHP email/form help?

    Hi everyone,
    I'm obviously new to the forum - & new to php as well. I've read the guidelines & stuff, so I hope I'm making a proper post. I know these are probably pretty basic questions & I'm hoping they haven't been answered repeatedly here. I have a couple of beginner PHP books & have done an extraordinary amount of reading & tutoring over the past 7-10 days. I've done a search, but I'm not absolutely sure what it is I'm even looking for, i.e.: variable, function, argument, etc. & never seem to come up with what I'm looking for.

    I have successfully set up a form that uses the php mail function. Upon submitting the form, the user is taken to my *success* page, where their comments are echoed, along with some other text & a signature by the web's admin. An e-mail is also sent to my specified address along with a copy to a Cc: address containing all the data from the form.

    My questions are:

    Where would I place html tags to add a little bit of formatting to my success page? For instance, having the user's comments & email address appear in bold and/or italics?

    Does anyone have any idea why I am not getting my *new lines* in the email that is received by my send_to?

    Is it a security risk for my form to be handled by a PHP page within my public_html folder? For instance, with a file named *handler.php* that is not linked within my site?

    Is there any way I can avoid the spoofing or spamming of the "send to" email address in the *PHP form-handler* (or any others for that matter, including the Cc: address)??

    Below is the code I am currently using with brief explanations:

    My form - just a simple look at it:

    Code:
    <form action="handler.php" method="post" name="feedback">
    	  <table width="90%" border="1" align="center" cellpadding="10" cellspacing="0">
    	    <tr>
    	      <td width="45%" align="left" valign="top">Name:</td>
    	      <td width="45%" align="left" valign="top"><input name="username" type="text" id="username" size="30" maxlength="50" /></td>
    	      </tr>
    	    <tr>
    	      <td width="45%" align="left" valign="top">E-mail address:</td>
    	      <td width="45%" align="left" valign="top"><input name="useraddr" type="text" id="useraddr" size="30" maxlength="50" /></td>
    	      </tr>
    	    <tr>
    	      <td width="45%" align="left" valign="top">Age:</td>
    	      <td width="45%" align="left" valign="top"><input name="userage" type="text" id="userage" size="5" maxlength="2" /></td>
    	      </tr>
    	    <tr>
    	      <td width="45%" align="left" valign="top">Location <span class="quote">(City/State/Country)</span></td>
    	      <td width="45%" align="left" valign="top"><input name="userlocale" type="text" id="userlocale" size="30" maxlength="50" /></td>
    	      </tr>
    	    <tr>
    	      <td width="45%" align="left" valign="top">Comments:</td>
    	      <td width="45%" align="left" valign="top"><textarea name="comments" cols="30" rows="5" id="comments"></textarea></td>
    	      </tr>
    	    </table>
    	  <br />
    	  <table width="90%" border="1" cellspacing="0" cellpadding="10">
            <tr align="center" valign="middle">
              <td width="45%"><input type="reset" name="Reset" value="Reset" /></td>
              <td width="45%"><input type="submit" name="Submit" value="Submit" /></td>
            <br>
    		
    		</tr>
          </table>
          <br />
          </form>


    My handler (handler.php) & *success* page - which I was helped with by a friend.


    Code:
    <?php
    
    $to = "webmaster@mydomain.com";
    $re = "Feedback";
    
    // retrieve POSTed variables
    $username = $_POST['username'];
    $useraddr = $_POST['useraddr'];
    $userage = $_POST['userage'];
    $userlocale = $_POST['userlocale'];
    $comments = $_POST['comments'];
    
    //construct message
    $msg = "";
    $msg .= "You have received feedback from ". $username. "/n/n";
    $msg .= "Their address is ". $useraddr. "/n";
    $msg .= "They are ". $userage. " and from ". $userlocale. "/n/n";
    $msg .= "Their comments were as follows: /n/n";
    $msg .= "$comments";
    
    //construct headers
    $headers = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/html; ";
    $headers .= "charset=iso-8859-1\r\n";
    
    // set FROM
    $headers .= "From: $useraddr /r/n";
    
    // set Cc
    $headers .= "Cc: joeblow@somewhere.com /r/n";
    
    // send command
    mail($to,$re,$msg,$headers);
    
    ?>

    This is the actual *success* part of the html - my *thank-you* (located on the bottom half of *handler.php*):

    Code:
    <html>
    <head>
    <title>Untitled Document</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    
    <body>
    
    <table width="90%" border="0" align="center" cellpadding="10" cellspacing="0">
    <tr><td align="left" valign="top">
    
    <p>Your comments:
    <br>
    <br>
    
    <?php echo($comments) ?>
    
    <br>
    <br>
    
    Have been received at My Domain. If a reply is appropriate or necessary, 
    we will get back to you at <?php echo($useraddr); ?>
    
     as soon as possible. As you can see by the user count at the <a href="http://www.mydomain.com/forum">MyDomain
    Forum</a>, we are simply overwhelmed by the amounts of e-mail we are receiving!!
    
    <br>
    			
    <p>Thanks for your comments, <?php echo ($username); ?>...</p>
    
    <p>The Admin at V4C</p>
    
    </td></tr></table>
    
    </body>
    </html>

    As I said, I'm very new to PHP & my only *coding* knowledge & experience is in HTML, so any help, tips, ideas, or suggestions are greatly, greatly appreciated.

    Thanks again everyone,

    Humble Dude

  • #2
    Hi there,

    as you already expected there are lots of possibilities with the mail() function.

    Where would I place html tags to add a little bit of formatting to my success page? For instance, having the user's comments & email address appear in bold and/or italics?
    You can add extra headers to the mail function to let the receiving mail client know that he's dealing with an HTML mail. There is an example on php.net (http://www.php.net/manual/en/function.mail.php - example 4).


    Does anyone have any idea why I am not getting my *new lines* in the email that is received by my send_to?
    When you send a formatted mail, this shouldn't be a problem as you would use <br> and <p> for newlines and paragraphs. When you send 'normal' mails you should use \n for a new line instead of /n.

    With respect to your questions about security and the possibilities for spamming I must admit that I'm not sure how to go about that, sorry. But I'm sure there will be someone that can give you more insight on that.

    Cheers. Michiel

  • #3
    raf
    Is it a security risk for my form to be handled by a PHP page within my public_html folder? For instance, with a file named *handler.php* that is not linked within my site?
    Security risk? What risk? That the code of your mail feature would be disclosed? You just posted it here + there are thousands of mail scripts freely available.
    If you are concerned about disclosing the posted form content, then you should realise that that has not much to do with what server-side language you use or where the script is located.
    The weak link is then the data transmission, which for all HTML goes through HTTP (regardless of the browser or server-side scripting). So you'll then need to look at setting up an SSL connection between client and server. (Still uses HTTP as transfer protocol, but all content is encrypted with a session key.)

    Is there any way I can avoid the spoofing or spamming of the "send to" email address in the *PHP form-handler* (or any others for that matter, including the Cc: address)??
    Spoofing --> the email address doesn't need to be spoofed since the user types it in himself. What would he gain by spoofing your CC address? Sending mail to himself? It's not like you need to pay to be able to get a mail address, and anyone with 5 minutes' knowledge of PHP knows how to send mail with whatever mail header he wants. So I don't see why anyone would put effort into fiddling with your mail script.
    But yes, it would be possible. If you give us the opportunity to post content to your site, as you do with any textarea, then there's always a chance we'll inject some PHP or SQL code into your script and if there is some kind of execution of the content (like a db-query, an eval() or so; well then ...) But nobody will bother with that in this case.
    About spamming: there is no bulletproof way against it. It has been discussed several times in these forums and the conclusion is always the same: you can make it hard by requiring them to accept cookies, by logging and comparing the IP or parts of the IP, by asking the client to enter a dynamically generated number (sent as an image), requiring the user to log in etc. All of these can be bypassed but they make it a bit harder. My advice is always: take these measures (since they are relatively easy to implement), don't expect too much of them, set up an efficient monitoring system to periodically go over all activity and see if there are abuses.
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html
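
A hardened take on the handler discussed in this thread, added here as an example and not code from any of the posters: it validates the address before it reaches a mail header, uses "\n" for line breaks in a plain-text body, and escapes user text on the success page. The function name `build_feedback_mail` and the sample submissions are constructed for illustration; the addresses reuse the thread's placeholders.

```php
<?php
// Added example: hardened version of the thread's handler.php logic.
// The function name and the sample data are constructed for illustration.

// Validate the form fields and build the arguments for mail().
// Returns an array on success, or null if the input is rejected.
function build_feedback_mail(array $post): ?array {
    $name     = trim($post['username'] ?? '');
    $addr     = trim($post['useraddr'] ?? '');
    $age      = trim($post['userage'] ?? '');
    $locale   = trim($post['userlocale'] ?? '');
    $comments = trim($post['comments'] ?? '');

    // The address is placed in a header: no CR/LF, and one valid address only.
    if (preg_match('/[\r\n]/', $addr) || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The form limits age to two characters; accept digits only.
    if ($age !== '' && !ctype_digit($age)) {
        return null;
    }

    // Plain-text body: "\n" inside double quotes is a real newline ("/n" is not).
    $msg  = "You have received feedback from $name\n\n";
    $msg .= "Their address is $addr\n";
    $msg .= "They are $age and from $locale\n\n";
    $msg .= "Their comments were as follows:\n\n$comments\n";

    // Fixed From on the site's own domain; the visitor's address goes in Reply-To.
    $headers  = "From: webmaster@mydomain.com\r\n";
    $headers .= "Reply-To: $addr\r\n";
    $headers .= "Cc: joeblow@somewhere.com\r\n";
    $headers .= "Content-Type: text/plain; charset=iso-8859-1\r\n";

    return ['to' => 'webmaster@mydomain.com', 'subject' => 'Feedback',
            'body' => $msg, 'headers' => $headers];
}

// Constructed sample submissions: one normal, one with a line break in the address.
$good = ['username' => 'Ann', 'useraddr' => 'ann@example.org', 'userage' => '30',
         'userlocale' => 'Utrecht', 'comments' => 'Nice <b>site</b>'];
$bad  = $good;
$bad['useraddr'] = "ann@example.org\r\nextra line";

var_dump(build_feedback_mail($bad) === null);   // the malformed address is refused
$mail = build_feedback_mail($good);
// mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);

// Success page: escape user text, then wrap it in your own formatting tags.
echo '<b>' . htmlspecialchars($good['comments'], ENT_QUOTES, 'ISO-8859-1') . "</b>\n";
```

The `mail()` call is commented out so the script runs offline; the formatting tags on the success page go around the escaped value, never inside it.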

