  1. #1
    mypointofview
    Guest

    How to point to another page for email thankyou message

    Hi all, I'm currently using this line of code in my simple email form to thank the visitor for sending me a message:

    PHP Code:
    $thankyou="Thank you for writing. Your message has been sent.";

    How do I change this line so that the visitor is presented with a new page?

    Here's the full code which I use (field verification is done via JavaScript and input is an image):

    PHP Code:
    <?php
    $sendto="myname@mydomain.com";
    $emailsubject="From website";
    $thankyou="Thank you for writing. Your message has been sent.";

    if ($submit_x) {
        mail("$sendto", "$emailsubject", "Tel: $visitorPhone\r\n" . stripslashes($comments) . "", "From: $visitorName <$visitorEmail>");
        echo ("$thankyou");
        die();
    }

    ?>

    Thanks, Martin.

  • #2
    New Coder | Join Date: Jul 2005 | Location: Perth, Australia. Age: 13 | Posts: 81
    You could just redirect them.
    header("Location: thanks.php"); or use a regular meta tag.
    I lost my signature, have you seen it?
    I have the power to erase you...

  • #3
    mypointofview
    Guest

    Thanks

    Thanks e-Raser and greetings to Australia. Could you or somebody tell me how to implement this trick?

    Like, where to write this, and what to replace? I tried some variations..

    I tried amongst others the following, but now it shows the link as message

    PHP Code:
    <?php
    $sendto="myname@mydomain.com";
    $emailsubject="Reply from Website";
    $thankyou="http://www.mydomain.com/thanks.html";

    if ($submit_x) {
        mail("$sendto", "$emailsubject", "Tel: $visitorPhone\r\n" . stripslashes($comments) . "", "From: $visitorName <$visitorEmail>");
        echo ("$thankyou");
        die();
    }

    ?>

    Martin

  • #4
    Regular Coder | Join Date: Oct 2004 | Location: London E4 UK | Posts: 320
    What I do is make the action of the submit button a PHP page.

    The PHP page, as well as generating your 'thank-you' page, also first runs the PHP to send the email and write to the database if wanted.

    You can cram as much PHP as you want into it, obviously.

    You'll need to pass your variables across to the PHP page, obviously, but that's simple stuff once you've done it.

  • #5
    Regular Coder | Join Date: Apr 2004 | Posts: 684
    Like this..

    PHP Code:
    <?php
    $sendto="myname@mydomain.com";
    $emailsubject="Reply from Website";
    $thankyou="http://www.mydomain.com/thanks.html";

    if ($submit_x) {
        mail("$sendto", "$emailsubject", "Tel: $visitorPhone\r\n" . stripslashes($comments) . "", "From: $visitorName <$visitorEmail>");

        header("Location: $thankyou");
    }

    ?>

    Also some more tips..

    1. I gather "$submit_x, $visitorName & $visitorEmail" are form variables; you should always reference POST variables as "$_POST['postvar']" even if a simple $postvar works. I believe in PHP5 POST variables no longer work by just referencing them as $postvar.

    2. There is no need to enclose variables in double quotes unless they are occupied with any other non-variable data.

    3. You should always include a new line character at the end of the "From:" field.

    4. It's cleaner to format your message text (& anything else for that matter) outside of the mail() function. Makes it easier to read!

    Improved code..

    PHP Code:
    <?php
    $sendto="myname@mydomain.com";
    $emailsubject="Reply from Website";
    $thankyou="http://www.mydomain.com/thanks.html";
    $msg = 'Tel: ' . $visitorPhone . "\r\n" . stripslashes($comments);
    // Quoted array keys inside a double-quoted string need the {$...} form
    $from = "From: {$_POST['visitorName']} <{$_POST['visitorEmail']}>\n";

    if ($_POST['submit_x']) {
        mail($sendto, $emailsubject, $msg, $from);

        header("Location: $thankyou");
    }

    ?>

  • #6
    Senior Coder | Join Date: Jun 2002 | Location: frankfurt, german banana republic | Posts: 1,848
    Just a quick hint: The email sending code used in this thread is vulnerable to an email injection attack.
    http://securephp.damonkohler.com/ind...mail_Injection
    De gustibus non est disputandum.

  • #7
    Regular Coder | Join Date: Apr 2004 | Posts: 684
    Wow... thanks for the link!

    So all we would need to do really would be to do this on user submitted fields?

    PHP Code:
    <?php
    $from=$_POST["sender"];
    if (eregi("\r", $from) || eregi("\n", $from)) {
        die("Why ?? :(");
    }
    ?>

  • #8
    Regular Coder | Join Date: Jul 2004 | Location: mile high city | Posts: 482
    Quote:
        So all we would need to do really would be to do this on user submitted fields?

    The example checks to see if the field contains a line break, which for most fields will indicate the attacker has tried to add extra headers.

    However, line breaks in the message itself are to be expected. So using this technique on all fields would prevent legitimate messages from being delivered. I tried a different approach which so far has been successful, blocking 20+ attempts just over the weekend (after first seeing these attacks about a week ago).

    I'm sure this could be improved if anyone has suggestions. For instance, I believe the email headers can also contain spaces, so it may be necessary to check for "content - type" as well as "content-type".

    PHP Code:
    <?
    function email_injection_filter($formInput)
      {
      $injectionStrings = array("apparently-to",
                                "bcc",
                                "boundary=",
                                "charset",
                                "content-disposition",
                                "content-type",
                                "content-transfer-encoding",
                                "errors-to",
                                "in-reply-to",
                                "message-id",
                                "mime-version",
                                "multipart/mixed",
                                "multipart/alternative",
                                "multipart/related",
                                "reply-to",
                                "x-mailer",
                                "x-sender",
                                "x-uidl"
                                );
      foreach ($injectionStrings as $spam)
        {
        $pos = strpos(strtolower($formInput), $spam);
        if ($pos !== false)
          {
          error_log(...)
          exit("<html><title>Fatal Error</title><body><p>We're sorry, your message could not be processed due to a fatal error.</p><p>Please contact us at 1-800-xxx-xxxx.</p></body></html>");
          }
        }
      }

    foreach ($_POST as $formInput)
      {
      email_injection_filter($formInput);
      }
    ?>
    Computer, kill Flanders... Did I hear my name? My ears are burning...
    Good start. Now finish the job.

  • #9
    Regular Coder | Join Date: Apr 2004 | Posts: 684
    Thanks for the function!

    Although, as for the message.. as long as you filter all other fields I think you should be fine... as

    Quote:
        Any data to be added will always be located *after* the injection point (ex : "From").

    From reading that page it seems you can't directly inject the message text so I don't think there would be a problem leaving it out of checking for new line chars & other checks.

    Also, as for your header list.. shouldn't you add "To:" to it?

  • #10
    Regular Coder | Join Date: Jul 2004 | Location: mile high city | Posts: 482
    Quote:
        From reading that page it seems you can't directly inject the message text.

    My experience indicates otherwise. Below is the body of a message where the attacker successfully added an additional recipient and attachments.
    Code:
    xgjpv
    --===============1300305249==-->
    Reply-To: "dunnjjqzz@mydomain.com dunnjjqzz@mydomain.com" <dunnjjqzz@mydomain.com
    Content-Type: multipart/mixed; boundary="===============1300305249=="
    MIME-Version: 1.0
    Subject: 710e7676
    To: dunnjjqzz@mydomain.com
    bcc: spammer@aol.com
    From: dunnjjqzz@mydomain.com
    
    This is a multi-part message in MIME format.

    I left To: out of the array on the likelihood that it may occur legitimately in a message.
    Computer, kill Flanders... Did I hear my name? My ears are burning...
    Good start. Now finish the job.
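
Added example, not part of any post in this thread: one way to act on the point debated in posts #7 to #10 is to reject CR/LF only in the fields that end up in the header block, validate the address, and leave the message body free-form. Field names follow the thread's form; the function names, the fixed noreply@mydomain.com sender and the sample submissions are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread). Function names and the noreply
// address are hypothetical; field names follow the thread's form.

// Returns the value if it can sit on one header line, or null if it contains
// CR, LF or any other control character (which would start a new header).
function header_safe(string $value): ?string
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) ? null : trim($value);
}

// Returns [headers, body] ready for mail(), or null when a header-bound
// field is unsafe.
function build_contact_mail(array $post): ?array
{
    $name  = header_safe($post['visitorName'] ?? '');
    $email = filter_var($post['visitorEmail'] ?? '', FILTER_VALIDATE_EMAIL);
    // filter_var() already refuses line breaks; header_safe() is a second check.
    if ($name === null || $email === false || header_safe($email) === null) {
        return null;
    }
    $name = str_replace(['"', '<', '>', '\\'], '', $name); // display-name specials
    // From stays a fixed site address; the visitor only appears in Reply-To.
    $headers = "From: Website form <noreply@mydomain.com>\r\n"
             . "Reply-To: \"$name\" <$email>";
    // The body is never placed in the header block, so line breaks and words
    // such as "bcc" are allowed here.
    $body = 'Tel: ' . ($post['visitorPhone'] ?? '') . "\r\n" . ($post['comments'] ?? '');
    return [$headers, $body];
}

// Constructed sample submissions.
$samples = [
    'legitimate' => ['visitorName' => 'Ann Lee', 'visitorEmail' => 'ann@example.org',
                     'visitorPhone' => '555-0100',
                     'comments' => "Hi,\r\nplease bcc my colleague on your reply."],
    'injected'   => ['visitorName' => "x\r\nBcc: someone@example.net",
                     'visitorEmail' => 'x@example.org',
                     'visitorPhone' => '', 'comments' => 'hello'],
];
foreach ($samples as $label => $post) {
    $mail = build_contact_mail($post);
    echo $label, ': ', $mail === null ? 'rejected' : 'accepted', "\n";
    // On acceptance the form handler would then call:
    //   mail($sendto, $emailsubject, $mail[1], $mail[0]);
    //   header('Location: http://www.mydomain.com/thanks.html'); exit;
}
```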

  • #11
    mypointofview
    Guest

    Superbe !!

    1. This anti hacker code from MACDOUGALS4ALL looks promising. As a novice -- just a quick question for implementation: Do I simply just put that PHP on the beginning of my page which has the email form?

    2. Back to the initial subject... CYPHIX: thanks for your code snippet - I got it to work after dealing with one bug -- see thread here -- however only up to the point until I try to get another page to open. I get the error:

    Warning: Cannot modify header information - headers already sent by (output started at [...]

    3. TYNAN: I think I kinda understand -- you mean that the html with the form is on a different page than the php? How shall I make the submit button (in my case an image) call up that other php and how to take it from there?

    This is what I got so far:


    PHP Code:
    <?php
    $sendto="myname@mydomain.com";
    $emailsubject="Reply from Website";
    $thankyou="http://www.mydomain.com/thanks.html";
    $msg = 'Tel: ' . $visitorPhone . "\r\n" . stripslashes($comments);
    $from = "From: ".$_POST['visitorName']." <".$_POST['visitorEmail'].">\r\n";

    if ($_POST['submit_x']) {
        mail($sendto, $emailsubject, $msg, $from);

        header("Location: $thankyou");
    }

    ?>

    Thanks, Martin.

  • #12
    mypointofview
    Guest

    Found it :)

    I placed the PHP code totally at the very beginning of the page, nothing, not even a space in front of it. Then it worked and I did not get that "headers already sent" error anymore.

  • #13
    Regular Coder | Join Date: Apr 2004 | Posts: 684
    Try this code with the function..

    PHP Code:
    <?php

    function email_injection_filter($formInput)
      {
      $injectionStrings = array("apparently-to",
                                "bcc",
                                "boundary=",
                                "charset",
                                "content-disposition",
                                "content-type",
                                "content-transfer-encoding",
                                "errors-to",
                                "in-reply-to",
                                "message-id",
                                "mime-version",
                                "multipart/mixed",
                                "multipart/alternative",
                                "multipart/related",
                                "reply-to",
                                "x-mailer",
                                "x-sender",
                                "x-uidl"
                                );
      foreach ($injectionStrings as $spam)
        {
        $pos = strpos(strtolower($formInput), $spam);
        if ($pos !== false)
          {
          error_log(...)
          exit("<html><title>Fatal Error</title><body><p>We're sorry, your message could not be processed due to a fatal error.</p><p>Please contact us at 1-800-xxx-xxxx.</p></body></html>");
          }
        }
      }

    $sendto="myname@mydomain.com";
    $emailsubject="Reply from Website";
    $thankyou="http://www.mydomain.com/thanks.html";
    $msg = 'Tel: ' . $visitorPhone . "\r\n" . stripslashes($comments);
    $from = "From: ".$_POST['visitorName']." <".$_POST['visitorEmail'].">\r\n";

    if ($_POST['submit_x']) {

       foreach ($_POST as $formInput)
         {
         email_injection_filter($formInput);
         }

       mail($sendto, $emailsubject, $msg, $from);
       header("Location: $thankyou");
    }

    ?>

  • #14
    mypointofview
    Guest

    Ooops...

    Got this error when using the code:

    Parse error: parse error, unexpected '.', expecting ')' in ... on line 28


    Line 28 is where the "{" sign is:

    PHP Code:
     if ($pos !== false)
          {
          error_log(...)

    If somebody could give me a hint about the unexpected '.' ...

    Thanks, Martin.

  • #15
    Regular Coder | Join Date: Jul 2004 | Location: mile high city | Posts: 482
    error_log() sends an error message to the destination you choose. Usually written to an error log file.

    Or you can send yourself a message via email. Such as:
    PHP Code:
    error_log("Email injection attempt - From IP: " . $_SERVER['REMOTE_ADDR'] . " | Server Time: " . date('m\/d\/y, h:i:s A'), 1, "you@yourdomain.com");
    Computer, kill Flanders... Did I hear my name? My ears are burning...
    Good start. Now finish the job.

