Web Hosting Talk







PHP Form / Email is blank


blockcipher
11-30-2006, 08:44 PM
I have a basic form here that I wrote (very beginner mind you). Users can submit the form, but the e-mail sent from the server is blank. I recently had my server locked down, do you think that has anything to do with it?

Here is my form code


<?php

//Declare the variables
$recipient = "emailtosendto@domain.com";
$subject = "Form";
$message = "Name: $firstname\nCompany Name: $companyname\nStreet Address: $streetaddy\nCity: $city\nState: $state\nZip Code: $zipcode\nPhone Number: $phonenumber\nFax Number: $faxnumber\nE-mail Address: $email\n\nInformation about property to be appraised (subject property):\n\nBorrower/Owners Name: $ownername\nSubject Address: $subjectaddress\nSubject City: $selectcity\nSubject State: $subjectstate\nSubject Zip Code: $subjectzipcode\nSales Price: $salesprice\nEstimated Value: $estvalue\nLoan Amount: $loanamnt\nProperty Type: $propertytype\nPurpose of Appraisal: $purposeappr\nFormat Needed: $formatneeded\nContact for Access: $contactaccess\nPhone Work: $phonedw\nPhone Home: $phonehome\n\n\nComments: $comments";

//mail() function sends the mail
mail($recipient,$subject,$message,"From: $email");


//Contents of form
$firstname=$_POST['firstname'];
$companyname=$_POST['companyname'];
$streetaddy=$_POST['streetaddy'];
$city=$_POST['city'];
$state=$_POST['state'];
$zipcode=$_POST['zipcode'];
$phonenumber=$_POST['phonenumber'];
$faxnumber=$_POST['faxnumber'];
$email=$_POST['email'];
$ownername=$_POST['ownername'];
$subjectaddress=$_POST['subjectaddress'];
$selectcity=$_POST['selectcity'];
$subjectstate=$_POST['subjectstate'];
$subjectzipcode=$_POST['subjectzipcode'];
$salesprice=$_POST['salesprice'] ;
$estvalue=$_POST['estvalue'];
$loanamnt=$_POST['loanamnt'];
$propertytype=$_POST['propertytype'];
$purposeappr=$_POST['purposeappr'];
$formatneeded=$_POST['formatneeded'];
$contactaccess=$_POST['contactaccess'];
$phonedw=$_POST['phonedw'];
$phonehome=$_POST['phonehome'];
$comments=$_POST['comments'];


Any ideas would be appreciated.

foobic
12-01-2006, 12:48 AM
"//Contents of form" and everything after it needs to go at the beginning of the script, not at the end. With register_globals (google it) turned on this wouldn't matter so presumably the server lock down has turned register_globals off - a very good thing.

More important: once you get it working the form will be vulnerable to header injection. Bots are constantly scanning the web for scripts like this and when they find yours it WILL be exploited for sending spam.

More info (http://www.securephpwiki.com/index.php/Email_Injection) explaining the problem and some options for fixing it.

OnlineRack
12-01-2006, 01:46 AM
Good point about injection. In simple words, how can you avoid it (good strategy)?

foobic
12-01-2006, 02:03 AM
Validate all user inputs against what you're expecting to get, e.g. intval() for integers, floatval() for decimal numbers, regexp for strings (especially e-mail addresses). If you don't get what you expect, either reject the form or quarantine the data, e.g. urlencode it and DON'T PUT IT IN THE MAIL HEADERS! ;)

Also, use libraries for PHP where possible: PEAR, ADOdb and PHPMailer come to mind from my limited experience.
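
The validation described in the reply above, as an added example that is not part of any post in this thread: the form fields are read first, the e-mail field is rejected if it contains a line break or fails validation, and user text only ever reaches the message body. The helper names and the fixed From address forms@example.com are assumptions.

```php
<?php
// Added example; helper names and forms@example.com are assumptions.

// A value may go near a header only if it is a string with no CR, LF or NUL.
function header_safe($value)
{
    return is_string($value) && !preg_match('/[\r\n\0]/', $value);
}

// Return the validated address, or null if it is not one plain e-mail address.
function clean_email($value)
{
    if (!header_safe($value)) {
        return null;
    }
    $addr = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Read one form field as a string ('' when missing or not a string).
function field(array $post, $key)
{
    return isset($post[$key]) && is_string($post[$key]) ? $post[$key] : '';
}

// Build the mail() arguments, or return null when the form must be rejected.
function build_mail(array $post)
{
    $email = clean_email(field($post, 'email'));
    if ($email === null) {
        return null;
    }
    // User-supplied text goes in the body only, never in the headers.
    $body = "Name: " . field($post, 'firstname') . "\nE-mail Address: $email"
          . "\n\nComments: " . field($post, 'comments');
    // Fixed From; the validated address is used for Reply-To only.
    $headers = "From: forms@example.com\r\nReply-To: $email";
    return array('emailtosendto@domain.com', 'Form', $body, $headers);
}

// Constructed sample submissions: one normal, one with a line break in the e-mail field.
$samples = array(
    array('firstname' => 'Ann', 'email' => 'ann@example.com', 'comments' => 'Hi'),
    array('firstname' => 'Bot', 'email' => "a@example.com\r\nX-Injected: 1"),
);
foreach ($samples as $post) {
    $args = build_mail($post);
    // Real handler: if ($args !== null) { mail($args[0], $args[1], $args[2], $args[3]); }
    echo $args === null ? "rejected\n" : "would send, headers: $args[3]\n";
}
```

The remaining fields of the original form would be added to the body the same way as firstname and comments, through field().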

blockcipher
12-01-2006, 01:08 PM
foobic,

Thank you very much. That fixed the issue with the e-mail being blank. I'm not much of a programmer so I will read that link today and see what I can do to protect myself.

Thanks again!