Mail form help [Archive] - Web Hosting Talk

LMHart

04-15-2009, 10:43 AM

I have been trying to get the mail() function to work. I understand that it can only take on a max of 5 conditions. However I am stuck on getting the required info into the $message. What i would like is all the info from my page to be email to me.

Here is the code from my form

<html>
<body>
<strong>Contact Us or Request a Quote</strong>
<p>Please complete the form below and ensure that all information is accurate. </p>
<form action="form_email.php" method="post">
<p>Your Name: <span class="required">*</span><br /><input type="text" id="name" name="name" size="50" maxlength="80" /></p>
<p>Your Email: <span class="required">*</span><br /><input type="text" id="email" name="email" size="50" maxlength="80" /></p>
<p>Your Current Web Address (if applicable): <br /><input type="text" id="address" name="address" size="50" maxlength="80" /></p>

<p>Expected project budget: <br /><select name="budget" id="budget">
<option value="$500-$1200">$500 - $1200</option>
<option value="$1201-$2500">$1201-$2500</option>
<option value="$2501-$5000" selected>$2501-$5000</option>
<option value="$5001-$10,000">$5000-$10,000</option>
<option value="$10,001 - $25,000">$10,001-$25,000</option>

<option value="more than $25k">More than $25,000</option>
</select></p>
<p>Comments/Questions: <span class="required">*</span><br /><textarea cols="50" id="comments" rows="5" name="comments"></textarea></p>
<p><input type="submit" value="submit" /> </p>
<p>Items marked with a <span class="required">*</span> are required</p>

</form>
<p> </p>

</body>
</html>

and here is my script to email

<html>
<body>
<?php
if (isset($_REQUEST['form_email']))
//if "email" is filled out, send email
{
//send email
$email = $_REQUEST['email'] ;
$subject = "Information Request from Website";

$name = $_REQUEST['name'];
$contact = $_REQUEST['email'];
$address = $_REQUEST['address'];
$budget = $_REQUEST['budget'];
$comments = $_REQUEST['comments'];

$message = array('name','email', 'address','budget','comments');

mail( "info@mainstreetwebsolutions.com", "Subject: $subject",
$message, "From: $email");
echo "Thank you for using our mail form";
}
/*else
//if "email" is not filled out, display the form
// {
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}*/

?>

Doh004

04-15-2009, 02:47 PM

foobic

04-15-2009, 07:14 PM

You really need to know about the dangers of email header injection (http://www.google.com/search?q=php+email+header+injection). If you put up that code on a live site then sooner or later (probably sooner) it will be exploited by spammers. At the very least you must validate all inputs from your form. You'd probably also be better off using a mail library like PHPMailer (http://sourceforge.net/projects/phpmailer/) instead of the native mail() function.

dreamrae.com

04-15-2009, 08:55 PM

You should sanitize your $message variable and put some restrictions on the last argument in the mail() function (From: $email). An attacker could easily inject the $email variable and set it to something like:
"user@domain.com\r\nCC: user@someotherdomain.net\r\nBCC: user@anotherdomain.org\r\n".

Or even worse:
"From: Staff <staff@yourdomainname.net>\r\nCC: somepooruser@domain.com\r\nReply-To:phisher@hacker.net\r\n"

PM me if you need any assistance securing this code.:bomb:

luespi

07-17-2009, 04:20 AM

You forgot the $ when you create the array with the values:

$message = array('name','email','address','budget','comments');

Should be

$message = array($name,$email,$address,$budget,$comments);

Although I've never sent an array as the message, so I'd suggest you put all of the values into one string

$message = "$name
$email
$address
$budget
$comments";

thaaaaaaaaaannnnnnnnkssssssss alotttt!!
this really really helped me alot!!!

gosh thanks!