
PHP Newb with a problem

I wouldn’t consider myself a PHP programmer by any means, but I feel comfortable messing around with pre-written scripts and such. A few years ago I started using PHP to submit forms on a lot of our websites. Recently we’ve fallen to some hacking due (from what we can tell) to register_globals being on. When they are off, my forms do not work. The emails come through as if no one has filled out any of the form fields.

I would appreciate it if someone could look at my code and let me know what I’m doing wrong.

Here’s the code for the form.

[CODE]<form action="contactaction.php" method="post">
<table width="357" border="0" cellspacing="0" cellpadding="2">
<tr align="left" valign="middle">
<td colspan="2">Or feel free to use the following email form. </td>
</tr>
<tr align="left" valign="middle">
<td width="54">Name:</td>
<td width="295"><input name="name" type="text" id="name" size="40" /></td>
</tr>
<tr align="left" valign="middle">
<td>Email:</td>
<td><input name="thereemail" type="text" id="thereemail" size="40" /></td>
</tr>
<tr align="left" valign="middle">
<td>Subject:</td>
<td><input name="subject" type="text" id="subject" size="40" /></td>
</tr>
<tr align="left" valign="middle">
<td>Message:</td>
<td><textarea name="message" cols="30" rows="5" id="message"></textarea></td>
</tr>
<tr align="center" valign="middle">
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Submit" /></td>
</tr>
</table>
</form>[/CODE]

And the action.

[CODE]<?php
{
// These variables only exist because register_globals fills them in from the form.
$email = "Name:\t$name\nE- Mail:\t$thereemail\nSubject:\t$subject\nMessage:\t$message\n\n";
$to = "*****@gmail.com";
$subject = "contact page";
$mailheaders = "From: $name";
$mailheaders = "Reply-To: $thereemail";
mail($to, $subject, $email, $mailheaders);
include("thanks.php");
}
?>[/CODE]

I’m sure it is something stupid, but this format has worked perfectly for me for quite a while. If anyone has any ideas or help I would GREATLY appreciate it.


4 Comments

@NogDogOct 20.2006 — If register_globals is off (which is a good thing) then you must refer to any form variables from the $_GET or $_POST array, as applicable (based on the form method used). So instead of referring to [b]$name[/b], you must refer to [b]$_POST['name'][/b]. In order to avoid changing every instance in your code, at the start you could do the following for each form field you'll be using:

[code=php]
$name = $_POST['name'];
[/code]
@chazzyOct 20.2006 — Also note, if you want to add two strings together, use the . operator. So the two lines like this should be more like mine.

[code=php]
// Each header line must end with "\r\n", and .= appends instead of overwriting.
$mailheaders = "From: $name\r\n";
$mailheaders .= "Reply-To: $thereemail\r\n";
[/code]


This way, all of the headers get sent.
@wbrownauthorOct 20.2006 — [QUOTE]If register_globals is off (which is a good thing) then you must refer to any form variables from the $_GET or $_POST array, as applicable (based on the form method used). So instead of referring to [b]$name[/b], you must refer to [b]$_POST['name'][/b]. In order to avoid changing every instance in your code, at the start you could do the following for each form field you'll be using:

[code=php]
$name = $_POST['name'];
[/code]
[/QUOTE]



Alright, I was doing some experimentation and I kind of understand. With register_globals on (and trust me, this is all to get them turned off) the form/action I posted sends an email that looks like this:

[QUOTE]Name: Wes Brown
E- Mail: *****@gmail.com
Subject: test
Message: message goes here.[/QUOTE]


With register_globals off I get this email:

[QUOTE]Name:
E- Mail:
Subject:
Message: [/QUOTE]


In experimenting I wrote this into my action and it fixed it... although I'm sure I'm doing it totally differently than what you're saying.

[CODE]<?php
{
// Pull each form field out of $_POST explicitly so the script no longer
// depends on register_globals.
$name = $_POST['name'];
$thereemail = $_POST['thereemail'];
$subject = $_POST['subject'];
$message = $_POST['message'];

$email = "Name:\t$name\nE- Mail:\t$thereemail\nSubject:\t$subject\nMessage:\t$message\n\n";
$to = "*****@gmail.com";
$subject = "contact page";
// Headers need a "\r\n" terminator or the two lines run together.
$mailheaders = "From: $name\r\n";
$mailheaders .= "Reply-To: $thereemail\r\n";
mail($to, $subject, $email, $mailheaders);
include("thanks.php");
}
?>[/CODE]


I put them where I did because I don't understand where in the $email = line to place all of them. Am I supposed to put them in the action, the form, both? Is there a better way to do this? Do I need to use the . function like this?

[CODE]$email = $_POST['name'];
$email .= $_POST['thereemail'];
$email .= $_POST['subject'];[/CODE]


If so, how do I get the proper name in the email in front of the data input to the form?

Maybe I'm making this WAY too complicated, but I'm fairly new to all of this...
@lumenationOct 21.2006 — You should also be aware that you are vulnerable to spammers injecting headers into your email. This [URL=http://www.securephpwiki.com/index.php/Email_Injection]page[/URL] has detailed info on the subject. By adding line feeds to $mailheaders, they can send emails to whomever they please through your script. I have seen it happen before, and by looking at the raw $_POST values on a lot of my current sites, I know people try it all the time. You should always consider user supplied input as tainted and be sure to check that it conforms to what you expect.
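Pulling the replies together (read fields from $_POST, join headers with .= and "\r\n", and refuse CR/LF in any value that reaches a header), here is a hardened version of wbrown's handler. This is added example code, not posted by anyone in the thread; the field names come from wbrown's form, and the From address webmaster@example.com is a placeholder.

```php
<?php
// Added example (not code from the thread): the contact handler rewritten to
// read its fields from $_POST explicitly and to refuse header injection.
// Field names come from wbrown's form; the From address is a placeholder.

// Return a single-line field, or null when it is missing, not a string, or
// contains CR/LF (the characters a header-injection attempt depends on).
function clean_field(array $post, string $key): ?string
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $value = trim($post[$key]);
    return preg_match('/[\r\n]/', $value) ? null : $value;
}

// Build [body, headers] from a $_POST-style array; null if validation fails.
function build_contact_mail(array $post): ?array
{
    $name    = clean_field($post, 'name');
    $reply   = clean_field($post, 'thereemail');
    $subject = clean_field($post, 'subject');
    // The message is multi-line and only ever goes into the body, never a header.
    $message = (isset($post['message']) && is_string($post['message'])) ? $post['message'] : '';

    if ($name === null || $reply === null || $subject === null
        || filter_var($reply, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $body = "Name:\t$name\nE- Mail:\t$reply\nSubject:\t$subject\nMessage:\t$message\n\n";

    // Headers are appended with .= and separated by "\r\n" (chazzy's point).
    // From is the site's own mailbox; the visitor's address goes in Reply-To,
    // where it has already been validated as a plain email address.
    $headers  = "From: webmaster@example.com\r\n";  // placeholder sender
    $headers .= "Reply-To: $reply\r\n";
    $headers .= "X-Mailer: PHP/" . phpversion();

    return [$body, $headers];
}

$mail = build_contact_mail($_POST);
if ($mail === null) {
    echo 'Please fill in every field and give a valid email address.';
    exit;
}
mail('*****@gmail.com', 'contact page', $mail[0], $mail[1]);  // recipient masked as in the thread
include 'thanks.php';
```

A submission whose email field contains a newline followed by extra header lines is rejected before mail() is ever called, which is the case lumenation describes.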