Hello,
I really don’t know much about php, so I put this together piece by piece. I’m trying to figure out how to reply directly to the sender. So far, if I reply to a question, I end up replying to myself. Can anyone help?
Thanks! Here’s the code:
[code=php]
<?php
$name = $_POST['name'];
$email = $_POST['from'];
$subject = $_POST['subject'];
// $general and $prayer are never assigned in the posted code; assumed here to be two more form fields
$general = $_POST['general'] ?? '';
$prayer = $_POST['prayer'] ?? '';
$message = "You have received a message from:" . "\n";
$message .= $name . "\n";
$message .= $email . "\n";
$message .= $subject . "\n";
$message .= $general . "\n";
$message .= $prayer . "\n";
$message .= stripslashes($_POST['message']) . "";
if (!$email) { // If no email...
    echo "Sorry, you forgot to enter your email"; // The error message
    die(); // Kills the rest of the script, so only the error is displayed
}
else { // Else if email entered...
    // From is the site's own address and there is no Reply-To, so replying goes back to the site
    mail("contact@*********************.com", "Message for Greater Grace Church", $message, "From: contact@*********************.com");
    header("Location: http://www.*********************.com/thank-you.html");
}
?>
[/code]
If I'm understanding correctly, I think if you add a "Reply-To:" header with the value being the user's email address, you'll be good to go.
You'll want to filter it though, to avoid mail header injection attacks. This would probably be sufficient:
[code=php]
$email = filter_var($_POST['from'], FILTER_SANITIZE_EMAIL);
[/code]
[/QUOTE]
Thank you so much, yes, I'm trying to set up a "reply-to". Where on my php should I put this? $email = filter_var($_POST['from'], FILTER_SANITIZE_EMAIL);
Thanks![/QUOTE]
[code=php]
else { // Else if email entered...
    // "\r\n" separates the two headers (the backslashes were lost in the original post)
    mail(
        "contact@*********************.com",
        "Message for Greater Grace Church",
        $message,
        "From: contact@*********************.com\r\nReply-To: $email"
    );
    header("Location: http://www.*********************.com/thank-you.html");
}
[/code]
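Putting the Reply-To answer together with the header-injection concern, here is an added example (my own code, not from any poster in the thread) that validates the visitor's address, refuses any value containing a line break, keeps From as the site's own address, and acts on mail()'s return value. contact@example.com and the redirect pages are placeholders.

```php
<?php
// Added example, not code from the thread: validate the visitor's address before
// it goes into a header, send with Reply-To, and act on mail()'s return value.
// contact@example.com and the two redirect pages are placeholders.

function sender_address(string $raw): ?string
{
    $email = trim($raw);
    // A CR or LF inside a header value starts a new header line: that is the
    // whole mechanism of mail header injection, so reject it outright.
    if (preg_match('/[\r\n]/', $email)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL accepts one syntactically valid address or returns false.
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

function send_contact_mail(array $post, string $siteAddress): bool
{
    $replyTo = sender_address($post['from'] ?? '');
    if ($replyTo === null) {
        return false; // refuse to send rather than mail a half-sanitised value
    }
    // The subject travels in a header too: collapse line breaks and cap the length.
    $subject = substr(preg_replace('/[\r\n]+/', ' ', trim($post['subject'] ?? '')), 0, 200);
    $subject = ($subject === '') ? 'Contact form message' : $subject;

    // From stays the site's own address, so SPF/DMARC checks on your domain are not
    // tripped; the visitor goes in Reply-To, which is what makes "Reply" in the
    // mail client address them instead of you.
    $headers = "From: {$siteAddress}\r\nReply-To: {$replyTo}";

    $body = "You have received a message from:\n"
          . trim($post['name'] ?? '') . "\n" . $replyTo . "\n\n"
          . ($post['message'] ?? '');

    return mail($siteAddress, $subject, $body, $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = send_contact_mail($_POST, 'contact@example.com');
    // mail() returning false means the message was not accepted for delivery;
    // a rejected address lands here too, instead of on a silent thank-you page.
    header('Location: ' . ($sent ? 'thank-you.html' : 'error.html'));
    exit;
}
```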
When posting code, please observe the fact that all web forums have some form of BB Code tags like the ones in my signature.
As for the code...
You should sanitize the inputs or your site will be hacked in a few clicks.
IMHO you need to whitelist the form fields your form accepts; you should have HTML5 form fields and then validate into a safe array of whitelisted elements that are filtered, then format the email message...
eg.
[B]$email = filter_var( $_POST['from'], FILTER_SANITIZE_EMAIL );[/B] FILTER_SANITIZE also has several filters to filter inputs; if the item fails, then false is returned to protect the server from an attempted hack. Also use HTML5 form fields; setting the appropriate attributes is only going to help, as you can also specify regular expressions in the HTML attribute so that the form can't be submitted until a required field has input, etc.
Your script assumes all went well; nothing is checked using the return value from the mail() function. You can then decide to send the user back if the form fails validation, or to issue a thank-you message when all goes well, and it does not send a confirmation email to the client about their email.[/QUOTE]
You just need to check the input (POST) data before you do something with it, because POST data is especially dangerous in a mailer. As an example only:
[CODE]
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name = $email = $subject = $message = $nameError = $emailError = $subjectError = $messageError = NULL;
    // you could add error handling with input validation or just drop the entire else statement from this area
    if (isset($_POST['name'])) { $name = holyWater($_POST['name']); } else { $nameError = 1; }
    if (isset($_POST['from'])) { $email = filter_var($_POST['from'], FILTER_SANITIZE_EMAIL); } else { $emailError = 1; }
    if (isset($_POST['subject'])) { $subject = holyWater($_POST['subject']); } else { $subjectError = 1; }
    if (isset($_POST['message'])) { $message = cleanseMessage($_POST['message']); } else { $messageError = 1; }
    // when everything is sanitized and validated, add your email script
    $mailName = $name;
    $mailSubject = $subject;
    $mailFrom = $email; // was $mailfrom: variable names are case-sensitive, so the From header below was empty
    $mailMessage = $message;
    $mailTo = "[email protected]";
    // note: a user-supplied From is often rejected by SPF/DMARC; the thread's Reply-To approach keeps From as the site address
    $headers = "From: " . $mailFrom;
    $txt = "You have received an email from " . $name . "\n\n" . $message;
    mail($mailTo, $subject, $txt, $headers);
    header("Location: thankyoupage.php");
    exit;
} else {
    echo 'invalid request method.';
    // echo an error or include a php error file or add a header redirect to an error page
    // include 'requesterror.php';
    //header("Location: requesterror.php");
    exit;
}
function holyWater($s) { // string sanitization of some sort is necessary but this could damage textarea messages
    $s = trim($s);
    $s = stripslashes($s);
    $s = strip_tags($s);
    $s = htmlspecialchars($s);
    return $s; // the posted version never returned, so every sanitized field came back NULL
}
function cleanseMessage($s) { // sanitization for textarea messages
    $s = strip_tags($s);
    $s = htmlspecialchars($s);
    return $s;
}
?>
[/CODE]
just sanitize the input at minimum. you can always add filtering and error handling.[/QUOTE]
[CODE]<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    session_start(); // continue the session from the form page.
    //session_regenerate_id(true);
    //for tighter security, uncomment the regenerate id line.
    //wireless network lag could cause problems with regenerate id, thus storing the old id helps. wait before destroy
    // both values must exist before hash_equals() sees them: a missing token field would otherwise raise a TypeError on PHP 8
    if (isset($_SESSION['tokenShield'], $_POST['token']) && hash_equals($_SESSION['tokenShield'], $_POST['token'])) {
        //if the form token matches the session stored token (like a server cookie holding the value) then process the form
        //i prefer a stronger hash than md5 with non-cryptographic randomness. I choose SHA-512
        //it is a good idea to declare variables and set them before use. also avoids fixation problems.
        $name = $email = $subject = $message = $nameError = $emailError = $subjectError = $messageError = NULL;
        // you could add error handling with input validation or just drop the entire else statement from this area
        if (isset($_POST['name'])) { $name = holyWater($_POST['name']); } else { $nameError = 1; }
        if (isset($_POST['from'])) { $email = filter_var($_POST['from'], FILTER_SANITIZE_EMAIL); } else { $emailError = 1; }
        if (isset($_POST['subject'])) { $subject = holyWater($_POST['subject']); } else { $subjectError = 1; }
        if (isset($_POST['message'])) { $message = cleanseMessage($_POST['message']); } else { $messageError = 1; }
        // when everything is sanitized and validated, add your email script
        $mailName = $name;
        $mailSubject = $subject;
        $mailFrom = $email; // was $mailfrom: variable names are case-sensitive, so the From header below was empty
        $mailMessage = $message;
        $mailTo = "[email protected]";
        $headers = "From: " . $mailFrom;
        $txt = "You have received an email from " . $name . "\n\n" . $message;
        mail($mailTo, $subject, $txt, $headers);
        header("Location: thankyoupage.php");
        exit;
    } else {
        //token doesn't match
        $_POST = array();
        //deleting cookies here is a good idea too before you destroy the session. also unset($_COOKIE['sessionnamegoeshere']); drops the server side cookie.
        $_SESSION = array(); session_unset(); session_destroy();
        header("Location: securityerror.php");
        exit;
    }
} else {
    echo 'invalid request method.';
    // echo an error or include a php error file or add a header redirect to an error page
    // include 'requesterror.php';
    //header("Location: requesterror.php");
    exit;
}
function holyWater($s) { // string sanitization of some sort is necessary but this could damage textarea messages
    $s = trim($s);
    $s = stripslashes($s);
    $s = strip_tags($s);
    $s = htmlspecialchars($s);
    return $s; // the posted version never returned, so every sanitized field came back NULL
}
function cleanseMessage($s) { // sanitization for textarea messages
    $s = strip_tags($s);
    $s = htmlentities($s);
    return $s;
}
?>
[/CODE]
[CODE]<?php
if ($_SERVER["REQUEST_METHOD"] == "GET") {
session_start();
$salt = "M@ke-a-key(or)Another-Rand0mByt3s-salt";
$makeToken = bin2hex(random_bytes(32)) . $salt;
$finalToken = hash('sha512', $makeToken);
$_SESSION['tokenShield'] = hash_hmac('sha512', $makeToken, $finalToken);
include 'formhtml.php';
exit;
} else {
//error handling for requests other than GET
header("Location: invalidrequest.php");
exit;
}
exit;
?>
[/CODE]
[CODE]<form method="post" action="formprocessor.php">
<input name="token" value="<?php echo hash_hmac('sha512', $makeToken, $finalToken); ?>" type="hidden" />
<input name="name" type="text" />
<!-- et cetera, et cetera -->
</form>[/CODE]
[CODE]<?php
if ($_SERVER["REQUEST_METHOD"] == "GET") {
include dirname(__FILE__) . '/../../churchPHP/formpage.php';
exit;
} else {
header("Location: invalidrequest.php");
exit;
}
?>[/CODE]
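The three snippets above spread the token across hash(), hash_hmac() and a variable shared with the included form. As an added example (my code, not the poster's), here is the same session-token check reduced to two functions, including the guard that hash_equals() needs when the token field is missing from the request. It assumes session_start() has already run on both the form page and the processor.

```php
<?php
// Added example, not code from the thread: create and verify the per-session
// form token. Assumes session_start() has run on both pages that use it.

function form_token(): string
{
    // One random token per session, created on first use. 32 bytes from
    // random_bytes() are already unguessable, so no salt or second hash is needed.
    if (empty($_SESSION['tokenShield'])) {
        $_SESSION['tokenShield'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['tokenShield'];
}

function token_field(): string
{
    // Hidden input for the form page; escaped so the markup stays well-formed
    // whatever the token value looks like.
    return '<input type="hidden" name="token" value="'
         . htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

function token_is_valid(array $post): bool
{
    // hash_equals() requires two strings: a form submitted without the field
    // (or with an array) must fail cleanly, not throw a TypeError on PHP 8.
    if (!isset($_SESSION['tokenShield'], $post['token']) || !is_string($post['token'])) {
        return false;
    }
    // Constant-time comparison, as in the poster's code.
    return hash_equals($_SESSION['tokenShield'], $post['token']);
}

// Form page: echo token_field(); inside the <form>.
// Processor: the token check comes before any field is touched.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !token_is_valid($_POST)) {
    $_SESSION = array();
    session_destroy();
    header('Location: securityerror.php');
    exit;
}
```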
[code=php]<?php
// true or false, is this a web form... with a submit button? Bots don't include submit buttons, they just "push"
$post = ($_SERVER["REQUEST_METHOD"] == "POST") && isset($_POST['submit']);
// whitelist stuff in the form (FILTER_SANITIZE_STRING still works but is deprecated from PHP 8.1)
$whitelist = array(
    "name"    => FILTER_SANITIZE_STRING,
    "from"    => FILTER_SANITIZE_EMAIL, // was FILTER_SANITIZE_STRING, which keeps CR/LF and so would not stop header injection below
    "subject" => FILTER_SANITIZE_STRING,
    "message" => FILTER_SANITIZE_STRING,
    "hash"    => FILTER_SANITIZE_STRING
);
// sanitize; a field the form did not send becomes "" instead of raising a notice
foreach ($whitelist as $key => &$value) {
    $value = filter_var($_POST[$key] ?? '', $value);
}
unset($value); // break the reference left behind by the foreach
// did we pass? ($saltvalue must hold the expected value of the hidden "hash" field; the post does not show where it is set)
if (!$post or ($whitelist['hash'] != $saltvalue)) exit;
// headers were a little light
$headers = sprintf("From: %s%sReply-To: %s%sX-Mailer: PHP/%s", $whitelist['from'], PHP_EOL, $whitelist['from'], PHP_EOL, phpversion());
// format the message section of the email
$emailtxt = sprintf("You have received an email from : %s. %s%s%s", $whitelist['name'], PHP_EOL, PHP_EOL, $whitelist['message']);
// send it and capture any error.
$goto = (!mail("[email protected]", $whitelist['subject'], $emailtxt, $headers)) ? "error.php" : "sent.php";
header("Location: {$goto}");
exit;
[/code]