Php contactform handler with issues

[seccondbest]

I have been looking at several pages of sollutions but I am lost in the woods.

Obviously i am using a contactform on my website, I have found a working script written by Betty, and I have contacted this person for some support however that was 5 days ago and no answer yet.

the Html part of the contact form asks for:

name,
surname,
email address,
message,
phonenumber,

If any of these required fields are not or not correctly filled in the PHP script opens up a white pages filled with error messages.
Than the user has to arrow back to the form page and start from scratch, this is ot only anoying but painfull, if you just typed a message of 1000 words and you typed your phone number wrong you get to do it all again lol

further more there is no thank you except after submitting where it clears the form reloads the page and in the addressbar it states the name of the page/thankyou

I have tried to tweak a few things and messed it up badly, i ended up spamming my own e-mail with over 50 test messages I need help!

Since I can not upload the php script I have copied and past it here,

What I would like to have:

error messages in a windows popup without clearing the entire form
a thank you message in a windows popup and clear the form/reload the page

***** original php script ****

PHP Code:

<?php 

    #**********************************************
    # Contact Formulier vanBetty
    #**********************************************

if(isset($_POST['email'])) {
    
    // Pas deze twee regels aan.
    $email_to = "seccondbest@aol.com";
    $email_subject = "Bericht van een bezoeker";
    
    
    function died($error) {
        // je foutbericht staat hier
        echo "Het spijt ons, vanwege een fout is het formulier niet verzonden. ";
        echo "Deze fout(en) tonen zich hieronder.<br /><br />";
        echo $error."<br /><br />";
        echo "Ga aub terug om de velden correct in te vullen.<br /><br />";
        die();
    }
    
    // validation expected data exists
    if(!isset($_POST['first_name']) ||
        !isset($_POST['last_name']) ||
        !isset($_POST['email']) ||
        !isset($_POST['telephone']) ||
        !isset($_POST['comments'])) {
        died('Het spijt ons, er is een probleem opgetredn bij het verzenden van het formulier.');        
    }
    
    $first_name = $_POST['first_name']; // verplicht
    $last_name = $_POST['last_name']; // verplicht
    $email_from = $_POST['email']; // verplicht
    $telephone = $_POST['telephone']; // niet verplicht
    $comments = $_POST['comments']; // verplicht
    
    $error_message = "";
    $email_exp = "^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$";
  if(!eregi($email_exp,$email_from)) {
      $error_message .= 'Het emailadres is niet geldig.<br />';
  }
    $string_exp = "^[a-z .'-]+$";
  if(!eregi($string_exp,$first_name)) {
      $error_message .= 'De voornaam is niet geldig.<br />';
  }
  if(!eregi($string_exp,$last_name)) {
      $error_message .= 'De achternaam is niet geldig.<br />';
  }
  if(strlen($comments) < 2) {
      $error_message .= 'Het bericht is niet geldig.<br />';
  }
  $string_exp = "^[0-9 .-]+$";
  if(!eregi($string_exp,$telephone)) {
      $error_message .= 'Het telefoonnummer is niet geldig.<br />';
  }
  if(strlen($error_message) > 0) {
      died($error_message);
  }
    $email_message = "Gegevens formulier.\n\n";
    
    function clean_string($string) {
      $bad = array("content-type","bcc:","to:","cc:","href");
      return str_replace($bad,"",$string);
    }
    
    $email_message .= "Voornaam: ".clean_string($first_name)."\n";
    $email_message .= "Achternaam: ".clean_string($last_name)."\n";
    $email_message .= "Email: ".clean_string($email_from)."\n";
    $email_message .= "Telefoon: ".clean_string($telephone)."\n";
    $email_message .= "Bericht: ".clean_string($comments)."\n";
    
    
// create email headers
$headers = 'From: '.$email_from."\r\n".
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();
@mail($email_to, $email_subject, $email_message, $headers); 
header("Location:contact.htm?thankyou"); 
?>



<?
}
?>
<?PHP
//Then outside the processing script add 
If (isset($_GET['thankyou'])){
echo "Thank you for your email!<br/><br/>";
}
?>

the last part of this script //Then outside the processing script add if (isset bla bla bla), was my latest attempt to get a thankyou page and dindt work either

I am at a lost here and realy any help is welcom but pease I am a beginner and learn by tweaking and seeing, i tryed reading and that didnt work

thanks for reading my post

[traq]

I think you've found a lot of the disadvantages of this script on your own. There are other serious disadvantages as well. I would recommend finding a new example to learn from. You might look at this one, which I was helping someone else with a while back.

[crobinson42]

What is your experience with php? I think you'll find a more enlightening approach if you used javascript/jquery to accomplish your requests. However, if you're going to stay with this form, a messy way to keep the form data would be to store user input in a session variable...

[ajfmrf]

This is one of my favorite scripts.

http://devingredients.com/2011/03/bu...-from-scratch/

It is easy to install,has current support by the script creator,and is easily added too

[traq]

... I think you'll find a more enlightening approach if you used javascript/jquery to accomplish your requests.

Part of what he was asking about was actually sending the email, which cannot be done with javascript.
Yes, JS is great for client-side validation. Still, remember that client-side is for the user's convenience only - you must always validate server-side.

This is one of my favorite scripts.
http://devingredients.com/2011/03/bu...-from-scratch/
It is easy to install,has current support by the script creator,and is easily added too

That's a nice example - it's always hard to find good ones! The only two things I'd suggest is 1) using filter_var to validate the email address instead of preg_match (it's quicker, uses a better pattern, and is kept updated along with PHP), and 2) putting the user's email in a Reply-to header (the From header should always have a address belonging to the domain (e.g., From: no-reply@example.com) in order to keep it out of spam traps).

[ajfmrf]

That's a nice example - it's always hard to find good ones! The only two things I'd suggest is 1) using filter_var to validate the email address instead of preg_match (it's quicker, uses a better pattern, and is kept updated along with PHP), and 2) putting the user's email in a Reply-to header (the From header should always have a address belonging to the domain (e.g., From: no-reply@example.com) in order to keep it out of spam traps).

Thanks Adrian,how would I make those changes exactly?

Just change the two things highlighted one for the other? or is there more than that to it?

[traq]

PHP Code:

/*
if (!preg_match("/^[_a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)){ 
    $error .= "The e-mail address you entered is not valid. <br/>";
}
*/
if( ! filter_var( $email,FILTER_VALIDATE_EMAIL ) ){
    $error .= "The e-mail address you entered is not valid. <br/>";
} 


...

PHP Code:

/*
$from = 'From: ' . $name . ' <' . $email . '>';
*/
$from = "From: no-reply@example.com\r\n";  // <--change "example.com" to your domain name 


----------------------------------
Also, I missed this earlier: that script is vulnerable to email header injection. You need to make sure $_POST['name'] contains no newlines:

PHP Code:

/*
if (!empty($_POST['name'])) {
    $name = $_POST['name'];
}
*/ 


Two choices:

Quietly remove newlines and proceed as though nothing is wrong:

PHP Code:

if( ! empty( $_POST['name'] ) ){
    // remove any carriage returns (which can be used to inject a new header)
    // and any header names
    // note this is the case-insensitive function, str_ireplace()
    $name = str_ireplace( array( "\r","\n","%0a","%0d","Content-Type:","bcc:","to:","cc:" ),"",$_POST['name'] );
} 


OR, reject the submission in its entirety if there is any evidence of this attack:

PHP Code:

if( ! empty( $_POST['name'] ) ){
    // same as above...
    $name = str_ireplace( array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:" ),"",$_POST['name'] );
    // test if the filtered and unfiltered strings match.
    // if they do not, that means the user put illegal characters in the "name" field.
    if( $_POST['name'] !== $name ){
        exit();  //<--don't even say anything. give them a blank page.
    }
} 


This is the safer (preferred) option.
It might seem unfriendly, but realistically, it is almost impossible for an honest user to trigger this by accident.
Practically speaking, if this happens, it is an attack, and you do not want to allow them to continue.

----------------------------------
Coming back to the "From" issue, the main reason people put the visitor's email address in the "From" header is so they can click the [Reply] button when they receive the email.

The correct way to allow this is to use the "Reply-to" header:

PHP Code:

// after $from = "From: no-reply@example.com\r\n";
$from .="Reply-to: $name <$email>\r\n"; 


[ajfmrf]

Ok,I made the changes here

PHP Code:

<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>PHP Contact Form - Dev Ingredients</title>
    <link rel="stylesheet" type="text/css" href="style.css" />
  </head>
  <body>
    <?php
    if (isset($_POST['submit'])) {
    $error = "";

     if( ! empty( $_POST['name'] ) ){
    // same as above...
    $name = str_ireplace( array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:" ),"",$_POST['name'] );
    // test if the filtered and unfiltered strings match.
    // if they do not, that means the user put illegal characters in the "name" field.
    if( $_POST['name'] !== $name ){
        exit();  //<--don't even say anything. give them a blank page.
        }
    }  
     else {
    $error .= "You didn't type in your name. <br />";
    }

    if (!empty($_POST['email'])) {
    $email = $_POST['email'];
     if( ! filter_var( $email,FILTER_VALIDATE_EMAIL ) ){
    $error .= "The e-mail address you entered is not valid. <br/>";
    }  
    } else {
    $error .= "You didn't type in an e-mail address. <br />";
    }

    if (!empty($_POST['message'])) {
    $message = $_POST['message'];
    } else {
    $error .= "You didn't type in a message. <br />";
    }

    if (empty($error)) {
    $from = "From: no-reply@web-user.net\r\n";
    $to = "my@email.com";
    $subject = "New contact form message";
    $content = $name . " has sent you a message: \n" . $message;
    $success = "<h3>Thank you! Your message has been sent!</h3>";
    mail($to,$subject,$content,$from);
    }

Did I get it right

I am not sure about this part;

[traq]

yeah, that should work. You might want to add the "Reply-to" header:

PHP Code:

/*$from = "From: no-reply@web-user.net\r\n";*/
$from = "From: no-reply@web-user.net\r\nReply-to: $name <$email>\r\n";