Thread: Php contactform handler with issues

  1. #1

I have been looking at several pages of solutions but I am lost in the woods.

Obviously I am using a contact form on my website. I have found a working script written by Betty, and I have contacted this person for some support; however, that was 5 days ago and no answer yet.

The HTML part of the contact form asks for:

    name,
    surname,
    email address,
    message,
    phonenumber,

If any of these required fields are not filled in, or not filled in correctly, the PHP script opens a white page filled with error messages.
Then the user has to arrow back to the form page and start from scratch. This is not only annoying but painful: if you just typed a message of 1000 words and typed your phone number wrong, you get to do it all again lol

Furthermore there is no thank-you, except that after submitting it clears the form, reloads the page and in the address bar it states the name of the page/thankyou

I have tried to tweak a few things and messed it up badly; I ended up spamming my own e-mail with over 50 test messages. I need help!

Since I can not upload the PHP script I have copied and pasted it here.

What I would like to have:

error messages in a windows popup without clearing the entire form
a thank-you message in a windows popup and clear the form/reload the page

    ***** original php script ****
PHP Code:
<?php
#**********************************************
# Contact form by Betty
#**********************************************

if(isset($_POST['email'])) {

    // Adjust these two lines.
    $email_to = "seccondbest@aol.com";
    $email_subject = "Bericht van een bezoeker";

    function died($error) {
        // your error message goes here
        echo "Het spijt ons, vanwege een fout is het formulier niet verzonden. ";
        echo "Deze fout(en) tonen zich hieronder.<br /><br />";
        echo $error."<br /><br />";
        echo "Ga aub terug om de velden correct in te vullen.<br /><br />";
        die();
    }

    // validation expected data exists
    if(!isset($_POST['first_name']) ||
        !isset($_POST['last_name']) ||
        !isset($_POST['email']) ||
        !isset($_POST['telephone']) ||
        !isset($_POST['comments'])) {
        died('Het spijt ons, er is een probleem opgetreden bij het verzenden van het formulier.');
    }

    $first_name = $_POST['first_name']; // required
    $last_name = $_POST['last_name']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required
    $comments = $_POST['comments']; // required

    $error_message = "";
    $email_exp = "^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$";
    if(!eregi($email_exp,$email_from)) {
        $error_message .= 'Het emailadres is niet geldig.<br />';
    }
    $string_exp = "^[a-z .'-]+$";
    if(!eregi($string_exp,$first_name)) {
        $error_message .= 'De voornaam is niet geldig.<br />';
    }
    if(!eregi($string_exp,$last_name)) {
        $error_message .= 'De achternaam is niet geldig.<br />';
    }
    if(strlen($comments) < 2) {
        $error_message .= 'Het bericht is niet geldig.<br />';
    }
    $string_exp = "^[0-9 .-]+$";
    if(!eregi($string_exp,$telephone)) {
        $error_message .= 'Het telefoonnummer is niet geldig.<br />';
    }
    if(strlen($error_message) > 0) {
        died($error_message);
    }

    $email_message = "Gegevens formulier.\n\n";

    function clean_string($string) {
        $bad = array("content-type","bcc:","to:","cc:","href");
        return str_replace($bad,"",$string);
    }

    $email_message .= "Voornaam: ".clean_string($first_name)."\n";
    $email_message .= "Achternaam: ".clean_string($last_name)."\n";
    $email_message .= "Email: ".clean_string($email_from)."\n";
    $email_message .= "Telefoon: ".clean_string($telephone)."\n";
    $email_message .= "Bericht: ".clean_string($comments)."\n";

    // create email headers
    $headers = 'From: '.$email_from."\r\n".
        'Reply-To: '.$email_from."\r\n".
        'X-Mailer: PHP/' . phpversion();
    @mail($email_to, $email_subject, $email_message, $headers);
    header("Location:contact.htm?thankyou");
}
?>
<?php
// Then outside the processing script add
if (isset($_GET['thankyou'])){
    echo "Thank you for your email!<br/><br/>";
}
?>
The last part of this script (//Then outside the processing script add if (isset bla bla bla)) was my latest attempt to get a thank-you page and didn't work either.

I am at a loss here and really any help is welcome, but please, I am a beginner and learn by tweaking and seeing; I tried reading and that didn't work.

    thanks for reading my post
    Last edited by traq; 05-22-2013 at 07:56 PM. Reason: please use the forum's [PHP] tags for php code

  2. #2 (traq)

    I think you've found a lot of the disadvantages of this script on your own. There are other serious disadvantages as well. I would recommend finding a new example to learn from. You might look at this one, which I was helping someone else with a while back.

  3. #3 (crobinson42)

    What is your experience with php? I think you'll find a more enlightening approach if you used javascript/jquery to accomplish your requests. However, if you're going to stay with this form, a messy way to keep the form data would be to store user input in a session variable...

  4. #4 (ajfmrf)

    This is one of my favorite scripts.

    http://devingredients.com/2011/03/bu...-from-scratch/

It is easy to install, has current support by the script creator, and is easily added to.
    Thanks,

    Bud


  6. #5 (traq)

    Quote Originally Posted by crobinson42 View Post
    ... I think you'll find a more enlightening approach if you used javascript/jquery to accomplish your requests.
    Part of what he was asking about was actually sending the email, which cannot be done with javascript.
    Yes, JS is great for client-side validation. Still, remember that client-side is for the user's convenience only - you must always validate server-side.


    Quote Originally Posted by ajfmrf View Post
    This is one of my favorite scripts.
    http://devingredients.com/2011/03/bu...-from-scratch/
It is easy to install, has current support by the script creator, and is easily added to.
That's a nice example - it's always hard to find good ones! The only two things I'd suggest are 1) using filter_var to validate the email address instead of preg_match (it's quicker, uses a better pattern, and is kept updated along with PHP), and 2) putting the user's email in a Reply-to header (the From header should always have an address belonging to the domain (e.g., From: no-reply@example.com) in order to keep it out of spam traps).

  7. #6 (ajfmrf)

    Quote Originally Posted by traq View Post

That's a nice example - it's always hard to find good ones! The only two things I'd suggest are 1) using filter_var to validate the email address instead of preg_match (it's quicker, uses a better pattern, and is kept updated along with PHP), and 2) putting the user's email in a Reply-to header (the From header should always have an address belonging to the domain (e.g., From: no-reply@example.com) in order to keep it out of spam traps).
Thanks Adrian, how would I make those changes exactly?

    Just change the two things highlighted one for the other? or is there more than that to it?
    Thanks,

    Bud

  8. #7 (traq)

PHP Code:
/*
if (!preg_match("/^[_a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)){
    $error .= "The e-mail address you entered is not valid. <br/>";
}
*/
if( ! filter_var( $email, FILTER_VALIDATE_EMAIL ) ){
    $error .= "The e-mail address you entered is not valid. <br/>";
}

...
PHP Code:
/*
$from = 'From: ' . $name . ' <' . $email . '>';
*/
$from = "From: no-reply@example.com\r\n";  // <--change "example.com" to your domain name

    ----------------------------------
    Also, I missed this earlier: that script is vulnerable to email header injection. You need to make sure $_POST['name'] contains no newlines:
    PHP Code:
    /*
    if (!empty($_POST['name'])) {
        $name = $_POST['name'];
    }
    */ 
    Two choices:
    Quietly remove newlines and proceed as though nothing is wrong:
    PHP Code:
if( ! empty( $_POST['name'] ) ){
    // remove any carriage returns (which can be used to inject a new header)
    // and any header names
    // note this is the case-insensitive function, str_ireplace()
    $name = str_ireplace( array( "\r","\n","%0a","%0d","Content-Type:","bcc:","to:","cc:" ),"",$_POST['name'] );
}

    OR, reject the submission in its entirety if there is any evidence of this attack:
    PHP Code:
if( ! empty( $_POST['name'] ) ){
    // same as above...
    $name = str_ireplace( array( "\r","\n","%0a","%0d","Content-Type:","bcc:","to:","cc:" ),"",$_POST['name'] );
    // test if the filtered and unfiltered strings match.
    // if they do not, that means the user put illegal characters in the "name" field.
    if( $_POST['name'] !== $name ){
        exit();  //<--don't even say anything. give them a blank page.
    }
}

    This is the safer (preferred) option.
    It might seem unfriendly, but realistically, it is almost impossible for an honest user to trigger this by accident.
    Practically speaking, if this happens, it is an attack, and you do not want to allow them to continue.


    ----------------------------------
    Coming back to the "From" issue, the main reason people put the visitor's email address in the "From" header is so they can click the [Reply] button when they receive the email.

    The correct way to allow this is to use the "Reply-to" header:
    PHP Code:
// after $from = "From: no-reply@example.com\r\n";
$from .= "Reply-to: $name <$email>\r\n";
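Pulling the fixes from this thread together, here is an added example (not Betty's script nor code from any poster) of a handler that collects errors into a list instead of calling die(), refuses CR/LF header injection outright, validates the address with filter_var, and sends with a fixed From address and the visitor in Reply-To. Field names follow the form in the opening post; MAIL_TO, MAIL_FROM and the two function names are assumptions, and the addresses are placeholders.

```php
<?php
// Added example (not the original script or any poster's code): the thread's fixes
// combined. Field names follow the opening post's form; the addresses are placeholders.
const MAIL_TO   = 'you@example.com';       // placeholder recipient
const MAIL_FROM = 'no-reply@example.com';  // placeholder; must be an address on your own domain
// A CR or LF in a value that lands in a mail header lets the sender append headers
// of their own (Bcc:, another To:). Detect it and stop rather than silently strip it.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}
// Returns a list of error messages; an empty list means the input is acceptable.
function validate_contact(array $post): array
{
    foreach (['first_name', 'last_name', 'email'] as $field) {
        if (has_header_injection((string) ($post[$field] ?? ''))) {
            return ['Invalid characters in form input.'];  // not an honest mistake
        }
    }
    $errors = [];
    foreach (['first_name', 'last_name', 'email', 'comments'] as $field) {
        if (trim((string) ($post[$field] ?? '')) === '') {
            $errors[] = "The field '$field' is required.";
        }
    }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'The e-mail address is not valid.';
    }
    $phone = (string) ($post['telephone'] ?? '');
    if ($phone !== '' && !preg_match('/^[0-9 .+-]+$/', $phone)) {
        $errors[] = 'The telephone number is not valid.';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_contact($_POST);
    if ($errors === []) {
        $name    = $_POST['first_name'] . ' ' . $_POST['last_name'];
        $headers = 'From: ' . MAIL_FROM . "\r\nReply-To: $name <{$_POST['email']}>\r\n";
        $body    = "Name: $name\nTelephone: " . ($_POST['telephone'] ?? '') . "\n\n" . $_POST['comments'];
        mail(MAIL_TO, 'Message from a visitor', $body, $headers);
        header('Location: contact.htm?thankyou');
        exit;
    }
    // Show the errors and keep the submitted text in the form (escaped against XSS), not a blank page.
    foreach ($errors as $e) { echo '<p class="error">' . htmlspecialchars($e) . "</p>\n"; }
    echo '<textarea name="comments">' . htmlspecialchars($_POST['comments'] ?? '') . '</textarea>';
}
```

Because the error branch echoes the escaped input back into the form, a visitor who mistypes a phone number keeps the message they already wrote, which is the complaint in the opening post.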

  9. #8 (ajfmrf)

    Ok,I made the changes here

    PHP Code:
<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>PHP Contact Form - Dev Ingredients</title>
    <link rel="stylesheet" type="text/css" href="style.css" />
  </head>
  <body>
    <?php
    if (isset($_POST['submit'])) {
        $error = "";

        if( ! empty( $_POST['name'] ) ){
            // same as above...
            $name = str_ireplace( array( "\r","\n","%0a","%0d","Content-Type:","bcc:","to:","cc:" ),"",$_POST['name'] );
            // test if the filtered and unfiltered strings match.
            // if they do not, that means the user put illegal characters in the "name" field.
            if( $_POST['name'] !== $name ){
                exit();  //<--don't even say anything. give them a blank page.
            }
        } else {
            $error .= "You didn't type in your name. <br />";
        }

        if (!empty($_POST['email'])) {
            $email = $_POST['email'];
            if( ! filter_var( $email, FILTER_VALIDATE_EMAIL ) ){
                $error .= "The e-mail address you entered is not valid. <br/>";
            }
        } else {
            $error .= "You didn't type in an e-mail address. <br />";
        }

        if (!empty($_POST['message'])) {
            $message = $_POST['message'];
        } else {
            $error .= "You didn't type in a message. <br />";
        }

        if (empty($error)) {
            $from = "From: no-reply@web-user.net\r\n";
            $to = "my@email.com";
            $subject = "New contact form message";
            $content = $name . " has sent you a message: \n" . $message;
            $success = "<h3>Thank you! Your message has been sent!</h3>";
            mail($to,$subject,$content,$from);
        }
    }
    ?>
Did I get it right?

    I am not sure about this part;
    Thanks,

    Bud

  10. #9 (traq)

    yeah, that should work. You might want to add the "Reply-to" header:
    PHP Code:
/*$from = "From: no-reply@web-user.net\r\n";*/
$from = "From: no-reply@web-user.net\r\nReply-to: $name <$email>\r\n";