  1. #1
    SitePoint Addict (joined Jan 2007)

    Securing a PHP E-Mail form

    I have created an email form that works perfectly, however I am trying to add some code to it that makes it more secure.

    Firstly I would like it so that if a user just types in the URL they get the first error. Also, if they submit the form and go back to the submission page via the back button, they don't resubmit the form.

    Code:
    echo "Sorry you must use the form page first";
    I thought isset would do this, but it doesn't work: it always prints the error even if you go through the correct path.

    Also I would like some kind of validation code in there so that if a user doesn't fill in a required field it won't submit the form. I have tried various ways but just can't get it to work correctly.

    (I have removed all email addresses for security reasons)

    Code:
    <?php

    // Expects $companyname and $contactname to already be set when this runs
    if (!isset($companyname) || !isset($contactname)) {
        echo "Sorry you must use the form page first";
    }
    else
    {
        // Read the submitted values once, before the sending loop
        $companyname = $_POST["companyname"];
        $contactname = $_POST["contactname"];
        $street = $_POST["street"];
        $city = $_POST["city"];
        $county = $_POST["county"];
        $postcode = $_POST["postcode"];
        $phonenumber = $_POST["phonenumber"];
        $mobile = $_POST["mobile"];
        $email = $_POST["email"];

        $returnreason = $_POST["returnreason"];
        $failuremode = $_POST["failuremode"];

        $headers = "MIME-Version: 1.0\r\n";
        $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
        $headers .= "From:.... \r\n";
        $headers .= "Return-path:.... \r\n";
        // Was a second From: header; Reply-To is where the sender's address belongs
        $headers .= "Reply-To: $email\r\n";
        $headers .= "CC: email, email\r\n";
        $subject = "Collection Service";
        $message = "<html><body>The following message has been sent: from $contactname at $companyname the message is listed below -

    <b>Contact Details</b></br>

    <b>Company Name:</b> $companyname
    <b>Contact Name:</b> $contactname
    <b>Street:</b> $street
    <b>City:</b> $city
    <b>County:</b> $county
    <b>Postcode:</b> $postcode
    <b>Phone Number:</b> $phonenumber
    <b>Mobile:</b> $mobile
    <b>E-Mail:</b> $email

    <b>Reason For Return</b></br>

    <b>Return Reason:</b> $returnreason
    <b>Failure Mode:</b> $failuremode

    </body></html>";

        // Comma-separated list of recipient addresses (removed from the post)
        $emails = "emailaddress";
        $emailsArray = explode(",", $emails);

        foreach ($emailsArray as $key => $value) {
            $mailsent = mail($value, $subject, nl2br($message), $headers);
            if ($mailsent) {
                echo "<p class=\"pcenter\">Congratulations <span class=\"keyword\">$contactname</span> The following message has been sent to our specialist collection service:</p>";

                echo "<h3 class=\"h3\">Contact Details:</h3>";

                echo "<p class=\"pformtext\"><span class=\"keyword\">Company Name:</span> $companyname</p>";
                echo "<p class=\"pformtext\"><span class=\"keyword\">Contact Name:</span> $contactname</p>";
                echo "<p class=\"pformtext\"><span class=\"keyword\">Street:</span> $street</p>";
                echo "<p class=\"pformtext\"><span class=\"keyword\">City:</span> $city</p>";
                echo "<p class=\"pformtext\"><span class=\"keyword\">County:</span> $county</p>";
                echo "<p class=\"pformtext\"><span class=\"keyword\">Postcode:</span> $postcode</p>";
                echo "<p class=\"pformtext\"><span class=\"keyword\">Phone Number:</span> $phonenumber</p>";
                echo "<p class=\"pformtext\"><span class=\"keyword\">Mobile:</span> $mobile</p>";
                echo "<p class=\"pformtext\"><span class=\"keyword\">E-mail:</span> $email</p>";

                echo "<h3 class=\"h3\">Reason For Return:</h3>";

                echo "<p class=\"pformtext\"><span class=\"keyword\">Return Reason:</span> $returnreason</p>";
                echo "<p class=\"pformtext\"><span class=\"keyword\">Failure Mode:</span> $failuremode</p>";
            } else {
                echo "There was an error...";
            }
        }
    }
    ?>


    Thank you for any help

  2. #2
    shoorace, SitePoint Zealot (joined Jun 2005, Florida)
    Have you checked your ini settings for register_globals, that it is set to On?
    You have used $_POST variables directly, $companyname, without the use of the superglobal array $_POST['companyname'].

  3. #3
    SitePoint Addict (joined Jan 2007)
    I have been playing around and now I have sorted the problem by doing this

    Code:
    if (!isset($_POST['companyname'])) {
        echo "Sorry you need to fill out the following form <a href=\"gearboxcollection.php\">Gearbox Collection</a>";
    }
    else if (empty($_POST['contactname'])) {
        echo "try again not filled in the fields";
    }
    else
    {
        // ... build and send the e-mail as before
    }
    So if the page is gone to directly they get a URL on the screen to go back to the form, or if they miss out a field, an error message.

    Now my only problem is that if you refresh the page it keeps sending the form. Is there a way to stop this happening?

    Cheers

  4. #4
    Raju Gautam (joined Oct 2006, Kathmandu, Nepal)
    Do like this by submitting the form to the same page where your email form is:
    1. Put your PHP code on the very top of your page.
    Code php:
    if ($_SERVER['REQUEST_METHOD'] == "POST") {
        if ($validation == true) {   // $validation: the result of your own field checks
            // send email to ....
            // redirect to the same page or your desired page, then stop the script:
            // header("Location: ..."); exit;
        }
    }
    // else don't do anything

    2. Put your other HTML down here. But it is the same page.
    HTML Code:
    <form name="frm" method="post" action="">
    <input name="yourname" type="text" value="<?php echo isset($_POST['yourname']) ? htmlspecialchars($_POST['yourname']) : ''; ?>" />
    likewise create other form elements here..
    </form>
    I think you got what I mean.
    Mistakes are proof that you are trying.....
    ------------------------------------------------------------------------
    PSD to HTML - SlicingArt.com | Personal Blog | ZCE - PHP 5
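    The single-page pattern above, combined with the required-field check from post #3, as a complete added example (not Raju's or the original poster's code). It assumes the fields companyname, contactname and email; the mail() call is left as a comment where it would go.

```php
<?php
// Added example: one page that shows the form, validates a POST, and redirects
// on success so a refresh or the Back button cannot resend it.

// Returns field => error message for every required field that is missing or
// blank; an empty array means the submission passed.
function validate_required(array $post, array $required)
{
    $errors = array();
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[$field] = 'This field is required';
        }
    }
    return $errors;
}

$required = array('companyname', 'contactname', 'email');   // assumed field names
$errors = array();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_required($_POST, $required);
    if (empty($errors)) {
        // ... build $subject, $message and $headers and call mail() here ...

        // Post/Redirect/Get: the browser lands on a GET, so the POST is not
        // what gets refreshed or stored in history.
        header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?sent=1');
        exit;
    }
} elseif (isset($_GET['sent'])) {
    echo '<p>Thank you, your request has been sent.</p>';
}
?>
<form method="post" action="">
<?php foreach ($required as $field): ?>
  <label><?php echo htmlspecialchars($field); ?>:
    <!-- re-populate with the escaped previous value, never the raw POST data -->
    <input type="text" name="<?php echo $field; ?>"
           value="<?php echo isset($_POST[$field]) ? htmlspecialchars($_POST[$field]) : ''; ?>" />
  </label>
  <?php if (isset($errors[$field])): ?><span class="error"><?php echo $errors[$field]; ?></span><?php endif; ?>
<?php endforeach; ?>
  <input type="submit" value="Send" />
</form>
```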

  5. #5
    Hammer65, SitePoint Wizard (joined Nov 2004, Lincoln Nebraska)
    There are two main things to guard against with email forms.

    The first is header injection (Google for "PHP mail injection") and the second is automated submissions.

    Protecting against the first one is a matter of detecting certain characters present in any user input that will be used as part of the mail message.

    Protecting from the second is a little more complicated. There are a number of techniques that have been discussed here in various threads, but none of them except perhaps for captcha images are 100% effective.

    As far as double submissions go, there are several solutions, including checking for the request type, but I find that the key is keeping the submission out of the browser history. To do that, I like to do this with three separate pages using HTTP headers to redirect and manage caching accordingly.

    The form page submits to a submission page, which is faceless (no HTML) and sends headers to the browser telling it not to cache the page. Upon success, the user is either redirected to a thank you page or sent to a main page on the site with a friendly thank you message. This may seem like a lot more to go through than just putting everything on a single page, but it works very effectively and consistently.
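    The faceless submission page from Hammer65's three-page layout, together with the header-injection check from earlier in the post, as an added example (not Hammer65's own code). It assumes the form page is form.php, the thank-you page is thanks.php, and the site's own address is the placeholder RECIPIENT_PLACEHOLDER.

```php
<?php
// Added example: submission page that validates, sends, and redirects.
// Assumed names: form.php, thanks.php, RECIPIENT_PLACEHOLDER.

// A value may be interpolated into $headers only if it cannot start a new
// header line: raw or URL-encoded CR/LF is what mail header injection relies on.
function is_header_safe($value)
{
    return !preg_match('/\r|\n|%0[ad]/i', $value);
}

// Returns the visitor's address if it is a single, well-formed, header-safe
// e-mail address, otherwise false.
function reply_address($value)
{
    $value = trim($value);
    if (!is_header_safe($value) || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return $value;
}

// Tell the browser never to cache or revisit this page.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');

$reply = isset($_POST['email']) ? reply_address($_POST['email']) : false;
$name  = isset($_POST['contactname']) ? trim($_POST['contactname']) : '';

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || $reply === false || $name === '') {
    header('Location: form.php?error=1');   // back to the form, nothing sent
    exit;
}

// From: is a fixed site address; the visitor's address goes in Reply-To only.
$headers  = "From: RECIPIENT_PLACEHOLDER\r\n";             // placeholder site address
$headers .= "Reply-To: $reply\r\n";
$body     = "Collection request from $name <$reply>\n";     // body text, not a header

if (mail('RECIPIENT_PLACEHOLDER', 'Collection Service', $body, $headers)) {
    header('Location: thanks.php', true, 303);   // 303: the POST leaves the history
} else {
    header('Location: form.php?error=1');
}
exit;
```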

  6. #6
    shoorace, SitePoint Zealot (joined Jun 2005, Florida)
    Now my only problem is that if you refresh the page it keeps sending the form. Is there a way to stop this happening?
    After your required things are done, you can redirect your page to the self page.

    Code PHP:
    header("Location: " . $_SERVER['PHP_SELF']);
    exit;   // stop the script so nothing runs after the redirect

