  1. #1
    SitePoint Wizard

    Sending emails via my form - How can I stop unwanted code affecting my page layout?

    Hi all

    I've written a basic script to handle my contact form, name and email are required fields and will not submit until these are correct.

    My problem is if I place something like
    Code PHP:
    if (strlen($email) == 0) {$s_error_message .= "You forgot your email address<br>";}
    into any of my form's fields, it executes the <br> and pushes my form field down. This shouldn't happen, and I'm worried: if this basic <br> is having an effect on the page, what other code will be able to run?

    Am I missing something? Why can this code be run? Thanks in advance

    Here's my full code:
    Code PHP:
    <?php
    session_start();
     
    $name             = '';
    $email            = '';
    $tel              = '';
    $comment          = '';
    $s_error_message  = '';
     
    if (isset($_POST['submit'])) //check for name of your submit button
    {
        // stripslashes() only undoes magic_quotes_gpc; it is a no-op on PHP 5.4+, where magic quotes were removed
        if (isset($_POST['name'])) {$name = trim(stripslashes($_POST['name']));}
        if (isset($_POST['email'])) {$email = trim(stripslashes($_POST['email']));}
        if (isset($_POST['tel'])) {$tel = trim(stripslashes($_POST['tel']));}
        if (isset($_POST['comment'])) {$comment = trim(stripslashes($_POST['comment']));}
        if (strlen($name) == 0) {$s_error_message .= "Please enter your name<br>";}
        if (strlen($email) == 0) {$s_error_message .= "You forgot your email address<br>";}
        // eregi() is deprecated and was removed in PHP 7; preg_match() with the i (case-insensitive) and
        // D (dollar only matches at the very end) modifiers is the equivalent, so a trailing newline
        // cannot slip into the From: header built below
        elseif (!preg_match('/^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$/iD', $email)) {$s_error_message .= "Not a valid email address<br>";}
     
        if (strlen($s_error_message) == 0)
        {
            $to="example@hotmail.co.uk";
            $message = "Name: " . $name . "\n\n" . $comment . "\n\nTel: " . $tel . "\nEmail: " . $email;
            $subject = "Site Query";
     
            // exit after the redirect header so nothing below runs for the redirected request
            if (mail($to, $subject, $message, 'From: ' . $email)) {header('Location: index.php'); exit;}
            else {print('There was a problem sending the mail. Please check that you filled in the form correctly.');}
        }
    }
     
    ?>

    and below that code, this is where I've pasted the code from above into the input field:

    Code HTML4Strict:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <html>
    <head>
    </head>
    <body>
    .....
     
    <input id="name" name="name" class="text required" type="text" value="<?php print($name); ?>">
    <input id="email" name="email" class="email required" type="text" value="<?php print($email); ?>">
     
    some other stuff...
     
    <p class="errors"><?php if (strlen($s_error_message) > 0) {print($s_error_message);} ?></p>
     
    </body>
    </html>

    Thanks
    Last edited by computerbarry; Dec 28, 2008 at 12:06.
    The more you learn.... the more you learn there is more to learn.

  2. #2
    Use The Cloud
    You didn't include where you actually display the contents of $s_error_message, which is needed to give you an exact reason why <br> is being interpreted.

    The most likely solution is to run it through htmlentities()
    Brad Hanson, Web Applications & Scalability Specialist
    ► Is your website outgrowing its current hosting solution?
    ► PM me for a FREE scalability consult!
    ► USA Based: Available by Phone, Skype, AIM, and E-mail.

  3. #3
    SitePoint Wizard lorenw's Avatar
    If $email has not been set, strlen just might be 0; try adding isset to the if statement.
    What I lack in acuracy I make up for in misteaks

  4. #4
    SitePoint Wizard
    Thanks

    Yes, I forgot to add it; I've updated my code above.

    And do you mean something like this:

    Code HTML4Strict:
    <input id="name" name="name" class="text required" type="text" value="<?php print htmlspecialchars($name), ENT_QUOTES; ?>">

    And what if somebody tries to run some php or some other scripts will this be safe?

    Update: How can I stop the browser from showing (Parse error: syntax error, unexpected ',' ...) if something is wrong?

    thanks

  5. #5
    Use The Cloud
    You seem to be pretty confused and are mixing concepts.

    What is the issue with displaying $s_error_message like that, if the user never controls the value of it? You have complete control over the content (and containing HTML, or lack thereof).

    You didn't actually test HTML tags within the value attribute of your input fields... they work fine and as expected. As far as escaping input though, yes you should always do that.

    You can turn off the browser showing PHP errors by changing "display_errors" to off in your php.ini file, but you should never have a parse error in a production file anyway. I'm sure if you look closer at the code you posted you can see the mistake:

    PHP Code:
    <?php print htmlspecialchars($name), ENT_QUOTES?>
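A worked version of the escaping the thread settles on, added here as an example (it is not code posted in the thread). It assumes UTF-8 pages; the helper names e(), textInput() and errorsFor() and the sample POST data are constructed for the example.

```php
<?php
// Added example, not from the thread: escaping form values for the attribute
// and element contexts the contact form uses. Assumes UTF-8 pages.
declare(strict_types=1);

// Escape a value for use inside an HTML attribute or element body.
// ENT_QUOTES also converts the double quote, so a value like "><b>x</b>
// cannot close the value="..." attribute early; a plain print() cannot stop that.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one text input, echoing the submitted value back safely.
function textInput(string $id, string $value): string
{
    return '<input id="' . e($id) . '" name="' . e($id)
         . '" type="text" value="' . e($value) . '">';
}

// Error messages are fixed strings chosen by the script, so they may carry
// markup such as the <br> separators. Any user data mixed in must be escaped.
function errorsFor(array $post): string
{
    $errors = '';
    $name   = trim($post['name'] ?? '');
    $email  = trim($post['email'] ?? '');
    if ($name === '') {
        $errors .= "Please enter your name<br>";
    }
    if ($email === '') {
        $errors .= "You forgot your email address<br>";
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        // The echoed address is user-controlled, so it goes through e().
        $errors .= 'Not a valid email address: ' . e($email) . "<br>";
    }
    return $errors;
}

// Constructed sample input: the snippet the original poster typed into the
// name field, and an email value that tries to break out of the attribute.
$post = [
    'name'  => 'if (strlen($email) == 0) {$s .= "oops<br>";}',
    'email' => '"><b>not an address</b>',
];
echo textInput('name', $post['name']), "\n";
echo textInput('email', $post['email']), "\n";
echo '<p class="errors">', errorsFor($post), "</p>\n";
```

Run it from the command line and view the output: the <br> and <b> tags arrive as &lt;br&gt; and &lt;b&gt; text, and the stray quote in the email value is rendered as &quot; rather than ending the attribute.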

  6. #6
    SitePoint Wizard
    thanks

    What is the issue with displaying $s_error_message like that, if the user never controls the value of it?
    This basically acts as a visual for the user and will show the errors on the page if the email is not valid or they forget the name.

    I'm sure if you look closer at the code you posted you can see the mistake:
    ??


  7. #7
    Use The Cloud
    Quote Originally Posted by computerbarry View Post
    thanks

    This basically acts as a visual for the user and will show the errors on the page if the email is not valid or they forget the name.

    ??

    You're still not understanding.

    You were worried about $s_error_message displaying HTML, and were concerned about a malicious user abusing that. Well, $s_error_message is never modified by the user, so there is no problem with it.

    Compare your code to the PHP manual, you'll see the parse error.

  8. #8
    SitePoint Wizard
    You were worried about $s_error_message displaying HTML, and were concerned about a malicious user abusing that. Well, $s_error_message is never modified by the user, so there is no problem with it.
    Thanks, I think you have misunderstood me. The main problem was that if somebody types "<br>" or whatever piece of code into any input field, the code would get executed; I wanted a way to make sure this code can't be run.

    $s_error_message works fine; there's no problem with this.


  9. #9
    Use The Cloud
    Quote Originally Posted by computerbarry View Post
    Thanks, I think you have misunderstood me. The main problem was that if somebody types "<br>" or whatever piece of code into any input field, the code would get executed; I wanted a way to make sure this code can't be run.

    $s_error_message works fine; there's no problem with this.

    Look at your original post again, the example you provided suggested the problem you were having was with $s_error_message.

    My problem is...
    PHP Code:
    if (strlen($email) == 0) {$s_error_message .= "You forgot your email address<br>";}
    If you're displaying text entered from input fields but do not want the HTML displayed, then use htmlentities as suggested above.

  10. #10
    SitePoint Wizard
    Yes thanks bhanson

    I didn't explain properly.
    if (strlen($email) == 0) {$s_error_message .= "You forgot your email address<br>";}
    That was just to highlight if I posted something like this into an input field that the <br> at the end would run and cause my page to change.

    I added <?php print htmlspecialchars($name); ?> and solved the problem

    -------------------

    You can turn off the browser showing PHP errors by changing "display_errors" to off in your php.ini file, but you should never have a parse error in a production file anyway.
    Just a little confused now how I can sort this problem, I have a number of sites running under 1 account so if I turn errors off I will lose all the information when testing and debugging... how can I get it to work for just this file/directory?

    Thanks for the time

  11. #11
    Use The Cloud
    Quote Originally Posted by computerbarry View Post
    Yes thanks bhanson

    I didn't explain properly.

    That was just to highlight if I posted something like this into an input field that the <br> at the end would run and cause my page to change.
    A better example would have been one of the fields you were actually inserting into your input fields, instead of an unrelated variable.

    Quote Originally Posted by computerbarry View Post
    Just a little confused now how I can sort this problem, I have a number of sites running under 1 account so if I turn errors off I will lose all the information when testing and debugging... how can I get it to work for just this file/directory?

    Thanks for the time
    The only way to completely turn off errors is by editing your php.ini.

    You can get most of them by using:

    PHP Code:
    error_reporting(0);
    ini_set('display_errors', 0);

  12. #12
    SitePoint Wizard
    Working great now thanks Brad

    So what you're saying is just keep:

    error_reporting(0);
    ini_set('display_errors', 0);

    and paste into your page for testing and when everything is ok remove it?

  13. #13
    Use The Cloud
    Quote Originally Posted by computerbarry View Post
    Working great now thanks Brad

    So what you're saying is just keep:

    error_reporting(0);
    ini_set('display_errors', 0);

    and paste into your page for testing and when everything is ok remove it?
    The opposite, actually.

    The "0" in each of those makes it so errors are not shown. In development you WANT to see errors, warnings, and notices so you can fix them. In a production environment you want to suppress them so users don't see them.

    So you would use the above code in a production environment. In development you want to use something more like this:

    PHP Code:
    error_reporting(E_ALL | E_STRICT);
    ini_set('display_errors', 1);
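As an added example (not Brad's code), a bootstrap that applies the development/production split described above and records where runtime settings cannot reach. The APP_ENV variable, the configureErrors() helper and the file names are assumptions made for the example.

```php
<?php
// Added example, not from the thread: choose error display per environment in
// a bootstrap that is loaded before any page code. Assumes an APP_ENV
// environment variable holding "production" or "development".
declare(strict_types=1);

function configureErrors(string $env, string $logFile): void
{
    // Report everything everywhere; the environments differ only in where
    // the messages go. (E_ALL includes E_STRICT since PHP 5.4; on older
    // versions use E_ALL | E_STRICT as in the post above.)
    error_reporting(E_ALL);
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);

    if ($env === 'production') {
        // Visitors never see messages; developers read the log file instead.
        ini_set('display_errors', '0');
    } else {
        // Developers see notices, warnings and errors inline while testing.
        ini_set('display_errors', '1');
    }
}

// Default to the safe (silent) setting when the variable is missing.
$env = getenv('APP_ENV') ?: 'production';
configureErrors($env, __DIR__ . '/php-errors.log');

// Caveat: a parse error stops a file from being executed at all, so ini_set()
// calls inside that same file never run. Parse errors in the page itself can
// only be hidden by display_errors=0 set outside it: php.ini, a per-directory
// .htaccess line such as "php_flag display_errors off" (mod_php), a .user.ini
// file (PHP 5.3+ under CGI/FastCGI), or a bootstrap loaded via auto_prepend_file.
$page = __DIR__ . '/contact.php';   // assumption: the form page lives beside this file
if (is_file($page)) {
    require $page;
}
```

The .htaccess and .user.ini options answer the per-directory question raised in post #10: they scope the setting to one site without touching the shared php.ini.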

