Hello PHP gurus:)
I’m new to PHP and I just recently registered a website that I am going to be designing
with a form in it.
The host server that I registered with has a CGI-BIN , PHP, MySQL capability.
My problem is that I am trying to get the information from my simple HTML form emailed to my account as a text message, and also have it tell me which email address it came from.
This is my HTML code for my form :
<form method="post" action="…/sendmail.php">
Email:
<input name="email" type="text" /><br />
Message:<br />
<textarea name="message" rows="15" cols="40">
</textarea><br />
<h2>Select Your Car</h2>
<p>Type:<br />
<select name="selType">
<option value="Porsche 911">Porsche 911</option>
<option value="Volkswagen Beetle">Volkswagen Beetle</option>
<option value="Ford Taurus">Ford Taurus</option>
</select>
</p>
<p>Color:<br />
<select name="selColor">
<option value="blue">blue</option>
<option value="yellow">yellow</option>
<option value="red">red</option>
</select>
</p>
<p/>
<input type="submit" />
</form>
Now for my PHP file, I've only got the email address displaying who it's from in my email, but I can't seem to get the information from the dropdown to display in my email. Here is the PHP code:
<?php
$email = $_REQUEST['email'];
$message = $_REQUEST['message'];
$type = $_POST['selType'];
$color = $_POST['selColor'];
// Note: $type and $color are read but never added to $message, so they do not appear in the email.
mail("name@mydomain.com", "Feedback Form Results", $message, "From: $email");
header("Location: http://www.mydomain.com/thankyou.html");
?>
Please help if you can. I appreciate your time on this.
Thanks in advance
I just copied and pasted the code you have there and tried to run it, and I got three errors. The first two were spaces after the two <<<EOD. There can’t be anything after the opening of a heredoc, even a space, though a problem like this could just be from copying/pasting. For the third error, PHP threw a hissy fit for me because the EOD; was the last line of the script. Putting just a newline after that helped it.
If fixing those errors doesn't help your script, then please post back with the actual error output by PHP. If you're not getting any, try putting error_reporting(E_ALL) at the top of your script so that PHP will report all the errors it encounters.
Hey Mike –
I don’t think I did this PHP code right – can you give it a quick look?
I tried it against my HTML form and I didn't even get the 'Thank You' response. I must have messed up the code:
Thanks again – I appreciate your time mate.
<?php
/* Subject and Email Variables */
$emailSubject = 'mydomain Booking';
$webMaster = 'contactform@mydomain.com';
/* Gathering Data Variables */
$emailField = $_POST['email'];
$nameField = $_POST['name'];
$phoneField = $_POST['phone'];
$dentalField = $_POST['DentalService'];
$monthField = $_POST['month'];
$dayField = $_POST['day'];
$timeField = $_POST['time'];
$commentsField = $_POST['comments'];
$newsletterField = $_POST['newsletter'];
$body = <<<EOD
<br><hr><br>
Email: $emailField<br>
Name: $nameField <br>
Phone Number: $phoneField <br>
Dental Service: $dentalField <br>
Month: $monthField <br>
Day: $dayField <br>
Time: $timeField <br>
Comments: $commentsField <br>
Newsletter: $newsletterField <br>
EOD;
$headers = "From: contactform@mydomain.com\r\n";
$headers .= "Content-type: text/html\r\n";
if(mail($webMaster, $emailSubject, $body, $headers)) {
$title = 'Thank You';
$body = 'Thank You';
}
else {
$title = 'Error';
$body = 'Sorry, an error stopped your message from being delivered';
}
/* Results rendered as HTML */
echo <<<EOD
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>$title</title>
</head>
<body>
$body
</body>
</html>
EOD;
Thanks a bunch pal.
I’ll definitely try your suggestion of using the contactform address as return address.
I’ll let you know how it works out.
$headers = "From: $emailField\r\n";
$emailField is the user's email address, so the email in your inbox will appear to have been sent from their address directly, and pressing reply will address that message to their email address. Convenient, but this is where the risk of header injection is. Because $emailField has been set by a user, and it's being used in the email header, there is a vulnerability.
What I mean by hard-coding the from address is to set it as your own. The email will appear to come from yourself.
Eg.
$headers = "From: contactform@mydomain.com\r\n";
You can’t use the reply button, as it will just point the message back to your own server. You’d need to copy and paste the senders email out of the body of the message. Less convenient, but safer. Unless you are confident at filtering the values none of the user-supplied data should make its way into the headers.
There are probably classes out there that could help with this. I’m sure the frameworks would have email validation functions, or phpclasses.org may have something, but I’ve never bothered. I’ve never been that put out by having the messages appear to come from my own server.
Thanks again Mike.
Can you elaborate a bit more on what you said earlier,
“…your users email address, you would hard code it to your own.”
So I would have to change this part of my php code:
$headers = "From: $emailField\r\n";
$headers .= "Content-type: text/html\r\n";
$success = mail($webMaster, $emailSubject, $body, $headers);
I'm just not too clear on how the sender's email would get retrieved by the recipient once they open up their email. You mentioned they won't be able to click on reply.
Could you show me in PHP code how I would hard-write the sender's email address to show on the recipient end.
Thanks again
It is still vulnerable.
$headers = "From: $emailField\r\n";
$emailField is set directly by your users/attackers. They can append their own BCC parameters and send to their list, although the message they send might be the body you define in the code.
The simplest fix is to not have ANY of the user input make its way into the mail headers. It means the from address won't be your user's email address; you would hard code it to your own. You won't be able to hit reply to write back to the sender.
Also, you're still assuming mail() worked. Try this so that users know if there was a problem sending the message:
if(mail($webMaster, $emailSubject, $body, $headers)) {
$title = 'Thank You';
$body = 'Thank You';
}
else {
$title = 'Error';
$body = 'Sorry, an error stopped your message from being delivered';
}
/* Results rendered as HTML */
echo <<<EOD
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>$title</title>
</head>
<body>
$body
</body>
</html>
EOD;
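The injection Mike describes above (a user-supplied From value that drags extra header lines such as Bcc into the message), together with the hard-coded From fix, as an added example that is not part of any post in this thread. It assumes PHP 7.1 or later, reuses the thread's field and address names, and never calls mail(): the headers are only built and printed so it runs from the command line without a mail server. The attacker input and the site address are constructed for the demo, and the Reply-To handling is my addition, not something the thread recommends.

```php
<?php
// Added example (not code from the thread). Shows why "From: $emailField\r\n"
// is an email header injection sink and what the hardened form of the same
// contact form looks like. Nothing here calls mail(); run it with:
//   php header_injection_demo.php

// What the posted script does: the user-controlled value goes straight into a
// header line. Vulnerable on purpose, kept here for comparison only.
function unsafe_headers(string $emailField): string
{
    $headers  = "From: $emailField\r\n";
    $headers .= "Content-type: text/html\r\n";
    return $headers;
}

// Hardened version: From is hard-coded to the site's own address, as the thread
// recommends. The visitor's address is accepted only if it contains no CR/LF
// and passes FILTER_VALIDATE_EMAIL, and even then it is used only in Reply-To
// (assumption: that is acceptable for this site) so that "reply" still works.
// Returns null when the input is rejected, so the caller can refuse to send.
function safe_headers(string $emailField, string $siteAddress): ?string
{
    $email = trim($emailField);
    if (preg_match('/[\r\n]/', $email)) {            // any line break ends the conversation
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $headers  = "From: $siteAddress\r\n";
    $headers .= "Reply-To: $email\r\n";
    $headers .= "Content-type: text/html; charset=UTF-8\r\n";
    return $headers;
}

// The body is sent as text/html, so escape user values before embedding them;
// otherwise a visitor's markup is rendered by the mail client and by the
// "Thank You" page that echoes the same variables.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed attacker input: a valid-looking address followed by CRLF and an
// extra header line. This is the "append their own BCC" case from the thread.
$attack = "victim@example.org\r\nBcc: spam1@example.net, spam2@example.net";
$honest = "customer@example.com";
$site   = 'contactform@mydomain.com';   // constructed site address

echo "--- unsafe_headers with attacker input ---\n";
echo unsafe_headers($attack);            // the Bcc: line has become a real header
echo "\n--- safe_headers with attacker input ---\n";
var_dump(safe_headers($attack, $site));  // NULL: rejected before any header is built
echo "\n--- safe_headers with honest input ---\n";
echo safe_headers($honest, $site);

// How the contact form would use it (mail() deliberately not called here):
$headers = safe_headers($honest, $site);
if ($headers === null) {
    echo "Invalid email address; message not sent.\n";
} else {
    $body = "Email: " . h($honest) . "<br>\n"
          . "Comments: " . h("<b>hello</b>") . "<br>\n";
    // $sent = mail('name@mydomain.com', 'mydomain booking', $body, $headers);
    echo "\nWould send with headers:\n" . $headers . "Body:\n" . $body;
}
```

Running it prints the unsafe header block with the injected Bcc line sitting there as a genuine header, NULL for the same input through safe_headers(), and a clean From/Reply-To pair for the honest address. Mike's advice of keeping every user value out of the headers is the zero-risk option; the Reply-To line above is only safe because both checks run first, and dropping it (and copying the address out of the body instead, as the thread suggests) is the simpler choice if you would rather not rely on the validation.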
Thanks for the tips buddy.
I figured out how to get this form to work with the below PHP.
Although I'm wondering if the below PHP would still be vulnerable to spammers like you mentioned before.
Could you take a quick look and comment on it. Thanks.
<?php
/* Subject and Email Variables */
$emailSubject = 'mydomain booking';
$webMaster = 'name@mydomain.com';
/* Gathering Data Variables */
$emailField = $_POST['email'];
$nameField = $_POST['name'];
$phoneField = $_POST['phone'];
$dentalField = $_POST['DentalService'];
$monthField = $_POST['month'];
$dayField = $_POST['day'];
$timeField = $_POST['time'];
$commentsField = $_POST['comments'];
$newsletterField = $_POST['newsletter'];
$body = <<<EOD
<br><hr><br>
Email: $emailField <br>
Name: $nameField <br>
Phone Number: $phoneField <br>
Dental Service: $dentalField <br>
Month: $monthField <br>
Day: $dayField <br>
Time: $timeField <br>
Comments: $commentsField <br>
Newsletter: $newsletterField <br>
EOD;
// User-supplied value placed directly in a header (the header injection point discussed in this thread)
$headers = "From: $emailField\r\n";
$headers .= "Content-type: text/html\r\n";
// Return value is stored but never checked, so the page says THANK YOU even if sending failed
$success = mail($webMaster, $emailSubject, $body, $headers);
/* Results rendered as HTML */
$theResults = <<<EOD
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>THANK YOU</title>
</head>
<body>
THANK YOU
</body>
</html>
EOD;
echo $theResults;
?>
I don’t know why selType isn’t coming through, but do var_dump($_POST) on sendmail.php to see what data you’re getting from the form. You will need to comment out the header redirect so that you actually see the debug message.
A few other notes, the first is very important:
- Your script is vulnerable to email header injection (search that term). By putting the email value directly in an email header an attacker could pass in their own email headers and use your form and your server to send out spam to their list of victims. If you're not confident researching and fixing this issue you should modify a more reliable contact form someone else has written.
- Post code on this forum using [ php ] tags
- No need to mix $_REQUEST and $_POST. If you're expecting this data from a post form only use $_POST
- You should check that mail() returned true before redirecting to a success message
if(mail(...)) {
//success
}