csosa
April 26, 2016, 4:45pm
1
Hi I have this subscribe to mail list form and when a user sends it, the end user receives a number instead of a name. Not sure why.
PHP:
<?php
$EmailFrom = "Mailing List Recipient";
$EmailTo = "email@example.com";
$Subject = "Impact-O-Graph Devices, LLC Mailing List";
$Name = Trim(stripslashes($_POST['YourFullname']));
$Email = Trim(stripslashes($_POST['Youremail']));

// validation
$validationOK=true;
if (!$validationOK) {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
    exit;
}

// prepare email body text
$Body = "";
$Body .= "Full Name: ";
$Body .= $Name;
$Body .= "\n";
$Body .= "Email Address: ";
$Body .= $Email;
$Body .= "\n";

// send email
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// redirect to success page
if ($success){
    print "<meta http-equiv=\"refresh\" content=\"0;URL=subscribethanks.php#subscribe\">";
}
else{
    print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
}

/* Prepare autoresponder subject */
$respond_subject = "Thank you for your joining our e-mail list!";

//Change from address
$headers = 'From: email@example.com' . "\r\n" .
    'Reply-To: ' . $email . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

/* Prepare autoresponder message */
$respond_message = "
We will e-mail you with all our latest news.
Regards,
Darryl L. Termine
VP Sales
www.impactograph.com
";

/* Send the message using mail() function */
mail($Email, $respond_subject, $respond_message, $headers);
?>
Either a) the form being submitted does not have an input entitled YourFullName or b) you’ve got some javascript which is replacing the value being submitted…
or c) the $_POST['YourFullname'] is being set to a number and since there is no validation it is as allowable as any other garbage for the content of the field
csosa
April 26, 2016, 7:36pm
4
This is what the form looks like
<form id="subscribe" action="maillistengine.php" method="post" role="form">
    <label class="news-text">Fill in information: </label>
    <label>
        <input class="inside_search" type="text" name="YourFullname" placeholder=" Your Name" required="required" />
    </label>
    <label>
        <input class="inside_search" type="text" name="Youremail" placeholder="Your Email" required="required" />
    </label>
    <label>
        <input class="searchButton_mail" type="submit" name="submit" value="Subscribe" />
    </label>
</form>
So there is nothing to prevent ‘99999999’ being entered as the name or even ‘;drop table user’
csosa
April 26, 2016, 8:52pm
6
I see, so do I need to modify my PHP?
Yes you need to validate the inputs properly and not just trim/stripslashes them.
csosa
April 26, 2016, 8:56pm
8
OK, I am not too familiar with PHP. What should I add to validate it?
should be:
if (filter_var($_POST['Youremail'], FILTER_VALIDATE_EMAIL)) {
    $email = $_POST['Youremail'];
} else $validationOK = false;
for name it depends on what characters you are prepared to accept as part of a valid name
2 Likes
csosa
May 3, 2016, 6:46pm
10
So it should be this now?
<?php
$EmailFrom = "Mailing List Recipient";
$EmailTo = "dtermine@iogproducts.com";
$Subject = "Impact-O-Graph Devices, LLC Mailing List";

if (filter_var($_POST['YourFullname'], FILTER_VALIDATE_EMAIL)) {
    $email = $_POST['YourFullname'];
} else $validationOK = false;

if (filter_var($_POST['Youremail'], FILTER_VALIDATE_EMAIL)) {
    $email = $_POST['Youremail'];
} else $validationOK = false;

// validation
$validationOK=true;
if (!$validationOK) {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
    exit;
}

// prepare email body text
$Body = "";
$Body .= "Full Name: ";
$Body .= $Name;
$Body .= "\n";
$Body .= "Email Address: ";
$Body .= $Email;
$Body .= "\n";

// send email
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// redirect to success page
if ($success){
    print "<meta http-equiv=\"refresh\" content=\"0;URL=subscribethanks.php#subscribe\">";
}
else{
    print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
}

/* Prepare autoresponder subject */
$respond_subject = "Thank you for your joining our e-mail list!";

//Change from address
$headers = 'From: dtermine@iogproducts.com' . "\r\n" .
    'Reply-To: ' . $email . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

/* Prepare autoresponder message */
$respond_message = "
We will e-mail you with all our latest news.
Regards,
Darryl L. Termine
VP Sales
www.impactograph.com
";

/* Send the message using mail() function */
mail($Email, $respond_subject, $respond_message, $headers);
?>
Only if you want to validate that the fullname contains an email address and then overwrite it with the value of youremail.
csosa
May 3, 2016, 6:48pm
12
Oh no, whoops, I want that for the email but not the name. What should I put for the name?
something that validates that the name field contains only characters that are meaningful for a name
csosa
May 3, 2016, 6:52pm
14
Do you know what the code should be for the name?
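The name check asked about above was never posted in the thread. As an added example (not code from any participant), here is one way to validate both fields; the function name `validate_subscription` and the set of characters accepted in a name are assumptions.

```php
<?php
// Added example: validate_subscription() is a hypothetical helper.
// Returns the cleaned name/email pair, or null if either field is invalid.
function validate_subscription(array $post): ?array
{
    $name  = $post['YourFullname'] ?? null;
    $email = $post['Youremail'] ?? null;
    // Reject missing fields and array-valued fields (YourFullname[]=...).
    if (!is_string($name) || !is_string($email)) {
        return null;
    }
    $name  = trim($name);
    $email = trim($email);

    // Name: starts with a letter, then letters, combining marks, spaces,
    // periods, apostrophes (\x27) or hyphens; 2 to 100 characters.
    // This character set is an assumption; adjust it to the names you expect.
    // \z (not $) anchors at the true end; /u makes the classes Unicode-aware
    // and makes invalid UTF-8 fail the match.
    if (preg_match('/^\p{L}[\p{L}\p{M} .\x27-]{1,99}\z/u', $name) !== 1) {
        return null;
    }

    // Email: syntax check, plus an explicit ban on CR/LF because the value
    // is later placed in a mail header (Reply-To).
    if (preg_match('/[\r\n]/', $email) === 1
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return ['name' => $name, 'email' => $email];
}

// Constructed sample submissions; the two bad names are the ones
// mentioned in the thread.
$samples = [
    ['YourFullname' => "Anne-Marie O'Neil", 'Youremail' => 'anne@example.com'],
    ['YourFullname' => '99999999',          'Youremail' => 'anne@example.com'],
    ['YourFullname' => ';drop table user',  'Youremail' => 'anne@example.com'],
    ['YourFullname' => 'Anne Example',      'Youremail' => 'not-an-address'],
];
foreach ($samples as $post) {
    $ok = validate_subscription($post) !== null;
    echo $post['YourFullname'], ': ', $ok ? 'accepted' : 'rejected', "\n";
}
```

In the script from the thread this would replace the hard-coded `$validationOK=true;`: call `validate_subscription($_POST)`, redirect to `error.htm` and `exit` when it returns `null`, and build the body and the `Reply-To` header only from the returned values.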