Form information

Hi, I have this subscribe-to-mail-list form, and when a user sends
it, the end user receives a number instead of a name. Not sure why.

PHP:

<?php
$EmailFrom = "Mailing List Recipient";
$EmailTo = "email@example.com";
$Subject = "Impact-O-Graph Devices, LLC Mailing List";
$Name = Trim(stripslashes($_POST['YourFullname'])); 
$Email = Trim(stripslashes($_POST['Youremail'])); 

// validation
$validationOK=true;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
  exit;
}

// prepare email body text
$Body = "";
$Body .= "Full Name: ";
$Body .= $Name;
$Body .= "\n";
$Body .= "Email Address: "; 
$Body .= $Email;
$Body .= "\n";


// send email 
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// redirect to success page 
if ($success){
  print "<meta http-equiv=\"refresh\" content=\"0;URL=subscribethanks.php#subscribe\">";
}
else{
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
}

/* Prepare autoresponder subject */
$respond_subject = "Thank you for your joining our e-mail list!";

//Change from address
$headers = 'From: email@example.com' . "\r\n" .
    'Reply-To: ' . $email . "\r\n" .
    'X-Mailer: PHP/' . phpversion();


/* Prepare autoresponder message */
$respond_message = "

We will e-mail you with all our latest news.

Regards,
Darryl L. Termine
VP Sales
www.impactograph.com

";
/* Send the message using mail() function */
mail($Email, $respond_subject, $respond_message, $headers);


?>

Either a) the form being submitted does not have an input entitled YourFullName or b) you’ve got some javascript which is replacing the value being submitted…

or c) the $_POST['YourFullname'] is being set to a number and since there is no validation it is as allowable as any other garbage for the content of the field

This is what the form looks like

<form id="subscribe" action="maillistengine.php" method="post" role="form">
          <label class="news-text">Fill in information: </label>
          <label>
            <input class="inside_search" type="text" name="YourFullname" placeholder=" Your Name" required="required" />
          </label>
          <label>
            <input class="inside_search" type="text" name="Youremail" placeholder="Your Email" required="required" />
          </label>
          <label>
            <input class="searchButton_mail" type="submit" name="submit" value="Subscribe" />
          </label>
        </form>

So there is nothing to prevent ‘99999999’ being entered as the name or even ‘;drop table user’

I see, so do I need to modify my PHP?

Yes you need to validate the inputs properly and not just trim/stripslashes them.

OK, I am not too familiar with PHP. What should I add to validate it?

should be:

if (filter_var($_POST['Youremail'], FILTER_VALIDATE_EMAIL)) {
    $email  = $_POST['Youremail'];
} else $validationOK = false;

for name it depends on what characters you are prepared to accept as part of a valid name

So it should be this now?

<?php
$EmailFrom = "Mailing List Recipient";
$EmailTo = "dtermine@iogproducts.com";
$Subject = "Impact-O-Graph Devices, LLC Mailing List";
if (filter_var($_POST['YourFullname'], FILTER_VALIDATE_EMAIL)) {
    $email  = $_POST['YourFullname'];
} else $validationOK = false;
if (filter_var($_POST['Youremail'], FILTER_VALIDATE_EMAIL)) {
    $email  = $_POST['Youremail'];
} else $validationOK = false;


// validation
$validationOK=true;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
  exit;
}

// prepare email body text
$Body = "";
$Body .= "Full Name: ";
$Body .= $Name;
$Body .= "\n";
$Body .= "Email Address: "; 
$Body .= $Email;
$Body .= "\n";


// send email 
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// redirect to success page 
if ($success){
  print "<meta http-equiv=\"refresh\" content=\"0;URL=subscribethanks.php#subscribe\">";
}
else{
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
}

/* Prepare autoresponder subject */
$respond_subject = "Thank you for your joining our e-mail list!";

//Change from address
$headers = 'From: dtermine@iogproducts.com' . "\r\n" .
    'Reply-To: ' . $email . "\r\n" .
    'X-Mailer: PHP/' . phpversion();


/* Prepare autoresponder message */
$respond_message = "

We will e-mail you with all our latest news.

Regards,
Darryl L. Termine
VP Sales
www.impactograph.com

";
/* Send the message using mail() function */
mail($Email, $respond_subject, $respond_message, $headers);


?>

Only if you want to validate that the fullname contains an email address and then overwrite it with the value of youremail.

Oh no, whoops, I want that for the email but not the name. What should I put for the name?

something that validates that the name field contains only characters that are meaningful for a name

Do you know what the code should be for the name?
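
An added example, not part of the thread: one way to validate both fields of the form above before they reach mail(). The function names and the set of characters accepted in a name are assumptions; the thread leaves the name rule open.

```php
<?php
// Added example: hypothetical helpers, not code posted in the thread.

/** Return the trimmed name, or null when it is not acceptable. */
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    // Assumed rule: starts with a letter, then letters (any script), combining
    // marks, spaces, periods, apostrophes or hyphens; 2 to 100 characters.
    // \z anchors at the true end of input; /u also rejects invalid UTF-8.
    if (preg_match("/^\p{L}[\p{L}\p{M} .'\-]{1,99}\z/u", $name) !== 1) {
        return null;
    }
    return $name;
}

/** Return the address, or null when it is not a single valid e-mail address. */
function validate_email(string $raw): ?string
{
    $email = trim($raw);
    // The value ends up in the Reply-To header, so line breaks are refused outright.
    if (preg_match('/[\r\n]/', $email) === 1) {
        return null;
    }
    $checked = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $checked === false ? null : $checked;
}

/** Validate the two fields the form posts; non-string values are rejected. */
function check_subscription(array $post): array
{
    $rawName  = $post['YourFullname'] ?? '';
    $rawEmail = $post['Youremail'] ?? '';
    $name  = is_string($rawName) ? validate_name($rawName) : null;
    $email = is_string($rawEmail) ? validate_email($rawEmail) : null;
    return ['ok' => $name !== null && $email !== null, 'name' => $name, 'email' => $email];
}

// Constructed sample submissions (not real data).
$samples = [
    ['YourFullname' => "Anne-Marie O'Neil", 'Youremail' => 'anne@example.com'],
    ['YourFullname' => '99999999',          'Youremail' => 'anne@example.com'],
    ['YourFullname' => ';drop table user',  'Youremail' => 'anne@example.com'],
    ['YourFullname' => 'José Núñez',        'Youremail' => "anne@example.com\r\nmore"],
];
foreach ($samples as $s) {
    $r = check_subscription($s);
    echo json_encode($s['YourFullname']), ' => ', $r['ok'] ? 'accepted' : 'rejected', "\n";
}
```

In maillistengine.php the result of check_subscription($_POST) would take the place of the hard-coded $validationOK = true, with the redirect to error.htm taken when 'ok' is false and the returned 'name' and 'email' used for the message body and Reply-To header.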
