Help with Comment Box using php

Can someone help me make my Comment Box code work. I want it to use the php file to auto-email the comment and then I can post the comment myself.

HTML CODE:

<head>
	<meta charset="UTF-8">
  	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<link rel="stylesheet" href="style.css">
</head>

      	 <div class="comment-box">
           <br>
		<h2>Comments</h2>
		<form method="post" action="send_mail.php">
		<label>Name
		<input type="text" name="name" placeholder="Name not required...">
		</label>
            	<br>
            	<label>Comment
		<textarea name="comment" maxlength="650" placeholder="Type your comment here..." required></textarea>
            	</label>
        	<br>
    		<button type="submit">Submit Comment</button>
		<br>
	</form>
	</div>

        <br>
        <br>
        Comments go here.
        <br>
        <br>

CSS StyleSheet:

* {
	padding: 8px;
	margin: 0;
}
.comment-box {
	top: 50%;
	left: 50%;
	width: 500px;
}
.comment-box h2 {
	font-size: 20px;
	margin-bottom: 15px;
}
.comment-box input {
	width: 100%;
	height: 50px;
	padding: 8px 20px;
	margin-bottom: 15px;
	border-radius: 5px;
	border: 1px solid #86b0b6;
}
.comment-box input:focus {
	border: 1px solid #000;
	outline: 0;
}
.comment-box textarea {
	width: 100%;
	height: 150px;
	padding: 15px 20px;
	margin-bottom: 10px;
	border-radius: 5px;
	border: 1px solid #86b0b6;
} 
.comment-box textarea:focus {
	border: 1px solid #000;
	outline: 0;
}
.comment-box button {
	border:0;
	padding: 10px 30px;
	background: #86b0b6;
	font-size: 18px;
	border-radius: 5px;
	color: #fff;
}

PHP e-mail form:

<?php
/*
This first bit sets the email address that you want the form to be submitted to.
You will need to change this value to a valid email address that you can access.
*/
$webmaster_email = "MY_PRIVATE_EMAIL@hotmail.com";

/*
This bit sets the URLs of the supporting pages.
If you change the names of any of the pages, you will need to change the values here.
*/
$feedback_page = "antarctica.html";
$error_page = "messages/error_message.html";
$thankyou_page = "messages/thank_you.html";

/*
This next bit loads the form field data into variables.
If you add a form field, you will need to add it here.
*/
$comment = $_REQUEST['comment'] ;
$name = $_REQUEST['name'] ;
$msg = 
"Name: " . $name . "\r\n" . 
"Comment: " . $comment ;

/*
The following function checks for email injection.
Specifically, it checks for carriage returns - typically used by spammers to inject a CC list.
*/
function isInjected($str) {
	$injections = array('(\n+)',
	'(\r+)',
	'(\t+)',
	'(%0A+)',
	'(%0D+)',
	'(%08+)',
	'(%09+)'
	);
	$inject = join('|', $injections);
	$inject = "/$inject/i";
	if(preg_match($inject,$str)) {
		return true;
	}
	else {
		return false;
	}
}


// If the form fields are empty, redirect to the error page.
elseif empty($comment)) {
header( "Location: $error_page" );
}

/* 
If email injection is detected, redirect to the error page.
If you add a form field, you should add it here.
*/
elseif isInjected($name)  || isInjected($comment) ) {
header( "Location: $error_page" );
}

// If we passed all previous tests, send the email then redirect to the thank you page.
else {

	mail( "$webmaster_email", "Feedback Form Results", $msg );

	header( "Location: $thankyou_page" );
}
?>

So what part of it isn’t working?

I uploaded the files to:

and here is the error I get:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

okay so the PHP has a problem in it somewhere. Let’s see.

Well, I can see a couple immediate problems.

elseif isInjected($name) || isInjected($comment) ) {
Count your parentheses, and fill in the missing one.
elseif empty($comment)) {
same, but should be easier to see in this line…

elseif empty($comment)) {
(Yes, the same line) What is this an elseif… to? There’s no if for this to elseif off of.

1 Like

Thanks for the advice! I think I made those changes properly. I got the php code from somewhere, I don’t remember.

Can someone rewrite me something that would work, even if it doesn’t do the email injection. As long as it sends an email so I can add the comment myself, that would be awesome. At this point I doubt I will ever figure out how to store data and make my own comment system without adding each comment making it look like I just approve them like that haha

K well, thanks for your help!

<?php
/*
This first bit sets the email address that you want the form to be submitted to.
You will need to change this value to a valid email address that you can access.
*/
$webmaster_email = "chrisdugan5@hotmail.com";

/*
This bit sets the URLs of the supporting pages.
If you change the names of any of the pages, you will need to change the values here.
*/
$feedback_page = "antarctica.html";
$error_page = "messages/error_message.html";
$thankyou_page = "messages/thank_you.html";

/*
This next bit loads the form field data into variables.
If you add a form field, you will need to add it here.
*/
$comment = $_REQUEST['comment'] ;
$name = $_REQUEST['name'] ;
$msg = 
"Name: " . $name . "\r\n" . 
"Comment: " . $comment ;

/*
The following function checks for email injection.
Specifically, it checks for carriage returns - typically used by spammers to inject a CC list.
*/
function isInjected($str) {
	$injections = array('(\n+)',
	'(\r+)',
	'(\t+)',
	'(%0A+)',
	'(%0D+)',
	'(%08+)',
	'(%09+)'
	);
	$inject = join('|', $injections);
	$inject = "/$inject/i";
	if(preg_match($inject,$str)) {
		return true;
	}
	else {
		return false;
	}
}


// If the form fields are empty, redirect to the error page.
if empty($comment) {
header( "Location: $error_page" );
}

/* 
If email injection is detected, redirect to the error page.
If you add a form field, you should add it here.
*/
elseif isInjected($name)  || isInjected($comment) {
header( "Location: $error_page" );
}

// If we passed all previous tests, send the email then redirect to the thank you page.
else {

	mail( "$webmaster_email", "Feedback Form Results", $msg );

	header( "Location: $thankyou_page" );
}
?>

No, the forum isn’t really a custom code-writing service. Plenty of people are happy to help you figure out why the code you write isn’t working properly / doing what you want it to, but it’s unlikely someone will take time out and write your code for you.

1 Like

@chrisdugan1 when you post code on the forum, you need to format it. That’s what the </> button is for…

okay, I understand that. :slight_smile:
anyway, here is what I shortened the code to, to make it as simple as possible, and it still doesn’t work:

<?php
$webmaster_email = "chrisdugan5@hotmail.com";
$feedback_page = "antarctica2.htm";
$thankyou_page = "messages/thank_you.html";
$name = $_REQUEST['name'] ;
$comment = $_REQUEST['comment'] ;
$msg = "Name: " . $name . "Comment: " . $comment;
	mail( "$webmaster_email", "Comment on Antarctica-UFO.com", $msg );
	header( "Location: $thankyou_page" );
?>

You should enable error reporting for PHP. This will give you more specific pointers to errors within the code.
On the live site they should be logged. But ideally you should have a local development environment where the errors may be displayed.

This can be done using a database, but maybe take it one step at a time at this stage.

What does that mean, exactly? How far through does it get? Is your development system configured to send mail?

So if you do not quote the webmaster variable and add a proper FROM header that would look more correct to me.

$headers = "From: ". $webmaster_email . "\r\n";
mail($webmaster_email, "Comment on Antarctica-UFO.com", $msg, $headers);

However the FROM email really should be a domain email address like info@dug.name so look into setting up an email with your host and use it for sending emails From your domain.

Thanks! I am currently moving my website to a different hosting company. I am going to wait until that is all set up. I will be back as soon as I can.
Thanks again everyone!!

You should probably look into using phpmailer to send your emails. It should have examples in the download… See this SitePoint article. https://www.sitepoint.com/sending-emails-php-phpmailer/

Your mail section would then be more like this.

	use PHPMailer\PHPMailer\PHPMailer;
	use PHPMailer\PHPMailer\Exception;
	
	require_once "vendor/autoload.php";
	
	//PHPMailer Object
	$mail = new PHPMailer(true); //Argument true in constructor enables exceptions
	
	//From email address and name
	$mail->From = "from@yourdomain.com";
	//$mail->FromName = "Full Name";
	
	//To address	
	//$mail->addAddress("recepient1@example.com", "Recepient Name");
	$mail->addAddress($webmaster_email); //Recipient name is optional
	
	//Send HTML or Plain Text email
	$mail->isHTML(false);
	
	$mail->Subject = "Feedback Form Results";
	$mail->Body = $msg;
	$mail->AltBody = $msg;
	
	try {
		$mail->send();
		header("Location: ".$thankyou_page);
		exit;
	} catch (Exception $e) {
		echo "Mailer Error: " . $mail->ErrorInfo;
	}

3 Likes

Thank you all for your help!
I got my files over to the new server, enabled php and got it working in no time at all :smiley:

<?php
$webmaster_email = "anonymised@anonymised.com";
$thankyou_page = "thank_you.html";
$name = $_REQUEST['name'] ;
if (empty($name)) {
	 $name='Anonymous (Named By ME)';
}
$comment = $_REQUEST['comment'] ;
$msg = "Name: " . $name . "\r\nComment: " . $comment;
	mail( "$webmaster_email", "Comment on Antarctica-UFO.com", $msg );
	header( "Location: $thankyou_page" );
?>

Before I go ahead and try to make a database, would it even be possible to allow replies to comments and place them under the original comment? If so, do you think this would be a hard task?

Yes, it would be possible - how do you think forums and places like Facebook do it. No, it doesn’t need to be all that difficult.

Every comment will have a unique ID, and can optionally have a second ID to indicate which comment it is replying to. Use the presence of the second one to decide whether it’s an original comment, or a reply, though of course you can have replies to replies and you need to decide how far down you want that to go.
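
The ID-plus-optional-reply-ID layout described above, as an added example that is not part of the thread. It assumes the pdo_sqlite extension; the table, the column names, `add_comment()`, `render_thread()` and `MAX_DEPTH` are illustrative choices, and the sample comments are constructed.

```php
<?php
// Added example: assumes pdo_sqlite; table, columns and MAX_DEPTH are illustrative.
const MAX_DEPTH = 2; // 0 = original comment, 1 = reply, 2 = reply to a reply
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
    body TEXT NOT NULL, parent_id INTEGER NULL REFERENCES comments(id))');

// Stores a comment; $parentId is the optional second ID (null = original comment).
function add_comment(PDO $db, string $name, string $body, ?int $parentId = null): int
{
    $depth = 0;
    $find = $db->prepare('SELECT parent_id FROM comments WHERE id = ?');
    for ($id = $parentId; $id !== null; $depth++) {   // walk up to the original comment
        $find->execute([$id]);
        $row = $find->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            throw new InvalidArgumentException('Reply target does not exist.');
        }
        $id = $row['parent_id'] === null ? null : (int) $row['parent_id'];
    }
    if ($depth > MAX_DEPTH) {
        throw new InvalidArgumentException('Replies are nested too deeply.');
    }
    $insert = $db->prepare('INSERT INTO comments (name, body, parent_id) VALUES (?, ?, ?)');
    $insert->execute([$name, $body, $parentId]);
    return (int) $db->lastInsertId();
}

// Renders each comment with its replies indented beneath it; text is HTML-escaped on output.
function render_thread(PDO $db): string
{
    $children = []; // parent id (0 = no parent) => rows
    foreach ($db->query('SELECT * FROM comments ORDER BY id') as $row) {
        $children[(int) $row['parent_id']][] = $row;
    }
    $walk = function (int $parent, int $depth) use (&$walk, $children): string {
        $out = '';
        foreach ($children[$parent] ?? [] as $row) {
            $text = htmlspecialchars("{$row['name']}: {$row['body']}", ENT_QUOTES, 'UTF-8');
            $out .= str_repeat('  ', $depth) . $text . "\n" . $walk((int) $row['id'], $depth + 1);
        }
        return $out;
    };
    return $walk(0, 0);
}

$first = add_comment($db, 'Ann', 'Great <b>photos</b>');   // constructed sample data
add_comment($db, 'Bob', 'Agreed.', $first);
echo render_thread($db);
```

The reply ID arrives from the client like any other field, so `add_comment()` checks that the target exists and enforces the depth limit on the server before inserting.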

thanks for that!
anyway, did you try my contact form? I made it so you need 10 characters for the comment but someone managed to send a message with only 1 character, “1” and the name “1”
well, that is strange and I wonder how, when I can’t do it without 10 characters lol

Without seeing the code, it’s impossible for anyone to guess why that might be happening.

No, I didn’t. I thought you said it was all working so I didn’t feel there was any need to.

How did you enforce this?

Edit:-

I have a good guess, but want the OP to answer first, it may be an important lesson.

personally, I am unable to submit the form without at least 10 characters in the comment text box.
(using required + minlength="10")
Code:

    			<form method="post" action="send_mail.php">
            		<label>Name
    				<input type="text" name="name" placeholder="Name not required..." maxlength="40">
        			</label>
            		<br>
            		<label>Comment
    				<textarea name="comment" minlength="10" maxlength="650" placeholder="Type your comment here.... (to reply to a comment, include details like name & date)" required oninvalid="this.setCustomValidity('Please type a comment.')" oninput="setCustomValidity('')"></textarea>
            		</label>
        			<br>
    				<button type="submit">Submit Comment</button>
					<br>
    			</form>

Thanks again for the help!

And here is the answer and the important lesson.
Anything on the client side can be edited by anyone to whatever they like, the HTML, the CSS, the Javascript. It’s easily done in the Dev Tools of any common browser.
This causes some serious security concerns. So any validation you do on the client side, must be backed up by validation on the server side.
Never trust anything coming from the client side!
For something simple like minimum length:-

if(strlen(trim($_POST['comment'])) < $minlen) { $errors[] = "The comment must be at least $minlen characters." ;}

Of course this idea of your code being tampered with on the client side poses more serious threats than a short comment, but you are learning.

Edit
Just adding this screen recording to show how easily someone can tamper with your form data. You could literally change anything, the value of pre-set inputs, the input names, any validation attributes.
Mozilla Firefox 2023-05-17 18-03-20
You can even write a whole new form that submits to your action URL.
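
The server-side counterpart to the form's `required`, `minlength` and `maxlength` attributes, as an added example that is not part of the thread. The limits are copied from the form markup posted above; `validate_comment()`, the recipient address, the 422 response and the sample inputs are assumptions, and the length checks need the mbstring extension.

```php
<?php
// Added example, not the thread's code. Limits are copied from the form markup:
// name maxlength=40, comment minlength=10 / maxlength=650. Needs mbstring.
const NAME_MAX = 40;
const COMMENT_MIN = 10;
const COMMENT_MAX = 650;

// Hypothetical helper: returns [name, comment, errors] for one submission.
function validate_comment(array $post): array
{
    $errors = [];
    // Missing or non-string fields (e.g. comment[]=x) are treated as empty.
    $name = is_string($post['name'] ?? null) ? trim($post['name']) : '';
    $comment = is_string($post['comment'] ?? null) ? trim($post['comment']) : '';
    // The name is a single-line field, so any control character is rejected.
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors[] = 'The name contains invalid characters.';
    }
    if (mb_strlen($name, 'UTF-8') > NAME_MAX) {
        $errors[] = 'The name must be at most ' . NAME_MAX . ' characters.';
    }
    // Browsers count a textarea line break as one character; it arrives as CRLF.
    $len = mb_strlen(str_replace("\r\n", "\n", $comment), 'UTF-8');
    if ($len < COMMENT_MIN || $len > COMMENT_MAX) {
        $errors[] = 'The comment must be ' . COMMENT_MIN . ' to ' . COMMENT_MAX . ' characters.';
    }
    return [$name === '' ? 'Anonymous' : $name, $comment, $errors];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: the "1"/"1" submission from the thread, then a valid one.
    var_dump(validate_comment(['name' => '1', 'comment' => '1'])[2]);
    var_dump(validate_comment(['name' => '', 'comment' => 'Nice penguin photos!'])[2]);
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$name, $comment, $errors] = validate_comment($_POST);
    if ($errors) {
        http_response_code(422);
        header('Content-Type: text/plain; charset=UTF-8');
        exit(implode("\n", $errors));
    }
    // User input goes only into the body, never into To, Subject or headers.
    mail('webmaster@example.com', 'Feedback Form Results', "Name: $name\r\nComment: $comment");
    header('Location: thank_you.html');
    exit;
}
```

Because the submitted values only ever reach the message body, line breaks in the comment are harmless here; CR/LF rejection matters for any value placed in the recipient, subject or additional headers of `mail()`.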