Using Javascript in php

It’s sent to an email instead, which means that there’s no decoding. The email message just appears as:

"Hi+Whoever

This+email+has+come+from+your+website"

A quick search suggests you should use rawurlencode() instead of urlencode(), as the latter will convert spaces to plus signs, and the former will not.


thank you

side note: using mailto: is

  1. unreliable (it requires the user to have a mail client installed) and
  2. impolite (you’re forcing the user to use his/her own email address for sending)

I appreciate that but didn’t know any other options as the script I was using has stopped working and the client doesn’t want to speak to her hosts about any updates they’ve done so asked me to do it like this.

I agree it’s not the best way though

Why don’t you just fix the script that stopped working?

for sending emails it’s recommended to use an email library (SwiftMailer, PHPMailer) or an email service (MailChimp, …)

I’ve checked through the script and there are no problems with the actual script - everything is output properly and as it should do but nothing is ever received from it.

It’s a form for people to email the owner of the site - would those work for that?

I would think so, they’re just alternatives to using the PHP mail() function. If the old script is suddenly not working, you mentioned that the owner didn’t want to talk to the host about updates, do you have any idea of what the updates might be? Or you could post the script code here, anonymised of course, to see if anyone can spot what’s going wrong.

Thanks, here’s the code that was working before:

<?php 
$your_email ='email@address.com';

session_start();
$errors = '';
$name = '';
$email = '';
$message = '';

if(isset($_POST['submit']))
{
	
	$name = $_POST['name'];
	$email = $_POST['email'];
	$message = $_POST['message'];
	///------------Do Validations-------------
	if(empty($name)||empty($email)||empty($message))
	{
		$errors .= "\n All fields are required. ";	
	}
	if(IsInjected($email))
	{
		$errors .= "\n Please enter a valid email address";
	}
	if(empty($_SESSION['6_letters_code'] ) ||
	  strcasecmp($_SESSION['6_letters_code'], $_POST['6_letters_code']) != 0)
	{
	//Note: the captcha code is compared case insensitively.
	//if you want case sensitive match, update the check above to
	// strcmp()
		$errors .= "\n The security code does not match!";
	}
	
	if(empty($errors))
	{
		//send the email
		$to = $your_email;
		$subject="New message from website";
		$from = $email;
		$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
		
		$body = "$name ($email) has sent you a message:\n\n".
		"$message";
		$headers = "From: $from \r\n";
		$headers .= "Reply-To: $email \r\n";
		
		mail($to, $subject, $body,$headers);
		
		// header() only redirects when the string starts with "Location:"
		header("Location: thanks.php");
		exit;
	}
}

// Function to validate against any email injection attempts
function IsInjected($str)
{
  $injections = array('(\n+)',
              '(\r+)',
              '(\t+)',
              '(%0A+)',
              '(%0D+)',
              '(%08+)',
              '(%09+)'
              );
  $inject = join('|', $injections);
  $inject = "/$inject/i";
  if(preg_match($inject,$str))
    {
    return true;
  }
  else
    {
    return false;
  }
}
?>

I wonder if the problem is that you’re sending that message using whatever the person filling the form in entered as their email address, as the ‘from’ address. This may be a security problem, in that I’d expect a hosting company to check that you’re sending emails from an address that you’re paying them to host, and not spamming and so on.

Try changing it so that the $from value is another of your own (or the site owner’s own) email addresses, and include the form-filler’s email address in the body of the message.

I tried that and it didn’t work unfortunately. The form does check if it’s a proper email address before allowing the user to submit it though so it should (in theory at least) always be a proper email address

might be a properly formatted email but not necessarily an email address that exists.

If you run <?php phpinfo(); ?> you should be able to get some more info about what is being run on the server. You can possibly amend the .ini contents on the page you are trying to build to send the email.

It might be a bit annoying as you’d have to check regularly but if you really can’t email out just submit the form to a database and have an admin log in area to pick up the ‘email’.

mail() isn’t particularly suited to getting info about email sending (mail() hands over the email to your sendmail executable and that’s it). Therefore you should use one of the existing email libraries (e.g. SwiftMailer, PHPMailer) that can easily send email via SMTP.

PHP has an email filter that does a better job at that.


What I was getting at is that the mail server might need the from-address to be one that it is configured to send emails from, not just that it’s a properly-formatted email address. If it allows your form to use any old email address as the from-address, that would mean you could also use it to send emails purporting to be from anyone.

But if you’ve changed it to use your address as the from-address for sending the mail and it didn’t help, it must be something else.
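The two suggestions made in the replies above (a fixed From address owned by the site, and PHP's email filter), combined in one function as an added example that is not code from the thread. The function name `build_contact_mail`, the address `webform@example.com` and the sample form inputs are assumptions made for illustration.

```php
<?php
// Added example: function name, addresses and sample inputs are constructed.

// Returns [headers, body] ready for mail(), or null when the input is rejected.
function build_contact_mail(array $post, string $siteFrom): ?array
{
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $message = trim($post['message'] ?? '');

    if ($name === '' || $email === '' || $message === '') {
        return null;
    }
    // The built-in filter rejects malformed addresses, including any that
    // carry CR/LF, so extra header lines cannot ride in on the address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Explicit CR/LF check kept as a second line of defence for header values.
    if (preg_match('/[\r\n]/', $email)) {
        return null;
    }

    // From is always the site's own address; the visitor only appears in
    // Reply-To and in the body, so the mail server sees a sender it hosts.
    $headers = implode("\r\n", [
        'From: ' . $siteFrom,
        'Reply-To: ' . $email,
    ]);
    $body = "$name ($email) has sent you a message:\n\n$message";

    return [$headers, $body];
}

// Constructed sample submissions: one valid, one with injected header
// lines in the email field, one that is not an address at all.
$samples = [
    ['name' => 'Alice', 'email' => 'alice@example.org', 'message' => 'Hello'],
    ['name' => 'Bob',   'email' => "bob@example.org\r\nBcc: other@example.net", 'message' => 'Hi'],
    ['name' => 'Carol', 'email' => 'not-an-address', 'message' => 'Hi'],
];
foreach ($samples as $post) {
    $mail = build_contact_mail($post, 'webform@example.com');
    echo $post['name'], ': ', $mail === null ? 'rejected' : 'accepted', "\n";
    // On acceptance: mail($to, 'New message from website', $mail[1], $mail[0]);
}
```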

I think I need to look into something like SwiftMail as I know the solution I’ve got at the moment isn’t the best

I think the only problem is with double quotes.
header("Location: mailto:email@address.com?Subject=New message from website&body=$body");
should be,
header("Location: mailto:email@address.com?Subject=New message from website&body=".$body."");

That still won’t work without encoding the subject and body fields to deal with spaces.
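The encoding point made here and in the earlier rawurlencode() reply, as an added example that is not code from the thread. The helper name `mailto_url` and the message text are assumptions; a mailto: link is not form data, so the mail client percent-decodes it but leaves plus signs as they are.

```php
<?php
// Added example: helper name and sample text are constructed for illustration.

// Builds a mailto: URL, encoding the subject and body with the given function.
function mailto_url(string $to, string $subject, string $body, callable $encode): string
{
    return 'mailto:' . $to
         . '?subject=' . $encode($subject)
         . '&body=' . $encode($body);
}

$subject = 'New message from website';
// Line breaks are written as CRLF so they become %0D%0A in the link.
$body = "Hi Whoever\r\n\r\nThis email has come from your website";

// urlencode() is meant for form data: spaces become "+", which the mail
// client shows literally, as in the message quoted at the top of the thread.
$formStyle = mailto_url('email@address.com', $subject, $body, 'urlencode');

// rawurlencode() writes spaces as %20, which the mail client turns back
// into spaces when it opens the link.
$uriStyle = mailto_url('email@address.com', $subject, $body, 'rawurlencode');

echo $formStyle, "\n";
echo $uriStyle, "\n";

// In the redirect discussed above, the second form is the one to send:
// header('Location: ' . $uriStyle);
```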

You need to try least PHP code for email sending in PHP.