ansaurus

Question

Answer 1

+1 A:

You are passing too many parameters to the mail() function. Try something like this:

<?php 
ob_start();
$name = $_POST['name'] ;
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
$message = $_POST['message'] ;
$subject = strtr($_POST['subject'],array(':' => ' ', "\r" => ' ', "\n" => ' '));

$message = "Name: {$name}\r\nmessage: {$message}";
mail("[email protected]", $subject, $message, "From: {$email}");
header("Location: contact.php", true, 302);
ob_end_clean();
die;
?>

Dereleased 2009-12-08 21:03:41

Awesome, not I can send emails from [email protected] ;). You should evaluate everything that comes from the outside (like GET/POST/REQUEST/COOKIE)..

halfdan 2009-12-08 21:07:13

While you are correct, this is beyond the scope of the question. Then again, I'm not against everything devolving into a discussion of BCP Security. Finally, I have updated my version to reflect this =)

Dereleased 2009-12-08 21:09:26

Thankyou this is exactly how I wanted it! But could you help me a little bit more?I agree with the above comments saying I should validate the email address, but I how i do that?

Keiron Lowe 2009-12-08 21:16:46

the call to `filter_input( ... )` sanitizes the from e-mail address for you. It would probably be a good idea to sanitize the subject as well, since it goes in the headers and is affected by user input.

Dereleased 2009-12-08 21:18:47

What do you mean by that?How will that stop spam?

Keiron Lowe 2009-12-08 21:21:58

Well, the second and fourth fields of this function are inserted directly into the message header; if they are not sanitized (for headers this means removing line-breaks (\r\n) and colons) then I could potentially inject my own custom headers (Extra "TO" fields, "CC", etc) and use your script to send out my e-mail to whoever I wanted. By using `filter_input` with the email address and `strtr` with the subject, you remove this capability by blocking characters that could be used during an attack. Which means the emails only go to you. Doesn't help you if they are only spamming you, though.

Dereleased 2009-12-08 21:24:54

Ahh that makes sense, thankyou :)Only problem now though is header("Location: contact.php" doesnt work. It sends the email and takes make too send_contact.php

Keiron Lowe 2009-12-08 21:34:53

Is there any output on the screen? I'll add output buffering to my script and we'll see if that does it.

Dereleased 2009-12-08 21:40:54

Whoops, I just mixed up the arguments I sent to `header()`; I've fixed it, but I'm leaving in Output Buffering since that could save you the same sort of trouble if, say, someone is posting from a 3rd party and one of those indices is not defined. My bad, that should work.

Dereleased 2009-12-08 21:44:08

Thankyou so much for your help! :)

Keiron Lowe 2009-12-08 21:52:47

Answer 2

+1 A:

Take a look at the manual for mail():

mail("[email protected]", "Name: $name", $message, "From: $email");

But anyways, I strongly suggest you don't rely on PHP's mail()-function as its return value does not indicate if a mail really has been sent. Use phpmailer for mailing instead.

Best wishes,
Fabian

halfdan 2009-12-08 21:04:08

Answer 3

+2 A:

You've got the arguments mixed up a little:

mail( "[email protected]", $subject, "Name: $name\nMessage: $message", "From: $email" );

Additionally you shouldn't do "From: $email" without validating the email address - this will leave your script open to sending out spam.

Greg 2009-12-08 21:04:52

+1, the header info is correct, because an unscrupulous user could send extra headers like CC, additional To fields, etc.

Dereleased 2009-12-08 21:06:25

ansaurus

tags:

views:

answers:

PHP Contact form editing

related questions