I'm not a pro at PHP, just starting actually, and was wondering if you could help me.

I'm trying to get this contact form to email me stating the person's name and the message like this.

Name: Fred Blogs Message: Message, Message.

But when I try, all I get is the message; I can't seem to insert the name variable anywhere.

This is the code

<?php 
$name = $_REQUEST['name'] ;
$email = $_REQUEST['email'] ;
$message = $_REQUEST['message'] ;
$subject = $_REQUEST['subject'] ;

mail( "[email protected]", "Name: $name", "$subject", $message, "From: $email" );
header( "Location:contact.php" );
?>
+1  A: 

You are passing too many parameters to the mail() function. Try something like this:

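<?php
ob_start(); // buffer any stray output (e.g. notices) so header() below still works
$name = $_POST['name'] ;
// FILTER_SANITIZE_EMAIL strips characters that are not allowed in an address, including CR/LF
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
$message = $_POST['message'] ;
// the subject is placed in the headers: replace colons and line breaks with spaces
$subject = strtr($_POST['subject'],array(':' => ' ', "\r" => ' ', "\n" => ' '));

$message = "Name: {$name}\r\nmessage: {$message}";
mail("[email protected]", $subject, $message, "From: {$email}");
header("Location: contact.php", true, 302);
ob_end_clean();
die;
?>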
Dereleased
Awesome, now I can send emails from [email protected] ;). You should evaluate everything that comes from the outside (like GET/POST/REQUEST/COOKIE).
halfdan
While you are correct, this is beyond the scope of the question. Then again, I'm not against everything devolving into a discussion of BCP Security. Finally, I have updated my version to reflect this =)
Dereleased
Thank you, this is exactly how I wanted it! But could you help me a little bit more? I agree with the above comments saying I should validate the email address, but how do I do that?
Keiron Lowe
The call to `filter_input( ... )` sanitizes the from e-mail address for you. It would probably be a good idea to sanitize the subject as well, since it goes in the headers and is affected by user input.
Dereleased
What do you mean by that? How will that stop spam?
Keiron Lowe
Well, the second and fourth fields of this function are inserted directly into the message header; if they are not sanitized (for headers this means removing line-breaks (\r\n) and colons) then I could potentially inject my own custom headers (Extra "TO" fields, "CC", etc) and use your script to send out my e-mail to whoever I wanted. By using `filter_input` with the email address and `strtr` with the subject, you remove this capability by blocking characters that could be used during an attack. Which means the emails only go to you. Doesn't help you if they are only spamming you, though.
Dereleased
Ahh, that makes sense, thank you :) Only problem now though is header("Location: contact.php" doesn't work. It sends the email and takes me to send_contact.php
Keiron Lowe
Is there any output on the screen? I'll add output buffering to my script and we'll see if that does it.
Dereleased
Whoops, I just mixed up the arguments I sent to `header()`; I've fixed it, but I'm leaving in Output Buffering since that could save you the same sort of trouble if, say, someone is posting from a 3rd party and one of those indices is not defined. My bad, that should work.
Dereleased
Thank you so much for your help! :)
Keiron Lowe
+1  A: 

Take a look at the manual for mail():

mail("[email protected]", "Name: $name", $message, "From: $email");

But anyways, I strongly suggest you don't rely on PHP's mail()-function as its return value does not indicate if a mail really has been sent. Use phpmailer for mailing instead.

Best wishes,
Fabian

halfdan
+2  A: 

You've got the arguments mixed up a little:

mail( "[email protected]", $subject, "Name: $name\nMessage: $message", "From: $email" );

Additionally you shouldn't do "From: $email" without validating the email address - this will leave your script open to sending out spam.

Greg
+1, the header info is correct, because an unscrupulous user could send extra headers like CC, additional To fields, etc.
Dereleased
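
The header-injection risk discussed in the comments and in the last answer, shown as an added example that is not part of the original thread: the form values that reach the mail headers (subject and From) are rejected if they contain a line break, and the address is validated rather than only stripped. `build_contact_mail()` is a hypothetical helper, and all addresses and form values are constructed placeholders.

```php
<?php
// Added example, not code from the thread. build_contact_mail() is a hypothetical
// helper and every address below is a constructed placeholder.

function build_contact_mail(array $form, string $to): ?array
{
    $name    = trim((string)($form['name'] ?? ''));
    $email   = trim((string)($form['email'] ?? ''));
    $subject = trim((string)($form['subject'] ?? ''));
    $message = (string)($form['message'] ?? '');

    // Subject and From end up in the message headers, so a CR or LF in either
    // one would let the sender start a header line of their own. Reject it.
    foreach ([$email, $subject] as $headerValue) {
        if (preg_match('/[\r\n]/', $headerValue) === 1) {
            return null;
        }
    }

    // Validate the address instead of only stripping characters from it.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The name only appears in the body, where extra lines cannot add headers.
    $body = "Name: {$name}\r\nMessage: {$message}";

    // Same argument order as mail(): to, subject, message, additional headers.
    return [$to, $subject, $body, "From: {$email}"];
}

// Constructed submissions: one normal, two with an extra header line, one malformed.
$base = ['name' => 'Fred Blogs', 'email' => 'fred@example.com',
         'subject' => 'Hello', 'message' => 'Message, Message.'];
$samples = [
    'normal'       => $base,
    'bad subject'  => ['subject' => "Hello\r\nCc: other@example.net"] + $base,
    'bad email'    => ['email' => "fred@example.com\r\nBcc: other@example.net"] + $base,
    'not an email' => ['email' => 'fred at example'] + $base,
];

foreach ($samples as $label => $form) {
    $args = build_contact_mail($form, 'owner@example.org');
    echo $label, ': ', $args === null ? 'rejected' : 'would call mail()', "\n";
    // In the real handler: if ($args !== null) { mail(...$args); }
}
```

Rejecting the submission, instead of replacing the characters as `strtr` does in the first answer, also gives the handler a clear point at which to log the attempt.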