PHP Script and HTML Contact Form

[jamesadrian]

I have attempted to write a page at http://www.futurebeacon.com/test.php that has a form window for a name, a form window for an email address and a form window for comments.

 

The comment window never comes through with the email message sent to update@futurebeacon.com and I don't know what the script or the html form lack.

 

Here they are:

 

<?php
if (isset($_POST['Submit']))

{
// get posted data into local variables
$EmailFrom = "Contact Form at http://www.futurebeacon.com";
$EmailTo = "update@futurebeacon.com";
$Subject = "Update Request";
$Name = Trim(stripslashes($_POST['Name']));
$Email = Trim(stripslashes($_POST['Email']));


// validation
$validationOK=true;
if (Trim($Name)=="") $validationOK=false;

if (Trim($Email)=="") $validationOK=false;
//if (Trim($Website)=="") $validationOK=false;

if (!$validationOK) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.futurebeacon.com/error.htm\">";
exit;
}

// prepare email body text
$Body ="";
$Body .= "\n";
$Body .= "Name: ";
$Body .= $Name;
$Body .= "\n";
$Body .= "Email: ";
$Body .= $Email;
$Body .= "\n";


// send email
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// Print style redirect to success page:
if ($success){
print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.futurebeacon.com/ok.htm\">";
}
else{
print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.futurebeacon.com/error.htm\">";
}



}

?>


<!DOCTYPE html>
<html>
<head>
<title>PHP Test</title>
<meta name="description" content="">
<meta name="keywords" content="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>

<body style="background-image: url(http://www.fibro1.org/Fibro1.png);">
<div style="width: 3000px; height: 3000px; font-size: 20px; line-height: 28px; color: #000000; font-family: times new roman;">
<div style="margin-left: 60px; margin-right: 0px;">


<br /><br />

<div style="font-size: 35px; line-height: 5px;">PHP Test
</div>


<br /><br />

<br /><br />

<br /><br />

<div style="width: 1000px;">

To receive email updates, please enter your name and email address bellow. This information will not be shared with others.
<br /><br />


<!-- Website Contact Form-->

<form method="POST" action="<?php echo $PHP_SELF;?>">

Name<br />
<input type="text" name="Name" value="" size="29" maxlength="75">
<br />
Email Address<br />
<input type="text" name="Email" value="" size="29" maxlength="75">
<br /><br />
<div style="position: absolute; top: 440px; left: 60px;">
<br /><br />
Questions and Comments:
<br /><br />
<textarea name="Comments" rows="12" cols="70">
</textarea>
<br /><br />
<br /><br />
<input type="submit" name="Submit" value="Submit Form">
<br /><br />
<input type="reset" value="Clear Form">
</div>

</form>



</div>
</div>
</div>


</body>
</html>

 

 

I think that the php file needs to somehow enable the part of the html form that contains the comment window, but I am not sure and I wouldn't know how. The name and email address come with the message correctly.

 

Any hints would be greatly appreciated.

 

Thank you for your help.

 

Jim Adrian

jim@futurebeacon.com

 

 

 

 

 

 

 

[jamesadrian]

88 people have looked at this so far.

 

Have I posted this in the wrong place?

 

Thank you for your help.

 

Jim Adrian

jim@futurebeacon.com

[davej]

I don't see $Website being defined. Also a form can be submitted without pressing the submit button. Also you should avoid using a raw $PHP_SELF

 

See...

http://www.w3schools.com/php/php_form_validation.asp

 

http://www.w3schools.com/php/func_mail_mail.asp

 

--edit 2/28 10am cdt

 

Oops. I see $Website was commented out.

[dsonesuk]

Its basically exactly the same way you accessed email and name content, but you are referencing 'Comments' and assigning to new variable instead (for instance $comments), then you include it in $Body variable as name and email were.

[jamesadrian]

I appreciate your help with this and I have made several changes.

 

I separated the form from the php file which is now called recent.php and operates from my hosing account and is not on the website page.

 

Located on a website page, the form is now this:

 

<!-- Website Contact Form-->
<form action="recent.php" method="post">
Name
<br />
<input type="text" name="Name" value="" size="29" maxlength="75">
<br /><br />
Email Address
<br />
<input type="text" name="Email" value="" size="29" maxlength="75">
<br /><br />
<br /><br />
Questions and Comments:
<br /><br />
<textarea name="Comments" rows="12" cols="70">
</textarea>
<br /><br />
<br /><br />
<input type="submit" name="Submit" value="Submit Form">
<br /><br />
<input type="reset" value="Clear Form">
</form>

Here is recent.php:

<?php
if (isset($_POST['Submit']))
{
// get posted data into local variables
$EmailFrom = "Contact Form at http://www.fibro1.org";
$EmailTo = "jim@futurebeacon.com";
$Subject = "Update Request";
$Name = Trim(stripslashes($_POST['Name']));
$Email = Trim(stripslashes($_POST['Email']));
$Comments = Trim(stripslashes($_POST['Comments']));
// validation
$validationOK=true;
if (Trim($Name)=="") $validationOK=false;
if (Trim($Email)=="") $validationOK=false;
if (!$validationOK) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.fibro1.org/error.htm\">";
exit;
}
// prepare email body text
$Body ="";
$Body .= "\n";
$Body .= "Name: ";
$Body .= $Name;
$Body .= "\n";
$Body .= "Email: ";
$Body .= $Email;
$Body .= "\n";
$Body .= "Comments:";
$Body .= $Comments;
$Body .= "\n";
// send email
$success = mail($EmailTo, $Subject, $Comments, $Body, "From: <$EmailFrom>");
// Print style redirect to success page:
if ($success){
print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.fibro1.org/ok.htm\">";
}
else{
print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.fibro1.org/error.htm\">";
}
}
?>

I am stumped because there are no error messages and yet the email does not arive.

 

Thank you for your help.

 

Jim Adrian

jim@futurebeacon.com

[Ingolme]

The mail() function might turn true even if the mail wasn't sent. It returns true if the mail was accepted for delivery by the SMTP server. If your web host doesn't have an SMTP server set up for you the code won't work.

[jamesadrian]

What does this line mean?

 

<form method="POST" action="<?php echo $PHP_SELF;?>">

 

Its the action part I don't understand.

 

Thank you for your help.

 

Jim Adrian

[Don E]

Hello Jim,

 

That looks like that's suppose to be $_SERVER['PHP_SELF']; or $PHP_SELF was assigned the value of $_SERVER['PHP_SELF']. http://php.net/reserved.variables.server

[Ingolme]

Perhaps an old version of PHP actually used a variable called $PHP_SELF

[Don E]

Hmm possible, but according to a quick search: http://stackoverflow.com/questions/12710803/undefined-variable-php-self near the bottom a user wrote:

Looks like certain WordPress distributions declare $PHP_SELF = $_SERVER['PHP_SELF'] for reasons I can't say, must be some sorta legacy thing.

 

 

That may be it in this case as well.

[davej]

I think it may be better to use action="" but certainly there is known problem with using $_SERVER["PHP_SELF"]

 

http://www.w3schools.com/php/php_form_validation.asp

[dsonesuk]

If you go by that link and use action="" you are STILL vulnerable by hacking via url or input, unless you take necessary precautions and use htmlspecialchars() function for both action attribute and form inputs values.

[davej]

I don't actually understand how this confuses the system...

http://www.example.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E

...Why aren't the extra characters ignored or considered invalid? I could see that they might be confused as GET data but this code will be looking for a POST.

[dsonesuk]

Exactly! its sending as method 'get' using url, which will affect current form page its sent to when you hit return, if they can introduce code for alert, why can't they introduce js code to overwrite action value to redirect and change method value to get.

[davej]

But why does it matter if they send fake GET data if the Php code is going to look for POST data? The injected script can change the HTML but why would the Php care what the HTML says?

[dsonesuk]

If the url has inserted hidden js code, the forms action can be altered it then redirects to another domain server which lands on page that looks exactly as that of the original, it uses the same POST or changed to GET method info OR both, as action attribute value address can have GET querystring included while STILL sending as method POST, if the user does not notice change in url and see info he just submitted he is more likely to continue on to maybe give more personal info including payment details.

[davej]

But does this injection occur automatically or because of poorly written Php code?

 

I'm reading this...

 

http://www.html-form-guide.com/php-form/php-form-action-self.html

 

...but it doesn't explain why it happens.

[jamesadrian]

I have another question about the php script and html contact form that I have been working on.

 

The contact page at needsnotmet.com/contactnnm.php is working fine except that I hope to have the form automatically cleared when sending is successful.

 

Can anybody here tell me how that is done?

 

The page at futurebeacon.com does it, but only because of a hidden script offered by the godaddy.com hosting service. I can't find out from them.

 

For some reason, viewing codes does not get you the whole thing, so here is the page source:

 

<?php
if (isset($_POST['Submit']))

{
// get posted data into local variables
$From = "Contact Form at http://www.needsnotmet.com/contactnnm.php";
$EmailTo = "contact@needsnotmet.com";
$Subject = "Update Request";
$Name = Trim(stripslashes($_POST['Name']));
$Email = Trim(stripslashes($_POST['Email']));
$Comments = Trim(stripslashes($_POST['Comments']));

// validation
$validationOK=true;
if (Trim($Name)=="") $validationOK=false;

if (Trim($Email)=="") $validationOK=false;

if (!$validationOK) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.needsnotmet.com/error.htm\">";
exit;
}

// prepare email body text
$Body ="";
$Body .= "\n";
$Body .= "\n";
$Body .= "Name: ";
$Body .= $Name;
$Body .= "\n";
$Body .= "\n";
$Body .= "Email Address: ";
$Body .= $Email;
$Body .= "\n";
$Body .= "\n";
$Body .= "Comments: ";
$Body .= $Comments;
$Body .= "\n";
$Body .= "\n";
$Body .= "From: ";
$Body .= $From;
$Body .= "\n";
$Body .= "\n";


// send email
$success = mail($EmailTo, $Subject, $Body, "From: <$From>");

// Print style redirect to success page:
if ($success){
print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.needsnotmet.com/ok.htm\">";
}
else{
print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.needsnotmet.com/error.htm\">";
}



}

?>


<!DOCTYPE html>
<html>
<head>
<title>Contact</title>
<meta name="description" content="">
<meta name="keywords" content="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>

<body style="background-image: url(http://www.needsnotmet.com/bluesky.png);">
<div style="width: 3000px; height: 3000px; font-size: 20px; line-height: 28px; color: #000000; font-family: times new roman;">
<div style="margin-left: 60px; margin-right: 0px;">


<br /><br />

<div style="font-size: 30px; line-height: 5px;">This is your contact with NeedsNotMet.com
</div>


<br /><br />

<br /><br />

<div style="width: 1000px;">

Your email address will not be shared with others.
<br /><br />

<br /><br />

<!-- Website Contact Form-->

<form method="POST" action="<?php echo $PHP_SELF;?>">

Name<br />
<input type="text" name="Name" value="" size="29" maxlength="75">
<br />
Email Address<br />
<input type="text" name="Email" value="" size="29" maxlength="75">
<br /><br />
<div style="position: absolute; top: 440px; left: 60px;">
<br /><br />
Questions and Comments:
<br /><br />
<textarea name="Comments" rows="12" cols="70">
</textarea>
<br /><br />
<br /><br />
<input type="submit" name="Submit" value="Submit Form">
<br /><br />
<input type="reset" value="Clear Form">
</div>

</form>



</div>
</div>
</div>


</body>
</html>

 

 

Thank you for your help.

 

Jim Adrian

 

jim@futurebeacon.com

[davej]

There is nothing here to restore those fields so it must be due to browser caching. You could add a script block...

<script>
window.onload = function(){
var i;
var list = document.getElementsByTagName('INPUT');
for (i=0,len=list.length ; i<len ; i++){
  if (list[i].type == 'text'){
    list[i].value = '';
  }
}
var list = document.getElementsByTagName('TEXTAREA');
for (i=0,len=list.length ; i<len ; i++){
  list[i].value = '';
}
}
</script>

[jamesadrian]

Thank you.

Edited March 17, 2016 by jamesadrian

[davej]

Simply take the code I provided above and place it in the head or body of the file.

[jamesadrian]

Thank you.

 

Jim Adrian

Edited March 17, 2016 by jamesadrian

[dsonesuk]

You are relying on javascript being enabled, use php to clear cache such as

 

header( "Cache-Control: no-cache, must-revalidate" );

header( "Pragma: no-cache" );

 

as described here

 

http://www.thesitewizard.com/archive/phptutorial2.shtml

 

When it comes to preventing what could be users private information showing on form, i would not recommended using javascript.

 

Example cached google snapshot of site, would not show javascript cleared form, but how form will show without javascript.

[jamesadrian]

You are relying on javascript being enabled, use php to clear cache such as

 

header( "Cache-Control: no-cache, must-revalidate" );

header( "Pragma: no-cache" );

 

as described here

 

http://www.thesitewizard.com/archive/phptutorial2.shtml

 

When it comes to preventing what could be users private information showing on form, i would not recommended using javascript.

 

Example cached google snapshot of site, would not show javascript cleared form, but how form will show without javascript.

 

Thank you for this information.

 

I think that you advise that I substitute the header commands for the java script and do without the java script. I don't yet see where the header commands should be placed in the code. At the beginning?

 

I am studying the link you provided including the links it leads to. Perhaps I should google header commends. I am new to this.

 

Thank you for your help.

 

 

Jim Adrian

[dsonesuk]

It should be done in such a way that it appears BEFORE ANY html code.