Webform data email via PHP

[kurt.santo]

Used a Perl-cgi script in past to foward info from web forms. I have been told that this is a security threat and I should use php. In general, this is great. Have no problem sending a simple mail. But in this case there are 20 fields to be sent, which exceeds the 5 parameter limit. How can I use php to achieve what I am after?Kurt

[jhecht]

Let's assume you're using POST as your data type. now, here is pretty much the code you use:

$S = '';foreach($_POST as $key=>$value){  $S.= $key ." : ". $value."\n";}mail('your.email@domain.com','From Web Form', $S,$yourAdditionalHeaders);

Word of Advice when using this case: don't give your submit button a name. otherwise you'll get something in your email at the very end that says "submitName : Send!" or whatever you submit button may happen to say

[Synook]

POST is the way to go, as there are no limits like with GET. Also, you can't send newlines with GET.

[kurt.santo]

Let's assume you're using POST as your data type. now, here is pretty much the code you use:

$S = '';foreach($_POST as $key=>$value){  $S.= $key ." : ". $value."\n";}mail('your.email@domain.com','From Web Form', $S,$yourAdditionalHeaders);

Word of Advice when using this case: don't give your submit button a name. otherwise you'll get something in your email at the very end that says "submitName : Send!" or whatever you submit button may happen to say

Could you just explain the script a bit more? Sorry to bother, but not sure what I need to modify |-) Kurt

[jhecht]

$S = '';//Just a string, i didn't feel like making up a name for it, so i just chose S for Stringforeach($_POST as $key=>$value){//Almost exactly like the for loop, but this one is instead looping through the $_POST data array, every key (I.E. $_POST['keyName']) will be put into the value $key. So echo-ing $key would list all the key names ("Name","Age","Address","email" etc). $value is the corresponding values to those keys. ("Bob","20","123 Fayke St", "bob.joe@email.com" etc)  $S.= $key ." : ". $value."\n";	 // the .= operator is the same thing as $S = $S.'new values'; its like the javascript += operator; this is just adding the new key name and the value, seperated by the colon so that you know when one ends, and when the other begins.}mail('your.email@domain.com','From Web Form', $S,$yourAdditionalHeaders);//Just calling the mail function. Don't put your email into a variable, makes it easier for hackers to get access to. This way they have to single out the call to the mail() function and somehow print it out to find it)

[justsomeguy]

POST is the way to go, as there are no limits like with GET. Also, you can't send newlines with GET.

They're the same thing, just one goes on the end of the URL and the other goes in the body of the request. Anything you can with one you can do with the other, with the exception of a file upload which needs to be a post request because it's a multi-part message.

[kurt.santo]

Thanks for your help! I will have a go and see what I come up with...Kurt

[kurt.santo]

Thanks for your help! I will have a go and see what I come up with...Kurt

I search now for a way to send data from a form with over 20 input fields to my email address. The mail function does not take more than 5 parameters. How do you do that?Kurt

[Synook]

You concatenate all the input fields into the message parameter, just as Jhecht's code does. It loops through the $_POST array (which contains all your fields) and adds them onto the string $S, which end up in the message parameter to be sent.

[kurt.santo]

You concatenate all the input fields into the message parameter, just as Jhecht's code does. It loops through the $_POST array (which contains all your fields) and adds them onto the string $S, which end up in the message parameter to be sent.

Cheers, will have a go...Kurt

[kurt.santo]

Tested with

  <?php$S = '';foreach($_POST as $key=>$value){  $S.= $key ." : ". $value."\n";}mail(kurt@domain.co.uk','From Web Form', $S);?>

underneath my form. Obviously, as soon as I opened the page it sent an empty message. I realise that I have to include a check to see if form is submitted. Still, for testing purposes: when I then entered data in all given fields the email got send to my given email address, but again empty. Why does it not send the data stored in $S? Do I need to use the additonal headers? Also when I include an if clause as

if (isset($_POST['submitted'])){$S = '';foreach($_POST as $key=>$value){  $S.= $key ." : ". $value."\n";}mail('testing@metastar.co.uk','From Web Form', $S);}

with <input type="submit" value="Submit" n name="submitted" /> no email gets send (or at least nothing arrives). What am I doing wrong here?Kurt

[jhecht]

check every part of the loop;

if (isset($_POST['submitted'])){echo "We have gotten inside the IF statement";$S = '';foreach($_POST as $key=>$value){$S.= $key ." : ". $value."\n";}echo "Loop finished, final value:". $S;//mail('testing@metastar.co.uk','From Web Form', $S); //Since mailing isn't the issue, lets comment it out momentarily to make sure you don't receieve any extra emails.}

One thing i noticed about your first example, however, is that you are missing a quote at the beginning of your email( its mail(kurt@domain.co.uk','From Web Form', $S); and notmail('kurt@domain.co.uk','From Web Form', $S).Tell me the value you get from that, or point me to the web address so i can figure it out from there

[kurt.santo]

Jhecht,Thanks for your input. I changed the single quotation mark and it works now. Emails arrive with relevant content. Cheers, mate!Another question in same context: I am working now on the form validatation. The code I use now is:

if (isset($_POST['submitted'])){if (!empty($_REQUEST['name'])) {$name = stripslashes($_REQUEST['name']);} else	{$name = NULL;echo '<p>Please enter your name!</p>';}$S = '';foreach($_POST as $key=>$value){  $S.= $key ." : ". $value."\n";}mail('kurt@domain.co.uk','From Web Form', $S);}

As I put the code now on top of form it shows "Please enter your name!" on top of form. I think it might be easier for user to see the error next to the field where the input should be. How can you do that? Would be great if that was possible...Kurt

[justsomeguy]

Of course it's possible. You just need a way to tell the script which field has an error. So in addition to keeping track of error messages, you also need to keep track of where the messages go. When you're printing your form then you check to see if there is an error for a particular field. There are several different ways to do that, I would probably use an array of error messages and field names.

[kurt.santo]

Of course it's possible. You just need a way to tell the script which field has an error. So in addition to keeping track of error messages, you also need to keep track of where the messages go. When you're printing your form then you check to see if there is an error for a particular field. There are several different ways to do that, I would probably use an array of error messages and field names.

Following your advice I created an error array with just two checks to start off with, will add more later on when it works. The code for error array and the form so far is:

    <?phpif (isset($_POST['submitted'])){// store errors in an array$errors = array();//check for name to be filled outif (!isset($_POST['name']) OR empty($_POST['name'])) {$errors[] = 'name';}//check for comments to be filled outif (!isset($_POST['comments']) OR empty($_POST['comments'])) {$errors[] = 'comments';}$S = '';foreach($_POST as $key=>$value){  $S.= $key ." : ". $value."\n";}mail('testing@domain.co.uk','From Web Form', $S);}?><form action="contact2.php" method="post">  <fieldset>  <table>  <tr> <td><label for="name">Name*</label></td><td class="right"><input type="text" id="name" name="name" maxlength="30" size="40"  /></td></tr> <tr> <td> <label for="email">Email  Address*</label></td><td  class="right"><input type="text" id="email" name="email" maxlength="30" size="40"  /></td></tr>  <tr> <td><label for="email2">Confirm Email Address*</label></td><td class="right"><input type="text" id="email2" name="email2" maxlength="30" size="40"  /></td></tr>  <tr> <td><label for="telephone">Telephone</label></td><td class="right"><input type="text" id="telephone" name="telephone" maxlength="30" size="40"  /></td></tr>  <tr> <td height="198"><label for="comments">Comments*</label></td><td class="right"><textarea rows="11" cols="30" id="comments" name="comments" /></textarea></td></tr></table></fieldset></form>

You how can I keep track of where the messages go? That is great that you can do that...Kurt

[justsomeguy]

If you're saving the field names in the array then when you get to each field in the HTML you would search through the array looking for an error message for that field. It would make the code a little cleaner if you put that into a function that you could just call once for each field.

[kurt.santo]

If you're saving the field names in the array then when you get to each field in the HTML you would search through the array looking for an error message for that field. It would make the code a little cleaner if you put that into a function that you could just call once for each field.

I would have thought to use sth like:

  <tr> <td><label for="name"><?php if (empty($errors)) {echo 'Name*';exit;} else {echo 'You forgot to enter your name!';}</label></td><td class="right"><input type="text" id="name" name="name" maxlength="30" size="40"  /></td></tr>

but it throws me an error in the next line (next normal HTML field there). Also, what did you mean by putting everything in a function? Do I not to say that I need for example the error code for name from the array?Kurt

[justsomeguy]

You forgot to close the PHP code. What I mean by a function is instead of putting all of this for every field:

if (empty($errors)) {echo 'Name*';exit;} else {echo 'You forgot to enter your name!';}

you put this:

<?php echo check_error("name", "Name*"); ?>

it keeps the code cleaner. Then you put whatever error-checking logic you want into the check_error function, you only have to write it once.

[kurt.santo]

You forgot to close the PHP code. What I mean by a function is instead of putting all of this for every field:

function check_error () {if (empty($errors['name'])) {echo 'Name*';exit;} else {echo 'You forgot to enter your name!';}if (empty($errors[comments])) {echo Comments*';exit;} else {echo 'You forgot to enter a comment!';}}

Kurt

[justsomeguy]

Not necessarily. You would need to send the function the name of the field you want to look up, and default text to print if it didn't find an error. It would loop through the array looking for the name that you gave it, and if it found it then it would return the error message (I assume you're saving error messages also, not just names). If it didn't find it then it would return the default text instead. Also, have the function return the output instead of directly printing it, it will be more useful that way.

[kurt.santo]

Not necessarily. You would need to send the function the name of the field you want to look up, and default text to print if it didn't find an error. It would loop through the array looking for the name that you gave it, and if it found it then it would return the error message (I assume you're saving error messages also, not just names). If it didn't find it then it would return the default text instead. Also, have the function return the output instead of directly printing it, it will be more useful that way.

Came up with:

  <?phpif (isset($_POST['submitted'])){// store errors in an array	$errors = array();	//check for name to be filled out	if (!isset($_POST['name']) OR empty($_POST['name'])) {		$errors['name'] = 'Please fill out the name field';	}	//check for email to be filled out	if (!isset($_POST['email']) OR empty($_POST['email'])) {		$errors['email'] = 'Please enter your email address';	}	//check pattern of email address	if (!eregi('^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$', $_POST['email'])) {		$errors['email'] = 'Please enter a valid email address';	}	//check for confirm email to be filled out	if (!isset($_POST['email2']) OR empty($_POST['email2'])) {		$errors['email2'] = 'Please confirm your email address';	}	//check pattern of email address 2	if (!eregi('^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$', $_POST['email2'])) {		$errors['email2'] = 'Please enter again the same valid email address';	}	//check that email address 1 matches email address 2	if ($_POST['email'] != $_POST['email2']) {		$errors['match'] = 'Please match Email Address and Confirm Email Address';	}	//check for comments to be filled out	if (!isset($_POST['comments']) OR empty($_POST['comments'])) {		$errors['comments'] = 'Please enter your comments';	}	if (empty($errors))	{		echo 'Thank you for your enquiry. We will get back to you as soon as possible.';		$S = '';		foreach($_POST as $key=>$value){  			$S.= $key ." : ". $value."\n";			}		mail('testing@domain.co.uk','From Web Form', $S);	} else {	echo '<strong>There are some amendments necessary before we can sent your data.</strong>';	}}function check_error ($field, $text) {if (empty($errors[$field])) {	echo $text;	} else {	echo $errors[$field];	}}?>  <form action="contact3.php" method="post">  <fieldset>  <table>  <tr> <td><label for="name"><?php echo check_error("name", "Name*"); ?></label></td><td class="right"><input type="text" id="name" name="name" maxlength="30" size="40"  /></td></tr>

Which displays nicely the default text, but not the error text. If I change "if (empty($errors[$field])) " to "if (!empty($errors[$field])) " there is nothing being displayed. I would think that the problem lies somewhere in my error array, but after hours on end cannot figure out what is wrong. Does anyone know what is going wrong?Kurt

[justsomeguy]

The function doesn't have access to the $errors array, you either need to pass it in as another argument or make it global.

function check_error ($field, $text) {  global $errors;  if (empty($errors[$field]))   {	echo $text;  }   else   {	echo $errors[$field];  }}

[kurt.santo]

The function doesn't have access to the $errors array, you either need to pass it in as another argument or make it global.

	//check for email to be filled out	if (!isset($_POST['email']) OR empty($_POST['email'])) {		$errors['email'] = 'Please enter your email address';	}	//check pattern of email address	if (!eregi('^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$', $_POST['email'])) {		$errors['email'] = 'Please enter a valid email address';	}	//check for confirm email to be filled out	if (!isset($_POST['email2']) OR empty($_POST['email2'])) {		$errors['email2'] = 'Please confirm your email address';	}	//check pattern of email address 2	if (!eregi('^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$', $_POST['email2'])) {		$errors['email2'] = 'Please enter again the same valid email address';	}	//check that email address 1 matches email address 2	if ($_POST['email'] != $_POST['email2']) {		$errors['match'] = 'Please match Email Address and Confirm Email Address';	}

I am sorry to be so inquisitive, but I really want to get my head around those things and start off with to do it the best possible way...Kurt

[justsomeguy]

Use else to only test the later cases if the first one fails.

[kurt.santo]

Use else to only test the later cases if the first one fails.

Thanks a lot! Does the trick. Almost happy with my form now...Kurt