
Php Form Processor


Dalvador


Hi all, I'm looking for some advice on writing a PHP form processor for HTML forms. I'm fairly new to PHP but have been using JavaScript for a while, so the language isn't too alien :) I've written the following (which I adapted from a free script); this works OK, but I'm wondering if it's very safe?

```php
<?php
// Variables
@$form_ip = $_SERVER['REMOTE_ADDR'];
@$name = addslashes($_POST['name']);
@$email = addslashes($_POST['email']);
@$enquiry = addslashes($_POST['enquiry']);
@$recommended_by = addslashes($_POST['recommended_by']);
@$security = addslashes($_POST['security']);
@$ans = '186';

// Validate email field
if (! ereg('[A-Za-z0-9_-]+\@[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+', $email)) {
    die("<p align='center'><font face='Arial' size='3' color='#FF0000'>Please enter a valid email address on the contact form<br /><br /><a href='javascript:history.back();'>Click here to return to website</a></font></p>");
}
if (strlen($email) == 0) {
    die("<p align='center'><font face='Arial' size='3' color='#FF0000'>Please enter a valid email address on the contact form<br /><br /><a href='javascript:history.back();'>Click here to return to website</a></font></p>");
}
if (strlen($security) == 0) {
    die("<p align='center'><font face='Arial' size='3' color='#FF0000'>Please enter a valid security code<br /><br /><a href='javascript:history.back();'>Click here to return to website</a></font></p>");
}
if ($security != $ans) {
    die("<p align='center'><font face='Arial' size='3' color='#FF0000'>Ooops, you did not enter the 3 digit security code correctly<br />Please try again<br /><br /><a href='javascript:history.back();'>Click here to return to website</a></font></p>");
}

// Send the form data to the website owner
$form_header = "From: $email\n"
    . "Reply-To: $email\n";
$form_subject = "Test Site Contact Form";
$form_email_to = "someone@somewhere.com";
$form_message = "Visitor's IP: $form_ip\n"
    . " \n"
    . "The customer sent the following information...\n"
    . "===============================\n"
    . "NAME: \n"
    . "$name\n"
    . " \n"
    . "EMAIL: \n"
    . "$email\n"
    . " \n"
    . "ENQUIRY: \n"
    . "$enquiry\n"
    . " \n"
    . "RECOMMENDED_BY: \n"
    . "$recommended_by\n"
    . "  \n"
    . "===============================\n"
    . " \n";
@mail($form_email_to, $form_subject, $form_message, $form_header);
echo("<p align='center'><font face='Arial' size='3' color='#FF0000'>Thank you for your enquiry<br /><br /><a href='javascript:history.back();'>Click here to return to website</a></font></p>");
?>
```

Here is the HTML code for the form it's going to process (this is in a different document/directory from the script)...

```html
<form name="input" action="scripts/send_it.php" method="post">
    Name:<br /><input type="text" name="name" size="39" maxlength="128" /><br /><br />
    Email Address:<br /><input type="text" name="email" size="39" maxlength="128" /><br /><br />
    Enquiry:<br /><textarea name="enquiry" cols="31" rows="6"></textarea><br /><br />
    Where did you hear about us?<br />
    <select name="recommended_by">
        <option selected="selected">Search Engine</option>
        <option>Personal Recommendation</option>
        <option>Business Card</option>
        <option>Local Advertisement</option>
    </select>
    <br /><br />
    Please enter the digits shown below:<br /><input type="text" name="security" size="3" maxlength="3" /><img src="images/captcha.jpg" /><br /><br />
    <input type="submit" value="Send" />
</form>
```

...The HTML containing the form is in one document (contact.html) and the PHP script to process it is in a SCRIPTS directory below it. (The small pseudo-captcha image, captcha.jpg, is just an image that I knocked up in Photoshop with the digits 186 in it, covered in 'noise'.)

I just wondered if this was the best way to go about processing a contact form? Ideally I would like to have had the error messages and the resulting 'thank you for your enquiry' message appearing on the same HTML page as the form, but I haven't been able to make this work, so I opted for an href link which uses a javascript:history.back() function.

I'd appreciate any advice, as I've read so many different ways of processing webforms that it's hard to know which way is right/best.

Many thanks,
Mark.


I'm not entirely sure about the safety of this script. I'd recommend using a separate class for mailing, like Zend_Mail for example.

Making the error appear on the same page as the form will require making the script that displays and processes the form be the same file. That way, you can store processing errors, display the HTML up to the point where you want the errors to appear, output the errors, and then keep outputting the rest of the form. Your form processor should be intelligent enough not to display any message if it is called with nothing (i.e. when the user first opens up the form).


The script doesn't validate the email properly, so that script can be exploited to spam to any address. The regular expression to validate the email will succeed if there is more than one address. It should be checking for one email address and nothing more. Also, email headers are separated by \r\n, not just \n.

Other than that, all of the error suppression operators just make the script feel like the author didn't really know much about programming. No script should need error suppression operators; if they're in there, it makes it look like the programmer doesn't know what they're doing (i.e., hiding errors instead of handling or avoiding them). Things like this are just unnecessary:

```php
@$ans = '186';
```

That line would never generate an error anyway, so why suppress errors? Again, it makes it seem like the programmer doesn't know what they're doing.

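To make the points in the reply above concrete, here is an added example (my own code, not the original poster's script and not any library the thread mentions). It places the thread's own unanchored pattern beside a validator that accepts exactly one header-safe address, and builds the mail() header string with CRLF separators. It assumes PHP 5.2 or later for filter_var(); the helper names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not the original poster's code or any library's: shows why
// the thread's unanchored pattern is not enough and what a strict check looks like.
// Assumes PHP 5.2+ (filter_var). Helper names and sample inputs are my own.

// The original pattern, translated from ereg() to preg_match(). It has no
// anchors, so it matches as soon as *something* in the string looks like an
// address; extra addresses or extra lines around it are never examined.
function legacy_regex_accepts($raw)
{
    return preg_match('/[A-Za-z0-9_-]+@[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/', $raw) === 1;
}

// Returns the address on success, or null when the value is not a single,
// header-safe email address.
function validate_single_email($raw)
{
    $value = trim((string) $raw);
    if ($value === '') {
        return null;
    }
    // CR, LF or NUL would end the "Reply-To:" line inside mail()'s header
    // string and let a further header begin, so refuse them outright.
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    // Commas, semicolons and whitespace separate addresses in a header, so
    // their presence means more than one recipient was supplied.
    if (preg_match('/[,;\s]/', $value)) {
        return null;
    }
    // Finally, PHP's own syntax check for a single address.
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

// Headers for mail(): CRLF-separated, as the reply notes. "From:" is a fixed
// site address; the visitor's (already validated) address only goes in Reply-To.
function build_headers($validated_reply_to, $site_from)
{
    return "From: $site_from\r\n"
         . "Reply-To: $validated_reply_to\r\n";
}

// Constructed inputs (not real addresses). The second and third pass the
// legacy pattern but are exactly what the validator has to refuse.
$samples = array(
    'alice@example.com',
    'alice@example.com, bob@example.com',
    "alice@example.com\r\nX-Injected: 1",
    'not an address',
);

foreach ($samples as $input) {
    $legacy = legacy_regex_accepts($input) ? 'accepts' : 'rejects';
    $strict = validate_single_email($input) === null ? 'rejects' : 'accepts';
    printf("%-44s legacy %-8s strict %s\n", json_encode($input), $legacy, $strict);
}

echo build_headers(validate_single_email('alice@example.com'), 'webform@example.com');
```

Running it shows the legacy pattern accepting the first three inputs while the strict validator accepts only the first. Keeping the visitor's address out of the From: header altogether (and only in Reply-To) also keeps the message from being rejected by receiving servers that check the sending domain.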

Gee, thanks. If I was an expert I wouldn't have needed to ask the question in the first place. Something more constructive than "it looks like you don't know what you're doing" would have been more useful. Thanks for your time anyway.

BTW, the reason I wanted to try to write my own script instead of using the pre-configured CGIs is that they don't format the resulting email very well and a friend asked if I could help.


Well, he did tell you what to do: stop suppressing errors!

I'm not sure I understand what you mean by suppressing errors. I'm checking for an error in the email address, then stopping execution of the script and passing the user back to the form to correct the error/enter a valid address. Do you mean I should be using a more elegant way of ending the script than "die"?

Like I said, I don't know a lot about PHP and am just trying to help out a friend to make the free script that he was using safe. Could you point me in the right direction please to achieve checking for more than one email address being entered, as suggested?

Thanks guys

In various places in your PHP code, you're using the "@" symbol, such as

```php
@mail($form_email_to, $form_subject ,$form_message ,$form_header );
```

The "@" symbol means that if anything that follows it on this statement produces errors, your script will not show these errors. In this case, if mail() fails to send the email, you won't see an error for that. Eliminating the "@" symbol in front of mail() will print out a message on the screen if mail() fails. The same goes for any place in the PHP code where you use "@".

Also, as said already, the script doesn't validate the email address properly. You asked for an opinion on security, and you got it: it isn't secure.

Zend_Mail isn't a "pre-configured CGI", it's a PHP class that lets you create and send emails securely. It does all the validation and escaping you would otherwise have to do manually. As far as formatting goes, that may depend on the mail client. As far as Zend_Mail is concerned, all you need to do is to set the body text or HTML. If you have any doubt about how Zend_Mail may alter your message's format, print out the contents or save it to a file, and send that same thing. If you see a difference, let us try to see why it happens, and if we can debug it.

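The two suggestions made in this thread, a single file that both displays and processes the form so errors and the thank-you message appear on the same page (the earlier reply), and dropping the "@" in favour of checking what mail() returns (the reply above), fit together in one script. The following is an added example written for this thread; it is not the original poster's script, not the "PHP form wizard" output, and not Zend_Mail (which would do the address validation for you). The recipient, the fixed From: address and the captcha answer are placeholder constants; the field names match the original form.

```php
<?php
// Added example, not from the original thread: one file both displays the
// contact form and processes it, so validation errors and the thank-you
// message appear on the same page. RECIPIENT, SITE_FROM and CAPTCHA_ANSWER
// are placeholders, not values from the original site.

define('RECIPIENT', 'owner@example.com');   // placeholder recipient
define('SITE_FROM', 'webform@example.com'); // fixed From:, so no visitor data reaches it
define('CAPTCHA_ANSWER', '000');            // placeholder; the real digits are not shown here

$errors = array();
$sent   = false;
$name = $email = $enquiry = '';

// Only validate when the form was actually submitted. A plain GET shows an
// empty form with no messages, as the earlier reply recommends.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name     = trim(isset($_POST['name']) ? $_POST['name'] : '');
    $email    = trim(isset($_POST['email']) ? $_POST['email'] : '');
    $enquiry  = trim(isset($_POST['enquiry']) ? $_POST['enquiry'] : '');
    $security = isset($_POST['security']) ? $_POST['security'] : '';

    if ($name === '') {
        $errors[] = 'Please enter your name.';
    }
    // Exactly one address and no line breaks; anything else is refused, so
    // nothing the visitor typed can add a header line of its own.
    if (preg_match('/[\r\n]/', $email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a single valid email address.';
    }
    if ($security !== CAPTCHA_ANSWER) {
        $errors[] = 'The security code was not entered correctly.';
    }

    if (!$errors) {
        $body = "Visitor's IP: " . $_SERVER['REMOTE_ADDR'] . "\n"
              . "NAME: $name\nEMAIL: $email\nENQUIRY:\n$enquiry\n";
        // Headers are CRLF-separated; the visitor's address only goes in Reply-To.
        $headers = 'From: ' . SITE_FROM . "\r\n" . "Reply-To: $email\r\n";
        // No "@": look at the return value and tell the user when sending fails,
        // and log it for the site owner, instead of silently claiming success.
        if (mail(RECIPIENT, 'Test Site Contact Form', $body, $headers)) {
            $sent = true;
        } else {
            $errors[] = 'Sorry, your enquiry could not be sent. Please try again later.';
            error_log('contact form: mail() returned false');
        }
    }
}

// Escape everything echoed back so visitor input cannot inject HTML into the page.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
?>
<!DOCTYPE html>
<html><head><title>Contact</title></head><body>
<?php if ($sent): ?>
  <p>Thank you for your enquiry.</p>
<?php else: ?>
  <?php if ($errors): ?>
    <ul class="errors">
    <?php foreach ($errors as $e): ?><li><?php echo h($e); ?></li><?php endforeach; ?>
    </ul>
  <?php endif; ?>
  <form action="" method="post">
    Name:<br /><input type="text" name="name" size="39" maxlength="128" value="<?php echo h($name); ?>" /><br /><br />
    Email Address:<br /><input type="text" name="email" size="39" maxlength="128" value="<?php echo h($email); ?>" /><br /><br />
    Enquiry:<br /><textarea name="enquiry" cols="31" rows="6"><?php echo h($enquiry); ?></textarea><br /><br />
    Please enter the digits shown below:<br /><input type="text" name="security" size="3" maxlength="3" /><br /><br />
    <input type="submit" value="Send" />
  </form>
<?php endif; ?>
</body></html>
```

Because the form posts back to itself (empty action), the previously entered values are re-displayed alongside the errors and the visitor never needs a history.back() link. Note that mail() returning true only means the message was handed to the local mail system, not that it was delivered, so the error_log() line is what tells the site owner when the handoff itself is failing.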


Oh, I see, now I understand what he was getting at! My background is in SQL (on Sybase), and I haven't had much need for error trapping etc.

Many apologies for the stroppy reply 'justsomeguy'. I didn't understand what you were saying. I thought the '@' symbol was part of the standard variable declaration, as they were already in the script that I was trying to amend. My friend got the script from a piece of software called 'PHP form wizard', which said the script was 'ready' to be deployed on a website; the only additions that I cobbled onto it were the redirect back to the form page (javascript:history.back), as the original was just a link back to '/', which was no use to my friend as it redirected back to the index page and not the page the form was on.

Then, as I started reading more about code injections and spammers using webforms, I thought I'd check to make sure the script was OK. Obviously it isn't :-(

Thanks for the link to Zend_Mail guys, I'll check out how easy it is to set up (and maybe give myself a PHP course too). Many thanks for your help. I'll let you know how I get on with Zend.

Mark.

Archived

This topic is now archived and is closed to further replies.
