conmolbry wrote: The contact form is being delivered to email fine including any attachments, so that part is OK. However, the subject line in the email is never the subject entered into the contact form. It's always the one from this process_attachments.php line $mail->setSubject('Comments from feedback form');
This question relates to Lesson 9, not Lesson 8. Small matter, but it makes it easier for me to answer questions if you provide the correct information.
The contact form in the book doesn't have an input field for the email subject. That's why you're getting the hard-coded "Comments from the feedback form". The setSubject() method uses whatever value is passed to it.
If you want the user to be able to set the subject, you need to adapt the code accordingly. However, if the value comes from user input, it's vitally important to validate it. Otherwise, it could be used to inject spurious headers into the email.
Assuming that your subject field is called subject, you would need to add the following to your processing script:
$val = new Zend_Validate_Regex('/^[a-z0-9()\/\'":\*+|,.; \- !?&#$@]{2,75}$/i');
if (!$val->isValid($_POST['subject'])) {
    $errors['subject'] = 'Subject should be a maximum of 75 characters';
}
The regular expression looks a bit of a nightmare, but it gives the user great freedom while preventing injection attacks. It comes from the valuable page on email header injection at http://www.nyphp.org/PHundamentals/8_Preventing-Email-Header-Injection. The regex permits most symbols and punctuation, but excludes the percentage sign, which is often used in attacks. It also limits the length to 75 characters (including spaces), which accounts for the neutral error message. Add a conditional statement to the form to display the error message if the subject line fails validation.
The script creates the $mail object only if there are no errors, so it's safe to pass $_POST['subject'] as the argument to the setSubject() method like this:
$mail->setSubject($_POST['subject']);
If I don't add an attachment, the message on the page after sending is "Your attachments were successfully sent to us." The quandary is 2-fold. Why would I get a message at all like this if attachments aren't involved? And what is the purpose of this message from the lesson if the feedback on the page is the names of the files that were successfully attached and sent?
As far as I can tell, that message doesn't appear in my original script. If it does, please tell me the name of the script and which line it appears on.
Since the addition of the subject field is something you have added yourself, I suspect you have also made other adjustments to the script that result in this message being displayed.
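Added example (not part of the original reply or the book's code) for the subject validation discussed above: in PCRE, `$` without the `D` modifier also matches just before a single trailing newline, so the block compares the pattern as posted with a stricter variant over constructed inputs. The helper name `subject_is_valid()`, both constant names and all sample subjects are assumptions, and plain `preg_match()` stands in for `Zend_Validate_Regex` so that it runs without Zend Framework.

```php
<?php
// Added example, not from the book or the post. Sample inputs are constructed.

// Pattern exactly as posted above.
const SUBJECT_AS_POSTED = '/^[a-z0-9()\/\'":\*+|,.; \- !?&#$@]{2,75}$/i';
// Same character class and length limit, plus the PCRE "D" modifier so that
// $ matches only at the very end, not also before a trailing newline.
const SUBJECT_STRICT = '/^[a-z0-9()\/\'":\*+|,.; \- !?&#$@]{2,75}$/iD';

// Hypothetical helper: true only if $raw is usable as a Subject header value.
function subject_is_valid($raw)
{
    // subject[]=x in the request makes $_POST['subject'] an array.
    if (!is_string($raw)) {
        return false;
    }
    // Explicit CR/LF check, independent of the regex, as a second layer.
    if (strpbrk($raw, "\r\n") !== false) {
        return false;
    }
    return preg_match(SUBJECT_STRICT, $raw) === 1;
}

// Constructed test subjects covering the cases the reply mentions.
$samples = array(
    'plain subject'     => 'Question about Lesson 9',
    'percent sign'      => '50% off',
    'too long (76)'     => str_repeat('a', 76),
    'embedded CRLF'     => "Hello\r\nBcc: someone@example.com",
    'trailing newline'  => "Hello\n",
    'array, not string' => array('Hello'),
);

foreach ($samples as $label => $raw) {
    // Guard with is_string() because preg_match() expects a string subject.
    $posted = is_string($raw) && preg_match(SUBJECT_AS_POSTED, $raw) === 1;
    printf(
        "%-18s as posted: %-6s strict: %s\n",
        $label,
        $posted ? 'accept' : 'reject',
        subject_is_valid($raw) ? 'accept' : 'reject'
    );
}
```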