after designing a form in dw how do you get the form to send an email from submit button?

David

Thank you for your comments, however if you read the entire page you will see that I address security and have a seperate page addressing that issue.  The last paragraph reads

**

A couple of other points, there is no validation on the form you see  here, so it opens the door to spam and other attacks. A submitter is not  required to input an email address and can input anything they like  with the form as written. There is no security on this form or script,  if you were to add a database to this script, it would be very  vulnerable to malicious attacks. It is strongly suggested you research  form security, in particular if you are adding a database

The link to the page is: http://www.paulgdesigns.com/secure.php

I would welcome your comments on it as well.

Your second comment, it would appear my proofreading skills are to blame, I typlcally don't use that when using mail();.

Thanks David.

Gary

David_Powers wrote: I wonder how many people get as far as that last paragraph? I think it would be much better if you pointed out at the start that you're teaching the basic principles of using mail() and that the script is insecure without further measures.

Interesting point, my analytics seems to agree with you.  I'll make some changes to reflect your comments.

I haven't tested your email header injection script, but at a quick glance, I don't think it would work. You're testing for the literal characters \r an \n. There are other ways of inserting carriage returns and new lines. Even if it does work, it will reject any text area that contains extra lines that have been inserted as paragraphs.

I have tested this script in every way that I could concieve, it does not reject text submitted if the submitter adds a hard return.  If you do find a flaw in the script, I would want to hear about it.

Last, I would be happy to add to my page  http://foundationphp.com/blog/2010/12/31/preventing-email-header-injec tion/. as "More Reading"  with your permission of course.

Gary

garywpaul wrote: David_Powers wrote: I wonder how many people get as far as that last paragraph? I think it would be much better if you pointed out at the start that you're teaching the basic principles of using mail() and that the script is insecure without further measures. Interesting point, my analytics seems to agree with you.  I'll make some changes to reflect your comments. I haven't tested your email header injection script, but at a quick glance, I don't think it would work. You're testing for the literal characters \r an \n. There are other ways of inserting carriage returns and new lines. Even if it does work, it will reject any text area that contains extra lines that have been inserted as paragraphs. I have tested this script in every way that I could concieve, it does not reject text submitted if the submitter adds a hard return.  If you do find a flaw in the script, I would want to hear about it. Gary

Just wanted to chime in and say how relieved I am that you are finally taking security into consideration after my countless attempts to inform you of your continuous bad practice regarding the subject. To avoid the blind leading blind perhaps it's best for you to refrain from giving advice for subjects that you're not completely educated on yourself. Or at least a disclaimer stating that you don't really know what you're talking about. At least until you find the time to learn what it is you're trying to teach others about. Just a suggestion...

best,

Shocker

Short memory among your other unattractive attributes I see, you read the secure page back in 2010 and you had no critisism of its content back then.

Sorry, gary. I don't know what you're talking about when you say "I read the secure page in 2010". Feel free to elaborate if you wish but do not expect a response. It's not my interest to explain to you how to do something but I do feel obligated to tell others that what you're telling them is not completely safe. Please understand that I have in fact informed you of the vulnerabilities of your insecure script for as long as we have corresponded, even after the "security" amendment to your page, which is nothing more than a copy of someone else's work of which you unfortunately did not completely understand. No surprise there though given your frequent ignorance of the subject in the messages we have exchanged. I do remember saying something about a year ago to you mentioning your discreet, sweep under the rug mentality of the importance of having a secure script. Unfortunately you have maintained your ignorance and minimal effort on completely understanding (and effectively educating others on) the subject this entire time.

If someone is asking how to build a submarine and you provide a blueprint of how to build a paper boat with a screen door don't expect someone else to tell you how to build a submarine so you can then go and tell everyone afterwards how YOU would build a submarine. However, you should expect someone to tell the OP that was asking how to build a submarine that your paper boat suggestion will not hold water.

Did you read this?

You're testing for the literal characters \r an \n. There are other ways of inserting carriage returns and new lines.

Yep, that's basically what I told you over a year ago. I know that some have been using your email script to inject mail through the headers for sometime now. No one is sending you emails through your contact form anyway since the spry validation is broken, so injection of your server script is the only way to send emails from your contact page for users who have javascript enabled anyway. Perhaps you will now realize that your suggestions may be hurting others rather than helping them, opposite of what my posts regularly achieve. I look forward to your cognitive posts from now on with eagerness and openness to actually learn the methods that others are continuously trying to educate you on so that you will not continue to misinform others as you have been doing for as long as I can remember, which is longer than a year mind you. If you want to cross your arms across your chest and shrug and grunt that nothing is wrong with your script because you tested it that's fine, but when you start telling others to use it and that it's fine that's when the_shocker says whoa dude... it's not fine. Sorry to blow your ego. Swallow your pride and learn about script vulnerabilities instead of attempting to defend your position by on the forum by saying "you never said anything when you looked at my page a year ago" because dude... that's ignorant and, for the record, I did say something to you time and time again.

best,

Shocker