Hi there,
I have a form on my website and it's been working great. However, I've just noticed it doesn't like certain emails, which results in emails to me going missing. Most of the time it's fine and the form works, but if the email is spelt funny then I usually never receive the reply.
It would be greatly appreciated if someone could check my code to see if it looks OK and whether I need to add anything, thanks.
Here is the code I'm using:
.......................
<style type="text/css">
<!--
a:link {
color: #000000;
}
a:visited {
color: #000000;
}
-->
</style>
<?php
/* Subject and Email Variables */
$emailSubject = 'Bookings';
$webMaster = '. '; /* recipient address (left blank in the post) */
/* Gathering Data Variables: every value is taken straight from the submitted form, unvalidated */
$name = $_POST['name'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$location = $_POST['location'];
$guests = $_POST['guests'];
$date = $_POST['date'];
$month = $_POST['month'];
$year = $_POST['year'];
$event = $_POST['event'];
$message = $_POST['message'];
/* Message body as HTML; the form values are interpolated without escaping */
$body = <<<EOD
<br><hr><br>
Name: $name <br>
Email: $email <br>
Phone: $phone <br>
Location: $location <br>
Number of guests: $guests <br>
Date: $date <br>
Month: $month <br>
Year: $year <br>
Type of event: $event <br>
Message: $message <br>
EOD;
/* The visitor-supplied address goes straight into the From: header */
$headers = "From: $email\r\n";
$headers .= "Content-type: text/html\r\n";
$success = mail($webMaster, $emailSubject, $body, $headers);
/* Results rendered as html */
$theResults = <<<EOD
EOD;
echo "$theResults";
?>
Please do check the email to ensure that a valid email is entered. Add this code:
$error = array();
if (!empty($_POST['email'])) {
    $email = $_POST['email'];
    /* one local part, one @, and a domain containing no whitespace, quotes, commas or a second @ */
    $pattern = '/^[^@]+@[^\s\r\n\'";,@%]+$/';
    if (!preg_match($pattern, trim($email))) {
        $error[] = 'Please enter a valid email address';
    }
} else {
    $error[] = 'Email address is required';
}
Then, before inserting the record, put if (!$error) around it to check that no error occurred before the record is inserted.
Putting the email address unfiltered into the headers lays your form wide open to email header injection attacks.
Thanks for the replies.
I'm new when it comes to PHP, I got the script from a tutorial.
I'm not sure what you mean by headers. If you mean form validation then I already have it. I haven't put it in the PHP code since I'm using the validation from Dreamweaver.
If the email is longer than usual or of certain types, then the form reply never reaches my email.
Thimble_Guy wrote:
I'm not sure what you mean by headers
I mean this:
$headers = "From: $email\r\n";
Unless you check that the value of $email contains only one email address and NOTHING else, an attacker can insert anything into the email headers, and turn your form into a spam relay. The validation that you're using is totally ineffective against such attacks, because the Dreamweaver validation relies on JavaScript. Malicious attackers can circumvent it easily by turning off JavaScript when submitting content to your form.
Client-side validation using JavaScript is useful in preventing user errors before the form is submitted, but it must always be accompanied by server-side validation, using PHP or another server-side language.
If you are using PHP 5.2 or higher, you can check the email easily like this:
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    /* only build the headers and send when $email is a single valid address */
    $headers = "From: $email\r\n";
    $headers .= "Content-type: text/html\r\n";
    $success = mail($webMaster, $emailSubject, $body, $headers);
}
This makes sure that $email is a genuine email address, and contains nothing else. If it isn't a genuine email address, the message is never sent.
Thanks for the reply.
I thought it was something to do with $headers = "From: $email\r\n"; but I wasn't sure, thanks.
I used your code but I got this error after sending:
Parse error: syntax error, unexpected '{' in /homepages/12/d256910002/htdocs/finished.php on line 35
I'm not sure what PHP version I'm using, how can I check? I'm using Dreamweaver CS3.
Thanks again for your help, much appreciated
Without knowing what your code looks like up to line 35, there's no way I can tell you what the error means.
You can check the version of PHP by creating a script that contains the following line on its own (there should be nothing else in the file):
<?php phpinfo(); ?>
Load that page into a browser, and you will see a page full of your PHP configuration details. The PHP version number is right at the top.
Hi again,
Sorry I haven't replied back.
I'm using PHP Version 4.4.9. Is there another code that I can add to make my form more secure?
Any help is much appreciated, thanks.
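As an added example for the PHP 4.4.9 case raised above (not code from anyone in this thread, and not Dreamweaver's validation), here is a server-side check that needs no filter_var(): it rejects any address containing a carriage return, line feed, space or second address, and it keeps the visitor's address out of the From: header by putting it in Reply-To: instead. The function names, the sample inputs and the webmaster@example.com address are all made up for the example.

```php
<?php
/* Added example: header-injection-safe email handling without filter_var(). */

/* True only if $email is a single, plain address with no header-breaking characters. */
function isSafeEmail($email)
{
    $email = trim($email);
    if ($email == '' || strlen($email) > 254) {
        return false;
    }
    /* A CR or LF anywhere would start a new header line (e.g. an extra Bcc:). */
    if (preg_match('/[\r\n]/', $email)) {
        return false;
    }
    /* One local part, one @, one dotted domain; no spaces, commas or angle brackets. */
    return (bool) preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+$/', $email);
}

/* The site's own address goes in From:, the validated visitor address in Reply-To:,
   so replying still reaches the visitor but the sender stays under the site's control. */
function buildHeaders($webMaster, $replyTo)
{
    $headers  = "From: $webMaster\r\n";
    $headers .= "Reply-To: $replyTo\r\n";
    $headers .= "Content-type: text/html; charset=UTF-8\r\n";
    return $headers;
}

/* Constructed sample inputs: a plain address, a plus-addressed one (accepted),
   and an injection attempt that tries to smuggle in Bcc: recipients (rejected). */
$samples = array(
    'jane.doe@example.com',
    'booking+june@example.co.uk',
    "visitor@example.com\r\nBcc: other1@example.net, other2@example.net",
);
foreach ($samples as $sample) {
    $shown = str_replace(array("\r", "\n"), array('\r', '\n'), $sample);
    echo (isSafeEmail($sample) ? 'accepted: ' : 'rejected: ') . $shown . "\n";
}

/* How the form would use it: send only when the address passed the check. */
$email = $samples[0];
if (isSafeEmail($email)) {
    $headers = buildHeaders('webmaster@example.com', $email);
    /* mail('webmaster@example.com', 'Bookings', $body, $headers); */
}
?>
```

Addresses with characters this pattern does not allow (an apostrophe in the local part, for instance) are rejected too, so widen the character class deliberately if your visitors need them rather than loosening the CR/LF check.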