My pre-apologies for not being well-versed in php, but I am trying to put together a simple Comment box for users to "drop me a line". I know this might seem strange, but for this particular purpose I don't want to require a Name and Email Address form field. How do I remove it from the following simple php so that the feedback comes through to my email?
Must be an easy thing, right?
Thanks,
Dave
<?php
/*
This first bit sets the email address that you want the form to be submitted to.
You will need to change this value to a valid email address that you can access.
*/
$webmaster_email = "example@example.com";
/*
This bit sets the URLs of the supporting pages.
If you change the names of any of the pages, you will need to change the values here.
*/
$feedback_page = "feedback_form.html";
$error_page = "error_message.html";
$thankyou_page = "thank_you.html";
/*
This next bit loads the form field data into variables.
If you add a form field, you will need to add it here.
*/
$email_address = $_REQUEST['email_address'] ;
$comments = $_REQUEST['comments'] ;
$first_name = $_REQUEST['first_name'] ;
$msg =
"First Name: " . $first_name . "\r\n" .
"Email: " . $email_address . "\r\n" .
"Comments: " . $comments ;
/*
The following function checks for email injection.
Specifically, it checks for carriage returns - typically used by spammers to inject a CC list.
*/
function isInjected($str) {
    $injections = array('(\n+)',
        '(\r+)',
        '(\t+)',
        '(%0A+)',
        '(%0D+)',
        '(%08+)',
        '(%09+)'
    );
    $inject = join('|', $injections);
    $inject = "/$inject/i";
    if(preg_match($inject,$str)) {
        return true;
    }
    else {
        return false;
    }
}
// If the user tries to access this script directly, redirect them to the feedback form,
if (!isset($_REQUEST['email_address'])) {
    header( "Location: $feedback_page" );
}
// If the form fields are empty, redirect to the error page.
elseif (empty($first_name) || empty($email_address)) {
    header( "Location: $error_page" );
}
/*
If email injection is detected, redirect to the error page.
If you add a form field, you should add it here.
*/
elseif ( isInjected($email_address) || isInjected($first_name) || isInjected($comments) ) {
    header( "Location: $error_page" );
}
// If we passed all previous tests, send the email then redirect to the thank you page.
else {
    mail( "$webmaster_email", "Feedback Form Results", $msg );
    header( "Location: $thankyou_page" );
}
?>
All you need is the below:
<?php
$webmaster_email = "example@example.com";
$feedback_page = "feedback_form.html";
$error_page = "error_message.html";
$thankyou_page = "thank_you.html";
// Sanitize data from comments form field using filter_var
$comments = filter_var($_POST['comments'], FILTER_SANITIZE_STRING);
$msg = "Comments: " . $comments ;
if (empty($comments)){
    header( "Location: $error_page" );
}
else {
    mail( "$webmaster_email", "Feedback Form Results", $msg );
    header( "Location: $thankyou_page" );
}
?>
You know the old saying... read the instructions? That's what code comments are for.
// This next bit loads the form field data into variables. If you add a form field, you will need to add it here.
$email_address = $_REQUEST['email_address'] ;
$comments = $_REQUEST['comments'] ;
$first_name = $_REQUEST['first_name'] ;
$msg =
"First Name: " . $first_name . "\r\n" .
"Email: " . $email_address . "\r\n" .
"Comments: " . $comments ;
// If the form fields are empty, redirect to the error page. If you add a form field, you should add it here.
elseif (empty($comments) {
    header( "Location: $error_page" );
}
// If email injection is detected, redirect to the error page. If you add a form field, you should add it here.
elseif ( isInjected($comments) ) {
    header( "Location: $error_page" );
}
elseif (empty($comments) {
    header( "Location: $error_page" );
}
Your edited script is missing a bracket:
(empty($comments)) {
    header( "Location: $error_page" );
}
You don't really need all that heavy checking as there is no email field any longer, just a simple 'comments' field, which can be sanitized by using the inbuilt PHP filter_var function.
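A comments-only handler along the lines discussed above, as an added example that is not code from any poster in this thread. The comment goes only into the message body, where line breaks are legitimate, so the CR/LF rejection that isInjected() applies is kept for values that reach mail headers; it also avoids FILTER_SANITIZE_STRING, which is deprecated as of PHP 8.1. The names clean_comment(), header_safe() and handle_feedback() are assumptions, and the page names follow the original script.

```php
<?php
// Added example, not from the thread. clean_comment(), header_safe() and
// handle_feedback() are hypothetical names; page names follow the thread's script.

// Body text: normalise line endings, drop control characters other than
// newline and tab, cap the length. Needs the mbstring extension.
function clean_comment(string $raw, int $max = 5000): string {
    $text = str_replace(["\r\n", "\r"], "\n", $raw);
    // Invalid UTF-8 makes preg_replace() return null; treat that as empty.
    $text = preg_replace('/[^\P{Cc}\n\t]/u', '', $text) ?? '';
    return trim(mb_substr($text, 0, $max, 'UTF-8'));
}

// Header values (To, Subject, From, Reply-To) must never contain CR or LF.
// Apply this to any field you later decide to place in a header.
function header_safe(string $value): bool {
    return preg_match('/[\r\n]/', $value) === 0;
}

// Returns the page to redirect to; $send takes the same arguments as mail().
function handle_feedback(array $post, string $to, callable $send): string {
    if (!isset($post['comments']) || !is_string($post['comments'])) {
        return 'feedback_form.html';          // direct access, no form data
    }
    $comments = clean_comment($post['comments']);
    if ($comments === '' || !header_safe($to)) {
        return 'error_message.html';
    }
    // User input goes only into the body; every header is a fixed string.
    $headers = 'Content-Type: text/plain; charset=UTF-8';
    $ok = $send($to, 'Feedback Form Results', "Comments:\n" . $comments, $headers);
    return $ok ? 'thank_you.html' : 'error_message.html';
}

if (PHP_SAPI === 'cli') {
    // Constructed input: a two-line comment that tries to smuggle a Bcc header.
    $sent = [];
    $fake = function ($to, $subj, $body, $hdrs) use (&$sent) { $sent = func_get_args(); return true; };
    echo handle_feedback(['comments' => "Nice site!\r\nBcc: x@example.net\x00"], 'example@example.com', $fake), "\n";
    echo $sent[3], "\n---\n", $sent[2], "\n";   // headers unchanged; "Bcc:" is just body text
} else {
    header('Location: ' . handle_feedback($_POST, 'example@example.com', 'mail'));
    exit;
}
```

Run from the command line, it exercises the constructed input with a stand-in for mail(); served by the web server, it handles the real form post.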
Ha, I know. I read the instructions and tried a few ways to no avail. I really do want to get a better understanding of all this. I should probably start at the beginning, though.
Thanks, Nancy!
Dave
Part II of your question was about thwarting malicious bots.
I urge you to use Google's reCAPTCHA ver 3. You'll need a unique ID and secret key from Google Console. But the good news is it's free for up to 1 million assessments/month.
https://www.google.com/recaptcha/about/
Thanks so much! I will look into that, Nancy. As it turned out, my server (GoDaddy) was wrong in saying it had to be my php, that the reason my comment form wasn't working had to be my code. It wasn't. They had to add a note to my DNS comment so that Outlook didn't see my form submissions as spam. After that I found my old php page that I put together from your blog still worked perfectly well. So thanks for that, as well!
"They had to add a note to my DNS comment so that Outlook didn't see my form submissions as spam."
Yes, as previously mentioned in your other discussion, email authentication is essential now.
"Another factor could be bounced emails for lack of proper authentication -- Sender Policy Frameworks (SPF) or DomainKeys (DKIM) -- not to be confused with SMTP authentication which is completely different.
https://en.wikipedia.org/wiki/Email_authentication"
Glad you got it sorted.