Powers book Lesson 8: Couple form processing issues

conmolbry wrote: The contact form is being delivered to email fine including any attachments, so that part is OK. However, the subject line in the email is never the subject entered into the contact form. It's always the one from this process_attachments.php line        $mail->setSubject('Comments from feedback form');

This question relates to Lesson 9, not Lesson 8. Small matter, but it makes it easier for me to answer questions if you provide the correct information.

The contact form in the book doesn't have an input field for the email subject. That's why you're getting the hard-coded "Comments from the feedback form". The setSubject() method uses whatever value is passed to it.

If you want the user to be able to set the subject, you need to adapt the code accordingly. However, if the value comes from user input, it's vitally important to validate it. Otherwise, it could be used to inject spurious headers into the email.

Assuming that your subject field is called subject, you would need to add the following to your processing script:

$val = new Zend_Validate_Regex('/^[a-z0-9()\/\'":\*+|,.; \- !?&#$@]{2,75}$/i');
if (!$val->isValid($_POST['subject'])) {
  $errors['subject'] = 'Subject should be a maximum of 75 characters';
}

The regular expression looks a bit of a nightmare, but it gives the user great freedom while preventing injection attacks. It comes from the valuable page on email header injection at http://www.nyphp.org/PHundamentals/8_Preventing-Email-Header-Injection. The regex permits most symbols and punctuation, but excludes the percentage sign, which is often used in attacks. It also limits the length to 75 characters (including spaces), which accounts for the neutral error message. Add a conditional statement to the form to display the error message if the subject line fails validation.

The script creates the $mail object only if there are no errors, so it's safe to pass $_POST['subject'] as the argument to the setSubject() method like this:

$mail->setSubject($_POST['subject']);

if I don't add an attachment, the message on the page after sending is "Your attachments were successfully sent to us." The quandary is 2-fold. Why would I get a message at all like this if attachments aren't involved? And what is the purpose of this message from the lesson if the feedback on the page is the names of the files that were successfully attached and sent?

As far as I can tell, that message doesn't appear in my original script. If it does, please tell me the name of the script and which line it appears on.

Since the addition of the subject field is something you have added yourself, I suspect you have also made other adjustments to the script that result in this message being displayed.