sparrow
PHP contact form

I have been getting frustrated for the last 3 days as to why there is an undefined error like this

Undefined variable: err in \\nas39ent\domains\p\pcglow.co.uk\user\htdocs\contact.php on line 69

which displays before the contact form, see this

http://www.pcglow.co.uk/contact.php

I have checked all the variables in the PHP code, which all seem correct.

<?php
ini_set("sendmail_from", " support@pcglow.co.uk ");
if (isset($_POST['Submit'])) {
    $name = $_POST['name'];
    $email = $_POST['email'];
    $telephone = $_POST['telephone'];
    $enquiry = $_POST['enquiry'];
    if ($name == '' or $email == '' or $telephone == '' or $enquiry == '') {
        $err = true;
        $msg = 'Please complete your name, email address, telephone and enquiry to submit the form.';
    } else {
        $mailmsg = 'The following email has been sent from the contact form:' . "\n\n";
        $mailmsg .= 'Name: ' . $name . "\n";
        $mailmsg .= 'Email: ' . $email . "\n";
        $mailmsg .= 'Telephone: ' . $telephone . "\n";
        $mailmsg .= 'Enquiry: ' . $enquiry . "\n";
        if ($mailing == 'true') {
            $mailmsg .= 'I would like to be added to the mailing list';
        }
        if (eregi("\r", $email) || eregi("\n", $email)) {
            die("spam!");
        } else {
            if (mail('support@pcglow.co.uk', 'Contact Form', $mailmsg, "From: support@pcglow.co.uk")) {
                header("Location: thank-you.html");
            }
        }
    }
}
?>


and in HTML before the form id..

<?php
if($err == true) {
echo '<p class="error">'. $msg . '</p>';
}
?>


Any help is much appreciated.
Many thanks

[Sep 14, 2008 2:27:59 PM]

falkencreative
Re: PHP contact form

Here's one slightly different way to implement this...

In your if statement below:
if($name == '' or $email == '' or $telephone == '' or $enquiry == '') {
$err = true;
$msg = 'Please complete your name, email address, telephone and enquiry to submit the form.';}

try this:
if($name == '' or $email == '' or $telephone == '' or $enquiry == '') {
header("Location: contact.php?err");

This will set the $err variable to true.
Then, in your error block:
<?php
if($err == true) {
echo '<p class="error">'. $msg . '</p>';
}
?>

try this:
<?php
if (isset($_GET['err']) == true) {
echo '<p class="error">Please complete your name, email address, telephone and inquiry to submit the form.</p>';
}
?>

This will check the URL for the $err variable, and display the error if the URL includes it.
----------------------------------------
Benjamin Falk | student : designer : developer
Twitter: falkencreative
[Sep 14, 2008 7:01:01 PM]

sparrow
Re: PHP contact form

Thanks falkencreative, you are a cracker, it works. As you said, make sure that it is a basic Javascript validation, but does this code I use have a basic validation?

As tpattison mentioned in a previous post, I may need to put in a fake email address to stop the bots crawling it; how can I receive mail if I put in a fake email address?

Thanks
[Sep 15, 2008 3:02:02 AM]

sparrow
Re: PHP contact form

Contact form is working but request form is not working!!

See contact form
http://www.pcglow.co.uk/contact.php

When you enter all the details, it works fine, but when you enter all the details on the request form, it fails. See this

http://www.pcglow.co.uk/request-form.php

I think there is a coding problem somewhere, especially in the if else statement....

if($name == '' or $email == '' or $telephone == '' or $make == '' or $model == '' or $symtoms == '') {
header("Location: request-form.php?err");
} else {......


Any idea?
[Sep 16, 2008 5:34:51 PM]

falkencreative
Re: PHP contact form

I'm not seeing anything specific in that snippet... perhaps post the full processing code?
----------------------------------------
Benjamin Falk | student : designer : developer
Twitter: falkencreative
[Sep 16, 2008 5:50:46 PM]

billyboy
Re: PHP contact form

As was pointed out in the other thread you started on this, that code is VERY UNSECURE. Merely checking to see that fields are not empty or that the email field doesn't contain new line or carriage return characters is not even close to being enough validation. You're leaving yourself wide open to all sorts of exploits. Take some time to read up on form security: exploits, attacks, that sort of thing. In the meantime protect yourself by taking that offline and using a third party script with decent security.

Using the $GET variable and redirecting to a new page to check if a value is true seems like a ridiculously long way around to perform a simple step.
----------------------------------------
Quiquid latine dictum sit altum viditur
[Sep 17, 2008 3:10:48 AM]

falkencreative
Re: PHP contact form

"Using the $GET variable and redirecting to a new page to check if a value is true seems like a ridiculously long way around to perform a simple step."


Just for my personal knowledge, as I am not an expert in PHP in any way, what would be a better way to approach this then?
----------------------------------------
Benjamin Falk | student : designer : developer
Twitter: falkencreative
[Sep 17, 2008 11:46:24 AM]

sparrow
Re: PHP contact form

Hello, here is the snippet on the request form, which doesn't work when I enter all the fields and comes up with an error; see this

http://www.pcglow.co.uk/request-form.php

<?php
ini_set("sendmail_from", " support@pcglow.co.uk ");
if (isset($_POST['Submit'])) {
    $name = $_POST['name'];
    $email = $_POST['email'];
    $telephone = $_POST['telephone'];
    $make = $_POST['make'];
    $model = $_POST['model'];
    $symtoms = $_POST['symtoms'];
    if ($name == '' or $email == '' or $telephone == '' or $make == '' or $model == '' or $symtoms == '') {
        header("Location: request-form.php?err");
    } else {
        $mailmsg = 'The following email has been sent from the contact form:' . "\n\n";
        $mailmsg .= 'Name: ' . $name . "\n";
        $mailmsg .= 'Email: ' . $email . "\n";
        $mailmsg .= 'Telephone: ' . $telephone . "\n";
        $mailmsg .= 'Make: ' . $make . "\n";
        $mailmsg .= 'Model: ' . $model . "\n";
        $mailmsg .= 'Symtoms: ' . $symtoms . "\n";
        if ($mailing == 'true') {
            $mailmsg .= 'I would like to be added to the mailing list';
        }
        if (eregi("\r", $email) || eregi("\n", $email)) {
            die("spam!");
        } else {
            if (mail('support@pcglow.co.uk', 'Request Form', $mailmsg, "From: support@pcglow.co.uk")) {
                header("Location: thank-you.html");
            }
        }
    }
}
?>


and before the form id..

<?php
if (isset($_GET['err']) == true) {
    echo '<p class="error">Please complete your name, email, telephone and enquiry to submit the form.</p>';
}
?>


If I remove $make == '' or $model == '' in the if statement, it works OK; it looks like the if statement is too long?

Contact form works fine, see this
http://www.pcglow.co.uk/contact.php

Billyboy, I have seen some websites using a similar method; can you show an example of what the PHP code should be in order to make it secure?
[Sep 17, 2008 12:55:25 PM]

falkencreative
Re: PHP contact form

OK, I found your problem... your HTML form is using a textarea called "enquiry", while your PHP code refers to it as "symptoms". Fix that, and it should start working properly.

As far as the security issue, yes, this is definitely something you should be looking at. At the moment, all you are doing is checking if the inputs hold any value... I'd suggest doing some web searches for "sanitizing inputs php" just so you have a general idea of the issues involved.

As far as this:
"Using the $GET variable and redirecting to a new page to check if a value is true seems like a ridiculously long way around to perform a simple step."


There are different ways to do form validation, and the way I suggested is in no way the "best" or "right" way. Hopefully BillyBoy will offer some alternative ways of approaching this. I'm still getting into PHP myself, and while the method I suggested works, like BillyBoy said, it may be needlessly complicated.
----------------------------------------
Benjamin Falk | student : designer : developer
Twitter: falkencreative
[Sep 17, 2008 2:26:32 PM]

billyboy
Re: PHP contact form

If that is the only validation other sites are using then they're just as open to attacks as you are. Here's three form scripts that have decent security features, you'll see they all do far, far more than just check for empty fields or /n and /r in the email field.
http://www.tectite.com/
http://green-beast.com/gbcf-v3/
http://www.dbmasters.net/index.php?id=4

Ben, I am no expert myself but all that is needed is something like:
$err = ''; // start with no error, so the check below never reads an undefined variable
if (condition) {
    $err = 'blah blah blah';
} else if (another condition) {
    $err = 'blah blah blah';
} else {
    // do something if no conditions are matched
}
Then check to see if $err is an empty string
if ($err != '') {
    // do something on error
}

----------------------------------------
Quiquid latine dictum sit altum viditur
[Sep 17, 2008 3:15:17 PM]
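
Added example, not part of any post in this thread and not taken from the linked scripts: one way to apply the $err-string pattern from the post above to the contact form while validating each field instead of only checking that it is non-empty. The recipient address, the length limits and the telephone pattern are assumptions, and PHP 7 or later is assumed.

```php
<?php
// Added example: contact form handler built on the $err-string pattern above.
// RECIPIENT is a placeholder; limits and the phone pattern are assumptions.
const RECIPIENT = 'support@example.com';

$err = '';   // always defined, so the template check below never warns
$limits = ['name' => 100, 'email' => 254, 'telephone' => 30, 'enquiry' => 5000];
$in = [];

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    foreach ($limits as $key => $maxLen) {
        $value = $_POST[$key] ?? '';
        // Array input (name[]=x) is treated as empty; strings are trimmed.
        $in[$key] = is_string($value) ? trim($value) : '';
        if ($in[$key] === '') {
            $err = 'Please complete your name, email address, telephone and enquiry.';
        } elseif (strlen($in[$key]) > $maxLen) {
            $err = 'One of the fields is too long.';
        }
    }
    // Single-line fields must not carry CR/LF or other control characters.
    foreach (['name', 'email', 'telephone'] as $key) {
        if ($err === '' && preg_match('/[\x00-\x1F\x7F]/', $in[$key])) {
            $err = 'Invalid characters in the ' . $key . ' field.';
        }
    }
    if ($err === '' && filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $err = 'Please enter a valid email address.';
    }
    if ($err === '' && !preg_match('/^[0-9 +()\-]{6,30}$/', $in['telephone'])) {
        $err = 'Please enter a valid telephone number.';
    }
    if ($err === '') {
        $body = "Name: {$in['name']}\nEmail: {$in['email']}\n"
              . "Telephone: {$in['telephone']}\nEnquiry:\n{$in['enquiry']}\n";
        // Headers are fixed strings; user input only ever goes into the body.
        if (mail(RECIPIENT, 'Contact Form', $body, 'From: ' . RECIPIENT)) {
            header('Location: thank-you.html');
            exit;   // stop the script once the redirect has been sent
        }
        $err = 'Sorry, the message could not be sent.';
    }
}
?>
<?php if ($err !== ''): ?>
<p class="error"><?php echo htmlspecialchars($err, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
```

Because the error is rendered in the same request that detected it, no redirect to ?err is needed.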