Making template contact form work with PHP


#1

I have a template form that has a contact form in it. I need to find out how to generate the PHP to add to the html form, so that the SUBMIT button sends me the contact information. I am hosted on DH.

Here are the text fields:
Name
Email
Message

The html code I have is:

Submit reset

I am sorry to be so dumb, but could use some help. I can see that DH supports PHP 5.2 in the Web panel, but beyond that I am not sure what to do? ANY HELP APPRECIATED


#2

I’ve generated the contact.php script, followed a tutorial carefully, and host company appears to support PHP 5.x

I don’t seem to be getting any email though. Do I need to put this script in a special directory or something on the server? I just named it contact.php and uploaded to main directory…

HELP PLEASE if possible…



#3

This is what works for my website.

Here is the php:

<?php /* Subject and Email Variables*/ $emailSubject = 'Contact Form Submission'; $webMaster = 'email@website.com'; /* Gathering Data Variables */ $nameField = $_POST['name']; $emailField = $_POST['email']; $phoneField = $_POST['phone']; $commentsField = $_POST['comments']; $body = <<<EOD


Name: $nameField
Email: $emailField
Phone Number: $phoneField
Comments: $commentsField
EOD; $headers = "From: $emailField\r\n"; $headers .= "Content-type: text/html\r\n"; $success = mail($webMaster, $emailSubject, $body, $headers); /* Results rendered as HTML */ $theResults = <<<EOD **RESULT PAGE** EOD; echo "$theResults"; ?>

Here is the HTML code:

Untitled Document
  <td width="15" rowspan="5" scope="col">&nbsp;</td>
</tr>
<tr>
  <td width="144" height="53" scope="col"><strong><span class="style4"><span class="style5">Full Name:</span> &nbsp;</span></strong></td>
  <td width="267" height="269" rowspan="4" scope="col"><form id="form" name="form" method="post" action="contactformprocess.php">
    <p>
  	  <input name="name" type="text" id="name" value="" size="35" />

    </p>

  	<p>
      <input name="email" type="text" id="email" size="35" maxlength="55" />
    </p>
    <p>
      <input name="phone" type="text" id="phone" />
    </p>
    <p>

      <textarea name="comments" cols="30" rows="7" wrap="virtual" id="comments"></textarea>

    </p>
	<input name="Submit" type="submit" tabindex="1" onclick="MM_validateForm('email','','RisEmail','phone','','NisNum','comments','','R');return document.MM_returnValue" value="Submit" />
  </form>
  </td>
</tr>
<tr>
  <td height="21" scope="col"><strong><span class="style6">Email:  &nbsp;</span></strong></td>

</tr>

<tr>
  <td height="51" scope="col"><strong><span class="style6">Phone #: &nbsp;</span></strong></td>
</tr>
<tr>
  <td scope="col"><span class="style6"><strong>Comments: </strong></span><strong><span class="style4">&nbsp;</span></strong></td>
</tr>
<td height="35" align="right">&nbsp;</td>
<td height="35" align="left">&nbsp;</td>
Contact Us
 

There is a linking to the php file in the above html. You would name the php document whatever then link that in the above html. This is the bare bones of the code, so you end up with a blank page. There is also a validation in the javascript found in the html to make sure that for instance numbers in a phone number box, the email slot has at least a @, etc.


#4

$nameField = $_POST['name']; $emailField = $_POST['email']; $phoneField = $_POST['phone']; $commentsField = $_POST['comments']; .... $headers = "From: $emailField\r\n"; $headers .= "Content-type: text/html\r\n"; $success = mail($webMaster, $emailSubject, $body, $headers);

This code is vulnerable to a header injection exploit. All one has to do is include “\r\nBcc: victims\r\n\r\nSPAM” in the ‘email’ value to send spam from your DreamHost account. You should either avoid placing user input in the message headers or thoroughly check the values.


#5

Also, equally importantly, forging the “From” field to represent an email address that didn’t actually send the message will, in many cases, cause your messages to be marked as spam and/or not delivered at all. Don’t do that.


#6

Thank you for pointing this out. I was just posting code because it was looking for one. If you have a fix for this php code, please post it, I only posted what I had found and don’t have master knowledge of php, in order, to correct, my previous post.

How would you prevent this then? Please help supply an example for fixing this so we can form a template for the writer of this question.


#7

Pick a static address on your own domain to send the mail from (e.g, "noreply@yourdomain.com") and always use that as the From header.

In fact, unless you’re absolutely sure it’s safe to do otherwise, don’t let the user input anything that ends up in email headers at all. Save that for the body.