PHP 4 works but not 5

#1

I have a simple input form and handler. It works fine in PHP 4 but on the newer sites the exact same form and handler has no input data. Can you suggest how I might tweak this to work with PHP 5? It took me several hours to figure out the problem. I’d appreciate help with the answer. Thanks.

Here is the handler:

<?php
$to .= "me@mydomain.com";
$subject = "Whatever";
$message = "Contact Info: \n Name: $name \n Email: $email \n Phone: $phone \n Title: $title \n Organization: $organization \n Street: $street \n City: $city \n State: $state \n Zip: $zip \n Comments: $comments \n";
mail ($to, $subject, $message);
?>

#2

Don’t use that code in production. It is very insecure and makes you vulnerable to sending spam from your DreamHost account, even if you do figure out that you need to use the superglobals.

Atropos | openvein.org


#3

My guess is it has to do with the $to string. Whenever you need to use a period like for a web address you should use single quotes.
Other than that it’s hard to tell without seeing your forms page. Well kind of. I did not see anything that gets your results from the form. It should be $_GET or $_POST depending on what you set in the form. I recommend post over get for a form though, keeps the data off the url.
Silk

My website


#4

actually that’s not making a difference here. the difference between 'string1' and "string2" is that php will handle things like \n specially in string2 but not in string1. also string1 can contain double quotes without escaping them with a backslash and string2 can do the same with single quotes.

the reason cpwr49’s script works in php4 is that register_globals is on there (which i hear is a security risk, even though i don’t understand why). so everything like $name and $email are empty. as silkrooster started to explain, $name should probably be $_POST['name'] instead, assuming your form uses method="post" like an e-mail form should. if you’re not expecting $to to come from the form, just use = instead of .= since you don’t need to append onto an already empty string.

as Atropos7 mentioned, this script is very insecure as someone can pass in data with line breaks in the subject field and add more e-mail addresses in the to/cc/bcc fields of the e-mail that gets sent. my understanding is you can prevent that by stripping line breaks from the subject field or just aborting the script if there are line breaks in the subject field.

get and post actually have meaning besides that one sends the data as part of the url and the other sends it a way that doesn’t show up in the url. get means you’re asking the web server to get certain information for you, while post means you are giving information to the webserver. so get is appropriate for a search form (asking the webserver to get information that matches your search criteria), while post is appropriate for an e-mail form (giving the webserver your message, which you then expect it to do something with).

track7 - my dream-hosted site
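
The fixes discussed in this thread, combined in one handler as an added example that is not code from any of the posters: fields are read from $_POST, $to is assigned rather than appended, and any single-line field containing a line break aborts the request. The function name build_contact_mail() and the Reply-To header are assumptions made for illustration, and the syntax assumes PHP 7.2 or later.

```php
<?php
// Added example, not the original poster's code. Field names come from the
// handler in post #1; build_contact_mail() and the Reply-To header are
// assumptions made for illustration.

// Fields the original handler interpolated into the message body.
const FIELDS = ['name', 'email', 'phone', 'title', 'organization',
                'street', 'city', 'state', 'zip', 'comments'];

// Returns [to, subject, message, headers], or null if the request is rejected.
function build_contact_mail(array $post): ?array
{
    $in = [];
    foreach (FIELDS as $f) {
        // Read from the request explicitly; never rely on register_globals.
        $v = $post[$f] ?? '';
        if (!is_string($v)) {
            return null;                       // e.g. name[]=x sends an array
        }
        // Only the free-text field may span lines; a CR or LF anywhere else
        // is the header-injection pattern described in post #4, so abort.
        if ($f !== 'comments' && preg_match('/[\r\n]/', $v)) {
            return null;
        }
        $in[$f] = trim($v);
    }
    $to = 'me@mydomain.com';                   // plain assignment, not .=
    $subject = 'Whatever';                     // constant, never from the form
    $message = "Contact Info:\n";
    foreach (FIELDS as $f) {
        $message .= ' ' . ucfirst($f) . ': ' . $in[$f] . "\n";
    }
    $headers = [];
    // Assumption: offer Reply-To only when the address validates.
    if (filter_var($in['email'], FILTER_VALIDATE_EMAIL)) {
        $headers['Reply-To'] = $in['email'];
    }
    return [$to, $subject, $message, $headers];
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $mail = build_contact_mail($_POST);
    if ($mail === null) {
        http_response_code(400);
        exit('Invalid input');
    }
    mail(...$mail);
}
```

With register_globals off, a request parameter named to can no longer seed $to, and the line-break check covers every value that could later be placed in a mail header.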