10-08-2008, 12:28 PM
#7
The Prestige
Join Date: Oct 2007
Location: Manchester, UK
Posts: 854
Thanks: 32
I think this is what the code should be like (minus the html):
PHP Code:
<?php
include 'emailtemplate.php';

if (isset($_POST['submit'])) {
    if (!$_POST['txt_name']) {
        die('You must enter your name, the field is required <br> <a href="javascript:history.back(-1)">go back</a>');
    } elseif (!$_POST['txt_address']) {
        die('You must enter your address, the field is required<br> <a href="javascript:history.back(-1)">go back</a>');
    }

    $name  = addslashes($_POST['txt_name']);
    $email = addslashes($_POST['txt_email']);

    if (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/', $email)) {
        die('you did not enter a valid email address, please check your spelling and try again<br><a href="javascript:history.back(-1)">go back</a>');
    }

    $txt_msg         = addslashes($_POST['txt_msg']);
    $txt_address     = addslashes($_POST['txt_address']);
    $chk_purchase    = $_POST['chk_purchase'];
    $chk_fixpurchase = $_POST['chk_fixrepair'];

    $drop_mod1 = $_POST['drop_mod1'];
    $drop_mod2 = $_POST['drop_mod2'];
    $drop_mod3 = $_POST['drop_mod3'];
    $drop_mod4 = $_POST['drop_mod4'];
    $drop_mod5 = $_POST['drop_mod5'];

    $drop_payment  = $_POST['drop_payment'];
    $drop_delivery = $_POST['drop_delivery'];
    $drop_choice   = $_POST['drop_choice'];

    if ($_POST['drop_payment'] == "d1") {
        $paypal_name  = $_POST['paypal_name'];
        $paypal_email = $_POST['paypal_email'];
        $paypal_msg   = "Paypal Account Information: <br> Name: $paypal_name <br> Email: $paypal_email<br>";
    }

    // To send HTML mail, the Content-type must be set
    $headers  = 'MIME-Version: 1.0' . "\r\n";
    $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

    // Additional headers
    $headers .= 'To: Tinkas <formreciever@live.com>' . "\r\n";
    $headers .= 'From: formreciever@live.com <formreciever@live.com>' . "\r\n";

    $subject = 'An order has been placed!';

    // Note: $to and $message are not defined in this snippet; they must come
    // from emailtemplate.php or from the HTML part left out above.
    $sentmail = mail($to, $subject, $message, $headers);
}
?>
That will now run; however, the script doesn't seem to do anything apart from send an email saying 'an order was placed'.
If you are going to use POST variables inside an email, you will have to be careful of mail injection: much like SQL injection, extra code can be injected into the script. This is usually a favourite exploit of spammers, who can use your form to spam. Usually the way to combat this is to check for any new lines and carriage returns from user input (\n\r).
PHP Code:
<?php
// Reject the value if a carriage return or line feed appears anywhere in it
// (anchoring the pattern with "$" would only catch one at the very end).
if (preg_match('/[\r\n]/', $input)) {
    die('Dont try and inject stuff into the email, it really is rather exasperating.');
}
?>
Should work (I'm not the best at regex, so there are probably ways around it).
__________________
mysql> SELECT * FROM `users` WHERE `users`.`clue` > 0;
Empty set (0.00 sec)
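A hardened way to handle the header-bound fields of this form, added here as an example rather than taken from the post above: every value that will end up in a mail header is refused if it contains CR or LF anywhere, and the address is checked with PHP's built-in validator. The function names and the sample inputs are assumed/constructed, not from the original.

```php
<?php
// Added example, not the poster's code. Every value destined for a mail
// header is rejected outright if it contains CR or LF anywhere, so no extra
// header line can be smuggled into mail(). Function names are assumed.

// True if the value carries a carriage return or line feed anywhere
// (a "$"-anchored pattern only sees one at the very end).
function contains_crlf(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns the trimmed value, or null if it is empty or contains CR/LF.
function header_value(string $value): ?string
{
    if (contains_crlf($value)) {
        return null;
    }
    $value = trim($value);
    return $value === '' ? null : $value;
}

// Address check using PHP's own validator instead of a hand-written regex.
function valid_email(string $value): ?string
{
    $value = header_value($value);
    if ($value === null || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

// Constructed sample inputs standing in for $_POST['txt_email'].
$samples = [
    'alice@example.com',                          // accepted
    "alice@example.com\r\nCc: other@example.com", // rejected: embedded CRLF
    "bob@example.com\n",                          // rejected: stray LF
];
foreach ($samples as $s) {
    $shown = str_replace(["\r", "\n"], ['\r', '\n'], $s);
    echo $shown, ' => ', valid_email($s) === null ? 'rejected' : 'accepted', "\n";
}
// Headers are built only from validated values; the recipient and From are
// fixed server-side, never taken from the form.
$replyTo = valid_email($samples[0]);
$headers = "MIME-Version: 1.0\r\n"
         . "Content-type: text/html; charset=iso-8859-1\r\n"
         . "From: formreciever@live.com\r\n"
         . "Reply-To: $replyTo\r\n";
```

Because `$_POST` values are already URL-decoded by PHP, checking for raw CR/LF here is enough; the recipient passed to `mail()` should stay a fixed server-side address rather than anything from the form.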