ok, this is my first attempt at php and this all seemed simple enough
when I started. Well everything's working except one thing.

This page is being passed emailaddress in a query string:
http://www.chaparralmedia.net/brochureRequests/contact.htm?e mailaddress=r_coan%40hotmail.com

How do I get that from contact.htm to a varible in my contact.php
page? I'm trying to make the php script send an email with the form
data to the email address (emailaddress) but I can't seem to get it to
work.

I'm lost... and frustrated.... I spent all day yesterday working on
this. An hour getting the form and my varibles ready, then the rest
of the day trying different things to get this to work. Any help will
be greatly appreciated as I was supposed to have this live
yesterday :~(

Here's my php.

?php


// get posted data into local variables
$EmailFrom = "rcoan [at] chaparralboats.com";
$EmailTo = $_GET['emailaddress'];
$Subject = "Chaparral Boats Lead";
$Name = Trim(stripslashes($_POST['Name']));
$Address1 = Trim(stripslashes($_POST['Address1']));
$City = Trim(stripslashes($_POST['City']));
$State = Trim(stripslashes($_POST['State']));
$Zip = Trim(stripslashes($_POST['Zip']));
$Phone = Trim(stripslashes($_POST['Phone']));
$Email = Trim(stripslashes($_POST['Email']));
$ssi = Trim(stripslashes($_POST['ssi']));
$ssx = Trim(stripslashes($_POST['ssx']));
$sig = Trim(stripslashes($_POST['sig']));
$sun = Trim(stripslashes($_POST['sun']));
$dvd = Trim(stripslashes($_POST['dvd']));


// validation
$validationOK=true;
if (Trim($Name)=="") $validationOK=false;
if (Trim($Address1)=="") $validationOK=false;
if (Trim($City)=="") $validationOK=false;
if (Trim($State)=="") $validationOK=false;
if (Trim($Zip)=="") $validationOK=false;
if (Trim($Phone)=="") $validationOK=false;
if (Trim($Email)=="") $validationOK=false;
if (!$validationOK) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
exit;
}

// prepare email body text
$Body = "";
$Body .= "The following person has requested more information on
Chaparral Boats. Please send Brochures and/or DVD's in a timely
manner. If you should require extra materials please contact
Chaparral.";
$Body .= "\n";
$Body .= "Name: ";
$Body .= $Name;
$Body .= "\n";
$Body .= "Address: ";
$Body .= $Address1;
$Body .= "\n";
$Body .= "City: ";
$Body .= $City;
$Body .= "\n";
$Body .= "State/Providence/Territory: ";
$Body .= $State;
$Body .= "\n";
$Body .= "Zip Code: ";
$Body .= $Zip;
$Body .= "\n";
$Body .= "Phone: ";
$Body .= $Phone;
$Body .= "\n";
$Body .= "EmailAddress: ";
$Body .= $EmailAddress;
$Body .= "\n";
$Body .= "SSiBrochure? ";
$Body .= $ssi;
$Body .= $ssx;
$Body .= $sun;
$Body .= "\n";
$Body .= "SignatureBrochure? ";
$Body .= $sig;
$Body .= "\n";
$Body .= "DVD? ";
$Body .= $dvd;
$Body .= "\n";



// send email
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// redirect to success page
if ($success){
print "<meta http-equiv=\"refresh\" content=\"0;URL=ok.htm\">";
}
else{
print "<meta http-equiv=\"refresh\" content=\"0;URL=er.htm\">";
}
?>

============================================================ ==============
Here's my html:
============================================================ ==============

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://
www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<style type="text/css">
<!--
..style4 {
color: #CC0000;
font-weight: normal;
}
..style6 {
color: #003366;
font-size: large;
}
..style7 {color: #CC0000}
-->
</style>

</head>
<body>


<form method="POST" action="contact.php">
<div align="left">
<p><img src="images/Chap_Logo_Chrome_Wet.jpg" alt="Chaparral Boats
Request Information | Brochures | DVD's " width="360" height="139" /></
p>
<p class="style6"> Information Request Form</p>
<p class="style7">Fields marked (*) are required </p>
</div>

<input name="emailaddress" id="emailaddress" value="<%=emailaddress
%>">

<p align="left">Name:*
<input type="text" name="Name">
<p align="left">Address:*
<textarea name="Address1"></textarea>
<p align="left">City:*
<input type="text" name= "City">
<p align="left">State or Province:*
<input type="text" name="State">
<p align="left">Zip Code:*
<input type="text" name="Zip">
<p align="left">Phone:*
<input type="text" name="Phone">
<p align="left">Email Address:*
<input type="text" name="Email">
<p align="left">==============================================
<p align="left"><b>Brochure Request</b>




<input type="checkbox" name="ssi">SSi Sportboats

<input type="checkbox" name="ssx">SSX Sportdecks

<input type="checkbox" name="sig">Signature Cruisers

<input type="checkbox" name="sun">Sunesta Deckboats

<p align="left">==============================================
<p align="left"><b>DVD Request</b>


<input type="radio" name="dvd" value="SendDVD" />
Yes

<input type="radio" name="dvd" value="NoDVD" checked/>
No
<p align="left">

<input type="checkbox" name="emailUpdates" vlaue="checked" checked/>
I would like to receive email discounts and pre-release product
information from Chaparral Boats.


<p align="left"><span class="style4">All information submitted is held
confidential and not distributed to third parties.

</span>


<input type="submit" name="submit" value="Submit">
</form>

</body>
</html>

============================================================ ==================
============================================================ ==================

What can I do to make this happen? I'm at my wits end.... I've
mulled over this simple code for waaayyyy too many hours and I'm in
the same place this morning as I was yesterday morning at this time.

rcoan [at] chaparralboats.com wrote:
> ok, this is my first attempt at php and this all seemed simple enough
> when I started. Well everything's working except one thing.
>
> This page is being passed emailaddress in a query string:
> http://www.chaparralmedia.net/brochureRequests/contact.htm?e mailaddress=r_coan%40hotmail.com
>
> How do I get that from contact.htm to a varible in my contact.php
> page?

Quick look at the contact.htm source, the form seems ok.

In your contact.php you need to "fetch" the values sent, as since of PHP 4.1
the global values are by default turned off (older PHP examples assumes it's on).

$emailaddress=$_POST['emailaddress'];

Now the value sent with the form is stored in the variable $emailaddress.

If you try to access the page with

http://www.chaparralmedia.net/brochureRequests/contact.php?e mailaddress=r_coan%40hotmail.com

the $emailaddress will be empty, as the method is now get and not post as
default for a form.

$emailaddress=$_GET['emailaddress'];

this would store the value in $emailaddress, if you use the get-method, but
that won't normally work on forms (you can change the method if you want,
check w3c for options).

If you want to be able to use both results via the get and post method, then
use $_REQUEST:

$emailaddress=$_REQUEST['emailaddress'];

If you are unsure how the data is sent, use $_REQUEST.


> I'm trying to make the php script send an email with the form
> data to the email address (emailaddress) but I can't seem to get it to
> work.

There are risks of using data from a form, specially if the user can select to
whom to send the e-mail.

mail("mail [at] to.address.example.net","The Subject","The message you want to send
to the person with mail [at] to.address.example.net address.");

See this page for further information, do read all the user comments before
you use mail(): http://www.php.net/manual/en/function.mail.php

--

//Aho

On 28 Feb, 14:53, "r... [at] chaparralboats.com" <r... [at] chaparralboats.com>
wrote:
> ok, this is my first attempt at php and this all seemed simple enough
> when I started. Well everything's working except one thing.
>
> This page is being passed emailaddress in a query string:http://www.chaparralmedia.net/brochureRequests/contac t.htm?emailaddre...
>
> How do I get that from contact.htm to a varible in my contact.php
> page? I'm trying to make the php script send an email with the form
> data to the email address (emailaddress) but I can't seem to get it to
> work.
>
> I'm lost... and frustrated.... I spent all day yesterday working on
> this. An hour getting the form and my varibles ready, then the rest
> of the day trying different things to get this to work. Any help will
> be greatly appreciated as I was supposed to have this live
> yesterday :~(
>
> Here's my php.
>
> ?php
>
> // get posted data into local variables
> $EmailFrom = "r... [at] chaparralboats.com";
> $EmailTo = $_GET['emailaddress'];
> $Subject = "Chaparral Boats Lead";
> $Name = Trim(stripslashes($_POST['Name']));
> $Address1 = Trim(stripslashes($_POST['Address1']));
> $City = Trim(stripslashes($_POST['City']));
> $State = Trim(stripslashes($_POST['State']));
> $Zip = Trim(stripslashes($_POST['Zip']));
> $Phone = Trim(stripslashes($_POST['Phone']));
> $Email = Trim(stripslashes($_POST['Email']));
> $ssi = Trim(stripslashes($_POST['ssi']));
> $ssx = Trim(stripslashes($_POST['ssx']));
> $sig = Trim(stripslashes($_POST['sig']));
> $sun = Trim(stripslashes($_POST['sun']));
> $dvd = Trim(stripslashes($_POST['dvd']));
>
> // validation
> $validationOK=true;
> if (Trim($Name)=="") $validationOK=false;
> if (Trim($Address1)=="") $validationOK=false;
> if (Trim($City)=="") $validationOK=false;
> if (Trim($State)=="") $validationOK=false;
> if (Trim($Zip)=="") $validationOK=false;
> if (Trim($Phone)=="") $validationOK=false;
> if (Trim($Email)=="") $validationOK=false;
> if (!$validationOK) {
> print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
> exit;
>
> }
>
> // prepare email body text
> $Body = "";
> $Body .= "The following person has requested more information on
> Chaparral Boats. Please send Brochures and/or DVD's in a timely
> manner. If you should require extra materials please contact
> Chaparral.";
> $Body .= "\n";
> $Body .= "Name: ";
> $Body .= $Name;
> $Body .= "\n";
> $Body .= "Address: ";
> $Body .= $Address1;
> $Body .= "\n";
> $Body .= "City: ";
> $Body .= $City;
> $Body .= "\n";
> $Body .= "State/Providence/Territory: ";
> $Body .= $State;
> $Body .= "\n";
> $Body .= "Zip Code: ";
> $Body .= $Zip;
> $Body .= "\n";
> $Body .= "Phone: ";
> $Body .= $Phone;
> $Body .= "\n";
> $Body .= "EmailAddress: ";
> $Body .= $EmailAddress;
> $Body .= "\n";
> $Body .= "SSiBrochure? ";
> $Body .= $ssi;
> $Body .= $ssx;
> $Body .= $sun;
> $Body .= "\n";
> $Body .= "SignatureBrochure? ";
> $Body .= $sig;
> $Body .= "\n";
> $Body .= "DVD? ";
> $Body .= $dvd;
> $Body .= "\n";
>
> // send email
> $success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");
>
> // redirect to success page
> if ($success){
> print "<meta http-equiv=\"refresh\" content=\"0;URL=ok.htm\">";}
>
> else{
> print "<meta http-equiv=\"refresh\" content=\"0;URL=er.htm\">";}
>
> ?>
>
> ============================================================ ==============
> Here's my html:
> ============================================================ ==============
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html xmlns="http://www.w3.org/1999/xhtml">
> <head>
>
> <style type="text/css">
> <!--
> .style4 {
> color: #CC0000;
> font-weight: normal;}
>
> .style6 {
> color: #003366;
> font-size: large;}
>
> .style7 {color: #CC0000}
> -->
> </style>
>
> </head>
> <body>
>
> <form method="POST" action="contact.php">
> <div align="left">
> <p><img src="images/Chap_Logo_Chrome_Wet.jpg" alt="Chaparral Boats
> Request Information | Brochures | DVD's " width="360" height="139" /></
> p>
> <p class="style6"> Information Request Form</p>
> <p class="style7">Fields marked (*) are required </p>
> </div>
>
> <input name="emailaddress" id="emailaddress" value="<%=emailaddress
> %>">
>
> <p align="left">Name:*
> <input type="text" name="Name">
> <p align="left">Address:*
> <textarea name="Address1"></textarea>
> <p align="left">City:*
> <input type="text" name= "City">
> <p align="left">State or Province:*
> <input type="text" name="State">
> <p align="left">Zip Code:*
> <input type="text" name="Zip">
> <p align="left">Phone:*
> <input type="text" name="Phone">
> <p align="left">Email Address:*
> <input type="text" name="Email">
> <p align="left">==============================================
> <p align="left"><b>Brochure Request</b>

>

>
> <input type="checkbox" name="ssi">SSi Sportboats

> <input type="checkbox" name="ssx">SSX Sportdecks

> <input type="checkbox" name="sig">Signature Cruisers

> <input type="checkbox" name="sun">Sunesta Deckboats

> <p align="left">==============================================
> <p align="left"><b>DVD Request</b>

>
> <input type="radio" name="dvd" value="SendDVD" />
> Yes

> <input type="radio" name="dvd" value="NoDVD" checked/>
> No
> <p align="left">
>
> <input type="checkbox" name="emailUpdates" vlaue="checked" checked/>
> I would like to receive email discounts and pre-release product
> information from Chaparral Boats.


> <p align="left"><span class="style4">All information submitted is held
> confidential and not distributed to third parties.

> </span>

>
> <input type="submit" name="submit" value="Submit">
> </form>
>
> </body>
> </html>
>
> ============================================================ ==================
> ============================================================ ==================
>
> What can I do to make this happen? I'm at my wits end.... I've
> mulled over this simple code for waaayyyy too many hours and I'm in
> the same place this morning as I was yesterday morning at this time.

If you're new to PH, get and use phpmailer, lovely easy class, does
authenticated smtp too, wtih attachments if needed. Has examples.
The biggest problem is that you can code this kind of thing
insecurely, which I am afriad you are doing. You form as it stands can
be used to spam anyone. Don't worry this kind of thing is a common
mistake, but if you don't look into the matter a bit more, and get
something that works and is secure, rather than reinventing the wheel
- probably from an old book you got second hand, you will annoy a lot
of people and perhaps get your server blacklisted.

Message-ID: <1172674402.500099.64940 [at] s48g2000cws.googlegroups.com> from
rcoan [at] chaparralboats.com contained the following:

>This page is being passed emailaddress in a query string:
>http://www.chaparralmedia.net/brochureRequests/contact.htm? emailaddress=r_coan%40hotmail.com
>
>How do I get that from contact.htm to a varible in my contact.php
>page? I'm trying to make the php script send an email with the form
>data to the email address (emailaddress) but I can't seem to get it to
>work.


As others have said, this really isn't a good idea. Hard code the
address to which the email will be sent, or, of you have a number of
addresses, code them into an array and pass a reference.

You might find this a bit easier to implement. www.ckdog.co.uk/phmail
It just takes an html form and chucks everything at the address you
specify.
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011

On 28 Feb, 17:23, Geoff Berrow <blthe... [at] ckdog.co.uk> wrote:
> Message-ID: <1172674402.500099.64940 [at] s48g2000cws.googlegroups.com> from
> r... [at] chaparralboats.com contained the following:
>
> >This page is being passed emailaddress in a query string:
> >http://www.chaparralmedia.net/brochureRequests/contact.htm? emailaddre...
>
> >How do I get that from contact.htm to a varible in my contact.php
> >page? I'm trying to make the php script send an email with the form
> >data to the email address (emailaddress) but I can't seem to get it to
> >work.
>
> As others have said, this really isn't a good idea. Hard code the
> address to which the email will be sent, or, of you have a number of
> addresses, code them into an array and pass a reference.
>
> You might find this a bit easier to implement.www.ckdog.co.uk/phmail
> It just takes an html form and chucks everything at the address you
> specify.
> --
> Geoff Berrow 0110001001101100010000000110
> 001101101011011001000110111101100111001011
> 100110001101101111001011100111010101101011

Just to be clear, I know the point of your form is to allow an
untrusted 3rd party to send email to *themselves*, but it /could/ be
used by said person to send email to *anyone* from their spam
database.
>From the tenor of your post implementing a captcha would probably be
too much hassle for you, so I suggest you include in your emails,
"someone probably you, requested a copy of our broachure.." and add a
way for them to complain to you if it wasn't them. It is illegal in
some places to send unsolicited email to businesses, and you could
find yourself in hot water if your employer comes back to you about
this.
Don't take the - this should have been done yesterday approach -
unless you have at least told your employer about the issues and got
some kind of written assurance. (Extreme perhaps, but it cuts both
ways, they then take ownership of the shoddy job)
Oh and with PHP, unless asp style tags are enabled in the php.ini file
which they usually aren't, you should attempt to use
<?php to open and
?> to close
for portability if nothing else.

>>You form as it stands can
>>be used to spam anyone.

Actually I don't really see a way of it being used to send spam to
anyone really. Unless they actually key in the query string. The
email address that's being passed via the query string is from a
database of email addresses that are location specific. In other
words these people are expecting the emails and for there to be some
junk mail possibly. So I'm not too worried about the spam issue as of
right now but I will keep an eye out for it. Thanks.

rcoan [at] chaparralboats.com wrote:
>>> You form as it stands can
>>> be used to spam anyone.
>
> Actually I don't really see a way of it being used to send spam to
> anyone really. Unless they actually key in the query string. The
> email address that's being passed via the query string is from a
> database of email addresses that are location specific. In other
> words these people are expecting the emails and for there to be some
> junk mail possibly. So I'm not too worried about the spam issue as of
> right now but I will keep an eye out for it. Thanks.

The problem is if you allow people send a "From" address with the form,
as there isn't any real from argument in the mail function, you are
instead using the mail header directly and then you can add other things
like bcc/cc to the header and that way send out mail to more than one
person at the time.

It don't hurt to check all variables used in the mail function, if
detecting header injection, then abort the mailing (easy check is to
compare the size of the variable before and after removing all \r\n, if
the same no header injection was attempted, otherwise it's a try to spam).


--

//Aho

<rcoan [at] chaparralboats.com> wrote in message
news:1172686432.967755.6850 [at] h3g2000cwc.googlegroups.com...
| >>You form as it stands can
| >>be used to spam anyone.
|
| Actually I don't really see a way of it being used to send spam to
| anyone really. Unless they actually key in the query string. The
| email address that's being passed via the query string is from a
| database of email addresses that are location specific. In other
| words these people are expecting the emails and for there to be some
| junk mail possibly. So I'm not too worried about the spam issue as of
| right now but I will keep an eye out for it. Thanks.

you're kidding, right?

i could drop anyone's email address onto your query string in such rapid
successesion that your domain (and/or isp) could be liable for a class
action lawsuit...regardless of what email address your db intended to
send/receive it. further, i could add cc, bcc and other directives to your
email that your script is sending...again, your db addresses are of NO
concern. 'as of right now', give me your url and i'll spread your site's
ass-cheecks wide...THAT would be the 'eye' you're keeping out for it. ;^)

i'd also work on your validation. it needs to be FAR more graceful than it
is now. i'm sure most people would like to know why something went wrong
rather than the mere fact that something did go wrong.

On Feb 28, 1:37 pm, "Steve" <no.... [at] example.com> wrote:
> <r... [at] chaparralboats.com> wrote in message
>
> news:1172686432.967755.6850 [at] h3g2000cwc.googlegroups.com...
> | >>You form as it stands can
> | >>be used to spam anyone.
> |
> | Actually I don't really see a way of it being used to send spam to
> | anyone really. Unless they actually key in the query string. The
> | email address that's being passed via the query string is from a
> | database of email addresses that are location specific. In other
> | words these people are expecting the emails and for there to be some
> | junk mail possibly. So I'm not too worried about the spam issue as of
> | right now but I will keep an eye out for it. Thanks.
>
> you're kidding, right?
>
> i could drop anyone's email address onto your query string in such rapid
> successesion that your domain (and/or isp) could be liable for a class
> action lawsuit...regardless of what email address your db intended to
> send/receive it. further, i could add cc, bcc and other directives to your
> email that your script is sending...again, your db addresses are of NO
> concern. 'as of right now', give me your url and i'll spread your site's
> ass-cheecks wide...THAT would be the 'eye' you're keeping out for it. ;^)
>
> i'd also work on your validation. it needs to be FAR more graceful than it
> is now. i'm sure most people would like to know why something went wrong
> rather than the mere fact that something did go wrong.



project abandoned, I guess b/c of spammers and people with skills like
steve you just can't setup an easy email form anymore. And steve you
did open my eyes to what could happen, thanks, but you didn't really
offer any help other than saying that my validation could be FAR more
graceful. It validated fine for me. And about spreading my sites ass
wide open. I wouldn't want that to happen.

Well thanks to everyone who helped me out.

"J.O. Aho" <user [at] example.net> wrote in message
news:54lvp3F211sdiU1 [at] mid.individual.net...
| rcoan [at] chaparralboats.com wrote:
| >>> You form as it stands can
| >>> be used to spam anyone.
| >
| > Actually I don't really see a way of it being used to send spam to
| > anyone really. Unless they actually key in the query string. The
| > email address that's being passed via the query string is from a
| > database of email addresses that are location specific. In other
| > words these people are expecting the emails and for there to be some
| > junk mail possibly. So I'm not too worried about the spam issue as of
| > right now but I will keep an eye out for it. Thanks.
|
| The problem is if you allow people send a "From" address with the form,
| as there isn't any real from argument in the mail function, you are
| instead using the mail header directly and then you can add other things
| like bcc/cc to the header and that way send out mail to more than one
| person at the time.
|
| It don't hurt to check all variables used in the mail function, if
| detecting header injection, then abort the mailing (easy check is to
| compare the size of the variable before and after removing all \r\n, if
| the same no header injection was attempted, otherwise it's a try to spam).

easy yes, but secure no. it is best to not take half measures when
programming anything, especially security. something like this is a far more
appropriate step:

$emailInput = array($to, $from, $cc, $bcc, $subject, $message);
$injections = array('to', 'from', 'cc', 'bcc');
foreach ($emailInput as $input)
{
foreach ($injections as $injection)
{
$input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '', $input);
}
}

now you have a configurable, manageable means of stripping out malicious
header content by the input(s) supplied...just by changing either/both
arrays. the emailInput array is normally just going to have a subject and a
message/comment that has to be analysed.

cheers

<rcoan [at] chaparralboats.com> wrote in message
news:1172689166.982574.260870 [at] p10g2000cwp.googlegroups.com.. .
| On Feb 28, 1:37 pm, "Steve" <no.... [at] example.com> wrote:
| > <r... [at] chaparralboats.com> wrote in message
| >
| > news:1172686432.967755.6850 [at] h3g2000cwc.googlegroups.com...
| > | >>You form as it stands can
| > | >>be used to spam anyone.
| > |
| > | Actually I don't really see a way of it being used to send spam to
| > | anyone really. Unless they actually key in the query string. The
| > | email address that's being passed via the query string is from a
| > | database of email addresses that are location specific. In other
| > | words these people are expecting the emails and for there to be some
| > | junk mail possibly. So I'm not too worried about the spam issue as of
| > | right now but I will keep an eye out for it. Thanks.
| >
| > you're kidding, right?
| >
| > i could drop anyone's email address onto your query string in such rapid
| > successesion that your domain (and/or isp) could be liable for a class
| > action lawsuit...regardless of what email address your db intended to
| > send/receive it. further, i could add cc, bcc and other directives to
your
| > email that your script is sending...again, your db addresses are of NO
| > concern. 'as of right now', give me your url and i'll spread your site's
| > ass-cheecks wide...THAT would be the 'eye' you're keeping out for it.
;^)
| >
| > i'd also work on your validation. it needs to be FAR more graceful than
it
| > is now. i'm sure most people would like to know why something went wrong
| > rather than the mere fact that something did go wrong.
|
|
|
| project abandoned, I guess b/c of spammers and people with skills like
| steve you just can't setup an easy email form anymore. And steve you
| did open my eyes to what could happen, thanks, but you didn't really
| offer any help other than saying that my validation could be FAR more
| graceful. It validated fine for me. And about spreading my sites ass
| wide open. I wouldn't want that to happen.

project abandoned?!!! do you always give up if something is too complicated
or may take some work to understand and then address?

yes, it is painfully easy to set up an email form. easy, though being a
wholly relative term, enough to be handled in a few lines of code...which i
DID provide, if you'd check the thread again!

as for your validation...you call this graceful and explicitly explaining
what went wrong?

if (!$validationOK) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
exit;
}

does error.htm just show 'oops!' in the browser? it may as well you know.
and this:

if ($success){
print "<meta http-equiv=\"refresh\" content=\"0;URL=ok.htm\">";
}
else{
print "<meta http-equiv=\"refresh\" content=\"0;URL=er.htm\">";
}

does ok.htm confirm to whom the message was sent, when (as in they may want
to print it as confirmation), and what it said. HOLD ON...did you even give
them the opportunity to review the full message before sending it?

finally, does er.htm tell why the message couldn't be sent? oh yeah, it just
says 'oops!' too...so either it was invalid input or it was a transmission
error...lol.

one must learn to be a critical planner before one ever thinks about writing
a single line of code.

hth.

Steve wrote:
> <rcoan [at] chaparralboats.com> wrote in message

> | project abandoned, I guess b/c of spammers and people with skills like
> | steve you just can't setup an easy email form anymore. And steve you
> | did open my eyes to what could happen, thanks, but you didn't really
> | offer any help other than saying that my validation could be FAR more
> | graceful. It validated fine for me. And about spreading my sites ass
> | wide open. I wouldn't want that to happen.
>
> project abandoned?!!! do you always give up if something is too complicated
> or may take some work to understand and then address?
>
> yes, it is painfully easy to set up an email form. easy, though being a
> wholly relative term, enough to be handled in a few lines of code...which i
> DID provide, if you'd check the thread again!

He did expect a fully finished code, but we didn't provide one ;)

--

//Aho

"J.O. Aho" <user [at] example.net> wrote in message
news:54m4nlF20pf52U1 [at] mid.individual.net...
| Steve wrote:
| > <rcoan [at] chaparralboats.com> wrote in message
|
| > | project abandoned, I guess b/c of spammers and people with skills like
| > | steve you just can't setup an easy email form anymore. And steve you
| > | did open my eyes to what could happen, thanks, but you didn't really
| > | offer any help other than saying that my validation could be FAR more
| > | graceful. It validated fine for me. And about spreading my sites ass
| > | wide open. I wouldn't want that to happen.
| >
| > project abandoned?!!! do you always give up if something is too
complicated
| > or may take some work to understand and then address?
| >
| > yes, it is painfully easy to set up an email form. easy, though being a
| > wholly relative term, enough to be handled in a few lines of
code...which i
| > DID provide, if you'd check the thread again!
|
| He did expect a fully finished code, but we didn't provide one ;)

;-)

On Feb 28, 2:53 pm, "Steve" <no.... [at] example.com> wrote:
> "J.O. Aho" <u... [at] example.net> wrote in message
>
> news:54m4nlF20pf52U1 [at] mid.individual.net...| Steve wrote:
> | > <r... [at] chaparralboats.com> wrote in message
>
> |
> | > | project abandoned, I guess b/c of spammers and people with skills like
> | > | steve you just can't setup an easy email form anymore. And steve you
> | > | did open my eyes to what could happen, thanks, but you didn't really
> | > | offer any help other than saying that my validation could be FAR more
> | > | graceful. It validated fine for me. And about spreading my sites ass
> | > | wide open. I wouldn't want that to happen.
> | >
> | > project abandoned?!!! do you always give up if something is too
> complicated
> | > or may take some work to understand and then address?
> | >
> | > yes, it is painfully easy to set up an email form. easy, though being a
> | > wholly relative term, enough to be handled in a few lines of
> code...which i
> | > DID provide, if you'd check the thread again!
> |
> | He did expect a fully finished code, but we didn't provide one ;)
>
> ;-)



man you guys are killin me. I didn't expect a fully finished code but
don't get mad at me when you respond and I have no clue what it was
that you were trying to tell me.

Steve, the ok.htm, error.htm and er.htm pages are not even built yet.
I wanted to at least get the code working first before I built those
pages. No I won't give the user a chance to review their info. Right
now I'm just looking at the url to see if it went through or not.
the difference in the er.htm and the error.htm are just so I could see
where in the code it was getting kicked back.

Listen guys, I'm a total newbie at php. This is the first script of
php I've ever written (as I'm sure it shows) so you responding by:
$emailInput = array($to, $from, $cc, $bcc, $subject, $message);
$injections = array('to', 'from', 'cc', 'bcc');
foreach ($emailInput as $input)
{
foreach ($injections as $injection)
{
$input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
$input);
}

}

just confuses the hell out of me. I have no idea what that does and
how it does it. You gave me no explanation other than... "something
like this is a far more appropriate step: "

Now I don't expect you to hold my hand and I don't expect you to give
me a copy of the finalized code. That wouldn't help b/c I would still
not have a clue as to what was going on. But please, I came on here
asking for help or suggestions and you bashing my ignorance of php
(which I've admitted) is not really helping me out any at all,
actually it's just making me feel more like shit b/c I've been sitting
here looking at this code for two days now and I've tried everything
that I know of to make this work. You guys have addressed security
concerns (that I wasn't totally aware of, so thank you) but we still
haven't even gotten my code to work..... So really I'm in the same
place I was yesterday morning except now I know I have to beef up the
security in my code AND still get it to work in the first place.

I appreciate your help I really do, but don't get pissed at me if I
don't fully understand what you are trying to tell me.

rcoan [at] chaparralboats.com wrote:

> Steve, the ok.htm, error.htm and er.htm pages are not even built yet.
> I wanted to at least get the code working first before I built those
> pages. No I won't give the user a chance to review their info. Right
> now I'm just looking at the url to see if it went through or not.
> the difference in the er.htm and the error.htm are just so I could see
> where in the code it was getting kicked back.
>
> Listen guys, I'm a total newbie at php. This is the first script of
> php I've ever written (as I'm sure it shows) so you responding by:
> $emailInput = array($to, $from, $cc, $bcc, $subject, $message);
> $injections = array('to', 'from', 'cc', 'bcc');
> foreach ($emailInput as $input)
> {
> foreach ($injections as $injection)
> {
> $input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
> $input);
> }
>
> }
>
> just confuses the hell out of me. I have no idea what that does and
> how it does it. You gave me no explanation other than... "something
> like this is a far more appropriate step: "

Have you used the online manual?
http://www.php.net/manual-lookup.php?lang=en&function=&x=6&y =4
It's just click on the function name to get more information, or enter
the function name into the input field.
As I pointed out before read the user comments too, there are many times
good hints and more examples.

For predefined variables, take a look at
http://www.php.net/manual/en/reserved.variables.php

A hint, take a look at header() to see how to redirect to another page,
just stupid to use those meta tags for that. If you are testing, then
ir's really better to echo out a message than redirect to a new page and
for errors I wouldn't redirect to a new page, as I want to be able to
output exactly what went wrong (of course it's possible to log the
errors to the logfile, but easier to see it on the screen at once).


> I came on here
> asking for help or suggestions and you bashing my ignorance of php
> (which I've admitted) is not really helping me out any at all,
> actually it's just making me feel more like shit b/c I've been sitting
> here looking at this code for two days now and I've tried everything
> that I know of to make this work.

Not sure if you read my first post in this thread, but if you had read
it, you may have seen why it didn't work, POST != GET


> You guys have addressed security concerns

The mail() is many times used quite lightly and there been many whom has
got their mail-forms to be used by spammers, there even been people
visiting comp.mail.sendmail asking why spammers been able to send mail
from their mailserver even if they have denied all mail relays. It don't
take long for those spammers to find the mail-forms, can take less than
a week. Thats why we talk so much about it.


--

//Aho

If I use this in my html page will it pass the emailaddress to the php
page?

<?php
$passedemail = $_GET['emailaddress'];
?>

<form method="POST" action="contact.php">
<input type="text" name="passedemail" value="<?php echo $passedemail; ?
>" >

Then on the php page could I use this?

$EmailTo = $_POST['passedemail'];


Is this going around my ass to get to my elbow? Sure seems that way.
But it doesn't work... so guess it's more like going around my ass to
get to my ass ;~)

My problem is (i think) that the query string won't pass to the php
page so if I bring it in the html page and convert it to a variable
can't i then send it to the php page? Am I looking at this all
wrong? I guess I'm just having trouble grasping the big picture here.

rcoan [at] chaparralboats.com wrote:
> If I use this in my html page will it pass the emailaddress to the php
> page?

If you want to use php in the html file, you need to reconfigure your
server to parse all html files for php code, so not to increase system
load, keep php in php files.

I assume you rename the contact.html to contactform.php

> <?php
> $passedemail = $_GET['emailaddress'];
> ?>

this works only if you call the page with a link

contactform.php?emailaddress=theaddress [at] example.net

> <form method="POST" action="contact.php">
> <input type="text" name="passedemail" value="<?php echo $passedemail; ?
>> " >

The echo will work, if the file is a php file.


> Then on the php page could I use this?
>
> $EmailTo = $_POST['passedemail'];

Yes, that part will work.


> My problem is (i think) that the query string won't pass to the php
> page so if I bring it in the html page and convert it to a variable
> can't i then send it to the php page? Am I looking at this all
> wrong? I guess I'm just having trouble grasping the big picture here.

It's quite simple, files ending with .htm/.html will not be by default
get the php parsed, that will only happen in files ending with .php
(there can be others too like .php3/.php4./.php5/.phtml, depending on
the installation used).


--

//Aho

On 28 Feb, 20:11, "r... [at] chaparralboats.com" <r... [at] chaparralboats.com>
wrote:
> On Feb 28, 2:53 pm, "Steve" <no.... [at] example.com> wrote:
>
>
>
> > "J.O. Aho" <u... [at] example.net> wrote in message
>
> >news:54m4nlF20pf52U1 [at] mid.individual.net...|Steve wrote:
> > | > <r... [at] chaparralboats.com> wrote in message
>
> > |
> > | > | project abandoned, I guess b/c of spammers and people with skills like
> > | > | steve you just can't setup an easy email form anymore. And steve you
> > | > | did open my eyes to what could happen, thanks, but you didn't really
> > | > | offer any help other than saying that my validation could be FAR more
> > | > | graceful. It validated fine for me. And about spreading my sites ass
> > | > | wide open. I wouldn't want that to happen.
> > | >
> > | > project abandoned?!!! do you always give up if something is too
> > complicated
> > | > or may take some work to understand and then address?
> > | >
> > | > yes, it is painfully easy to set up an email form. easy, though being a
> > | > wholly relative term, enough to be handled in a few lines of
> > code...which i
> > | > DID provide, if you'd check the thread again!
> > |
> > | He did expect a fully finished code, but we didn't provide one ;)
>
> > ;-)
>
> man you guys are killin me. I didn't expect a fully finished code but
> don't get mad at me when you respond and I have no clue what it was
> that you were trying to tell me.
>
> Steve, the ok.htm, error.htm and er.htm pages are not even built yet.
> I wanted to at least get the code working first before I built those
> pages. No I won't give the user a chance to review their info. Right
> now I'm just looking at the url to see if it went through or not.
> the difference in the er.htm and the error.htm are just so I could see
> where in the code it was getting kicked back.
>
> Listen guys, I'm a total newbie at php. This is the first script of
> php I've ever written (as I'm sure it shows) so you responding by:
> $emailInput = array($to, $from, $cc, $bcc, $subject, $message);
> $injections = array('to', 'from', 'cc', 'bcc');
> foreach ($emailInput as $input)
> {
> foreach ($injections as $injection)
> {
> $input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
> $input);
> }
>
> }
>
> just confuses the hell out of me. I have no idea what that does and
> how it does it. You gave me no explanation other than... "something
> like this is a far more appropriate step: "
>
> Now I don't expect you to hold my hand and I don't expect you to give
> me a copy of the finalized code. That wouldn't help b/c I would still
> not have a clue as to what was going on. But please, I came on here
> asking for help or suggestions and you bashing my ignorance of php
> (which I've admitted) is not really helping me out any at all,
> actually it's just making me feel more like shit b/c I've been sitting
> here looking at this code for two days now and I've tried everything
> that I know of to make this work. You guys have addressed security
> concerns (that I wasn't totally aware of, so thank you) but we still
> haven't even gotten my code to work..... So really I'm in the same
> place I was yesterday morning except now I know I have to beef up the
> security in my code AND still get it to work in the first place.
>
> I appreciate your help I really do, but don't get pissed at me if I
> don't fully understand what you are trying to tell me.

I still think phpmailer is your best bet. I tried to be kind by saying
that the mistake you made was a typical one, and so if you want to get
up and running from zero to hero with all the validation and
everything built in, go for phpmailer, which has examples, and a dead
easy implementation.
So much for building and sending the email.
Now just to check for weird stuff, many places in the "mail" part of
the manual have preg_replace functions you can use to validate email
addresses. So that you can just copy and paste.
Then Steve's idea about showing the user what will be sent is good.

The easiest way for you would be to make the html form called form.php
point to a .php script which just validates the email address, and if
everything's fine puts the various cleaned $_POST values into a
$_SESSION array using the same names.
session_start();
//validate the email and clean the input using strip_tags() or
whatever
//$email = validated( $_POST['email'] );
//$name = (strip_tags( $_POST['name'] )==$_POST['name'])?
strip_tags( $_POST['name'] ):'';
//strip_tags isnt really quite the right way there are better ways but
it does kill the html that some trickster might shove in there, so it
will stop them without looking pretty.
//etc...
$_SESSION['email'] = $email;
$_SESSION['name'] = $name;
//check all is present and correct.
//$arrRequired = array('email,'name');
//if stuff is not ok or not present then redirect to previous html
form
//for($i=0;$<count($arrRequired);$i++)
{
if ( ${$arrRequired[$i]} == '' )
{
//header('Location: http://server.com/form.php');
//exit;
}else{//goto the preview
//header('Location: http://server.com/preview.php');
//exit;

}
now in form.php at the top you have session_start() before anything
else
and your inputs say this
<input name="email" id="email" value="<?php echo
(isset($_SESSION['email'])&&$_SESSION['email']!='')?
$_SESSION['email']:''; ?>" />
etc...

this way whenever you redirect to your form, it will fill itself in,
if the user typed anything, but if they type crap with html or other
script in a particular field it will blank on redirect.

If everthing worked out then preview.php is just exactly like form but
theres no way to edit it. There can be displayed info paragraph by
paragraph
//right at top have the call to session_start();
<?php
session_start();
if( isset($_POST['send']) and $_POST['send']=='send')
{
//$msg = '';
//grab the session vars, include phpmailer class
//plugin the values from the session and send.
//get back the result of the send from phpmailer and //throw it into a
$msg string
//print out the result of sending the message (or not)
//echo '<html><p>'.$msg.'</p></html>';
exit;
}
?>
<html>
<p>Name: <?php echo $_SESSION['name']; ?></p>
<p>Email: <?php echo $_SESSION['email']; ?>

Now somewhere in that page you have a teeny form
<form action="preview.php" method="post">
<input type="send" value="send" />
<input type="submit" value="submit" />
</form>
oops i need to edit something

then if the person hits send great, if not then they can go back to
form.php to carry on



I mean it isnt as pretty as sunset on the seashore, but it gets the
job done, and its a beginning.

To prevent abuse, you could bolt on one of the many free captcha
routines out there, and place it within preview.php at the top, the
basic idea being that the server generates a unique string, say
"hEllo1" and saves it as an image and in the session say
$_SESSION['captcha'] = "hEllo1";. The server then outputs the form
with submit on it, which also contains another input of type text
alongside the server generated image.
<p>type in the text from the image here: <input type="text"
name="captcha_text" value="" />
The user has to type in the string they see in the image, and then hit
submit, the server then doesnt just check for the value $_POST['send']
== 'send' but checks to see whether the value for the string it has
in $_SESSION['captcha']==$_POST['captcha_text'] if it is, the user is
probably human, if not then generate new image store _that_ in the
$_SESSION['captcha_text'] and repeat the preview form, you can
implement a $_SESSION['i'] counter that strts off at 5 and works its
way to 0, when it is 0 then the session is destroyed and the IP
logged, the user getting warned along the way.

I once again apologise for the rugbbish quality of this code, but it
is a start, you or others are welcome to criticise it :) I would say
that I'm trying to hold a conversation as well, by way of explanation
+ coffee + blah but then you would just know that I am incapable of
doing those theings taken together, AND that I have too big an opinion
of my abilities or dont know where my limits are.
probably guilty as charged on both counts anyway

> I assume you rename the contact.html to contactform.php


When you assume you really make an ass out of me!! haha!!! Thank you
sooooooooo much, everything works now!!!! Now I just have to work on
the security aspect of it!!

I can't believe I fiddled with this for two days and all I had to do
was change .html to .php jeeezzzz!!!! I take back everything I said
before about feeling stupid.. NOW I reaalllyyy feeelll retarded!!!
dee-de-deeeee


Ok, now on to security measures.... Could someone explain to me what
this code does, how it secures the emails and where in my code I
should implement it?

$emailInput = array($to, $from, $cc, $bcc, $subject, $message);
$injections = array('to', 'from', 'cc', 'bcc');
foreach ($emailInput as $input)
{
foreach ($injections as $injection)
{
$input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
$input);
}

}

rcoan [at] chaparralboats.com wrote:

> Ok, now on to security measures.... Could someone explain to me what
> this code does, how it secures the emails and where in my code I
> should implement it?

I'll make a try... I guess Steve will say something if I don't manage...


> $emailInput = array($to, $from, $cc, $bcc, $subject, $message);

The $emailInput is an array of all the data sent with the form, I think
the variables do explan themselves quite well.


> $injections = array('to', 'from', 'cc', 'bcc');

Here we create another array with mail headers that often is injected, I
think I would have included 'replay-to' to the array too.

> foreach ($emailInput as $input)

foreach works kind of like a for loop, it loops throe the $emailInput
array, each cell will have a temporary alias $input.

> {
> foreach ($injections as $injection)

This works the same way, but this is for the headers that could have
been injected. This is a loop inside another loop.

> {
> $input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
> $input);

here we tell that we want to replace the header that is injected with an
empty string, the source is the $input (alias for a cell in
$emailInput), and store it back without the injected headers.

> }
>
> }

When you are here, the $emailInput has been cleared from To:, From:, Cc:
and Bcc: headers that someone may have injected with the use of the form.

list($to, $from, $cc, $bcc, $subject, $message) = $emailInput;

Here we store the values back into the variables you had in the
beginning, but now without the injected headers.

--

//Aho

On 28 Feb, 21:25, "r... [at] chaparralboats.com" <r... [at] chaparralboats.com>
wrote:
> > I assume you rename the contact.html to contactform.php
>
> When you assume you really make an ass out of me!! haha!!! Thank you
> sooooooooo much, everything works now!!!! Now I just have to work on
> the security aspect of it!!
>
> I can't believe I fiddled with this for two days and all I had to do
> was change .html to .php jeeezzzz!!!! I take back everything I said
> before about feeling stupid.. NOW I reaalllyyy feeelll retarded!!!
> dee-de-deeeee
>
> Ok, now on to security measures.... Could someone explain to me what
> this code does, how it secures the emails and where in my code I
> should implement it?
>
> $emailInput = array($to, $from, $cc, $bcc, $subject, $message);
> $injections = array('to', 'from', 'cc', 'bcc');
> foreach ($emailInput as $input)
> {
> foreach ($injections as $injection)
> {
> $input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
> $input);
> }
>
> }

this code should be used just before the mail function, all it does,
is to enforce the format of each "header" - a header here just means
To: email [at] email.com
From: me [at] home.com
rather like the headers of an HTTP request
etc... the part before the : cprresponds to $to $from etc.. the part
afterwards to the value
of $to $from etc...
so that it won't allow the value of one header to actually be two
headers together - which would smuggle in more BCC address rather than
the single value you wanted to allw.
Its a neat method.
Phpmailer has this all built in so that the code you write is all
about the stuff you need rather than a whole lot of extra checking
etc...

see this example:
require_once('class.phpmailer.php');
$mail = new PHPMailer();
// set mailer to use SMTP
$mail->IsSMTP();
// specify main and backup server
$mail->Host = 'auth.smtp.server.com';
// turn on SMTP authentication
$mail->SMTPAuth = true;
// SMTP username
$mail->Username = $username;
// SMTP password
$mail->Password = $password;
//$mail->SetLanguage("br", "/optional/path/to/language/directory");
$mail->From = $from;
$mail->FromName = $fromname;
$mail->AddAddress($to, $toname);
$mail->AddReplyTo($reply, $replyname);
$mail->WordWrap = 50;
$mail->IsHTML(true);
$mail->Subject = $subject;
$mail->Body = $body;

easy huh

<rcoan [at] chaparralboats.com> wrote in message
news:1172693461.912511.197140 [at] j27g2000cwj.googlegroups.com.. .
| On Feb 28, 2:53 pm, "Steve" <no.... [at] example.com> wrote:
| > "J.O. Aho" <u... [at] example.net> wrote in message
| >
| > news:54m4nlF20pf52U1 [at] mid.individual.net...| Steve wrote:
| > | > <r... [at] chaparralboats.com> wrote in message
| >
| > |
| > | > | project abandoned, I guess b/c of spammers and people with skills
like
| > | > | steve you just can't setup an easy email form anymore. And steve
you
| > | > | did open my eyes to what could happen, thanks, but you didn't
really
| > | > | offer any help other than saying that my validation could be FAR
more
| > | > | graceful. It validated fine for me. And about spreading my sites
ass
| > | > | wide open. I wouldn't want that to happen.
| > | >
| > | > project abandoned?!!! do you always give up if something is too
| > complicated
| > | > or may take some work to understand and then address?
| > | >
| > | > yes, it is painfully easy to set up an email form. easy, though
being a
| > | > wholly relative term, enough to be handled in a few lines of
| > code...which i
| > | > DID provide, if you'd check the thread again!
| > |
| > | He did expect a fully finished code, but we didn't provide one ;)
| >
| > ;-)
|
|
|
| man you guys are killin me. I didn't expect a fully finished code but
| don't get mad at me when you respond and I have no clue what it was
| that you were trying to tell me.
|
| Steve, the ok.htm, error.htm and er.htm pages are not even built yet.
| I wanted to at least get the code working first before I built those
| pages.

so you lied when you said you were redirected just fine...bullshit!

<rcoan [at] chaparralboats.com> wrote in message
news:1172693461.912511.197140 [at] j27g2000cwj.googlegroups.com.. .
| On Feb 28, 2:53 pm, "Steve" <no.... [at] example.com> wrote:
| > "J.O. Aho" <u... [at] example.net> wrote in message
| >
| > news:54m4nlF20pf52U1 [at] mid.individual.net...| Steve wrote:
| > | > <r... [at] chaparralboats.com> wrote in message
| >
| > |
| > | > | project abandoned, I guess b/c of spammers and people with skills
like
| > | > | steve you just can't setup an easy email form anymore. And steve
you
| > | > | did open my eyes to what could happen, thanks, but you didn't
really
| > | > | offer any help other than saying that my validation could be FAR
more
| > | > | graceful. It validated fine for me. And about spreading my sites
ass
| > | > | wide open. I wouldn't want that to happen.
| > | >
| > | > project abandoned?!!! do you always give up if something is too
| > complicated
| > | > or may take some work to understand and then address?
| > | >
| > | > yes, it is painfully easy to set up an email form. easy, though
being a
| > | > wholly relative term, enough to be handled in a few lines of
| > code...which i
| > | > DID provide, if you'd check the thread again!
| > |
| > | He did expect a fully finished code, but we didn't provide one ;)
| >
| > ;-)
|
|
|
| man you guys are killin me. I didn't expect a fully finished code but
| don't get mad at me when you respond and I have no clue what it was
| that you were trying to tell me.
|
| Steve, the ok.htm, error.htm and er.htm pages are not even built yet.
| I wanted to at least get the code working first before I built those
| pages. No I won't give the user a chance to review their info. Right
| now I'm just looking at the url to see if it went through or not.
| the difference in the er.htm and the error.htm are just so I could see
| where in the code it was getting kicked back.
|
| Listen guys, I'm a total newbie at php. This is the first script of
| php I've ever written (as I'm sure it shows) so you responding by:
| $emailInput = array($to, $from, $cc, $bcc, $subject, $message);
| $injections = array('to', 'from', 'cc', 'bcc');
| foreach ($emailInput as $input)
| {
| foreach ($injections as $injection)
| {
| $input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
| $input);
| }
|
| }
|
| just confuses the hell out of me.

RTFM !!!

<rcoan [at] chaparralboats.com> wrote in message
news:1172697912.534051.87520 [at] q2g2000cwa.googlegroups.com...
|
| > I assume you rename the contact.html to contactform.php
|
|
| When you assume you really make an ass out of me!!

you're only an ass if you buy that conventional wisdom line of SHIT !!!

people learn through INFERENCE...that's read ASSUMPTION to you. the more a
person can INFERENCE, the higher his IQ

"shimmyshack" <matt.farey [at] gmail.com> wrote in message
news:1172699418.819789.152550 [at] 8g2000cwh.googlegroups.com...
| On 28 Feb, 21:25, "r... [at] chaparralboats.com" <r... [at] chaparralboats.com>
| wrote:
| > > I assume you rename the contact.html to contactform.php
| >
| > When you assume you really make an ass out of me!! haha!!! Thank you
| > sooooooooo much, everything works now!!!! Now I just have to work on
| > the security aspect of it!!
| >
| > I can't believe I fiddled with this for two days and all I had to do
| > was change .html to .php jeeezzzz!!!! I take back everything I said
| > before about feeling stupid.. NOW I reaalllyyy feeelll retarded!!!
| > dee-de-deeeee
| >
| > Ok, now on to security measures.... Could someone explain to me what
| > this code does, how it secures the emails and where in my code I
| > should implement it?
| >
| > $emailInput = array($to, $from, $cc, $bcc, $subject, $message);
| > $injections = array('to', 'from', 'cc', 'bcc');
| > foreach ($emailInput as $input)
| > {
| > foreach ($injections as $injection)
| > {
| > $input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
| > $input);
| > }
| >
| > }
|
| this code should be used just before the mail function, all it does,
| is to enforce the format of each "header" - a header here just means
| To: email [at] email.com
| From: me [at] home.com
| rather like the headers of an HTTP request
| etc... the part before the : cprresponds to $to $from etc.. the part
| afterwards to the value
| of $to $from etc...
| so that it won't allow the value of one header to actually be two
| headers together - which would smuggle in more BCC address rather than
| the single value you wanted to allw.
| Its a neat method.

why thank you...i threw it together in about as much time as it took me to
type it. ;^)

cheers

Message-ID: <1172697912.534051.87520 [at] q2g2000cwa.googlegroups.com> from
rcoan [at] chaparralboats.com contained the following:

>Ok, now on to security measures.... Could someone explain to me what
>this code does, how it secures the emails and where in my code I
>should implement it?
>
>$emailInput = array($to, $from, $cc, $bcc, $subject, $message);
>$injections = array('to', 'from', 'cc', 'bcc');
>foreach ($emailInput as $input)
>{
> foreach ($injections as $injection)
> {
> $input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
>$input);
> }
>
>}

What it does is it fixes spamming attempts. Which is rather stupid
since you don't really need mail from people who are attempting to hack
your system.

Rather than fix them, better to simply drop them silently.

--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011

"Geoff Berrow" <blthecat [at] ckdog.co.uk> wrote in message
news:lo4cu21vul2r4dlk65vanvp1qhu35quvmg [at] 4ax.com...
| Message-ID: <1172697912.534051.87520 [at] q2g2000cwa.googlegroups.com> from
| rcoan [at] chaparralboats.com contained the following:
|
| >Ok, now on to security measures.... Could someone explain to me what
| >this code does, how it secures the emails and where in my code I
| >should implement it?
| >
| >$emailInput = array($to, $from, $cc, $bcc, $subject, $message);
| >$injections = array('to', 'from', 'cc', 'bcc');
| >foreach ($emailInput as $input)
| >{
| > foreach ($injections as $injection)
| > {
| > $input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
| >$input);
| > }
| >
| >}
|
| What it does is it fixes spamming attempts. Which is rather stupid
| since you don't really need mail from people who are attempting to hack
| your system.
|
| Rather than fix them, better to simply drop them silently.

GEOFF !!! don't be stupid...it is easier to detect if he keeps trying to
hack...and easier for me to track and prosecute legally. don't be a ...
well, i'll leave you alone. usually you're more imaginative.

Steve wrote:
> "Geoff Berrow" <blthecat [at] ckdog.co.uk> wrote in message

> | What it does is it fixes spamming attempts. Which is rather stupid
> | since you don't really need mail from people who are attempting to hack
> | your system.
> |
> | Rather than fix them, better to simply drop them silently.
>
> GEOFF !!! don't be stupid...it is easier to detect if he keeps trying to
> hack...and easier for me to track and prosecute legally. don't be a ...
> well, i'll leave you alone. usually you're more imaginative.

You can always trow out a bogus error and log it to syslog or it's own logfile.

--

//Aho

Message-ID: <bVoFh.667$D15.2 [at] newsfe04.lga> from Steve contained the
following:

>| What it does is it fixes spamming attempts. Which is rather stupid
>| since you don't really need mail from people who are attempting to hack
>| your system.
>|
>| Rather than fix them, better to simply drop them silently.
>
>GEOFF !!! don't be stupid...it is easier to detect if he keeps trying to
>hack...and easier for me to track and prosecute legally.

I'm sorry, I just don't think it's worth the time and effort. I have a
mail script running on a site which is a directory of 200 businesses.
Those businesses just don't want the hassle of dealing with bogus email.

As J.O Aho has said, there is nothing to stop you logging the attempts.
Have you ever successfully prosecuted anyone?

--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011

>>so you lied when you said you were redirected just fine...bullshit!

What are you talking about??? You totally lost me on that one.

>>RTFM !!!

I did, sorry if it didn't make any sense. Did you learn php by solely
reading the manual?

>>| When you assume you really make an ass out of me!!
>>you're only an ass if you buy that conventional wisdom line of SHIT !!!

I was making fun of myself with that statement, mainly for letting a
simple stupid mistake like the name of the file cause me so much
trouble.

Steve, what is your deal? I'm really beginning to think you need to
get laid. Come down for a weekend and I'll hook you up with some
local lady friends. I didn't come on here to insult you, I came here
for help so please quit with the bashing.

"Geoff Berrow" <blthecat [at] ckdog.co.uk> wrote in message
news:933du2tuui1ln6rgjns939puir9g4tdfur [at] 4ax.com...
| Message-ID: <bVoFh.667$D15.2 [at] newsfe04.lga> from Steve contained the
| following:
|
| >| What it does is it fixes spamming attempts. Which is rather stupid
| >| since you don't really need mail from people who are attempting to hack
| >| your system.
| >|
| >| Rather than fix them, better to simply drop them silently.
| >
| >GEOFF !!! don't be stupid...it is easier to detect if he keeps trying to
| >hack...and easier for me to track and prosecute legally.
|
| I'm sorry, I just don't think it's worth the time and effort. I have a
| mail script running on a site which is a directory of 200 businesses.
| Those businesses just don't want the hassle of dealing with bogus email.
|
| As J.O Aho has said, there is nothing to stop you logging the attempts.
| Have you ever successfully prosecuted anyone?

i agree with aho. and, that's one means of gathering appropriate
information. i put other tracking measures in place as well. i also have my
sites notify an admin via email when unusual activity occurs...such as a
volume of hits on various pages or functions of a page (like scripts that
email).

i have not had to prosecute anyone yet. what i have done is provided a very
concise and profession listing of an ip's activities that outline the
context of their behavior - intent. i have had several hack attempts whose
outcome resulted in isps dropping their offending member. my out of pocket
is only a simple email to the isp with the records asking them to
investigate the owner of the ip address and report back to me with their
findings...they usually are very obliging and responsive. were i ever
dissatisfied with the result, i would be able to compel the isp to cough up
the offender whom i'd be able to indeed prosecute. that's all a decision of
money and risk...cost of prosecution vs. the value of what it is that they
are trying to compromise coupled with the load expenditures of my site
during their abuse.

i don't think a 'less is more' mentality here is a good, measured response.
as for the 'hassle', you say it is 'rather stupid' to try to fix spamming
attempts. i'm wondering how you detect it. consider the difference:

what i posted earlier to 'fix' spamming attempts:

$emailInput = array($to, $from, $cc, $bcc, $subject, $message);
$injections = array('to', 'from', 'cc', 'bcc');
foreach ($emailInput as $input)
{
foreach ($injections as $injection)
{
$input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '', $input);
}
}

an this revision:

$emailInput = array($to, $from, $cc, $bcc, $subject, $message);
$injections = array('to', 'from', 'cc', 'bcc');
foreach ($emailInput as $input)
{
$filtered = '';
foreach ($injections as $injection)
{
$filtered = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
$input);
}
if ($filtered != $input)
{
// we have detection
// track/log it
// if this were a function, return false;
}
}

either way, you still have to detect that it is going on. i don't think that
is 'rather' anything other than appropriate. but that might just be me and
my 0.02usd.

| >>so you lied when you said you were redirected just fine...bullshit!
|
| What are you talking about??? You totally lost me on that one.

"... other than saying that my validation could be FAR more graceful. It
validated fine for me."

you meant that it 'validated' fine for you as long as everything went well.
you cannot say there is any truth to the quote since you obviously have not
prepared anything yet to handle when errors occur. you don't have your
er.htm or error.htm pages yet. 'it validated fine for me' is simply
bullshit. i should have made the context more clear.

| >>RTFM !!!
|
| I did, sorry if it didn't make any sense. Did you learn php by solely
| reading the manual?

i get a 'beginning <insert language/activity here>'. then i look at examples
(like the one i gave you). then i look at the functions used in the
examples. i look up the functions used either in my 'beginning <insert
language/activity here>'. if i cannot find them, i look them up in a manual.
the whole point being to learn what they do and to see how someone employed
them.

no, i did not learn php by solely reading the manual. i have however,
learned at least two other languages in precisely that manner...there are
not a whole lot of friendly books or examples for ladder logic for plc's,
nor is there inexpensive materials available for tlc/tk. if you work in
manufacturing, thermal transfer printers and other periferal devices on the
production line have their own languages and even protocols. in all of these
instances, the manual is all you have.

| >>| When you assume you really make an ass out of me!!
| >>you're only an ass if you buy that conventional wisdom line of SHIT !!!
|
| I was making fun of myself with that statement, mainly for letting a
| simple stupid mistake like the name of the file cause me so much
| trouble.

i don't care to whom it refers, i hate its use. to believe it true simply
because you can make the word into a witicism is the definition of
conventional wisdom - always convenient, never wise, hardly ever hinting at
a truth.

| Steve, what is your deal? I'm really beginning to think you need to
| get laid. Come down for a weekend and I'll hook you up with some
| local lady friends. I didn't come on here to insult you, I came here
| for help so please quit with the bashing.

i have different tones here. i can tell when someone has done as much as
they can to understand something, and when they haven't. couple your
'haven't' with complaints that no one showed you, in code, how to properly
validate in your script...well, you leave me with an impression of being
lazy. not only have you been told, in english, why your script is a security
risk, but you've also been told, in english, how to fix it. i even gave you
code (that you did NOT RTFM about) that removes most of the risk. impression
confirmed.

tell you what, you quit being lazy...i'll quit bashing.

Message-ID: <UABFh.1$iS7.0 [at] newsfe05.lga> from Steve contained the
following:

>either way, you still have to detect that it is going on. i don't think that
>is 'rather' anything other than appropriate. but that might just be me and
>my 0.02usd.


Indeed. I still don't think it's worth the bother.
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011

Thanks for the explanation J.O. that definately made things clearer.
So would something like this work?

// checking for injection and clearing any present injections
$emailInput = array($to, $from, $cc, $bcc, $subject, $message);
$injections = array('to', 'from', 'cc', 'bcc');
foreach ($emailInput as $input)
{
foreach ($injections as $injection)
{
$input = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
$input);
}

// send email
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

Ok, used this:

$emailInput = array($to, $from, $cc, $bcc, $subject, $message);
$injections = array('to', 'from', 'cc', 'bcc');
foreach ($emailInput as $input)
{
$filtered = '';
foreach ($injections as $injection)
{
$filtered = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
$input);
}
if ($filtered != $input)
{
// we have detection
// track/log it
// if this were a function, return false;
}

}


and it seems to work. Is there any method of testing it that I can do
to make sure it is handling everything properly?

Yeah, I'm lazy Steve, just say whatever makes you feel better about
yourself. That's real professional.

<rcoan [at] chaparralboats.com> wrote in message
news:1172764066.801388.35160 [at] h3g2000cwc.googlegroups.com...
| Ok, used this:
|
| $emailInput = array($to, $from, $cc, $bcc, $subject, $message);
| $injections = array('to', 'from', 'cc', 'bcc');
| foreach ($emailInput as $input)
| {
| $filtered = '';
| foreach ($injections as $injection)
| {
| $filtered = preg_replace("/n?" . $injection . "\s*?:.*?\n/i", '',
| $input);
| }
| if ($filtered != $input)
| {
| // we have detection
| // track/log it
| // if this were a function, return false;
| }
|
| }
|
|
| and it seems to work.

good.

| Is there any method of testing it that I can do
| to make sure it is handling everything properly?

set the values for $to, $from, $cc, etc. where you actual DO try to inject
header directive. that means you must first LEARN how hackers do this.
within your if ($filtered != $input) body, just echo to the brower (for
now), that injection was detected. that's your fail scenario. reset your
$to, $from, $cc, etc. variable values where there is no injection and where
the $to is YOUR email address. all is functioning as it should when you
actually receive this email. testing done. any other things you add will of
course need to be tested...such as tracking hackers by ip.

i'd put that code into a function to make it callable else where and reduce
the number of lines it takes to set up both testing scenarios.

| Yeah, I'm lazy Steve, just say whatever makes you feel better about
| yourself. That's real professional.

'just say whatever makes you feel better about yourself.' i don't expect you
to be anything other that what i've seen...which seems lazy. btw, i'm not
saying anything here for my own edification. but again, 'just say
whatever...'.