#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    9
    Rep Power
    0

    Need Help with Contact script


    Hey guys
    I'm new to PHP, but I'm pretty familiar with Dreamweaver, which makes it so easy. I have a contact form for my business website and I also have copied a contact script from another website for free.

    Everything works as it should, but I'm not getting the user-inputted data. I get the email back to me but all fields are blank.
    Example:
    Name: <blank>
    Email: <blank>
    etc etc etc

    Here is the following code for the script.

    <?php

    /* Email Variables */
    $emailSubject = 'xxxxx';
    $webMaster = 'xxxx@xxxx.com';


    /* Data Variables */
    $email = $_POST['email'];
    $name = $_POST['name'];
    $subject = $_POST['subject'];
    $comments = $_POST['comments'];
    $date = $_date("m/d/Y H:i:s");

    $body = <<<EOD
    <br><hr><br>
    Email: $email <br>
    Name: $name <br>
    Subject: $subject <br>
    Comments: $comments <br>
    EOD;
    $headers = "From: $email\r\n";
    $headers .= "Content-type: text/html\r\n";
    $success = mail($webMaster, $emailSubject, $body,
    $headers);


    /* Results rendered as HTML */
    $theResults = <<<EOD
    <html>
    <head>
    <title>Your message has been sent!</title>
    <meta http-equiv="refresh" content="3;/contactusframe.html">
    <style type="text/css">
    <!--
    body {
    background-color: #cccccc;
    font-family: Arial, Helvetica, sans-serif;
    font-size: 12px;
    font-style: normal;
    line-height: normal;
    font-weight: normal;
    color: #000000;
    text-decoration: none;
    padding-top: 200px;
    margin-left: 150px;
    width: 600px;
    }
    -->
    </style>
    </head>
    <div align="center">Thank you for contacting Us!<br>We will get back to you shortly.</div>
    </div>
    </body>
    </html>
    EOD;
    echo "$theResults";
    ?>


    Any help would be greatly appreciated.
  2. #2
  3. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,113
    Rep Power
    9398
    It's not safe to go copying things from around the Internet when you can't tell if they're good or not. Like this script: not only does it have a fatal flaw but it builds the email insecurely.

    PHP Code:
    $headers = "From: $email\r\n";
    That's the unsafe part. Remove this line (you probably don't need to specify a From: header) and fix the next one so it uses regular assignment (=) instead of concatenation (.=).

    The main problem is
    PHP Code:
    $date = $_date("m/d/Y H:i:s");
    That will do something completely different than was intended, and actually fail trying to do so. It should be using the date function.
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    9
    Rep Power
    0
    Thank you very much for your prompt reply and help.
    I'm trying this as we speak and I will let you know if this fixed the problem.

    You stated that it builds the email 'insecurely', how so?
    Does this mean that it is vulnerable to hackers/predators?
    I suppose the only personal information is the user's email?

    How can I make it secure?

    If you could, please go into detail as to what the fatal flaw is?
    What are good websites I can go to for future references?

    **EDIT**
    Unfortunately, the revisions you told me to make above did not work. I'm still getting blank data.
  6. #4
  7. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,113
    Rep Power
    9398
    Find your php.ini and set
    Code:
    error_reporting = -1
    display_errors = on
    and restart the server. You should also check your web server's error logs as they may already mention something about what's going on.

    1. You're running this on a server that can send email, right? Is it your local machine at home (if so what operating system do you have) or is this live somewhere?
    2. Are you getting the "thank you" page? Or is it entirely blank?
    3. Are you getting an email at all?

    It was insecure because it put user input (their email address) into a place where you shouldn't allow it (email headers). Someone could give you bad data and trick your server into doing something it shouldn't. For example, use your contact form to send spam to anybody they want.
    What I didn't think about was that they can also insert any HTML they want into the email. You shouldn't allow that. In fact unless you want a pretty email the safest thing is to not send it as HTML.
    PHP Code:
    $body = <<<EOD
    Email: $email
    Name: $name
    Subject: $subject
    Comments: $comments
    EOD;
    $success = mail($webMaster, $emailSubject, $body);
    (The "fatal flaw" was the $_date thing.)
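
Added example, not part of the thread and not the poster's script: one way to keep visitor input out of the mail headers, as described in the post above. The `Reply-To` header, the constants and the helper names are assumptions of this sketch; the field names follow the posted form.

```php
<?php
// Added example, not code from the thread. Field names follow the posted form;
// the webmaster address and subject are placeholders.
const WEBMASTER = 'webmaster@example.com';
const SUBJECT   = 'Contact form message';

// True if the value contains a CR or LF, i.e. could start a new header line.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns [to, subject, body, headers] ready for mail(), or null to reject.
function build_contact_mail(array $post): ?array
{
    $email    = trim((string)($post['email'] ?? ''));
    $name     = trim((string)($post['name'] ?? ''));
    $subject  = trim((string)($post['subject'] ?? ''));
    $comments = (string)($post['comments'] ?? '');

    // The address is the only visitor value placed in a header, so it must be
    // a single line and a syntactically valid address.
    if (has_line_break($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Plain-text body: visitor text stays in the body and is not rendered as HTML.
    $body = "Email: $email\nName: $name\nSubject: $subject\nComments:\n$comments\n";

    // From is fixed; the validated visitor address goes in Reply-To only.
    $headers = 'From: ' . WEBMASTER . "\r\n"
             . "Reply-To: $email\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    return [WEBMASTER, SUBJECT, $body, $headers];
}

// Constructed submissions: one ordinary, one with an extra header line in the email field.
$ordinary = ['email' => 'visitor@example.com', 'name' => 'A. Visitor',
             'subject' => 'Opening hours', 'comments' => "Hello,\nare you open Sundays?"];
$tampered = ['email' => "visitor@example.com\r\nBcc: someone@example.net"] + $ordinary;

var_dump(build_contact_mail($ordinary) !== null);
var_dump(build_contact_mail($tampered) === null);
```

The returned array can be passed to `mail()` with `mail(...$result)` once it is not null.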
  8. #5
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    9
    Rep Power
    0
    Okay so it looks as though this whole script I have is garbage.

    Because this is a business page, I need it to be as secure as possible.

    Are there any links you can forward me to get the safest contact form and contact script?

    Any help is greatly appreciated.

    Thank you very much.
  10. #6
  11. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,113
    Rep Power
    9398
    No, the "whole script" is not "garbage". I suggested a couple changes to fix the couple issues but those were the only problems I saw.

    So how about answers to those questions?
  12. #7
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    9
    Rep Power
    0
    Originally Posted by requinix
    Find your php.ini and set
    Code:
    error_reporting = -1
    display_errors = on
    and restart the server. You should also check your web server's error logs as they may already mention something about what's going on.

    1. You're running this on a server that can send email, right? Is it your local machine at home (if so what operating system do you have) or is this live somewhere?
    2. Are you getting the "thank you" page? Or is it entirely blank?
    3. Are you getting an email at all?

    It was insecure because it put user input (their email address) into a place where you shouldn't allow it (email headers). Someone could give you bad data and trick your server into doing something it shouldn't. For example, use your contact form to send spam to anybody they want.
    What I didn't think about was that they can also insert any HTML they want into the email. You shouldn't allow that. In fact unless you want a pretty email the safest thing is to not send it as HTML.
    PHP Code:
    $body = <<<EOD
    Email: $email
    Name: $name
    Subject: $subject
    Comments: $comments
    EOD;
    $success = mail($webMaster, $emailSubject, $body);
    (The "fatal flaw" was the $_date thing.)

    1. My website is hosted by Register.com, so it's not on a personal server.

    2. I am getting the Thank You page that's in my script and it does reload to the contact page.

    3. I am getting the emails, but like I stated before, I'm not getting the user-inputted data. Just the required fields.

    It seems as though the php.ini file is private and cannot be changed. I cannot find it anywhere in root or any other file for that matter.
  14. #8
  15. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,113
    Rep Power
    9398
    Originally Posted by dkim916
    3. I am getting the emails, but like I stated before, I'm not getting the user-inputted data. Just the required fields.
    There's the name, email, subject, and comments. Are you saying there's supposed to be more? Because there isn't any code written to support more than just those four fields.
  16. #9
  17. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    9
    Rep Power
    0
    I made some revisions you told me on your last post. It worked! I did get all the user inputted data! Thank you very much for helping me with this troubleshooting.

    Now I have another question..

    How can I disable the user from sending HTML code, like you stated it could be a security risk?

    I want this to be as secure as possible!
  18. #10
  19. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,113
    Rep Power
    9398
    You can't disable it. All you can do is make sure it doesn't get interpreted as HTML by escaping it if you output it to a page. For emails you can keep them as plain text, or if you want HTML emails escape the value just like you would for a webpage.
  20. #11
  21. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Location
    the Netherlands
    Posts
    41
    Rep Power
    2
    Perhaps this is useful?
    http://php.net/manual/en/function.htmlspecialchars.php

    Using this will make any HTML code be interpreted as plain text.
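
Added example, not part of the thread: escaping the four form fields with `htmlspecialchars()` before placing them in an HTML email body or a web page, as the two posts above suggest. The helper names and the sample submission are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

// Escape a value for use in HTML text or a quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build an HTML fragment from the posted form's four fields.
function build_html_body(array $fields): string
{
    $labels = ['email' => 'Email', 'name' => 'Name',
               'subject' => 'Subject', 'comments' => 'Comments'];
    $rows = '';
    foreach ($labels as $key => $label) {
        $value = e((string)($fields[$key] ?? ''));
        // Escape first, then nl2br(): the only real tags in the cell are the
        // <br> elements added here, never anything the visitor typed.
        $rows .= "<tr><th>$label</th><td>" . nl2br($value, false) . "</td></tr>\n";
    }
    return "<table>\n$rows</table>\n";
}

// Constructed submission containing markup in two fields.
$sample = [
    'email'    => 'visitor@example.com',
    'name'     => 'A. <b>Visitor</b>',
    'subject'  => 'Opening hours',
    'comments' => "Hello,\n<a href=\"http://example.com/\">click here</a>",
];

echo build_html_body($sample);
```

In the output the visitor's `<b>` and `<a>` appear as `&lt;b&gt;` and `&lt;a ...&gt;`, so a mail client or browser shows them as text instead of rendering them.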
  22. #12
  23. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    9
    Rep Power
    0
    Thanks for all the help, guys, I greatly appreciate it.

    Now, though, I have another problem.

    My website isn't compatible with other browsers.

    For instance, I use Firefox, and my website displays perfectly fine in that browser. But when I look at it in Internet Explorer, some things do not display correctly, and my contact form script doesn't refresh to the contact page as it does in Firefox; it stays loading.

    Any help would be awesome, as you guys are already awesome!


    **EDIT**

    I found this HTML Validator thing off Google and it states:
    "Line 6, Column 83: document type does not allow element "link" here

    k href="includes/CSSLayouts/CSSLayouts.css" rel="stylesheet" type="text/css" />



    The element named above was found in a context where it is not allowed. This could mean that you have incorrectly nested elements -- such as a "style" element in the "body" section instead of inside "head" -- or two elements that overlap (which is not allowed).

    One common cause for this error is the use of XHTML syntax in HTML documents. Due to HTML's rules of implicitly closed elements, this error can create cascading effects. For instance, using XHTML's "self-closing" tags for "meta" and "link" in the "head" section of a HTML document may cause the parser to infer the end of the "head" section and the beginning of the "body" section (where "link" and "meta" are not allowed; hence the reported error)."

    Does this mean that I need to move this 'element' into the body instead of the head? Will this fix a lot of my problems of it not being displayed correctly in IE?
  24. #13
  25. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,113
    Rep Power
    9398
    It probably means either (a) you didn't put it in the <head> or (b) you did but there's an unclosed tag so it seems like the <link> is contained in that instead. Can't say exactly without seeing the source HTML.

    You should always validate your pages even if it seems fine in all the browsers. If there are problems then yes, that could explain why IE does it weird. But IE is horrible anyways... Welcome to the world of web design
  26. #14
  27. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    9
    Rep Power
    0
    Thanks for the help.

    This website needs to be displayed correctly on all standard browsers, which is IE and FF. Seems to be the most commonly used. Unless you're on Mac.

    Comments on this post

    • DonR disagrees : IE and FF are not the only 2 "standard" browsers..there is also, Google Chrome, Opera, & Safari for Windows ...all considered "standard" browsers.
  28. #15
  29. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    9
    Rep Power
    0
    So now I'm having yet another problem..

    I'm down to my last 2, I believe.

    1. In Firefox, once the customer fills out the contact form, it loads a thank you page and refreshes to the contact page. On IE, it stays loading and never refreshes to the contact page.

    2. In Firefox (please look at the picture), it shows up perfectly fine. But in IE the red gradient in the nav bar doesn't show up. I tried placing a picture with the gradient bar there and it messes up the flow and makes the box 2x as big.

    **EDIT**
    I just noticed I placed IE and Firefox on the wrong sides of the image below.



    Any suggestions?
