I made a "Request a Quote" form which is not working on the related website's server, but if I use it on another website's server it works perfectly. Please advise.

RequestAQuote.html:

<table width="400" border="0" align="center" cellpadding="3" cellspacing="1">
  <tr> </tr>
</table>
<table width="400" border="0" align="center" cellpadding="0" cellspacing="1">
  <tr>
    <td><form name="form1" method="post" action="contact.php">
      <table width="100%" border="0" cellspacing="1" cellpadding="3">
        <tr>
          <td>Name</td>
          <td>:</td>
          <td><input name="name" type="text" id="name" size="50"></td>
        </tr>
        <tr>
          <td>Email</td>
          <td>:</td>
          <td><input name="customer_mail" type="text" id="customer_mail" size="50"></td>
        </tr>
        <tr>
          <td width="16%">Subject</td>
          <td width="2%">:</td>
          <td width="82%"><input name="subject" type="text" id="subject" size="50"></td>
        </tr>
        <tr>
          <td>Detail</td>
          <td>:</td>
          <td><textarea name="detail" cols="50" rows="4" id="detail"></textarea></td>
        </tr>
        <tr>
          <td> </td>
          <td> </td>
          <td><input type="submit" name="Submit" value="Submit"> <input type="reset" name="Submit2" value="Reset"></td>
        </tr>
      </table>
    </form></td>
  </tr>
</table>

Here is contact.php:

<?php
// NOTE: $subject, $detail, $customer_mail and $name are only filled in from
// the form when register_globals is enabled; with it off they are undefined
// (the likely reason the script works on one server and not the other).
// Contact subject
$subject = "$subject";
// Details
$message = "$detail";
// Mail of sender
$mail_from = "$customer_mail";
// From
$header = "from: $name <$mail_from>";
// Enter your email address
$to = 'mail@domain.com';
// send email
$success = mail($to, $subject, $message, $header);
// redirect to success page
if ($success) {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=thank-you.html\">";
} else {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
}
?>
Try this contact.php content:

<?php
// Name
$name = $_POST["name"];
// Contact subject
$subject = $_POST["subject"];
// Details
$message = $_POST["detail"];
// Mail of sender
$mail_from = $_POST["customer_mail"];
// From
$header = "from: $name <$mail_from>";
// Enter your email address
$to = 'mail@domain.com';
// send email
$success = mail($to, $subject, $message, $header);
// redirect to success page
if ($success) {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=thank-you.html\">";
} else {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
}
?>
Revised contact.php:

<?php
if (isset($_REQUEST['Submit'])) {
    // Contact subject
    $subject = strip_tags($_REQUEST['subject']);
    // Details
    $message = strip_tags($_REQUEST['detail']);
    // Mail of sender
    $mail_from = strip_tags($_REQUEST['customer_mail']);
    // Name
    $name = strip_tags($_REQUEST["name"]);
    // From
    $header = "from: $name <$mail_from>";
    // Enter your email address
    $to = "mail@domain.com";
    // Send email
    if (mail($to, $subject, $message, $header)) {
        // Redirect to success page
        header("location: thank-you.html");
    } else {
        // Redirect to error page
        header("location: error.htm");
    }
} else {
    // Redirect to error page if directly viewed.
    header("location: error.htm");
}
?>

You should really consider validating the input fields...
Without validation, I can use your form to send all the spam I want. I just put in this for subject:

whatever\ncc: victim1@yahoo.com, victim2@yahoo.com, victim99@yahoo.com\n\nThis is my spam message. Buy some viagra from me! Whoo hoo!

All those people I list as cc's (there can be thousands) will receive a copy of the message I supplied.
Thanks, it really worked. I need one more bit of help: can you please let me know what code I should implement so one can't submit the form leaving blank fields?
Like I said, if you use an unsanitized value in a header field (Subject, To, From), your form will eventually be compromised by spammers to send millions of messages and you will lose your hosting account. Please, at a minimum, preg_replace('/[\n\r]/', '', $xyz) on $name, $subject, and $mail_from. You've been warned. Everyone else giving advice and sample code in this thread should remember this too.
It is JavaScript. Try this code in the RequestAQuote.html:

<script type="text/javascript">
function send_form() {
    // Declare the flags with var: assigning to the bare global "name" writes
    // window.name, which is a string, so "name = false" would become the
    // truthy "false".
    var name = false;
    var customer_mail = false;
    var subject = false;
    var detail = false;
    if (document.getElementById("name").value != "") {
        name = true;
    }
    if (document.getElementById("customer_mail").value != "") {
        customer_mail = true;
    }
    if (document.getElementById("subject").value != "") {
        subject = true;
    }
    if (document.getElementById("detail").value != "") {
        detail = true;
    }
    // Only submit when all four fields are filled in.
    if (name && customer_mail && subject && detail) {
        document.form1.submit();
    }
}
</script>
<table width="400" border="0" align="center" cellpadding="3" cellspacing="1">
  <tr> </tr>
</table>
<table width="400" border="0" align="center" cellpadding="0" cellspacing="1">
  <tr>
    <td><form name="form1" method="post" action="contact.php">
      <table width="100%" border="0" cellspacing="1" cellpadding="3">
        <tr>
          <td>Name</td>
          <td>:</td>
          <td><input name="name" type="text" id="name" size="50"></td>
        </tr>
        <tr>
          <td>Email</td>
          <td>:</td>
          <td><input name="customer_mail" type="text" id="customer_mail" size="50"></td>
        </tr>
        <tr>
          <td width="16%">Subject</td>
          <td width="2%">:</td>
          <td width="82%"><input name="subject" type="text" id="subject" size="50"></td>
        </tr>
        <tr>
          <td>Detail</td>
          <td>:</td>
          <td><textarea name="detail" cols="50" rows="4" id="detail"></textarea></td>
        </tr>
        <tr>
          <td> </td>
          <td> </td>
          <td><input type="button" name="Submit" value="Submit" onclick="send_form();"> <input type="reset" name="Submit2" value="Reset"></td>
        </tr>
      </table>
    </form></td>
  </tr>
</table>
"You should really consider validating the input fields..."

@s_ruben: JavaScript can be easily disabled/bypassed.

@Kimi Raikkonen: Read http://net.tutsplus.com/tutorials/php/sanitize-and-validate-data-with-php-filters/

Here's the code, so one can't submit blank fields:

<?php
if (isset($_REQUEST['Submit'])
    && filter_var($_REQUEST['customer_mail'], FILTER_VALIDATE_EMAIL)
    && !empty($_REQUEST['subject'])
    && !empty($_REQUEST['detail'])
    && !empty($_REQUEST['customer_mail'])
    && !empty($_REQUEST['name'])) {
    // Contact subject
    $subject = strip_tags($_REQUEST['subject']);
    // Details
    $message = strip_tags($_REQUEST['detail']);
    // Mail of sender
    $mail_from = strip_tags($_REQUEST['customer_mail']);
    // Name
    $name = strip_tags($_REQUEST["name"]);
    // From
    $header = "from: $name <$mail_from>";
    // Enter your email address
    $to = "mail@domain.com";
    // Send email
    if (mail($to, $subject, $message, $header)) {
        // Redirect to success page
        header("location: thank-you.html");
    } else {
        // Redirect to error page
        header("location: error.htm");
    }
} else {
    // Redirect to error page if directly viewed.
    header("location: error.htm");
}
?>
danx10, are you familiar with the JavaScript statistics? January 2008: JavaScript on (95%) and JavaScript off (5%). http://www.w3schools.com/browsers/browsers_stats.asp And I think very few modern websites are now created without using JavaScript.
Unfortunately this code doesn't solve the problem. Blank fields aren't the issue. The problem in email headers comes when newlines get interspersed in the middle of a field. I think I described it above, but anyway, if someone gives this as the subject:

Hello there\nCc: a@b.com, c@d.com, e@f.com\n\nSpam spam spam spam

then the message will go out like this:

(some of the original headers)...
Subject: Hello there
Cc: a@b.com, c@d.com, e@f.com

Spam spam spam
...(rest of original headers and message at bottom)

The spammer gets to insert their own recipients (via that cc: line) and message body, and when people trace it back, all signs point to your web server as the culprit. They can even fake a MIME message and use it to deliver viruses, though the message will be malformed due to extra trailing text and some clients will not parse it. The strip_tags doesn't really do much since the spammer can encode the message in base64 by inserting the appropriate headers. Many MUAs will process a base64-encoded message with spurious trailing content.
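The two server-side points made in this thread, danx10's required-field and filter_var checks and SmallPotatoes' warning that a newline inside a header field turns the form into an open relay, combined into one handler. This is an added example, not code posted by anyone in the thread; it assumes PHP 7.1 or later, the field names from RequestAQuote.html above, and uses quotes@example.com as a placeholder for a mailbox on your own domain. Rather than stripping CR/LF it rejects the submission and logs the attempt, so a real abuse attempt is visible in the server log instead of being silently cleaned.

```php
<?php
// Added example for this thread: a contact.php that refuses email header
// injection instead of trying to clean it, and that enforces the required
// fields on the server. Field names match RequestAQuote.html above;
// quotes@example.com is a placeholder for a mailbox on your own domain.
declare(strict_types=1);

const MAX_HEADER_LEN = 200;

// Validate a value that will end up in a header line (Reply-To, Subject).
// Returns null when acceptable, otherwise an error message. A CR, LF or any
// other control character would terminate the header and let the sender add
// Cc:/Bcc: lines or a body, so the whole request is rejected outright.
function header_field_error(string $label, string $value): ?string
{
    if ($value === '') {
        return "$label is required";
    }
    if (strlen($value) > MAX_HEADER_LEN) {
        return "$label is too long";
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return "$label contains line breaks or control characters";
    }
    return null;
}

// Validate the whole POST. Returns ['ok' => bool, 'errors' => string[],
// 'fields' => trimmed values] so the caller decides whether to call mail().
function validate_quote_request(array $post): array
{
    $errors = [];
    $fields = [];
    foreach (['name' => 'Name', 'subject' => 'Subject', 'customer_mail' => 'Email'] as $key => $label) {
        $value = trim((string)($post[$key] ?? ''));
        $err = header_field_error($label, $value);
        if ($err !== null) {
            $errors[] = $err;
        } elseif ($key === 'customer_mail' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = 'Email is not a valid address';
        }
        $fields[$key] = $value;
    }
    // The body may legitimately contain newlines; they cannot reach the headers.
    $fields['detail'] = trim((string)($post['detail'] ?? ''));
    if ($fields['detail'] === '') {
        $errors[] = 'Detail is required';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'fields' => $fields];
}

// Build the mail() arguments from validated fields. The visitor's address goes
// in Reply-To; From stays a mailbox on your own domain, so nothing the visitor
// typed becomes the sender and your domain's SPF/DKIM checks still apply.
function build_mail(array $f, string $to): array
{
    $display = str_replace(['"', '<', '>', '\\'], '', $f['name']);
    $headers = implode("\r\n", [
        'From: "Quote form" <quotes@example.com>',
        "Reply-To: \"$display\" <{$f['customer_mail']}>",
        'Content-Type: text/plain; charset=UTF-8',
    ]);
    $body = "Name: {$f['name']}\nEmail: {$f['customer_mail']}\n\n{$f['detail']}";
    return [$to, $f['subject'], $body, $headers];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: one normal request and the injected subject from this thread.
    $good = ['name' => 'Jane Doe', 'customer_mail' => 'jane@example.org',
             'subject' => 'Quote for 100 units', 'detail' => "Please send pricing\nfor 100 units."];
    $bad = $good;
    $bad['subject'] = "Hello there\nCc: a@b.com, c@d.com\n\nSpam spam spam";
    foreach (['normal' => $good, 'injected' => $bad] as $label => $post) {
        $r = validate_quote_request($post);
        printf("%-8s %s %s\n", $label, $r['ok'] ? 'accepted' : 'rejected', implode('; ', $r['errors']));
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $r = validate_quote_request($_POST);
    if (!$r['ok']) {
        // Log the rejection with the client address so abuse attempts are visible.
        error_log('quote form rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? '-') . ': ' . implode('; ', $r['errors']));
        http_response_code(400);
        header('Content-Type: text/plain; charset=UTF-8');
        echo "Please correct the following:\n- " . implode("\n- ", $r['errors']);
        exit;
    }
    [$to, $subject, $body, $headers] = build_mail($r['fields'], 'mail@domain.com');
    header('Location: ' . (mail($to, $subject, $body, $headers) ? 'thank-you.html' : 'error.htm'));
    exit;
} else {
    // Direct GET of contact.php: nothing to do.
    header('Location: error.htm');
    exit;
}
```

Run it from the command line (php contact.php) to see the normal request accepted and the injected one rejected with "Subject contains line breaks or control characters"; the same validation runs when the file serves the form's POST. Keeping the visitor's address out of From also avoids the other problem with the thread's scripts, where mail claiming to be from any address the visitor typed left your server.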
You're missing danx10's point, I think. Sure, almost everyone has Javascript. However, it is worthless for security validation because any malicious person can disable it with a couple mouse clicks. Javascript validation is only useful for advisory/convenience purposes. It is not a substitute for server-side validation.
SmallPotatoes, I just answered Kimi Raikkonen's question, which is: And it is not a question about security!!! About security we can talk more and more!! Thank you for your attention.
@s_ruben, thanks for the help with my project. @danx10 and @SmallPotatoes, I really appreciate your points and posts regarding security, because it is indeed needed whatever you do. I will surely implement your suggestions.