Hey, I've just got this new script which comes with a tell-a-friend option. However, when the user receives an email from this script most of the message is in the subject field. Could someone just take a look at this for me and tell me what is going on?

    $siteurl=$website."view-".$title."-".$id.".html";
    echo $siteurl;
    $comments = stripslashes($comments);
    $message="$yname is sending you a hilarious funpage \n\n\nCheck this Funpage\n".$siteurl."\n";
    $message=$message."----------------------------------------------------\n";
    $message=$message."Comments from $yname\n";
    $message=$message."$comments\n";
    $message=$message."----------------------------------------------------\n";
    echo $message;

I think that is the part of the code that contains the message; if it isn't I can show the rest of it! Any ideas? Thanks for listening, AJ
OK... if you have $variable='value'; then $variable takes on the value of "value". If on the next line you put: $variable='new'; then $variable is now "new". However, if instead of that last line you put: $variable.='new'; then $variable is now "valuenew" - the dot before the equals ( .= ) tells the code to ADD to the right of the previous value.

In your code above, each line has $message=$message.'content'; - whilst that is technically still correct, it's a very long-winded way of typing something very basic. Try changing the =$message. to .= as it's just much neater. Anyway, that's just housekeeping.

Somewhere in the script you will have a sendmail (or the script may have a renamed mail sending function) which defines the subject as well as the message - my bet is that the subject IS the message, and only one variable is being passed. Could you post more of the script (or all of it if possible) so we can see what is actually going on with it?

Hope the above helps a bit - it won't change the outcome of your question, but it may make your script simpler, and will definitely be quicker for you to code in the future if you wish to expand on it.
    <?php
    /* Do not edit below this line unless you know what you're doing */
    $yname = $_POST['yname'];
    $yemail = $_POST['yemail'];
    $femail = $_POST['femail'];
    $comments = $_POST['comments'];
    $pageurl = $_GET['loc'];

    function outputform() {
    ?>
    <form method="post">
    <table width="100%" border="0" class="text">
      <tr>
        <td colspan="2" class="headerrow"><h3>Send This Page to a Friend</h3></td>
      </tr>
      <tr>
        <td width="23%">Your Name: </td>
        <td width="77%"><input type="text" name="yname" id="yname" value="<?php echo "$_POST[yname]"; ?>" /></td>
      </tr>
      <tr>
        <td>Your Email:</td>
        <td> <input type="text" name="yemail" id="yemail" value="<?php echo "$_POST[yemail]"; ?>" /> </td>
      </tr>
      <tr>
        <td>Friend's Email: </td>
        <td><input type="text" name="femail" id="femail" value="<?php echo "$_POST[femail]"; ?>" /> </td>
      </tr>
      <tr>
        <td> Comments: </td>
        <td> <textarea name="comments" rows="3" id="comments"><?php echo "$_POST[comments]"; ?></textarea> </td>
      </tr>
      <tr>
        <td> </td>
        <td><input type="submit" id="submit" name="submit" value="Send"></td>
      </tr>
    </table>
    </form>
    <?php
    }

    if ($_POST['submit']) {
      if (($yname=="") || ($femail=="")|| ($yemail=="")) {
        print "<p><strong>Error:</strong> Please complete all of the required form fields.</p>";
        outputform();
      } else {
        if (!eregi("^[a-z0-9]+([-_\.]?[a-z0-9])+@[a-z0-9]+([-_\.]?[a-z0-9])+\.[a-z]{2,4}", $yemail)) {
          print("<p><strong>Error:</strong> your email address is not in a valid format.</p>");
          outputform();
          exit;
        }
        if (!eregi("^[a-z0-9]+([-_\.]?[a-z0-9])+@[a-z0-9]+([-_\.]?[a-z0-9])+\.[a-z]{2,4}", $femail)) {
          print("<p><strong>Error:</strong> your friend's email address is not in a valid format.</p>");
          outputform();
          exit;
        }
        $siteurl=$website."view-".$title."-".$id.".html";
        echo $siteurl;
        $comments = stripslashes($comments);
        $message="$yname is sending you a hilarious funpage \n\n\nCheck this Funpage\n".$siteurl."\n";
        $message=$message."----------------------------------------------------\n";
        $message=$message."Comments from $yname\n";
        $message=$message."$comments\n";
        $message=$message."----------------------------------------------------\n";
        echo $message;
        mail("$femail",$message, "From:$yemail");
        echo "<p class=text><b>Your recommendation to <strong>$femail</strong> has been sent.</b></p>";
      }
    } else {
    ?>
    <?php
      outputform();
    }
    ?>

I'm normally pretty good with sorting out scripts but I haven't got a clue what the guy who made this is doing! Thanks for the help
If you have a web-accessible script that allows arbitrary text ($comments) to be sent to arbitrary email addresses ($femail), it WILL be found by spammers and WILL be used to pump hundreds of thousands of spams to unwitting victims until your hosting account is shut down. At the very least you need to set a length limit on $comments, and defang any URLs or email addresses it contains.

Also the email address regular expressions are bogus:
1) They allow _ in domain names, which is illegal.
2) They don't allow longer TLDs, like '.museum'.
3) They don't allow one-character domain name components, e.g., 'bob@x.ca'.
4) They don't allow characters that are valid (and common) in email addresses, such as '+'.
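
A hardened version of the send step, as an added example that is not part of the thread or the original script: it gives mail() a separate subject (the cause of the message landing in the subject field), caps and defangs the free text as suggested above, and uses filter_var() in place of the eregi() patterns. SITE_FROM, MAX_COMMENT_LEN, the 60-byte name cap, the function names and the sample input are assumptions made for the example.

```php
<?php
// Added example, not the original script. SITE_FROM and MAX_COMMENT_LEN are assumed values.
const SITE_FROM = 'noreply@example.com';   // placeholder sender address owned by the site
const MAX_COMMENT_LEN = 300;               // byte cap on the free-text comment

// Make URLs and email addresses in free text non-clickable.
function defang(string $text): string {
    return str_ireplace(['://', 'www.', '@'], ['[://]', 'www[.]', '[at]'], $text);
}

// Returns [to, subject, body, headers] for mail(), or null if the input is rejected.
function build_recommendation(array $post, string $siteurl): ?array {
    foreach (['yname', 'yemail', 'femail', 'comments'] as $key) {
        if (!is_string($post[$key] ?? null)) return null;   // missing or array-valued field
    }
    $femail = filter_var(trim($post['femail']), FILTER_VALIDATE_EMAIL);
    $yemail = filter_var(trim($post['yemail']), FILTER_VALIDATE_EMAIL);
    if ($femail === false || $yemail === false) {
        return null;   // a validated address cannot contain CR/LF, so it cannot add headers
    }
    // The name goes into the subject: replace control characters (CR/LF included), cap, defang.
    $yname = defang(substr(preg_replace('/[[:cntrl:]]+/', ' ', $post['yname']), 0, 60));
    if (trim($yname) === '') return null;
    $comments = defang(substr($post['comments'], 0, MAX_COMMENT_LEN));

    $subject = "$yname recommends a page";
    $body = "$yname is sending you a funpage\n\n$siteurl\n\n"
          . "Comments from $yname\n$comments\n";
    $headers = 'From: ' . SITE_FROM . "\r\nReply-To: $yemail";
    return [$femail, $subject, $body, $headers];
}

// Constructed sample input; nothing is sent here.
$sample = [
    'yname'    => "AJ\r\nBcc: list@example.net",
    'yemail'   => 'aj+fun@x.ca',
    'femail'   => 'friend@gallery.museum',
    'comments' => 'look at http://www.example.org or mail me@example.org',
];
$mail = build_recommendation($sample, 'http://example.com/view-title-1.html');
var_dump($mail);
// To send: if ($mail !== null) { mail(...$mail); }   // to, subject, message, headers
```

Sending from a fixed site address with the visitor's address in Reply-To keeps visitor input out of the From header.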
lol I knew this script wasn't good but I didn't think it was that bad. Anyone know a good script I can replace this with?