Posted by Markus Ernst on 07/27/06 14:09
joboils@spam_less_hotmail.com schrieb:
> I'm trying to get a site to send e-mail containing the values passed
> from a form.
>
> $Query="INSERT INTO $TableName (id, title, firstname, surname, dob,
> smoker, gender, tel_day, tel_eve, email, insurance, date_added,
> borrower_type, amount, term, credit_history) VALUES ('', '$title',
> '$firstname', '$surname', '$dob', '$smoker', '$gender', '$tel_day',
> '$tel_eve', '$email', '$insurance', curdate(), '$borrower_type',
> '$amount', '$term', '$credit_history')";
> $Result=mysql_db_query ($DBName, $Query, $Link);
>
> $date=date("jS F Y");
> mail("admin@domain", "Query from the web site", "$date\nTitle -
> $title\nFirstname - $firstname\nSurname - $surname\nDate of birth -
> $dob\nSmoker - $smoker\nGender - $gender\nDay telephone number -
> $tel_day\nEvening telephone number - $tel_eve\ne-mail -
> $email\nContact re - $insurance\nBorrower type -
> $borrower_type\nAmount - $amount\nTerm - $term\nCredit history -
> $credit_history");
>
> The e-mail messages arrive but are missing the variables. (These get
> filed Ok in the database, tho')
>
> If a site is on a shared server and phpinfo says register_globals Off,
> how can I get it to do what I want?
If the values are stored to the database, they are here anyway - so you
don't seem to have a register_globals problem. Could be a quotes problem
for example. In order to get more info, I would first compose the body,
so you can check it with echo or var_dump until your code works:
$body = $date."\nTitle-[...]";
echo $body;
mail("admin@domain", "Query from the web site", $body);
Anyway it is a very bad idea to take over a form submission unchecked.
Always take the values from the $_POST resp. $_GET array, and check them
for security problems; for example strip all tags out, convert or escape
quotes, check for possible SQL statements or e-mail headers. Otherwise
you invite people to hack your database, or to abuse your mail form for
sending spam.
$inputs = array('title', 'firstname', ...);
foreach ($inputs as $key) {
    $$key = '';
    if (isset($_POST[$key])) {
        $$key = strip_tags($_POST[$key]);
        $$key = mysql_escape_string($$key);
        [...]
    }
}
If you do this, you will also find problems with quotes, and your code
will work regardless of the register_globals setting.
--
Markus
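The approach Markus describes (read the fields from $_POST, clean them, keep user data out of the mail headers, and compose the body before sending), written out as an added example that is not part of either poster's code. It swaps the mysql_escape_string() step for a mysqli prepared statement; the table name and the connection credentials are placeholders, and the column list follows the original INSERT.

```php
<?php
// Added example: form handling that does not depend on register_globals.
// Assumptions: column names as in the poster's query; table name and
// mysqli credentials are placeholders to be replaced.

$fields = array('title', 'firstname', 'surname', 'dob', 'smoker', 'gender',
                'tel_day', 'tel_eve', 'email', 'insurance', 'borrower_type',
                'amount', 'term', 'credit_history');

function clean_field(string $value): string {
    // Strip HTML and replace control characters: a CR/LF inside a value
    // that reaches a mail header would let a sender append extra headers.
    $value = strip_tags($value);
    $value = preg_replace('/[\r\n\t\0\x0B]/', ' ', $value);
    return trim($value);
}

$values = array();
foreach ($fields as $key) {
    $values[$key] = isset($_POST[$key]) ? clean_field((string) $_POST[$key]) : '';
}

// The address is the value most likely to end up in a header later on:
// accept a single well-formed address or refuse the submission.
if ($values['email'] !== '' && !filter_var($values['email'], FILTER_VALIDATE_EMAIL)) {
    http_response_code(400);
    exit('Invalid e-mail address');
}

// Store with bound parameters instead of interpolating into the SQL string,
// so quotes in the input can no longer break or alter the statement.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$stmt = $db->prepare('INSERT INTO TABLE_PLACEHOLDER (title, firstname, surname, dob, smoker,
    gender, tel_day, tel_eve, email, insurance, date_added, borrower_type, amount, term,
    credit_history) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, CURDATE(), ?, ?, ?, ?)');
$stmt->bind_param(str_repeat('s', 14), ...array_values($values));
$stmt->execute();

// Compose the body first so it can be inspected with echo/var_dump while debugging.
$body = date('jS F Y') . "\n";
foreach ($values as $key => $value) {
    $body .= ucfirst(str_replace('_', ' ', $key)) . ' - ' . $value . "\n";
}

// Fixed recipient and subject; no user-supplied data goes into the headers.
mail('admin@domain', 'Query from the web site', $body);
```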