Posted by joboils on 07/27/06 19:22
On Thu, 27 Jul 2006 16:09:15 +0200, Markus Ernst
<derernst@NO#SP#AMgmx.ch> wrote:
>joboils@spam_less_hotmail.com wrote:
>> I'm trying to get a site to send e-mail containing the values passed
>> from a form.
>>
>> $Query="INSERT INTO $TableName (id, title, firstname, surname, dob,
>> smoker, gender, tel_day, tel_eve, email, insurance, date_added,
>> borrower_type, amount, term, credit_history) VALUES ('', '$title',
>> '$firstname', '$surname', '$dob', '$smoker', '$gender', '$tel_day',
>> '$tel_eve', '$email', '$insurance', curdate(), '$borrower_type',
>> '$amount', '$term', '$credit_history')";
>> $Result=mysql_db_query ($DBName, $Query, $Link);
>>
>> $date=date("jS F Y");
>> mail("admin@domain", "Query from the web site", "$date\nTitle -
>> $title\nFirstname - $firstname\nSurname - $surname\nDate of birth -
>> $dob\nSmoker - $smoker\nGender - $gender\nDay telephone number -
>> $tel_day\nEvening telephone number - $tel_eve\ne-mail -
>> $email\nContact re - $insurance\nBorrower type -
>> $borrower_type\nAmount - $amount\nTerm - $term\nCredit history -
>> $credit_history");
>>
>> The e-mail messages arrive but are missing the variables. (These get
>> filed OK in the database, tho')
>>
>> If a site is on a shared server and phpinfo says register_globals Off,
>> how can I get it to do what I want?
>
>If the values are stored to the database, they are here anyway - so you
>don't seem to have a register_globals problem. Could be a quotes problem
>for example. In order to get more info, I would first compose the body,
>so you can check it with echo or var_dump until your code works:
>
>$body = $date."\nTitle-[...]";
>echo $body;
>mail("admin@domain", "Query from the web site", $body);
>
>Anyway it is a very bad idea to take over a form submission unchecked.
>Always take the values from the $_POST resp. $_GET array, and check them
>for security problems; for example strip all tags out, convert or escape
>quotes, check for possible SQL statements or e-mail headers. Otherwise
>you invite people to hack your database, or to abuse your mail form for
>sending spam.
>
>$inputs = array('title', 'firstname', ...);
>foreach ($inputs as $key) {
>    $$key = '';
>    if (isset($_POST[$key])) {
>        $$key = strip_tags($_POST[$key]);
>        $$key = mysql_escape_string($$key);
>        [...]
>    }
>}
>
>If you do this, you will also find problems with quotes, and your code
>will work regardless of the register_globals setting.
Thanx for your help.
I do, indeed, use strip_tags() before putting scripts into final use.
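A hardened version of the form handler discussed in this thread, added here as an example and not code from either poster. It assumes a PDO connection in `$pdo`, a table named `enquiries` with an auto-increment `id`, and columns matching the original INSERT:

```php
<?php
// Added example (not the poster's code). Assumes $pdo is a PDO connection and
// the table "enquiries" has the same columns as $TableName in the thread.
$fields = ['title', 'firstname', 'surname', 'dob', 'smoker', 'gender',
           'tel_day', 'tel_eve', 'email', 'insurance', 'borrower_type',
           'amount', 'term', 'credit_history'];

// Read every value explicitly from $_POST; this works with register_globals Off.
$in = [];
foreach ($fields as $key) {
    $value = isset($_POST[$key]) ? trim((string) $_POST[$key]) : '';
    // Reject CR/LF anywhere: a newline in a value that later reaches a mail
    // header (e.g. Reply-To) would let the sender append headers of their own.
    if (preg_match('/[\r\n]/', $value)) {
        http_response_code(400);
        exit('Invalid input');
    }
    $in[$key] = strip_tags($value);
}
if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid e-mail address');
}

// Prepared statement: values are bound, never interpolated into the SQL, so
// quotes in the input cannot alter the statement (no mysql_escape_string needed).
$cols  = implode(', ', $fields);
$marks = implode(', ', array_fill(0, count($fields), '?'));
$stmt  = $pdo->prepare("INSERT INTO enquiries ($cols, date_added) VALUES ($marks, CURDATE())");
$stmt->execute(array_values($in)); // $in was filled in $fields order

// Compose the body first, as suggested above, so it can be checked with echo/var_dump.
$labels = ['title' => 'Title', 'firstname' => 'Firstname', 'surname' => 'Surname',
           'dob' => 'Date of birth', 'smoker' => 'Smoker', 'gender' => 'Gender',
           'tel_day' => 'Day telephone number', 'tel_eve' => 'Evening telephone number',
           'email' => 'e-mail', 'insurance' => 'Contact re', 'borrower_type' => 'Borrower type',
           'amount' => 'Amount', 'term' => 'Term', 'credit_history' => 'Credit history'];
$body = date('jS F Y') . "\n";
foreach ($labels as $key => $label) {
    $body .= "$label - {$in[$key]}\n";
}
// Recipient and subject are fixed strings; the only user value placed near a
// header is the validated, newline-free e-mail address used for Reply-To.
mail('admin@domain', 'Query from the web site', $body, "Reply-To: {$in['email']}");
```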