Posted by Gordon Burditt on 06/25/06 03:56
In article <s0vr92595u2t52tncv2h0f822cttrichhc@4ax.com>,
Hoopster <hoops_nospam444@aol.com> wrote:
>Here is my form.
>
>
><form action="http://www.johndoe.com/FormToEmail.php" method="post"
>enctype="multipart/form-data">
><input class="sidebar" value="name" name="user" >
><input class="sidebar" value="email" name="email" > <TEXTAREA
>class=sidebar name=content rows=40 cols=30></TEXTAREA>
><input class="button_sidebar" value="Send" type="submit" >
><input class="button_sidebar" value="Reset" type="reset" >
></form>
>
>
>
>I then have a PHP file called FormToEmail.php
>
>
>It looks like this:
>
>
>$my_email = "johndoe@aol.com";
>
>
>
>
>And some other garbage at the bottom. For some reason my form goes to
>the FormToEmail.php page, but I never get any emails with the data.

If you wish to send mail, you have to actually *WRITE CODE* to *SEND
THE MAIL*. Often this is a call to the PHP mail() function, or
invoking classes to send mail. All the above does is set an unused
variable.

Some security tips:

Never let the PHP use user-supplied or form-supplied values (stuff
from $_GET[], $_POST[], etc.) for mail headers (e.g. Subject:, To:,
From:, etc.) without first ensuring that the value does NOT contain
a carriage return or line feed. Never let the user or form specify
the destination of the email.

Gordon L. Burditt
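
An added example, not part of the original post and not the poster's FormToEmail.php: a handler for the form above that actually calls mail(), keeps the destination fixed in code, and rejects any header-bound value containing a carriage return or line feed. The sender address, the subject text and the helper names `header_safe` and `build_message` are assumptions made for illustration.

```php
<?php
// Added example; field names (user, email, content) come from the form in the question.

// Destination is fixed in code; nothing in the request can change it.
$my_email = "johndoe@aol.com";
// Assumed sender address, for illustration only.
$from_address = "noreply@johndoe.com";

// Return the trimmed value if it is safe to place in a mail header, else null.
function header_safe($value, int $max_len = 100): ?string
{
    if (!is_string($value)) {
        return null; // e.g. user[]=x arrives as an array, not a string
    }
    $value = trim($value);
    // A CR or LF would let the submitter start a new header line.
    if ($value === '' || strlen($value) > $max_len || preg_match('/[\r\n]/', $value)) {
        return null;
    }
    return $value;
}

// Build the arguments for mail(), or return null if the input must be rejected.
function build_message(array $post, string $to, string $from): ?array
{
    $name  = header_safe($post['user'] ?? null);
    $email = header_safe($post['email'] ?? null);
    if ($name === null || $email === null
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $content = is_string($post['content'] ?? null) ? $post['content'] : '';
    // Name and message go in the body only; To and Subject are constants.
    $body = "Name: $name\nEmail: $email\n\n$content";
    $headers = "From: $from\r\nReply-To: $email";
    return [$to, 'Website contact form', $body, $headers];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $msg = build_message($_POST, $my_email, $from_address);
    if ($msg === null) {
        http_response_code(400);
        echo "Invalid input.";
    } elseif (mail(...$msg)) {
        echo "Message sent.";
    } else {
        http_response_code(500);
        echo "Mail could not be sent.";
    }
}
```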