Posted by ianbarton on 09/19/06 10:44
Thanks Erwin for your reply.

I know nothing about PHP but since I started this exercise I have
become a little, just a little, more familiar with this particular
function. Unfortunately I wouldn't know enough to know whether it is
good or bad code, so I will have to take your word for that.

In your reply you state "No, you want to put there the from address.
Since this script automatically sends the email, you'll have to tell it
what the from-field is. Most probably you can put in there any valid
email address you own, like: info@adam.com"

The email address that I want to put in there is that which is supplied
in the feedback form field I have titled "UserEmail". The trouble is I
don't know what the syntax is to do this. I have tried many variations
(e.g.):

$header .= "From: Web Form <UserEmail>\n";
$header .= "From: <UserEmail>\n";
$header .= "From: 'UserEmai'l>\n";
$header .= "From: <$UserEmail>\n";
$header .= "From: $UserEmail\n";

Am I trying to do something that just isn't possible in PHP? I have
done this in ASP on another webpage but I can't get it to work here.

Regards

Erwin Moller wrote:
> ianbarton@adam.com.au wrote:
>
> > Hello all
> >
> > I am trying to setup a feedback form on my webpage using some script
> > provided by my ISP. I really don't know a lot about PHP and its syntax
> > etc.
> >
> > The feedback form only has 4 fields. These are UserName, UserEmail,
> > UserCountry & Comments. It works well with all of those fields
> > appearing in the body of an email that is sent to me. What I would now
> > like is for the UserEmail field to appear in the "From:" field in the
> > header rather than only in the body of the email.
> >
> > There is a line in the script that says:-
> > $header .= "From: Web Form <email@yourbusiness.com.au>\n";
> >
> > I suspect I need to somehow place the UserEmail string in here somehow
> > but I don't know how to do it. Is it possible to do what I want?
>
> No, you want to put there the from address.
> Since this script automatically sends the email, you'll have to tell it what
> the from-field is.
> Most probably you can put in there any valid email address you own, like:
> info@adam.com
>
>
> >
> > Here is the script of the formmail.php file I am using. I have inserted
> > my email address at the point where it says to and I have created a
> > "confirm.htm" webpage.
> >
> > <?
> > # Adam Internet PHP Form Mailer v1.3
> > # By John Edwards, Copyright September 2005.
> > # Mail all variables to:
> >
> > $to='email@yourbusiness.com.au'; ###I have inserted my email address
> > here ####
> > $domain = 'yourbusiness.com.au'; ### I don't have a business domain
> > name ####
>
> Use the one of your ISP.
> For example, if you host your site at: www.xs4all.nl/~adam you are in domain
> x4all.nl, or maybe www.xs4all.nl
>
>
>
> >
> > while(list($key,$val) = each($HTTP_POST_VARS))
> > {
> >
> > $val = str_replace(chr(10),"",$val);
> > $val = str_replace(chr(13),"",$val);
> > $formmessage .= "$key = $val\n";
> > }
>
> This part cleans up some header-injection hackattack.
> It also removes any newlines from the content of the mail.
>
>
> >
> > if(
> >
> > $formmessage # If we have content
> > && 'POST' == $_SERVER['REQUEST_METHOD'] # If the message is being
> > posted
> > && strstr(strtolower($_SERVER['HTTP_USER_AGENT']),'mozilla') # If the
> > user agent contains mozilla
> > && strstr($_SERVER['HTTP_REFERER'], $domain) # If the referrer is us
> > && !strstr($formmessage,"Content-Type") # Don't send XSS attempt
> > )
>
>
> This is a really old and bad piece of code.
> It uses $formmessage and I expect that it is NOT filled before like:
> $formmessage = $_POST["formmessage"];
>
> If you are new to PHP, this is difficult to explain.
> I just say it is old and will not work on a modern PHP install.
>
>
> > {
> >
> > # Message is ok!
> > }
> > else
> > {
> >
> > die("This request looked like a XSS attempt. Stopped");
> > }
> >
> > # Reset the From: address for a neater look
> > $header .= "From: Web Form <email@yourbusiness.com.au>\n";
> > # If there's an email element, use it for reply-to
> > if ($email)
> > {
> >
> > $header .= "Reply-To: $email\n";
> > }
> >
> > # Log the IP Address of the sender.
> > if($HTTP_X_FORWARDED_FOR)
> > {
> >
> > $header .= "X-Originating-IP: $HTTP_X_FORWARDED_FOR via
> > $REMOTE_ADDR\n";
> > }
> > else
> > {
> >
> > $header .= "X-Originating-IP: $REMOTE_ADDR\n";
> > }
> >
> > mail($to,"Web Form Details",$formmessage,$header);
>
> That is the actual mailfunction.
> Go to www.php.net and look up mail for more information.
>
> > header("Location: confirm.htm"); ## I have inserted the full URL for my
> > confirm page here ##
> >
> > ?>
>
>
> I don't like the script at all. It was probably published years ago.
> Just go to www.php.net and look up the mail function.
>
> Regards,
> Erwin Moller
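
An added example, not part of the thread or of the ISP's script: one way to use the form's UserEmail value in the mail headers on a current PHP install. It assumes the field arrives as `$_POST['UserEmail']` and keeps a site-owned From address (the placeholder `webform@example.com`) with the visitor's address in Reply-To, as the original script does with `$email`; the function names are made up for this example.

```php
<?php
// Added example. SITE_FROM is a placeholder for an address the site owns.
const SITE_FROM = 'webform@example.com';

// Return a validated address, or null if it must not go into a header.
function clean_email(?string $raw): ?string
{
    // A CR or LF would start a new header line (header injection),
    // so reject the value outright instead of stripping characters.
    if ($raw === null || preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Build the extra headers for mail(): fixed From, visitor in Reply-To.
function build_headers(?string $userEmail): string
{
    $headers = ['From: Web Form <' . SITE_FROM . '>'];
    $email = clean_email($userEmail);
    if ($email !== null) {
        $headers[] = 'Reply-To: ' . $email;
    }
    return implode("\r\n", $headers);
}

// Constructed sample inputs standing in for $_POST['UserEmail'].
$samples = [
    'visitor@example.org',
    "visitor@example.org\r\nBcc: other@example.net",
    'not an address',
];
foreach ($samples as $value) {
    echo json_encode($value), "\n", build_headers($value), "\n\n";
}

// In the form handler the call would look like this:
// mail($to, 'Web Form Details', $formmessage,
//      build_headers($_POST['UserEmail'] ?? null));
```

Only the first sample produces a Reply-To line; the other two fall back to the From header alone, so the message is still delivered without the untrusted value.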