Posted by shimmyshack on 02/28/07 21:23
On 28 Feb, 20:11, "r...@chaparralboats.com" <r...@chaparralboats.com>
wrote:
> On Feb 28, 2:53 pm, "Steve" <no....@example.com> wrote:
>
>
>
> > "J.O. Aho" <u...@example.net> wrote in message
>
> >news:54m4nlF20pf52U1@mid.individual.net...|Steve wrote:
> > | > <r...@chaparralboats.com> wrote in message
>
> > |
> > | > | project abandoned, I guess b/c of spammers and people with skills like
> > | > | steve you just can't setup an easy email form anymore. And steve you
> > | > | did open my eyes to what could happen, thanks, but you didn't really
> > | > | offer any help other than saying that my validation could be FAR more
> > | > | graceful. It validated fine for me. And about spreading my sites ass
> > | > | wide open. I wouldn't want that to happen.
> > | >
> > | > project abandoned?!!! do you always give up if something is too
> > complicated
> > | > or may take some work to understand and then address?
> > | >
> > | > yes, it is painfully easy to set up an email form. easy, though being a
> > | > wholly relative term, enough to be handled in a few lines of
> > code...which i
> > | > DID provide, if you'd check the thread again!
> > |
> > | He did expect a fully finished code, but we didn't provide one ;)
>
> > ;-)
>
> man you guys are killin me. I didn't expect a fully finished code but
> don't get mad at me when you respond and I have no clue what it was
> that you were trying to tell me.
>
> Steve, the ok.htm, error.htm and er.htm pages are not even built yet.
> I wanted to at least get the code working first before I built those
> pages. No I won't give the user a chance to review their info. Right
> now I'm just looking at the url to see if it went through or not.
> the difference in the er.htm and the error.htm are just so I could see
> where in the code it was getting kicked back.
>
> Listen guys, I'm a total newbie at php. This is the first script of
> php I've ever written (as I'm sure it shows) so you responding by:
> $emailInput = array($to, $from, $cc, $bcc, $subject, $message);
> $injections = array('to', 'from', 'cc', 'bcc');
> // iterate by reference, otherwise the cleaned value is written to a copy
> foreach ($emailInput as &$input)
> {
>   foreach ($injections as $injection)
>   {
>     // strip any injected "To: / From: / Cc: / Bcc: ..." header line
>     $input = preg_replace("/\n?" . $injection . "\s*?:.*?\n/i", '', $input);
>   }
> }
> unset($input);
>
> just confuses the hell out of me. I have no idea what that does and
> how it does it. You gave me no explanation other than... "something
> like this is a far more appropriate step: "
>
> Now I don't expect you to hold my hand and I don't expect you to give
> me a copy of the finalized code. That wouldn't help b/c I would still
> not have a clue as to what was going on. But please, I came on here
> asking for help or suggestions and you bashing my ignorance of php
> (which I've admitted) is not really helping me out any at all,
> actually it's just making me feel more like shit b/c I've been sitting
> here looking at this code for two days now and I've tried everything
> that I know of to make this work. You guys have addressed security
> concerns (that I wasn't totally aware of, so thank you) but we still
> haven't even gotten my code to work..... So really I'm in the same
> place I was yesterday morning except now I know I have to beef up the
> security in my code AND still get it to work in the first place.
>
> I appreciate your help I really do, but don't get pissed at me if I
> don't fully understand what you are trying to tell me.
I still think phpmailer is your best bet. I tried to be kind by saying
that the mistake you made was a typical one, and so if you want to get
up and running from zero to hero with all the validation and
everything built in, go for phpmailer, which has examples, and a dead
easy implementation.
So much for building and sending the email.
Now just to check for weird stuff, many places in the "mail" part of
the manual have preg_replace functions you can use to validate email
addresses. So that you can just copy and paste.
Then Steve's idea about showing the user what will be sent is good.
The easiest way for you would be to make the html form called form.php
point to a .php script which just validates the email address, and if
everything's fine puts the various cleaned $_POST values into a
$_SESSION array using the same names.
session_start();
//validate the email and clean the input using strip_tags() or whatever
$email = (isset($_POST['email']) && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) !== false)
    ? $_POST['email'] : '';
$name = (isset($_POST['name']) && strip_tags($_POST['name']) == $_POST['name'])
    ? strip_tags($_POST['name']) : '';
//strip_tags isn't really quite the right way, there are better ways, but
//it does kill the html that some trickster might shove in there, so it
//will stop them without looking pretty.
//etc...
$_SESSION['email'] = $email;
$_SESSION['name'] = $name;
//check all is present and correct.
$arrRequired = array('email', 'name');
//if stuff is not ok or not present then redirect to previous html form
for ($i = 0; $i < count($arrRequired); $i++)
{
    if (${$arrRequired[$i]} == '')
    {
        header('Location: http://server.com/form.php');
        exit;
    }
}
//everything present and correct: go to the preview
header('Location: http://server.com/preview.php');
exit;
now in form.php at the top you have session_start() before anything
else
and your inputs say this
<input name="email" id="email" value="<?php echo
(isset($_SESSION['email'])&&$_SESSION['email']!='')?
htmlspecialchars($_SESSION['email']):''; ?>" />
etc...
this way whenever you redirect to your form, it will fill itself in,
if the user typed anything, but if they type crap with html or other
script in a particular field it will blank on redirect.
If everything worked out then preview.php is just exactly like form but
there's no way to edit it. There can be displayed info paragraph by
paragraph
//right at top have the call to session_start();
<?php
session_start();
if( isset($_POST['send']) and $_POST['send']=='send')
{
//$msg = '';
//grab the session vars, include phpmailer class
//plugin the values from the session and send.
//get back the result of the send from phpmailer and throw it into a $msg string
//print out the result of sending the message (or not)
//echo '<html><p>'.$msg.'</p></html>';
exit;
}
?>
<html>
<p>Name: <?php echo htmlspecialchars($_SESSION['name']); ?></p>
<p>Email: <?php echo htmlspecialchars($_SESSION['email']); ?></p>
</html>
Now somewhere in that page you have a teeny form
<form action="preview.php" method="post">
<input type="hidden" name="send" value="send" />
<input type="submit" value="submit" />
</form>
<a href="form.php">oops i need to edit something</a>
then if the person hits send great, if not then they can go back to
form.php to carry on
I mean it isn't as pretty as sunset on the seashore, but it gets the
job done, and it's a beginning.
To prevent abuse, you could bolt on one of the many free captcha
routines out there, and place it within preview.php at the top, the
basic idea being that the server generates a unique string, say
"hEllo1" and saves it as an image and in the session say
$_SESSION['captcha'] = "hEllo1";. The server then outputs the form
with submit on it, which also contains another input of type text
alongside the server generated image.
<p>type in the text from the image here: <input type="text"
name="captcha_text" value="" /></p>
The user has to type in the string they see in the image, and then hit
submit; the server then doesn't just check for the value $_POST['send']
== 'send' but checks to see whether the value for the string it has
in $_SESSION['captcha']==$_POST['captcha_text']. If it is, the user is
probably human; if not then generate a new image, store _that_ in the
$_SESSION['captcha'] and repeat the preview form. You can
implement a $_SESSION['i'] counter that starts off at 5 and works its
way to 0; when it is 0 then the session is destroyed and the IP
logged, the user getting warned along the way.
I once again apologise for the rubbish quality of this code, but it
is a start; you or others are welcome to criticise it :) I would say
that I'm trying to hold a conversation as well, by way of explanation
+ coffee + blah, but then you would just know that I am incapable of
doing those things taken together, AND that I have too big an opinion
of my abilities or don't know where my limits are.
Probably guilty as charged on both counts anyway.
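As an added example that is not part of this post or of the thread, here is the validate / preview / send flow sketched above, in PHP, with the header-injection check from the code quoted earlier folded into the validation step. The function names, the `random_bytes()`-based replacement challenge, and the constructed inputs are my assumptions; no mail is sent and the session is passed in as a plain array so the script runs from the CLI rather than needing a web request.

```php
<?php
// Added example, not code from the thread: the validate -> session -> preview
// -> send flow with a header-injection check and the CAPTCHA countdown.

// A CR or LF in a value destined for a mail header lets an attacker append
// "Bcc:" or extra recipients to the message, so refuse such values outright.
function has_header_injection(string $value): bool
{
    return (bool) preg_match('/[\r\n]/', $value);
}

// Validate and clean the posted fields.
// Returns ['ok' => bool, 'clean' => [...], 'errors' => [...]].
function validate_contact(array $post): array
{
    $errors = [];
    $clean  = [];

    $email = trim($post['email'] ?? '');
    if (has_header_injection($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid email address';
    } else {
        $clean['email'] = $email;
    }

    // Name: blank it if strip_tags() would change it, as the post suggests,
    // so a value carrying HTML never reaches the preview page at all.
    $name = trim($post['name'] ?? '');
    if ($name === '' || strip_tags($name) !== $name || has_header_injection($name)) {
        $errors['name'] = 'name missing or contains markup';
    } else {
        $clean['name'] = $name;
    }

    // The body is not a header, so newlines are fine here.
    $message = trim($post['message'] ?? '');
    if ($message === '') {
        $errors['message'] = 'message required';
    } else {
        $clean['message'] = $message;
    }

    return ['ok' => $errors === [], 'clean' => $clean, 'errors' => $errors];
}

// Escape before echoing a session value into HTML so preview.php cannot be
// turned into a reflected-XSS page by whatever the user typed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// CAPTCHA check with the countdown the post describes. $session stands in
// for $_SESSION (passed by reference so the demo runs outside a request).
// Returns 'ok', 'retry' or 'locked'.
function check_captcha(array &$session, string $typed): string
{
    $session['i'] = $session['i'] ?? 5;
    if (isset($session['captcha']) && hash_equals($session['captcha'], $typed)) {
        unset($session['captcha']);
        $session['i'] = 5;
        return 'ok';
    }
    $session['i']--;
    if ($session['i'] <= 0) {
        $session = [];   // stands in for session_destroy(); log the client IP here
        return 'locked';
    }
    // Fresh challenge for the retry; a real site would render it as an image.
    $session['captcha'] = bin2hex(random_bytes(3));
    return 'retry';
}

// Constructed inputs: the second carries a header-injection payload and markup.
$good = ['email' => 'alice@example.com', 'name' => 'Alice', 'message' => "Hi\nthere"];
$bad  = ['email' => "alice@example.com\r\nBcc: someone@example.net",
         'name'  => '<b>Alice</b>', 'message' => ''];

var_dump(validate_contact($good)['ok']);
print_r(validate_contact($bad)['errors']);

$session = ['captcha' => 'hEllo1', 'i' => 5];
echo check_captcha($session, 'wrong'), "\n";
echo check_captcha($session, $session['captcha']), "\n";

// How preview.php would show a cleaned value:
$clean = validate_contact($good)['clean'];
echo '<p>Name: ' . h($clean['name']) . "</p>\n";
```

Run it with `php flow.php`. The first input validates, the second is rejected on all three fields, and the CAPTCHA call sequence returns a retry followed by an ok. Note that `hash_equals()` is used for the CAPTCHA comparison so the check does not leak timing information, and that the header check is deliberately applied to the name as well as the address, since both end up in a `From:` line.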