Posted by Denis Gerina on 06/04/07 12:13
thanos wrote:
> Hello,
>
> I'm relatively new to PHP so I found this free contact us script on
> the net that I was going to use for my Contact Us php page. It works
> pretty good except for error handling. I was wondering if anyone can
> help me understand what is missing. I've posted the php files
> below. Contact.php calls the sendemail.php script. This appears to be
> the validation code in the sendemail.php file. But I would like it to
> validate and prefer a pop up box instead on the Contact.php page
> before continuing to the confirmation page (sendemail.php). Any help
> would be appreciated.
>
> Al
>
> <?php
> if(!$visitormail == "" && (!strstr($visitormail,"@") || !
> strstr($visitormail,".")))
> {
> echo "<h2>Use Back - Enter valid e-mail</h2>\n";
> $badinput = "<h2>Feedback was NOT submitted</h2>\n";
> echo $badinput;
> }
> if(empty($visitor) || empty($visitormail) || empty($notes )) {
> echo "<h2>Use Back - fill in all fields</h2>\n";
> }
>
>
>
> ==========================CONTACT.PHP=============================
> <table width="100%" cellpadding="5" border="2">
> <tr><td><form method="post" action="sendemail.php">
> <?php
> $ipi = getenv("REMOTE_ADDR");
> $httprefi = getenv ("HTTP_REFERER");
> $httpagenti = getenv ("HTTP_USER_AGENT");
> ?>
>
> <input type="hidden" name="ip" value="<?php echo $ipi ?>" />
> <input type="hidden" name="httpref" value="<?php echo $httprefi ?>" />
> <input type="hidden" name="httpagent" value="<?php echo $httpagenti ?>" />
>
> Your Name:<br />
> <input type="text" name="visitor" size="35" />
> <br />
> Your Email Address:<br />
> <input type="text" name="visitormail" size="35" />
> <br />
> <br />
> Attention:<br />
> <select name="attn" size="1">
> <option value=" General Support ">General Inquiries </option>
> <option value=" Sales n Billing ">Sales & Billing </option>
> <option value=" Technical Support ">Technical Support </option>
> <option value=" Webmaster ">Webmaster </option>
> </select>
> <br /><br />
> Message:
> <br />
> <textarea name="notes" rows="25" cols="49"></textarea>
> <br />
> <input type="submit" value="Send Mail"/>
> <br />
> </form></td></tr>
> </table>
> ==============================END OF SCRIPT======================
>
> =====================SENDEMAIL.PHP script=========================
> <?php
> $ip = $_POST['ip'];
> $httpref = $_POST['httpref'];
> $httpagent = $_POST['httpagent'];
> $visitor = $_POST['visitor'];
> $visitormail = $_POST['visitormail'];
> $notes = $_POST['notes'];
> $attn = $_POST['attn'];
> ?>
>
> <?php
> if(!$visitormail == "" && (!strstr($visitormail,"@") || !
> strstr($visitormail,".")))
> {
> echo "<h2>Use Back - Enter valid e-mail</h2>\n";
> $badinput = "<h2>Feedback was NOT submitted</h2>\n";
> echo $badinput;
> }
> if(empty($visitor) || empty($visitormail) || empty($notes )) {
> echo "<h2>Use Back - fill in all fields</h2>\n";
> }
>
> $todayis = date("l, F j, Y, g:i a") ;
> $attn = $attn ;
> $subject = $attn;
> $notes = stripcslashes($notes);
> $message = " $todayis [EST] \n
> Attention: $attn \n
> Message: $notes \n
> From: $visitor ($visitormail)\n
> Additional Info : IP = $ip \n
> Browser Info: $httpagent \n
> Referral : $httpref \n";
>
> $from = "From: $visitormail\r\n";
> mail("info@yoursite.com", $subject, $message, $from);
> ?>
>
> <table width=100% cellpadding="10" border="2">
> <tr>
> <th align="center"><h3> Confirmation of Message Sent</h3></th>
> </tr>
> <tr>
> <td>
> <b>IP:</b> <?php echo $ip ?>
> <br />
> <b>Attention:</b> <?php echo $attn ?>
> <br />
> <b>From:</b> <?php echo $visitormail ?>
> <br />
> <b>Date:</b> <?php echo $todayis ?>
> <br />
> <br />
> Thank you <?php echo $visitor ?>, your message has been sent
> successfully. We generally respond to emails within 24-48 hours.
> Thanks for contacting us!
> <br />
> <br />
> </td>
> </tr>
> <tr>
> <td align="center">
> <a href="/index.php"> Home </a>
> </td>
> </tr>
> </table>
> =========================END OF SCRIPT==============================
>

I have briefly gone over the code you posted and there seem to be
several problems with it.

- Email validation could still let an invalid mail go through. Better
  use regexp for this.
- There is nothing to stop the script from executing mail() if the
  validation fails. Basically you just show the error message and merrily
  go about trying to send the mail. A simple yet ugly solution would be to
  insert a die() after an error was encountered.
- Client-side validation, which you seem to be asking for, is usually
  done using JavaScript. However, never rely solely on client-side
  validation as it can be tampered with (or not work at all if the client
  browser has JavaScript turned off). That means while it may be nice of
  you to implement it, you still have to have the server-side validation
  code.

Something I might want to do with your code regarding the user interface
and error checking:

- copy all the $_POST data into $_SESSION if an error occurs, add a
  $_SESSION["error"] = 1 as a flag. Also add a $_SESSION["messages"] with
  all the error messages generated while validating
- do something along the lines of

      header("Location: contact.php");
      die();

  after validation if any of the validation conditions have failed

The validation code might look like:

    session_start(); // required before $_SESSION can be used
    $_SESSION["messages"] = "";
    $errorflag = 0;
    if (!filter_var($visitormail, FILTER_VALIDATE_EMAIL)) // email not valid
    {
        $_SESSION["messages"] .= "Email-invalid<br />";
        $errorflag = 1;
    }
    if (empty($visitor)) // visitor name empty
    {
        $_SESSION["messages"] .= "Visitor name empty!<br />";
        $errorflag = 1;
    }
    /*
    other ifs
    */
    if ($errorflag == 1)
    {
        // keep what the user typed so contact.php can refill the form
        $_SESSION["visitor"] = $visitor;
        $_SESSION["visitormail"] = $visitormail;
        // etc
        $_SESSION["error"] = 1;
        header("Location: contact.php");
        die(); // stop here so mail() is never reached
    }
    // the rest of sendemail.php script

- on contact.php check for existence of $_SESSION["error"], if it is
  there print out the $_SESSION["messages"] error messages on an
  appropriate location. Then use the saved $_POST members to fill the form
  elements so that user does not have to retype everything, i.e. something
  like

      <input type="text" name="visitormail" value="<?php echo htmlspecialchars($_SESSION["visitormail"], ENT_QUOTES); ?>" size="35" />

  and unset the session variables

The code is by no means perfect (not even tested) and it should be used
as a reference to what you may want to do. With something like this
implemented, you may decide to go on and implement client side
validation as well, but you're not dependent on your client actually
supporting it or someone deciding to circumvent it.
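
Added example (not part of the original post or the reply): a server-side check for the posted form fields that decides whether sendemail.php may reach mail() at all, plus escaping for values echoed back into the form. It assumes PHP 7 or later; `validate_contact()`, `form_value()` and the sample submissions are hypothetical names and constructed data.

```php
<?php
// Added example, not code from the thread. Field names follow the posted
// form; validate_contact(), form_value() and the samples are hypothetical.

/** Return a list of error messages; an empty list means the input is acceptable. */
function validate_contact(array $in): array
{
    $errors  = [];
    $visitor = trim($in['visitor'] ?? '');
    $mail    = $in['visitormail'] ?? '';
    $notes   = trim($in['notes'] ?? '');

    if ($visitor === '') { $errors[] = 'Visitor name empty!'; }
    if ($notes === '')   { $errors[] = 'Message empty!'; }

    // The address is interpolated into the "From:" header passed to mail(),
    // so a CR or LF inside it would start a new header line. Reject those
    // explicitly, then use PHP's syntax check instead of looking for "@" and ".".
    if ($mail === '' || preg_match('/[\r\n]/', $mail)
        || filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email invalid';
    }
    return $errors;
}

/** Escape a saved value before echoing it into a value="..." attribute. */
function form_value(array $saved, string $key): string
{
    return htmlspecialchars($saved[$key] ?? '', ENT_QUOTES, 'UTF-8');
}

// Constructed sample submissions (not real traffic).
$samples = [
    'ok'      => ['visitor' => 'Al', 'visitormail' => 'al@example.com', 'notes' => 'Hi'],
    'has @ .' => ['visitor' => 'Al', 'visitormail' => 'a.b@', 'notes' => 'Hi'],
    'crlf'    => ['visitor' => 'Al', 'visitormail' => "al@example.com\r\nX-Test: 1", 'notes' => 'Hi'],
    'markup'  => ['visitor' => '"><b>Al', 'visitormail' => 'al@example.com', 'notes' => ''],
];

foreach ($samples as $label => $post) {
    $errors = validate_contact($post);
    // In sendemail.php this is the point where the session is filled and the
    // script redirects and dies, so mail() runs only when $errors is empty.
    $action = $errors ? 'back to contact.php: ' . implode(', ', $errors) : 'send mail';
    printf("%-8s %s | refill name=\"%s\"\n", $label, $action, form_value($post, 'visitor'));
}
```

The second sample passes the original strstr() test for "@" and "." but is rejected here, and the last one shows the visitor name being escaped before it goes back into the form.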