Posted by Alexander Schestag on 07/02/07 23:28
Hi,
Brendan Gillatt wrote:
> On Mon, 2 Jul 2007 14:47:42 +0100, "Geoff" <someone@home.uk> wrote:
>
>> I want to create an on-line form & into one of the text boxes the visitor
>> will enter his email address. So far so good. However, when that form is
>> emailed to me, I want that email address to appear in the "From" field of
>> the email. I know this cannot be done in HTML because the variable cannot
>> be transferred across pages, but can it be done in PHP? Or is there
>> another way of achieving it?
>>
>> Any advice much appreciated and if there are any sample scripts anywhere,
>> even more appreciated.
> $from = $_POST['emailaddress'];
>
> $to = 'someemail@aol.com';
>
> $subject = $_POST['subject'];
>
> mail($to, $subject, $msg, "From: $from\n");
Never, never, never ever do it this way without any proper input
validation! Using $_POST is not enough to validate the values coming
from a form. You should never trust them!
For example, $name should at least be validated this way:
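$val = array(
    '/^[0-9a-zA-Z]+$/',  // allowed pattern: letters and digits only
);
$subject = 'default';  // fallback used when the input is missing or rejected
if (isset($_POST['subject'])) {
    foreach ($val as $k => $v) {
        if (preg_match($v, $_POST['subject'])) {
            $subject = $_POST['subject'];
            break;
        }
    }
}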
Of course, you can define more allowed signs in the array $val. But
then, further input validation might be necessary.
Alex
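
Added example, not part of the original thread: the quoted script with validation applied to both form values before they reach mail(), since the From value is written straight into the message headers. The function names and the 'message' field are assumptions; 'emailaddress', 'subject' and the recipient come from the quoted script.

```php
<?php
// Added example (not the poster's code). Function names and the
// 'message' field are hypothetical.

/** Return a single-line, syntactically valid address, or null. */
function clean_from($raw)
{
    // A CR or LF in a header value would start a new header line.
    if (!is_string($raw) || preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    $addr = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

/** Whitelist check; returns the fallback when the input is rejected. */
function clean_subject($raw, $default = 'default')
{
    // \z anchors at the very end; a plain $ also matches before a
    // trailing newline, which would let "abc\n" through.
    if (is_string($raw) && preg_match('/^[0-9a-zA-Z .,!?-]{1,100}\z/', $raw)) {
        return $raw;
    }
    return $default;
}

function send_form(array $post)
{
    $from = clean_from(isset($post['emailaddress']) ? $post['emailaddress'] : null);
    if ($from === null) {
        return false; // refuse to send rather than guess a sender
    }
    $subject = clean_subject(isset($post['subject']) ? $post['subject'] : null);
    $msg = (isset($post['message']) && is_string($post['message'])) ? $post['message'] : '';
    return mail('someemail@aol.com', $subject, $msg, "From: $from");
}

// Constructed sample inputs, checked without sending any mail.
$samples = array(
    'visitor@example.org',
    "visitor@example.org\r\nBcc: other@example.org",
    'not an address',
);
foreach ($samples as $s) {
    echo json_encode($s), ' => ', clean_from($s) === null ? 'rejected' : 'accepted', "\n";
}
```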