The Web Design Group

PHP form Echo, ElseIf, Else...
GuessWho
post Jan 13 2010, 02:19 PM
Post #1


Novice

Group: Members
Posts: 26
Joined: 29-December 09
Member No.: 10,714



I really don't know too much about PHP scripting...

I've got a contact form built up so that you enter your Name, your Email, and a Message.. it then sends it to a customer service email address.

I have had it working so that once you click send, it reloads with "Thank you, Your message has been sent." and the form again so that you can send another message if need-be.

What I would like, is for it to reload stating "Some information was missing, Please be sure to fill out your Name, Email, and Message." with the form below it when someone fails to fill out said Name, Email or Message box.


Original Contact page's code:
CODE


<form method="POST" action="index.php?content=mailer">
Name: <input type="text" name="name" size="19">
                  
E-mail: <input type="text" name="email" size="19"><br><br>
Your Message:<br><textarea rows="8" name="message" cols="50"></textarea><br><br>
<input type="submit" value="Send!" name="submit">
</form>




Code in the page "index.php?content=mailer" (aka, mailer.php)
CODE


<?php
if(isset($_POST['submit'])) {

$to = "customerservice@photosbycrosby.com";
$subject = "PhotosByCrosby.com Message";
$name_field = $_POST['name'];
$email_field = $_POST['email'];
$message = $_POST['message'];
$body = "From: $name_field\n E-Mail: $email_field\n Message:\n $message";


echo'<p>Thank you, Your message has been sent.<br>
<form method="POST" action="index.php?content=mailer">
Name: <input type="text" name="name" size="19">
                  
E-mail: <input type="text" name="email" size="19"><br><br>
Your Message:<br><textarea rows="8" name="message" cols="50"></textarea><br><br>
<input type="submit" value="Send Another!" name="submit">
</form>
            <br>
            <strong>E-mail : </strong><a href="mailto:CustomerService@Photosbycrosby.com">CustomerService@photosbycrosby.com</a>
               <br><strong>Mailing Address : </strong>PO Box 1271, Silverton, OR 97381
            <br><strong>Phone : </strong>(503) 559-9341
</p>';
mail($to, $subject, $body);
}  


elseif (empty($name_field) || empty($email_field) || empty($message))  {
echo'<p>Some information was missing, Please be sure to fill out your Name, Email, and Message.<br>
<form method="POST" action="index.php?content=mailer">
Name: <input type="text" name="name" size="19">
                  
E-mail: <input type="text" name="email" size="19"><br><br>
Your Message:<br><textarea rows="8" name="message" cols="50"></textarea><br><br>
<input type="submit" value="Try again!" name="submit">
</form>
            <br>
            <strong>E-mail : </strong><a href="mailto:CustomerService@Photosbycrosby.com">CustomerService@photosbycrosby.com</a>
               <br><strong>Mailing Address : </strong>PO Box 1271, Silverton, OR 97381
            <br><strong>Phone : </strong>(503) 559-9341
</p>';
}


?>



The mailer itself works...
but when I test the "elseif" by leaving the email address blank, it still loads the first echo statement. (Thank you, Your message has been sent.)









Edit:
Played around with it for another hour or so, I think I've got it now...

(Changed elseif to simply if, and put the If statement above the normal echo (and made that an else statement))

CODE
<?php
if(isset($_POST['submit'])) {

$to = "customerservice@photosbycrosby.com";
$subject = "PhotosByCrosby.com Message";
$name_field = $_POST['name'];
$email_field = $_POST['email'];
$message = $_POST['message'];
$body = "From: $name_field\n E-Mail: $email_field\n Message:\n $message";

if (empty($name_field) || empty($email_field) || empty($message))  {
echo'<p>Some information was missing, Please be sure to fill out your Name, Email, and Message.<br>
<form method="POST" action="index.php?content=mailer">
Name: <input type="text" name="name" size="19">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
E-mail: <input type="text" name="email" size="19"><br><br>
Your Message:<br><textarea rows="8" name="message" cols="50"></textarea><br><br>
<input type="submit" value="Try again!" name="submit">
</form>
            <br>
            <strong>E-mail : </strong><a href="mailto:CustomerService@Photosbycrosby.com">CustomerService@photosbycrosby.com</a>
               <br><strong>Mailing Address : </strong>PO Box 1271, Silverton, OR 97381
            <br><strong>Phone : </strong>(503) 559-9341
</p>';
}



// braces are needed here: without them only the echo belongs to the else,
// and mail() would still run when fields were missing
else {
echo'<p>Thank you, Your message has been sent.<br>
<form method="POST" action="index.php?content=mailer">
Name: <input type="text" name="name" size="19">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
E-mail: <input type="text" name="email" size="19"><br><br>
Your Message:<br><textarea rows="8" name="message" cols="50"></textarea><br><br>
<input type="submit" value="Send Another!" name="submit">
</form>
            <br>
            <strong>E-mail : </strong><a href="mailto:CustomerService@Photosbycrosby.com">CustomerService@photosbycrosby.com</a>
               <br><strong>Mailing Address : </strong>PO Box 1271, Silverton, OR 97381
            <br><strong>Phone : </strong>(503) 559-9341
</p>';
mail($to, $subject, $body);
}
}
?>


I didn't know you could stack If statements like that...

if(isset($_POST['submit'])) {
then
if (empty($name_field) || empty($email_field) || empty($message)) {
inside it...

This post has been edited by GuessWho: Jan 13 2010, 03:14 PM
Brian Chandler
post Jan 14 2010, 01:51 AM
Post #2


Jocular coder

Group: Members
Posts: 2,460
Joined: 31-August 06
Member No.: 43



Yes, you can "stack" statements like anything. That's the whole point. (One of the major social problems of our time is that this is totally beyond most of the people who study things like law...)

Anyway, your first "if" is meaningless, since it just asks if the submit argument is set; the submit argument _must_ be set, or the form would never have been submitted.

But you should test for missing things first, and in that case send back the form without firing off an email. (It's also a smart thing to check them in javascript too, to give immediate feedback.)

Also notice that this form is totally open as a spam relay. All I need to do is send my spam in the 'message' argument, and send "My real name<newline>cc: Spamvictim" in the 'name' argument, and your form will send a copy of the spam to Spamvictim.

Did you write the script yourself?
GuessWho
post Jan 14 2010, 08:53 AM
Post #3


Novice

Group: Members
Posts: 26
Joined: 29-December 09
Member No.: 10,714



Alright, I see what you're saying about the first If statement being redundant, got rid of that...

It should be checking for missing items first at this point, Then the "Else" is the one that sends the email.
What do you mean by checking them in JavaScript as well? A JavaScript statement that checks for missing items at the same time the PHP does?
Edit: Just added that in, Thanks for the suggestion, I like it.

how do I go about preventing it from being "totally open as a spam relay"?

yeah I wrote most of it out, Googling how to do things and making those elements work for me.
I'm really a novice when it comes to this stuff.

This post has been edited by GuessWho: Jan 14 2010, 09:19 AM
GuessWho
post Jan 14 2010, 10:52 AM
Post #4


Novice

Group: Members
Posts: 26
Joined: 29-December 09
Member No.: 10,714



alright, So I found all of this :


Checks for a valid email address (or at least something with an @something.com...)
Then checks for various items such as the bcc and cc...
Assures that POST was used to get to that page (isn't that what you said was redundant?)


(I think I understand the Function of most of this... but It was mostly a copy/paste)
CODE

// Loose syntax check only: the unescaped "+-/" inside the character class is a
// range, so it also admits "," and "-" in the local part
function is_valid_email($email) {
  return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
}

// Header keywords that a mail-injection attempt would need to smuggle into a field
function contains_bad_str($str_to_test) {
  $bad_strings = array(
    "content-type:",
    "mime-version:",
    "multipart/mixed",
    "content-transfer-encoding:",
    "bcc:",
    "cc:",
    "to:"
  );
  $lowered = strtolower($str_to_test);
  foreach($bad_strings as $bad_string) {
    // eregi() was deprecated in PHP 5.3 and removed in PHP 7; a case-insensitive
    // substring test gives the same result
    if(strpos($lowered, $bad_string) !== false) {
      echo "$bad_string found. Suspected injection attempt - mail not sent.";
      exit;
    }
  }
}

// A CR or LF inside a header field is what lets extra headers be appended
function contains_newlines($str_to_test) {
   if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
     // escape the submitted value before echoing it back to the browser
     echo "newline found in " . htmlspecialchars($str_to_test) . ". Suspected injection attempt - mail not sent.";
     exit;
   }
}

if($_SERVER['REQUEST_METHOD'] != "POST"){
   echo("Unauthorized attempt to access page.");
   exit;
}

// $email, $subject and $body are the variables filled from $_POST earlier in the page
if (!is_valid_email($email)) {
  echo 'Invalid email submitted - mail not sent.';
  exit;
}

contains_bad_str($email);
contains_bad_str($subject);
contains_bad_str($body);   // was contains_bad_str(body): the "$" was missing

contains_newlines($email);
contains_newlines($subject);




Also, I added this as the JavaScript to check for empty (required...) fields.

CODE

<script language="JavaScript" type="text/javascript">
function checkform ( form )
{
  if (form.name.value == "") {
    alert( "Please enter your name." );
    form.name.focus();
    return false;
  }
   if (form.email.value == "") {
    alert( "Please enter your email address." );
    form.email.focus();
    return false;
  }
   if (form.subject.value == "") {
    alert( "Please enter a subject." );
    form.subject.focus();
    return false;
  }
  return true;
}
</script>




How can I check to see if the Spam prevention codes are working?
Also, at the moment if the email is not valid, it 'echo's... is it possible to change that to an alert like the empty fields do? I couldn't figure that one out.

This post has been edited by GuessWho: Jan 14 2010, 10:57 AM
Brian Chandler
post Jan 15 2010, 04:47 AM
Post #5


Jocular coder

Group: Members
Posts: 2,460
Joined: 31-August 06
Member No.: 43



QUOTE
How can I check to see if the Spam prevention codes are working?


Make a test page with a form that submits either prepared strings as 'hidden' parameters, or use a textarea to submit newlines. The biggest step forward is just to check for no newlines (\n, \r, etc... check the docs) in the submitted bits, other than the body.

Also be untrusting of functions claimed to check for a valid email. The rules are so convoluted it's almost impossible to avoid false positives, but checking for no whitespace is a good start.

QUOTE
Also, at the moment if the email is not valid, it 'echo's... is it possible to change that to an alert like the empty fields do? I couldn't figure that one out.


The test for a "valid" email is happening on your server, so it can't do a javascript 'alert', can it?
GuessWho
post Jan 17 2010, 04:04 PM
Post #6


Novice

Group: Members
Posts: 26
Joined: 29-December 09
Member No.: 10,714



I guess I'm not hacker material... I'm not understanding how to test it.

I've got my Name, Email, Subject fields which I am understanding are venerable. But I send one
Name: Jon $to: "mypersonalemail@yahoo.com"
Email: example@example.com
Subject: Test
message:Testing Spam
1copy PBC
1copy personal



company email received:

From: Jon $to =\"mypersonalemail@yahoo.com\"
E-Mail: example@example.com
Shipping Address:
Phone #:
Message: Testing Spam
1copy PBC
1copy personal


Personal email did not get anything.

From: Jon $to =\"mypersonalemail@yahoo.com\"

To me, looks like it is auto blocking the $to function... yes?


(Code right now is)
CODE

<?php {
$to = "customerservice@photosbycrosby.com";
$subject = $_POST['subject'];
$name = $_POST['name'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$address = $_POST['address'];
$message = $_POST['message'];



function is_valid_email($email) {
  return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
  }





$body = "From: $name\n E-Mail: $email\n Shipping Address: $address\n Phone #: $phone \n Message: $message";

if (empty($name) || empty($email) || empty($message) || empty($subject))  {
echo' . . .
. . .
. . .

which should simply be verifying a valid email and doing nothing else correct?
Brian Chandler
post Jan 18 2010, 03:24 AM
Post #7


Jocular coder

Group: Members
Posts: 2,460
Joined: 31-August 06
Member No.: 43



Above I said

QUOTE
...my spam in the 'message' argument, and send "My real name<newline>cc: Spamvictim" in the 'name' argument, ...


So call it with a form that includes

<form ...>
<input type=hidden name=name value="Brian Chandler\rcc: victim@spam.address">
...
</form>

and see what this does.

(Sorry, I really can't understand your bit at the top with text strings including '$to'; we need to be able to see the php program, not just its output. And it took me ages to guess that "venerable" (aged, or respected) means "vulnerable"...?)
GuessWho
post Jan 19 2010, 02:55 PM
Post #8


Novice

Group: Members
Posts: 26
Joined: 29-December 09
Member No.: 10,714



QUOTE(Brian Chandler @ Jan 18 2010, 01:24 AM)

Above I said

QUOTE
...my spam in the 'message' argument, and send "My real name<newline>cc: Spamvictim" in the 'name' argument, ...



This should now be blocked by:
CODE
$spamerror = "<p>Something within your message was not permitted </p><p><a href='javascript:history.go(-1)'>Click here to go back and Try again</a>.</p>";
// every pattern is searched in all fields at once, including the message body, so a
// message that merely contains "http" or "to:" is rejected as well
if (preg_match("/http/i", "$name, $email, $subject, $phone, $address, $message")) {echo "$spamerror"; exit();}
if (preg_match("/cc:/i", "$name, $email, $subject, $phone, $address, $message")) {echo "$spamerror"; exit();}
if (preg_match("/bcc:/i", "$name, $email, $subject, $phone, $address, $message")) {echo "$spamerror"; exit();}
if (preg_match("/to:/i", "$name, $email, $subject, $phone, $address, $message")) {echo "$spamerror"; exit();}

yes?




QUOTE(Brian Chandler @ Jan 18 2010, 01:24 AM)

So call it with a form that includes

<form ...>
<input type=hidden name=name value="Brian Chandler\rcc: victim@spam.address">
...
</form>

and see what this does.

I guess I don't understand what this is doing.
Are you saying create a new form in my page coding with that?
If I've created a form that has that value, then sure it will send to victim@spam.address. But how would someone that isn't editing the page create that form?
They would have to place all of that into one of the open text fields, yes? (in which case, the above code I've added should block the "cc:" part of your line..?)





QUOTE(Brian Chandler @ Jan 18 2010, 01:24 AM)

(Sorry, I really can't understand your bit at the top with text strings including '$to'; we need to be able to see the php program, not just its output. And it took me ages to guess that "venerable" (aged, or respected) means "vulnerable"...?)

My bad... I can't spell worth a hoot and Google's "Did you mean" only does so much! hah.
Darin McGrew
post Jan 19 2010, 05:56 PM
Post #9


WDG Member

Group: Root Admin
Posts: 8,365
Joined: 4-August 06
From: Mountain View, CA
Member No.: 3



In general, it's safer to test that the data matches what you expect, than to test that the data doesn't match the things you know will cause problems.

QUOTE
Are you saying create a new form in my page coding with that?
That would be one way to test the security of your form-handling script, yes.

QUOTE
If I've created a form that has that value, then sure it will send to victim@spam.address. But how would someone that isn't editing the page create that form?
Nothing prevents crackers from creating a new form and submitting its data to your form-handling script.
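One handler that puts the advice in this thread together (Brian's header-injection warning in post #2, his "prepared strings" test in post #5 and Darin's point in post #9 about checking that data matches what you expect), as an added example that is not code from the thread. It assumes PHP 7 or later; the function names, the fixed noreply sender and the .invalid addresses are placeholders chosen for the example.

```php
<?php
// Added example (not code from this thread): check every field against what is expected,
// then send with a fixed From header. Assumes PHP 7+; .invalid addresses are placeholders.

function validate_contact(array $post): array {
    $fields = [];
    foreach (['name', 'email', 'subject', 'message'] as $key) {
        $fields[$key] = trim((string)($post[$key] ?? ''));
    }
    $errors = [];
    // name and subject end up in mail headers: allow no control characters (CR, LF, NUL),
    // so "Name\r\ncc: victim" from the thread cannot start a new header line.
    foreach (['name', 'subject'] as $key) {
        if ($fields[$key] === '' || strlen($fields[$key]) > 100
            || preg_match('/[\x00-\x1F\x7F]/', $fields[$key])) {
            $errors[] = "$key is missing, too long or contains control characters";
        }
    }
    // PHP's own validator instead of a hand-written regex; it also rejects whitespace and newlines.
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($fields['message'] === '' || strlen($fields['message']) > 5000) {
        $errors[] = 'message is missing or too long';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'fields' => $fields];
}

function send_contact(array $fields, string $to): bool {
    // From is always our own fixed address; the visitor's address is only used as
    // Reply-To, and only after validate_contact() accepted it.
    $headers = "From: Website Contact Form <noreply@example.invalid>\r\n"
             . "Reply-To: {$fields['email']}\r\n";
    $body = "From: {$fields['name']}\nE-Mail: {$fields['email']}\nMessage:\n{$fields['message']}";
    return mail($to, $fields['subject'], $body, $headers);
}

// Constructed submissions, the "prepared strings" test Brian suggests: only the clean one passes.
function self_test(): array {
    $good = ['name' => 'Jon', 'email' => 'jon@example.invalid', 'subject' => 'Test', 'message' => 'Testing'];
    $injected = $good;
    $injected['name'] = "Jon\r\ncc: victim@spam.address";
    $bad_email = $good;
    $bad_email['email'] = "jon@example.invalid\nbcc: victim@spam.address";
    return ['good' => validate_contact($good)['ok'],
            'injected' => validate_contact($injected)['ok'],
            'bad_email' => validate_contact($bad_email)['ok']];
}

if (PHP_SAPI === 'cli') { var_export(self_test()); }
```

In the page handler, call validate_contact($_POST) and only call send_contact() when the returned 'ok' is true, echoing the errors through htmlspecialchars() otherwise.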
