This basic PHP script consists of two parts:
the Contact Form and the Thank You page.
First of all, you need to construct your contact form. The
HTML code should start with the following...

    <form method="POST" action="thanks.php">

The method attribute indicates that the submitted data are
sent in the body of the request rather than appended to the
URL. The most important part is the action attribute, as this
indicates where the processing of the form is done (here,
thanks.php). The form may also be given a name, but as this is
optional we've left it out in this case to keep everything
simple.
If you already have a form, you can probably use most of the
code you have already created in it. Our example form will
collect a name and an email address. The following lines
will do this...

    Name: <input type="TEXT" name="name">
    Email: <input type="TEXT" name="email">

Then we need a submit button and a tag to indicate the end
of the form...

    <input type="SUBMIT" name="Submit" value="ok">
    </form>

Once someone has clicked the ok button to submit the
details on this form, we should let them know that their
form has been submitted. For this we need a thank you page.
This should be a normal thanks.html page which you will have
constructed. You should then rename this page to 'thanks.php'.
The .php extension tells the web server to run the PHP code
on that page before it is sent to the browser.
Under the <BODY> tag on your thanks page, enter the
following code...
    <?php
    // The destination address is fixed in the script; it is never taken from the form.
    $mailto   = "email@address";
    $mailsubj = "Form submission";
    $email    = isset($_POST['email']) ? $_POST['email'] : '';
    $mailhead = "From: $email\n";
    $mailbody = "Values submitted from web site form:\n";
    foreach ($_POST as $key => $val) {
        $mailbody .= "$key : $val\n";
    }
    // Send only if the address contains no line break (CR or LF); a line break would
    // let the sender append headers such as Bcc. (The original used eregi for this.)
    if (!preg_match("/[\r\n]/", $email)) {
        mail($mailto, $mailsubj, $mailbody, $mailhead);
    }
    ?>

- Make sure that you replace 'email@address' in the code
with your own email address.
- It's important that the PHP script checks for extra line
feeds. The newline check on the email address in the script
above (done with the 'eregi' function in the original code)
does this and prevents spammers from injecting their own
headers into the email. (To do this, they enter a random
email address followed by a line feed, then a blind carbon
copy (Bcc) header containing many email addresses. Using this
technique, it's also possible for the spammer to insert
their own email message and send it to many other addresses
via your script.)
- This code reads the data posted from the form and sends it
to the email address specified. It's possible to make the
code a little more elaborate in order to detect whether an
email address has been entered at all. It's also possible to
add JavaScript to the form itself to detect this.
- Recent update: If you're collecting an email address on
your form (as we are above), it's important that this is
checked within the PHP script for extra line feeds. One of
the latest techniques used by spammers is to inject their
own headers into the email. To do this, they enter a random
email address followed by a line feed, then a blind carbon
copy (Bcc) header containing many email addresses. Using
this technique, it's also possible for the spammer to insert
their own email message and send it to many other addresses
via your script. In the above script, the email address is
checked for a line feed just before the email is sent.
Ideally, all data which may end up within the email headers
should be checked in the same way.
- Disclaimer: The above script is provided as is and
without any warranty or fitness for a particular purpose.
moonSlice explicitly disclaims responsibility for this
script including any damages that might result from the use
or misuse of the script.
Many form-to-email scripts are insecure because they take
the destination email address from the form itself. This
makes it very easy for a determined spammer to forge a
request to your thanks page with any destination email
address they want. Some scripts try to check that the
request has come from the same site, but unfortunately that
too is easy to forge. You should never pass a destination
email address to the script as a variable. As a by-product
of placing your email address within the script (as above),
your email address will not be harvested by spammers, which
should help reduce the amount of junk email received.
It's also a good idea not to output any of the variables you
have collected to the screen unless you escape or strip any
HTML they contain. Otherwise, it may well be possible for
someone to enter malicious code into the form that would run
in the browser when the thanks page is loaded.
This script shows you how to gather user input, perform form
validation with PHP, and send an email.
First, make the form page mail.html (you may call it
whatever you like)...

    <html>
    <head><title>Mail sender</title></head>
    <body>
    <form>
    Email<br>
    <input>
    <p>Subject<br>
    <input>
    <p>Message<br>
    <textarea></textarea>
    <p><input>
    </form>
    </body>
    </html>

The form contains the necessary text fields Email, Subject,
Message, and the Send button. The line

    <form>

tells the browser which PHP file will process the form and
what method to use for sending data.
When the user fills in the form and hits the Send button,
the mail.php file is called...

    <html>
    <head><title>PHP Mail Sender</title></head>
    <body>
    </h4>
    </body>
    </html>

As you see, the script is simply one if ... elseif ... else
statement. At first, it validates the required form fields.
Note that PHP form validation is performed on the server,
after sending all the data. Therefore, it would be a good
idea to combine server-side form validation with PHP and
client-side form validation with JavaScript in order to
avoid unnecessary data sending.
If the email address is valid and the subject isn't empty, the
script sends the mail and displays the corresponding
message. Note how the variable $email is included in the
output string.
You can also use this script to implement the safe "Contact
Us" function on your website. Your visitors will be able to
send you a message, but your email address won't be
displayed on the page and spam bots, that parse pages
looking for potential email addresses, won't get it.
Just remove the Email text field from the form and replace
the first line of the script with something like...

    $email = 'YourAddr@YourMail.com';

And, of course, you don't need to validate the email address
in this case.
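A hardened handler that puts together the checks discussed in both tutorials (destination fixed in the script, a line-break check on every value that reaches the headers, server-side validation in one if ... elseif ... else chain, and escaped output on the thanks page). This is an added example, not the page's own mail.php; the field names email, subject and message and the destination address are assumed.

```php
<?php
// Added example, not the tutorial's mail.php. Assumes the form posts the
// fields "email", "subject" and "message" to this file.
$mailto = 'YourAddr@YourMail.com';   // fixed here, never read from the form

// True if the value contains a carriage return or line feed: that is what a
// header-injection attempt needs in order to append a Bcc: or extra To: header.
function has_line_break($value) {
    return preg_match('/[\r\n]/', $value) === 1;
}

// Validate the submission; return an error message, or null if it can be sent.
function validate_submission(array $post) {
    $email   = isset($post['email'])   ? trim($post['email'])   : '';
    $subject = isset($post['subject']) ? trim($post['subject']) : '';
    $message = isset($post['message']) ? $post['message']       : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Please enter a valid email address.';
    } elseif ($subject === '') {
        return 'Please enter a subject.';
    } elseif (has_line_break($subject)) {
        // filter_var already rejects line breaks in the address; the subject is a
        // raw header value too, so it gets the same check.
        return 'The subject must not contain line breaks.';
    } elseif ($message === '') {
        return 'Please enter a message.';
    }
    return null;
}

$error = validate_submission($_POST);
if ($error === null) {
    // Only validated values reach the headers; the message goes in the body only.
    $headers = 'From: ' . trim($_POST['email']) . "\r\n";
    $sent = mail($mailto, trim($_POST['subject']), $_POST['message'], $headers);
    // Escape anything echoed back so form input cannot run as HTML on this page.
    $shown = htmlspecialchars(trim($_POST['email']), ENT_QUOTES, 'UTF-8');
    echo $sent
        ? '<h4>Your mail from ' . $shown . ' has been sent.</h4>'
        : '<h4>The mail could not be sent.</h4>';
} else {
    echo '<h4>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</h4>';
}
?>
```

For the "Contact Us" variant, drop the email branch of validate_submission and use a fixed From address in the same way as $mailto.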