Web Programming Discussion Forum: Working with an API? Developing a plugin? Writing a Mod or script for your favorite blog, Web 2.0 site or Forum? Welcome.
Last edited by imsickofwebpro; 01-04-2008 at 12:15 PM.
Sure. Give me an example of your parameters.
__________________
I use Country IP Blocks as added security for my networks and servers.
It is data taken from a form. The fields are:

<label for="Nachname">Surname*:</label><input type=text name="Nachname" id="Nachname" size=30 maxlength="60" /><br/><br/>
<label for="Name">Name:</label><input type=text name="Name" id="Name" size=30 maxlength="60" /><br/><br/>
<label for="Firma">Company:</label><input type=text name="Firma" id="Firma" size=30 maxlength="60" /><br/><br/>
<label for="Strasse">Street/No:</label><input type=text name="Strasse" id="Strasse" size=30 maxlength="60" /><br/><br/>
<label for="Postleitzahl">Postcode:</label><input type=text name="Postleitzahl" id="Postleitzahl" size=30 maxlength="20" /><br/><br/>
<label for="Wohnort">City:</label><input type=text name="Wohnort" id="Wohnort" size=30 maxlength="60" /><br/><br/>
<label for="Telefon">Telephone*:</label><input type=text name="Telefon" id="Telefon" size=30 maxlength="30" /><br/><br/>
<label for="Fax">Fax:</label><input type=text name="Fax" id="Fax" size=30 maxlength="30" /><br/><br/>
<label for="Email">E-mail*:</label><input type=text name="Email" id="Email" size=30 maxlength="60" /><br/><br/>
Please inform me about:<br/><br/>
<input class="tickbox" type="checkbox" name="Instandhaltungsleistungen" id="Instandhaltungsleistungen"/> <label for="Instandhaltungsleistungen">Maintenance services</label><br/><br/>
<input class="tickbox" type="checkbox" name="Inhalte" id="Inhalte"/> <label for="Inhalte">Contents</label><br/><br/>
<input class="tickbox" type="checkbox" name="Preise" id="Preise"/> <label for="Preise">Pricing</label><br/><br/>
<input class="tickbox" type="checkbox" name="Vertragsbedingungen" id="Vertragsbedingungen"/> <label for="Vertragsbedingungen">Terms and conditions</label><br/><br/>
Rent a Car:<br/><br/>
<input class="tickbox" type="checkbox" name="CarMietpreis" id="CarMietpreis"/> <label for="CarMietpreis">Price</label><br/><br/>
<input class="tickbox" type="checkbox" name="CarLeistungen" id="CarLeistungen"/> <label for="CarLeistungen">Services</label><br/><br/>
<input class="tickbox" type="checkbox" name="CarVertragsbedingungen" id="CarVertragsbedingungen"/> <label for="CarVertragsbedingungen">Terms and conditions</label><br/><br/>
<label for="Anfrage">Your enquiry:</label><br/><br/>
<textarea name="Anfrage" id="Anfrage" cols="50" rows="5"></textarea><br/><br/>

The id and name data is in German as it is a German site.

Cheers,
Kurt

How could I put the data in an array? I am still very new to PHP...

Last edited by kurt.santo; 01-07-2008 at 06:19 AM. Reason: Forgot to mention
Kurt:
The process is fairly simple. When using PHP to process data using the $_GET or $_POST method (POST is generally better when sending lots of data as there are some size limitations using the $_GET method), PHP stores the data in a special array for processing. The number of parameters you are dealing with is usually irrelevant unless the sheer size and number of variables and the time required validating your data causes PHP to exceed the threshold time limit in the php.ini file.

As to the question of sending the data from your form, your question is a little vague. Are you referring to processing the data and then sending it in an email, or are you referring to the sequence of sending the data from the form to the script that handles the data? If you are referring to sending mail with the form then you would create a script to validate and process the form variables. Remember, never trust any user input. If the validation is acceptable you will come to a place in your processing script where you will format the data and use the PHP mail function to send it out. That portion of the script will look something like this:

// sender, recipient and subject line
$sent_from_email = 'sentfrom@myemailaccount.com';
$toaddress = 'my_email_address@myemailaccount.com';
$subject = 'Question from Contact Us Page ' . $email;
// plain-text body: labels concatenated with the validated form variables
$mailcontent = 'Name: ' . $first . $space . $last . "\n" . "\n"
    . 'IP Address of Requestor: ' . $ip . "\n" . "\n"
    . 'Email Address: ' . $email . "\n" . "\n"
    . 'Comments: ' . $comment . "\n";
// additional mail headers (here only From:)
$fromaddress = 'From: ' . $sent_from_email;
mail($toaddress, $subject, $mailcontent, $fromaddress);

Just modify the above and replace the variables and formatting with the variables from your form and the formatting of your choice. Please make note of a few things. The script above will be sending a text email. The $mailcontent variable is combining the basic formatting and data variables using concatenation. You should also take additional steps prior to sending the email to make sure your mail form has not been hijacked to send spam.

Finally, after dealing with all the security issues, and sending the email, you need to decide what to do. I usually choose to redirect to a new page, though the option to display a thank you message on the same page is of course your decision. If you decided to do a page redirect you could add some code beneath the mail function as follows:

$URL = "thank_you.php";
header("Location: $URL");
exit;

The above redirect should work perfectly unless you have already sent data to the page (if so, you will get a PHP error telling you headers have already been sent). If the page doesn't redirect, it will likely be the result of outputting headers somewhere earlier in your script. This could be as simple as sending a blank space to the browser before processing the form. There are special functions in PHP that can deal with this but it is just as easy to remove the offending data. I hope this helps.
__________________
I use Country IP Blocks as added security for my networks and servers.

Last edited by Tech Manager; 01-07-2008 at 11:53 AM.
Thanks for the great input!
Yes, I meant I want to send an email from the form with all the user's inputs to my email address. Redirect to a thankYou page is great too! Just two things: How could some spammer use this to send spam (I do not know how he/she would do this) and how could I prevent this? Then this "headers already sent" thing gives me a headache.

Kurt
The professional solution is no interactive forms where you combine client (DOM) scripting with server side scripting like PHP.
Excellent book (with code), Build Your Own AJAX Web Applications - SitePoint Books, that also gives you a soft introduction to OOP. Note that AJAX (also called extended JavaScript) has taken JavaScript to a new serious level with OO features. You need to know DOM building to do any serious web application building using the AJAX engine.
I forgot to mention that that book also has examples of AJAX form code that can be downloaded from the book's page.
The problem with traditional form data with complete page reload is that you have to retype everything if you submit wrong data to the form. Because of partial page reload you need not do that using an AJAX form. That increases user experience on your site, and indirectly increases traffic. In addition it describes how to write AJAX applications for disabled people, which is of value in itself. The idea is to write your own CSS rules for disabled people that are hidden for able surfers. Highly recommended. If you are new to the concept of AJAX, here is an introduction: PHPBuilder.com, the best resource for PHP tutorials, templates, PHP manuals, content management systems, scripts, classes and more.
__________________
Mini Network:: Financial information at your fingertips. Learn object oriented programming where it started.

Last edited by kgun; 01-08-2008 at 11:53 AM.
I think wige provided an excellent explanation regarding "headers already sent," but I'll expand on it briefly. The header() function is used to send a raw HTTP header. To gain a greater understanding of HTTP headers take a look at RFC 2616 - Hypertext Transfer Protocol - HTTP/1.1. When using header() redirects, such as the one I gave in my example above:

$URL = "thank_you.php";
header("Location: $URL");
exit;

the header() function, in this case header("Location: $URL");, must be called before any output is sent to the page. If your script sends any output to the page, whether HTML tags, blank lines, etc., you will receive an error message warning you that headers cannot be modified because headers have already been sent (paraphrase). This error message is fairly common with new PHP programmers and can even happen to us old timers if we aren't paying attention. The problem is fairly simple to detect and prevent. A PHP programmer could also use output buffering to prevent the problem as well.

Now, getting on to your more important question: "How could some spammer use this to send spam (I do not know how he/she would do this) and how could I prevent this?"

Hackers and agents of spam target web forms on sites and attempt to exploit certain vulnerabilities. For example, some site owners use insecure JavaScript in login forms to process usernames and passwords (never rely on JavaScript to process security related data). An easy exploit is to simply turn off JavaScript. On SSI forms hackers will attempt to inject additional headers directly into your form fields. One of the most common exploits is the injection of additional email headers. For example, your form will usually include the send To: parameter included in the mail() function to send you a copy of the data sent through the form. Form spammers taking advantage of certain script vulnerabilities will inject additional mail headers or even a completely new set of headers to send mail through your form.

There are several ways to accomplish this exploit: the spammer will attempt to add cc: and bcc: into the header. They may even attempt to change mime-types. All the form fields are potentially at risk. I could write an entire thread discussing the many techniques used to hijack forms, but I'd rather concentrate on prevention. Preventing these types of exploits, whether in PHP, ASP, AJAX or other languages, comes down to a few simple rules:

1.) Never trust user input.
2.) Always assume user input is malicious until proven otherwise.
3.) Validate and verify user input using a variety of scripting techniques such as regular expressions to validate data, functions to prevent the injection of tags where tags shouldn't be... don't rely on size and maxlength settings in your HTML forms. Use functions to prevent excess data... etc.
4.) Examine the input for data you will accept and reject everything else.
5.) Be aware of input designed to get around certain security techniques such as the inclusion of ASCII characters.
6.) Log, log, log, log and log. In other words don't just rely on reviewing your server logs. Log additional data directly from your pages, get the IP address and the referrer (the referrer variable is unreliable but collect it if it's available anyway). Log all the data input and review it for potential exploits.

I hope this gives you some assistance with your forms. If I get time I'll write some detailed articles about SQL injection and email injection. Best of luck!
__________________
I use Country IP Blocks as added security for my networks and servers.
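As an added example (not code from the thread or from any of its posters), here is a handler for Kurt's form that combines the mail()/redirect flow from Tech Manager's first reply with the validation and anti-injection rules from the reply above; the From: address and the recipient address are placeholders, and thank_you.php is the page name used in the thread.

```php
<?php
// Added example, not code from the thread: a handler for Kurt's form that follows the
// mail()/redirect flow from the first reply and the injection rules from the second.
// The From: address and the recipient are placeholders.
declare(strict_types=1);

// Trimmed field value, or null if it is missing, over the server-side limit, or carries
// CR/LF/NUL. A newline inside a value that reaches a mail header is how extra Cc:/Bcc:
// lines get injected, so such input is refused outright rather than "cleaned".
function header_safe(array $post, string $field, int $maxLen): ?string
{
    $value = trim((string)($post[$field] ?? ''));
    if ($value === '' || strlen($value) > $maxLen || preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

// Validates the required fields and returns [subject, body, headers] for mail(),
// or null when the submission must be rejected.
function build_contact_mail(array $post, string $ip, string $referer): ?array
{
    $nachname = header_safe($post, 'Nachname', 60);
    $telefon  = header_safe($post, 'Telefon', 30);
    $email    = header_safe($post, 'Email', 60);
    if ($nachname === null || $telefon === null || $email === null
        || !preg_match('/^[0-9 +\/().-]{5,30}$/', $telefon)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Only checkbox names from a fixed allow-list are reported; anything else is ignored.
    $topics = array_intersect(['Preise', 'Inhalte', 'Vertragsbedingungen'], array_keys($post));
    // The body may contain newlines (the textarea does); header values never may.
    $body = "Nachname: $nachname\nTelefon: $telefon\nEmail: $email\n"
          . 'Interessen: ' . implode(', ', $topics) . "\n"
          . "IP: $ip\nReferer: $referer\n\n"
          . 'Anfrage: ' . str_replace("\0", '', trim((string)($post['Anfrage'] ?? ''))) . "\n";
    // From: is a constant; the visitor's address goes into Reply-To only after validation.
    $headers = "From: sentfrom@example.com\r\nReply-To: $email\r\n";
    return ['Anfrage von ' . $nachname, $body, $headers];
}

$mail = build_contact_mail($_POST, $_SERVER['REMOTE_ADDR'] ?? '', $_SERVER['HTTP_REFERER'] ?? '');
if ($mail === null) { http_response_code(400); exit('Invalid input'); }
mail('my_email_address@example.com', $mail[0], $mail[1], $mail[2]);
// header() only works before any output has been sent; headers_sent() makes that explicit.
if (!headers_sent()) { header('Location: thank_you.php'); exit; }
```

The IP and referrer are written into the mail body so every submission is logged along with its data, as rule 6 above suggests, while the subject and Reply-To are built only from values that have passed the newline check.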
var regex = new RegExp("string");

Source: Kevin Yank & Cameron Adams (September 2007): Simply JavaScript, page 243. This does most of that job on the client. In addition you have to test it on the server if you are paranoid like me. 1.) Never trust user input 2.) Always assume user input is malicious until proven otherwise. That is Opera's principle in a nutshell. Related WPW threads: phpBB and security; Is MS SQL server the most secure SQL server?
__________________
Mini Network:: Financial information at your fingertips. Learn object oriented programming where it started.

Last edited by kgun; 01-08-2008 at 02:47 PM.
Great stuff!!! You have been more than helpful. Had a read through the given websites (although I have to admit that after 5 minutes of reading the RFCs I got a headache and had to stop).

Kurt
There is a third book, "Learning jQuery" (jQuery: The Write Less, Do More, JavaScript Library), implementing the jQuery library, that you should also think of buying.

The most advanced library I know of is zXml 1.0.2 (NCZOnline - Downloads), a JavaScript library for cross-browser XML, XPath, and XSLT support (24 KB). Book on the home page NCZOnline - The Official Web Site of Nicholas C. Zakas: "Professional AJAX".
__________________
Mini Network:: Financial information at your fingertips. Learn object oriented programming where it started.

Last edited by kgun; 01-10-2008 at 06:30 AM.
WebProWorld is an iEntry, Inc. ® site - © 2009 All Rights Reserved. Privacy Policy and Legal. iEntry, Inc., 2549 Richmond Rd., Lexington KY, 40509