WebProWorld
  #1 (permalink)  
Old 01-04-2008, 07:59 AM
WebProWorld Member
 
Join Date: Jul 2007
Posts: 36
kurt.santo RepRank 0
Default Send form data with PHP

Does anyone know how to send form data with PHP when sending more than 5 parameters? I have a little script, but it does not work for my new form, which has ca. 20 parameters to send...

Kurt
  #2 (permalink)  
Old 01-04-2008, 11:34 AM
WebProWorld Member
 
Join Date: Aug 2006
Posts: 82
imsickofwebpro RepRank 0
Default Re: Send form data with PHP

PHP Help: mail - PHP Manual


What extra parameters do you have that can't be put into an array?
__________________
www.jacksonville-website-design.com
High-end Websites and Branding

Last edited by imsickofwebpro; 01-04-2008 at 12:15 PM.
  #3 (permalink)  
Old 01-05-2008, 10:03 PM
WebProWorld Pro
 
Join Date: Jan 2008
Posts: 294
Tech Manager RepRank 1
Default Re: Send form data with PHP

Quote:
Originally Posted by kurt.santo View Post
Does anyone know how to send form data with PHP when sending more than 5 parameters? I have a little script, but it does not work for my new form, which has ca. 20 parameters to send...

Kurt
Sure. Give me an example of your parameters.
__________________
I use Country IP Blocks as added security for my networks and servers.
  #4 (permalink)  
Old 01-07-2008, 06:16 AM
WebProWorld Member
 
Join Date: Jul 2007
Posts: 36
kurt.santo RepRank 0
Default Re: Send form data with PHP

It is data taken from a form. The fields are:

<label for="Nachname">Surname*:</label><input type="text" name="Nachname" id="Nachname" size="30" maxlength="60" /><br/><br/>
<label for="Name">Name:</label><input type="text" name="Name" id="Name" size="30" maxlength="60" /> <br/><br/>
<label for="Firma">Company:</label><input type="text" name="Firma" id="Firma" size="30" maxlength="60" /> <br/><br/>
<label for="Strasse">Street/No:</label><input type="text" name="Strasse" id="Strasse" size="30" maxlength="60" /> <br/><br/>
<label for="Postleitzahl">Postcode:</label><input type="text" name="Postleitzahl" id="Postleitzahl" size="30" maxlength="20" /> <br/><br/>
<label for="Wohnort">City:</label><input type="text" name="Wohnort" id="Wohnort" size="30" maxlength="60" /> <br/><br/>
<label for="Telefon">Telephone*:</label><input type="text" name="Telefon" id="Telefon" size="30" maxlength="30" /> <br/><br/>
<label for="Fax">Fax:</label><input type="text" name="Fax" id="Fax" size="30" maxlength="30" /><br/><br/>
<label for="Email">E-mail*:</label> <input type="text" name="Email" id="Email" size="30" maxlength="60" /> <br/><br/>
Please inform me about:<br/><br/>
<input class="tickbox" type="checkbox" name="Instandhaltungsleistungen" id="Instandhaltungsleistungen"/> <label for="Instandhaltungsleistungen">Maintenance services</label> <br/><br/>
<input class="tickbox" type="checkbox" name="Inhalte" id="Inhalte"/> <label for="Inhalte">Contents</label> <br/><br/>
<input class="tickbox" type="checkbox" name="Preise" id="Preise"/> <label for="Preise">Pricing</label> <br/><br/>
<input class="tickbox" type="checkbox" name="Vertragsbedingungen" id="Vertragsbedingungen"/> <label for="Vertragsbedingungen">Terms and conditions</label> <br/><br/>
Rent a Car:<br/><br/>
<input class="tickbox" type="checkbox" name="CarMietpreis" id="CarMietpreis"/> <label for="CarMietpreis">Price</label> <br/><br/>
<input class="tickbox" type="checkbox" name="CarLeistungen" id="CarLeistungen"/> <label for="CarLeistungen">Services</label> <br/><br/>
<input class="tickbox" type="checkbox" name="CarVertragsbedingungen" id="CarVertragsbedingungen"/> <label for="CarVertragsbedingungen">Terms and conditions</label>
<label for="Anfrage">Your enquiry:</label> <br/><br/>
<textarea name="Anfrage" id="Anfrage" cols="50" rows="5"></textarea><br/><br/>

The id and name data is in German as it is a German site.

Cheers,
Kurt

How could I put the data in an array? I am still very new to PHP...

Last edited by kurt.santo; 01-07-2008 at 06:19 AM. Reason: Forgot to mention
  #5 (permalink)  
Old 01-07-2008, 11:47 AM
WebProWorld Pro
 
Join Date: Jan 2008
Posts: 294
Tech Manager RepRank 1
Thumbs up Re: Send form data with PHP

Kurt:


The process is fairly simple. When using PHP to process data using the $_GET or $_POST method (POST is generally better when sending lots of data as there are some size limitations using the $_GET method), PHP stores the data in a special array for processing. The number of parameters you are dealing with is usually irrelevant unless the sheer size and number of variables and the time required validating your data causes PHP to exceed the threshold time limit in the php.ini file.

As to the question of sending the data from your form, your question is a little vague. Are you referring to processing the data and then sending it in an email or are you referring to the sequence of sending the data from the form to the script that handles the data?

If you are referring to sending mail with the form then you would create a script to validate and process the form variables. Remember, never trust any user input.

If the validation is acceptable you will come to a place in your processing script where you will format the data and use the PHP mail function to send it out. That portion of the script will look something like this:

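// $first, $space, $last, $ip, $email and $comment are assumed to be set
// earlier in the script from form values that have already been validated.
// Anything placed in $subject or in the From header must not contain CR or LF.
$sent_from_email = 'sentfrom@myemailaccount.com';
$toaddress = 'my_email_address@myemailaccount.com';
$subject = 'Question from Contact Us Page ' . $email;
$mailcontent = 'Name: ' . $first . $space . $last . "\n"
. "\n"
. 'IP Address of Requestor: ' . $ip . "\n"
. "\n"
. 'Email Address: ' . $email . "\n"
. "\n"
. 'Comments: ' . $comment . "\n";
// The closing quote after 'From: ' was missing in the original line.
$fromaddress = 'From: ' . $sent_from_email;
mail($toaddress, $subject, $mailcontent, $fromaddress);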


Just modify the above and replace the variables and formatting with the variables from your form and the formatting of your choice. Please make note of a few things. The script above will be sending a text email. The $mailcontent variable is combining the basic formatting and data variables using concatenation. You should also take additional steps prior to sending the email to make sure your mail form has not been hijacked to send spam.


Finally, after dealing with all the security issues, and sending the email, you need to decide what to do. I usually choose to redirect to a new page, though the option to display a thank you message on the same page is of course your decision.

If you decided to do a page redirect you could add some code beneath the mail function as follows:


$URL="thank_you.php";
header ("Location: $URL");
exit;


The above redirect should work perfectly unless you have already sent data to the page (if so, you will get a PHP error telling you headers have already been sent). If the page doesn't redirect, it will likely be the result of outputting headers somewhere earlier in your script. This could be as simple as sending a blank space to the browser before processing the form. There are special functions in PHP that can deal with this but it is just as easy to remove the offending data.

I hope this helps.
__________________
I use Country IP Blocks as added security for my networks and servers.

Last edited by Tech Manager; 01-07-2008 at 11:53 AM.
  #6 (permalink)  
Old 01-08-2008, 06:45 AM
WebProWorld Member
 
Join Date: Jul 2007
Posts: 36
kurt.santo RepRank 0
Default Re: Send form data with PHP

Thanks for the great input!

Yes, I meant I want to send an email from the form with all the user's inputs to my email address. Redirect to a thankYou page is great too!

Just two things:
How could some spammer use this to send spam (I do not know how he/she would do this) and how could I prevent this?
Then this "headers already sent" thing gives me a headache; I kind of do not get my head around what it actually means. I have some PHP that would need to come before the script. The contact form, for example, is inserted as an include and there is a test for the language query string as the website has more than one language...

Kurt
  #7 (permalink)  
Old 01-08-2008, 08:10 AM
WebProWorld 1,000+ Club
WebProWorld MVP
 
Join Date: May 2005
Location: Norway
Posts: 5,678
kgun RepRank 9
Default Re: Send form data with PHP

The professional solution is no interactive forms where you combine client (DOM) scripting with server side scripting like PHP.

Excellent book (with code),

Build Your Own AJAX Web Applications - SitePoint Books

that also gives you a soft introduction to OOP.

Note that AJAX (also called extended JavaScript) has taken JavaScript to a new serious level with OO features. You need to know DOM building to do any serious web application building using the AJAX engine.
  #8 (permalink)  
Old 01-08-2008, 10:36 AM
Moderator
WebProWorld Moderator
 
Join Date: Jun 2006
Location: United States
Posts: 2,648
wige RepRank 9
Default Re: Send form data with PHP

"Headers already sent" errors are caused by sending any output to the browser before the header() function is called. header() has to be the absolute first thing that is sent to the browser, before any print() or echo.
__________________
The best way to learn anything, is to question everything.
  #9 (permalink)  
Old 01-08-2008, 11:47 AM
WebProWorld 1,000+ Club
WebProWorld MVP
 
Join Date: May 2005
Location: Norway
Posts: 5,678
kgun RepRank 9
Default Re: Send form data with PHP

I forgot to mention that that book also has examples of AJAX form code that can be downloaded from the book's page.

The problem with traditional Form data with complete page reload is that you have to retype everything if you submit wrong data to the form.

Because of partial page reload you need not do that using an AJAX form. That increases user experience on your site, and indirectly increases traffic.

In addition it describes how to write AJAX applications for disabled people that is of value in itself.

The idea is to write own CSS rules for disabled people that are hidden for able surfers.

Highly recommended.

If you are new to the concept of AJAX, here is an introduction:

PHPBuilder.com, the best resource for PHP tutorials, templates, PHP manuals, content management systems, scripts, classes and more.

Last edited by kgun; 01-08-2008 at 11:53 AM.
  #10 (permalink)  
Old 01-08-2008, 12:26 PM
WebProWorld Pro
 
Join Date: Jan 2008
Posts: 294
Tech Manager RepRank 1
Smile Re: Send form data with PHP

Quote:
Originally Posted by kurt.santo View Post
Thanks for the great input!

Yes, I meant I want to send an email from the form with all the user's inputs to my email address. Redirect to a thankYou page is great too!

Just two things:
How could some spammer use this to send spam (I do not know how he/she would do this) and how could I prevent this?
Then this "headers already sent" thing gives me a headache; I kind of do not get my head around what it actually means. I have some PHP that would need to come before the script. The contact form, for example, is inserted as an include and there is a test for the language query string as the website has more than one language...

Kurt
Kurt:

I think wige provided an excellent explanation regarding "headers already sent," but I'll expand on it briefly.

The header() function is used to send a raw HTTP header. To gain a greater understanding of HTTP headers take a look at RFC 2616 - Hypertext Transfer Protocol - HTTP/1.1.

When using header() redirects, such as the one I gave in my example above:

$URL="thank_you.php";
header ("Location: $URL");
exit;

The header() function, in this case header ("Location: $URL"); must be called before any output is sent to the page. If your script sends any output to the page, whether HTML tags, blank lines, etc., you will receive an error message warning you that headers cannot be modified because headers have already been sent (paraphrase).

This error message is fairly common with new PHP programmers and can even happen to us old timers if we aren't paying attention. The problem is fairly simple to detect and prevent. A PHP programmer could also use output buffering to prevent the problem as well.

Now, getting on to your more important question: "How could some spammer use this to send spam (I do not know how he/she would do this) and how could I prevent this?"

Hackers and agents of spam target web forms on sites and attempt to exploit certain vulnerabilities. For example, some site owners use insecure javascript in login forms to process usernames and passwords (never rely on javascript to process security related data). An easy exploit is to simply turn off javascript.

On SSI forms hackers will attempt to inject additional headers directly into your form fields. One of the most common exploits is the injection of additional email headers. For example, your form will usually include the send To: parameter included in the mail() function to send you a copy of the data sent through the form. Form spammers taking advantage of certain script vulnerabilities will inject additional mail headers or even a completely new set of headers to send mail through your form.

There are several ways to accomplish this exploit: the spammer will attempt to add cc: and bcc: into the header. They may even attempt to change mime-types. All the form fields are potentially at risk. I could write an entire thread discussing the many techniques used to hijack forms, but I'd rather concentrate on prevention.

Preventing these types of exploits, whether in PHP, ASP, AJAX or other languages comes down to a few simple rules:

1.) Never trust user input
2.) Always assume user input is malicious until proven otherwise,
3.) Validate and verify user input using a variety of scripting techniques such as regular expressions to validate data, functions to prevent the injection of tags where tags shouldn't be...don't rely on size & maxlength settings in your html forms. Use functions to prevent excess data...etc.,
4.) Examine the input for data you will accept and reject everything else.
5.) Be aware of input designed to get around certain security techniques such as the inclusion of ASCII characters.
6.) Log, log, log, log and log. In other words don't just rely on reviewing your server logs. Log additional data directly from your pages, get the IP address & the referrer (the referrer variable is unreliable but collect it if it's available anyway). Log all the data input and review it for potential exploits.

I hope this gives you some assistance with your forms. If I get time I'll write some detailed articles about SQL injection and email injection.

Best of luck!
__________________
I use Country IP Blocks as added security for my networks and servers.
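The validation rules listed in the post above, applied to the form fields posted earlier in the thread, as an added example that is not part of any post. The function name `build_contact_mail`, the address `webform@example.com`, the fixed subject and the 5000-byte cap on the enquiry text are assumptions; the field names and length limits are the ones from the form.

```php
<?php
// Added example, not code from the thread. Field names and maxlength values
// come from the form in post #4; addresses and helper names are assumptions.
// Whitelist of single-line fields => maximum length enforced on the server.
const TEXT_FIELDS = [
    'Nachname' => 60, 'Name' => 60, 'Firma' => 60, 'Strasse' => 60,
    'Postleitzahl' => 20, 'Wohnort' => 60, 'Telefon' => 30, 'Fax' => 30,
    'Email' => 60,
];
const REQUIRED   = ['Nachname', 'Telefon', 'Email'];
const CHECKBOXES = [
    'Instandhaltungsleistungen', 'Inhalte', 'Preise', 'Vertragsbedingungen',
    'CarMietpreis', 'CarLeistungen', 'CarVertragsbedingungen',
];

// Returns [subject, body, headers] for mail(), or null if input is rejected.
function build_contact_mail(array $post): ?array
{
    $clean = [];
    foreach (TEXT_FIELDS as $field => $max) {
        $value = $post[$field] ?? '';
        // Reject arrays (Email[]=...) and control characters: CR/LF is what
        // would let a field value start a new mail header such as Bcc:.
        if (!is_string($value) || preg_match('/[\x00-\x1F\x7F]/', $value)) {
            return null;
        }
        $value   = trim($value);
        $missing = $value === '' && in_array($field, REQUIRED, true);
        if ($missing || strlen($value) > $max) {
            return null;
        }
        $clean[$field] = $value;
    }
    if (filter_var($clean['Email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $enquiry = $post['Anfrage'] ?? '';
    if (!is_string($enquiry) || strlen($enquiry) > 5000) { // 5000: assumed cap
        return null;
    }
    $body = '';
    foreach ($clean as $field => $value) {
        $body .= "$field: $value\n";
    }
    foreach (CHECKBOXES as $box) {
        $body .= "$box: " . (isset($post[$box]) ? 'yes' : 'no') . "\n";
    }
    $body .= "\nAnfrage:\n$enquiry\n";
    // Subject and From are fixed; only the validated address reaches a header.
    $headers = "From: webform@example.com\r\nReply-To: " . $clean['Email'];
    return ['Contact form enquiry', $body, $headers];
}

// Constructed sample submissions: a normal one and one carrying CR/LF.
$ok  = ['Nachname' => 'Muster', 'Telefon' => '0123 456', 'Preise' => 'on',
        'Email' => 'kunde@example.com', 'Anfrage' => "Line one\nLine two"];
$bad = ['Email' => "kunde@example.com\r\nBcc: other@example.net"] + $ok;
echo build_contact_mail($ok)[1];
var_dump(build_contact_mail($bad));
```

In the real handler, call the function with `$_POST` before any output is sent; on a non-null result pass the three values to `mail()` together with your own recipient address, then issue the `Location` redirect.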
  #11 (permalink)  
Old 01-08-2008, 02:39 PM
WebProWorld 1,000+ Club
WebProWorld MVP
 
Join Date: May 2005
Location: Norway
Posts: 5,678
kgun RepRank 9
Default Re: Send form data with PHP

var regex = new RegExp("string");

Source: Kevin Yank & Cameron Adams (September 2007): Simply JavaScript Page 243.

does most of that job on the client.

In addition you have to test it on the server if you are paranoid like me.

1.) Never trust user input
2.) Always assume user input is malicious until proven otherwise.

That is Opera's principle in a nutshell.

Related WPW threads:
phpBB and security

Is MS SQL server the most secure SQL server?

Last edited by kgun; 01-08-2008 at 02:47 PM.
  #12 (permalink)  
Old 01-10-2008, 06:15 AM
WebProWorld Member
 
Join Date: Jul 2007
Posts: 36
kurt.santo RepRank 0
Default Re: Send form data with PHP

Great stuff!!! You have been more than helpful. Had a read through the given websites (although I have to admit after 5 minutes reading the RFCs got a headache and had to stop) and will purchase the two books from Sitepoint. Read through the synopsis, seems to give a lot of valuable info. Hopefully I am able soon to tackle my forms in a better way and also to build my first AJAX site...

Kurt
  #13 (permalink)  
Old 01-10-2008, 06:24 AM
WebProWorld 1,000+ Club
WebProWorld MVP
 
Join Date: May 2005
Location: Norway
Posts: 5,678
kgun RepRank 9
Default Re: Send form data with PHP

There is a third book "Learning jQuery" jQuery: The Write Less, Do More, JavaScript Library implementing the jQuery library that you should also think of buying.

The most advanced library I know of is NCZOnline - Downloads

zXml 1.0.2 A JavaScript library for cross-browser XML, XPath, and XSLT support. (24 KB)

Book on home page NCZOnline - The Official Web Site of Nicholas C. Zakas "Professional AJAX".

Quote:
Originally Posted by kurt.santo View Post
Great stuff!!! You have been more than helpful. Had a read through the given websites (although I have to admit after 5 minutes reading the RFCs got a headache and had to stop) and will purchase the two books from Sitepoint. Read through the synopsis, seems to give a lot of valuable info. Hopefully I am able soon to tackle my forms in a better way and also to build my first AJAX site...

Kurt
Recommendations:
  1. Start with the AJAX book from SitePoint. You get a very soft introduction to OOP. You can not do any serious DOM building and AJAX without having a simple understanding of OOP.
  2. Don't drown yourself in details. Learn to use libraries and modify code. Test the code that comes with the books. Look at it. Sometimes minor modifications are all you need to implement your own applications.

Last edited by kgun; 01-10-2008 at 06:30 AM.
  #14 (permalink)  
Old 01-13-2008, 04:54 PM
WebProWorld Member
 
Join Date: Jul 2007
Posts: 36
kurt.santo RepRank 0
Default Re: Send form data with PHP

Cheers