Hello again all

Thanks very very much for help.

Been working for a few days with: have got contacts, no spam messages coming through. So hopefully all well.

Closure on the matter - report-back code and say thanks.

A normal interaction goes -> contact.html -> mail_handler.php -> thanks_fsub.html

index.html blocks listing the directory. You have a dir something like /phpcode/ in the website root.

You can see all this code working on my hosted web space at
http://weldsmith.co.uk/contactform/contact.html

Best wishes,
Rich Smith

vvvvvvvv index.html vvvvvvvv
<html>
<head>
<title>Contact form page</title>
</head>
<body bgcolor=#FFFFFF>
<br><br>
<center>
You want the <a href="contact.html"> Contact Form </a>
</center>
</body></html>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

vvvvvvvv contact.html vvvvvvvv
<!DOCTYPE html>
<html>
<head>
<title>Contact form</title>
<link rel="stylesheet" href="/stylesheets/html_std.css" type="text/css">
</head>
<body>
<h2>Contact me - send me a message</h2>
<p>
To be recognised as a real person trying to make contact with me, in the "Message" write:
</p>
<ul>
<li> a topic - <i>eg</i> "splunge grommets", "job offer", <i>etc</i> (as there is one "Contact Form" and you need to say what topic brings you here) </li>
<li> briefly on what interests you, what you know, how you know it, <i>etc</i> - anything which is unique showing you are a person interacting with this topic </li>
</ul>
<p>
Don't invest a lot at this stage - be recognised as a genuine person first here.
</p>
<ul>
<li> make sure the email you provide is valid (else you will never be in receipt of a response!) </li>
<li> It is permissible to include your phone number in the "Message" </li>
</ul>
<p>
In the rhyme hey diddle diddle the cat and the fiddle the cow jumped over the moon what action did the athletic farmyard inhabitant do?
</p>
<form action="mail_handler.php" method="post">
That answer: <input type="text" name="captcha_answer"><br><br>
Your Name: <input type="text" name="submitter_name"><br>
Your Email Address: <input type="text" name="email"><br>
Message:<br><textarea rows="16" name="message" cols="64"></textarea><br>
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

mail_handler.php ... "forms" submissions - spaces trimmed, put through "binary-safe" "off-the-shelf" PHP functions which strip nefarious stuff, and checked for plausible size (okay, would do that first-and-foremost in future, but this is an ephemeral message sender, not some database with financially valuable information).

This is most of the code. This is what I wrote myself per advice here.

There is only one message sent, to me. No "confirmation message" to the alleged person getting in contact. A spamster might use a real email for someone else, because they usually (?) are trying to get you to go to a website. So the email going to some party nothing to do with this would be "spammed".

vvvvvvvv mail_handler.php vvvvvvvv
<?php
if (isset($_POST['submit'])) {
    $to   = "ME@xxxxxxxxxx";          // this is your Email address - hardcoded, never taken from the form
    $from = "contactform@xxxxxxxxxx"; // an address on your own domain (placeholder); the visitor's
                                      // address goes in Reply-To, not From, so the form never sends
                                      // mail "from" an address it does not own

    // handle captcha
    if (strcasecmp(trim($_POST['captcha_answer'] ?? ''), "CAPTCHA-ANS") != 0) {
        echo "Are a human test - think again. You might be able to return to your input with the browser back button.";
        exit(0);
    }

    // handle supplied email...
    $sf_from = filter_var(trim($_POST['email'] ?? ''), FILTER_SANITIZE_EMAIL);
    if (strlen($sf_from) > 64) {
        echo "Use a briefer email addr";
        exit(0);
    }
    // FILTER_VALIDATE_EMAIL rejects spaces, CR and LF, so the address cannot smuggle
    // extra header lines (Bcc:, Cc:) into the headers handed to mail() below
    if (!filter_var($sf_from, FILTER_VALIDATE_EMAIL)) {
        echo htmlspecialchars($sf_from) . " is not a valid email address. You might be able to Browser-back, correct and re-submit";
        exit(0);
    }

    // handle supplied name...
    // (FILTER_SANITIZE_STRING is deprecated since PHP 8.1; strip_tags + htmlspecialchars does the same job)
    $sf_name = htmlspecialchars(strip_tags(trim($_POST['submitter_name'] ?? '')), ENT_QUOTES);
    if (strlen($sf_name) > 64) {
        echo "Use a briefer name";
        exit(0);
    }

    // handle the submitted message...
    $sf_message = htmlspecialchars(strip_tags(trim($_POST['message'] ?? '')), ENT_QUOTES);
    if (strlen($sf_message) > 2000) {
        exit("Submit a briefer message");
    }

    // DEBUG
    // echo $to . " " . $sf_from . " " . $sf_name . " " . $sf_message;

    // this is assembling what's passed to mail()...
    $subject = "Form submission";
    $message = $sf_name . " at " . $sf_from . "\n\n" . " wrote the following:" . "\n\n" . $sf_message;
    // array form of the headers (PHP 7.2+): no hand-built CRLF separators, and PHP
    // checks each value for stray control characters before building the header block
    $headers = array(
        'From'     => $from,
        'Reply-To' => $sf_from,
    );
    if (!mail($to, $subject, $message, $headers)) {
        echo "Sorry, your message could not be sent. Please try again later.";
        exit(0);
    }
    // echo "Mail Sent. Thank you " . $sf_name . ", I will contact you shortly.";
    header('Location: thanks_fsub.html');
    // You cannot use header and echo together. It's one or the other.
    exit(0); // nothing must run after the redirect
}
?>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

vvvvvvvv thanks_fsub.html vvvvvvvv
<html>
<head>
<title>Thanks for your message submission</title>
<link rel="stylesheet" href="/stylesheets/html_std.css" type="text/css">
</head>
<body bgcolor=#FFFFFF>
<h2>Thanks for your message submission</h2>
<p>
Your message is sent.
</p>
<p>
Your web browser's "Back" button may get you back to a page you want to return to.
</p>
<p>
Alternatively, go to this website's main <a href="/"> index page </a> - the entry page to this site.
</p>
</body></html>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> On 5 Jul 2023, at 21:28, Simon Avery <digdilem@xxxxxxxxx> wrote:
>
> Hi Rich,
>
> PHP web to email forms have a long and murky history - not helped by one of the
> most popular early ones being very easy to manipulate - and it was! I've no doubt
> it's still out there in many places and acting as an open relay for thousands of
> badly intentioned people. I certainly see bots searching for it on my web servers.
>
> The technical side of writing a web form is really very easy, php has email
> built-in after all, or you can use a local or remote smtp server to send it.
>
> Follow a few basic rules, and ensure you read up on php and web security first
> (there's lots of good guides out there so I won't repeat them badly here)
>
> DO: Sanitise input.
> DO: Hardcode the "To" address, always, to stop it being used as an open gateway.
>
> It will be abused, of course, and almost instantly. Bots are crawling html
> constantly for any form elements and will try to send spam through them. Why not,
> it costs them nothing?
>
> But generally - as with all things security - you can never be totally secure. If
> you have doubts, don't do it, or use one of the many freely available webforms,
> even if they're commercially operated.
>
> (The first example on your link is horrible - even if just because it doesn't
> hardcode the from. The first replier has fixed that.)
>
> On Sun, 2 Jul 2023 at 00:27, rds_met <dcglug@xxxxxxxxxxxxxxx> wrote:
> Hello all
>
> I found suggested code here:
> https://stackoverflow.com/questions/18379238/send-email-with-php-from-html-form-on-submit-with-the-same-script
>
> I copied the coupled html-forms code and PHP code into the two
> respective files.
> With due edits for my individual details.
>
> It seems to work perfectly.
>
> Anyone comment how
> * secure
> * etc.
> this is?
>
> Best wishes,
> Rich Smith
>
> --
> The Mailing List for the Devon & Cornwall LUG
> FAQ: https://www.dcglug.org.uk/faq/
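The "open relay" abuse Simon describes is worth seeing end to end. The following is an added example, not code from the thread and not the PHP above: it is Python (standard-library email module only) rather than PHP, so that the two halves can be run side by side. naive_headers() mirrors the classic `$headers = "From:" . $_POST['email'];` with no validation, smuggled_recipients() reads the resulting header block the way a mail transport would, and build_message() is the hardened counterpart: To and From are constants, the visitor's address is validated (no whitespace or control characters, so no CR/LF can open a new header line) and only ever lands in Reply-To and the body. The addresses, the field limits and all function names are assumptions chosen for the example; the two submissions at the bottom are constructed inputs.

```python
"""Contact-form mail handling: the header-injection attack beside a hardened builder.
Added example (not code from the mailing-list post). All addresses are placeholders."""
from __future__ import annotations

import re
from email.message import EmailMessage
from email.utils import parseaddr

# Hardcoded on the server, never taken from the form (assumed placeholder addresses).
SITE_OWNER = "owner@example.invalid"         # the only recipient
FORM_SENDER = "contactform@example.invalid"  # From: an address the site owns
MAX_EMAIL, MAX_NAME, MAX_MESSAGE = 64, 64, 2000

# Anything a mail transport could read as a line break or header separator.
_CTRL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")  # at least one dot, like FILTER_VALIDATE_EMAIL


def naive_headers(submitter_email: str) -> str:
    """The classic bug: the raw form value is concatenated straight into the headers."""
    return "From:" + submitter_email


def smuggled_recipients(raw_headers: str) -> list[str]:
    """Parse a raw header block the way an MTA would and return every address that
    arrived on a To:/Cc:/Bcc: line, i.e. the people a relay abuser would reach."""
    found: list[str] = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("to", "cc", "bcc"):
            found.extend(a.strip() for a in value.split(",") if a.strip())
    return found


def valid_email(addr: str) -> bool:
    """Strict check: exactly one bare address, no whitespace or control characters
    (so no CR/LF to start a new header), sane length, dotted domain."""
    if not addr or len(addr) > MAX_EMAIL or _CTRL_OR_SPACE.search(addr):
        return False
    _, parsed = parseaddr(addr)
    if parsed != addr:  # display names, angle brackets, comments: rejected
        return False
    local, at, domain = addr.rpartition("@")
    return bool(at and local) and _DOMAIN.fullmatch(domain) is not None


def check_fields(fields: dict[str, str]) -> str | None:
    """Return an error message, or None when the submission is acceptable."""
    email = fields.get("email", "").strip()
    name = fields.get("submitter_name", "").strip()
    body = fields.get("message", "").strip()
    if not valid_email(email):
        return "invalid email"
    if not 0 < len(name) <= MAX_NAME:
        return "name missing or too long"
    if not 0 < len(body) <= MAX_MESSAGE:
        return "message missing or too long"
    return None


def build_message(fields: dict[str, str]) -> EmailMessage:
    """Hardened equivalent of the mail() call: To and From are constants and the
    submitter's address appears only in Reply-To and the body text."""
    error = check_fields(fields)
    if error:
        raise ValueError(error)
    email = fields["email"].strip()
    msg = EmailMessage()
    msg["To"] = SITE_OWNER
    msg["From"] = FORM_SENDER
    msg["Reply-To"] = email
    msg["Subject"] = "Form submission"
    msg.set_content(f"{fields['submitter_name'].strip()} at {email}\n\n"
                    f" wrote the following:\n\n{fields['message'].strip()}")
    return msg


# Constructed inputs: one honest visitor, one bot abusing the email field.
HONEST = {"email": "alice@example.invalid", "submitter_name": "Alice",
          "message": "splunge grommets - I have a question."}
INJECTED = dict(HONEST, email="alice@example.invalid\r\nBcc: victim1@example.invalid, victim2@example.invalid")

if __name__ == "__main__":
    print("naive handler would also mail:", smuggled_recipients(naive_headers(INJECTED["email"])))
    print("hardened handler says:", check_fields(INJECTED))
    print(build_message(HONEST).as_string())
```

Run it as a script to see the injected submission turn into two extra Bcc recipients under the naive handler and be rejected outright by the hardened one. The same shape applies to the PHP: FILTER_VALIDATE_EMAIL plays the role of valid_email(), and the array form of mail()'s headers plays the role of EmailMessage, which refuses to assemble a header line that does not come from the server's own constants.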