Secure feedback form
- From: Karl-Arne Gjersøyen <post@xxxxxxxxxxxxxx>
- Date: Thu, 25 Jun 2009 10:10:22 +0200
Hello again.
Now I have rewritten the feedback form.
I am not using echo in functions anymore.
I use return $html instead.
Also I have not used empty(), but rewrote it after advice from Jerry and others.
I don't use strip_tags either. I use htmlspecialchars() instead.
The content of the form is put into the body of the email message, and nothing will be written to the headers of the mail.
I test for additional fields that could be written in the body of the mail, and if so, a note is written to the spammer and the mail will not be sent.
Thanks a lot for all your help in making this a better application.
The source of the form secure_mail.php is posted below. Thanks for all suggestions to do a better job!
Regards
Karl-Arne
filename: secure_mail.php
=========================
<?php
/*
secure_mail.php v.0.1
By Karl-Arne Gjersøyen
Email: post@xxxxxxxxxxxxxx
Homepage: www.karl-arne.name
=============================
This program is freeware (GNU General Public License, see below).
secure_mail.php is a small feedback application which
prints an empty form when it is first accessed.
It checks for input and uses simple but powerful validation
functions on every value.
The program also has a view_form() function where the user can
read his feedback before he confirms it. At that stage the
user can select to "edit" the information and will then find
a new form where his content is written in the respective fields.
When the user "confirms" his message, it will be sent by email
to the owner (you) of the pages.
Note: Read carefully what is written below under "Config"
before you use this program. You have to alter a few things,
like the email address of the person who shall receive the feedback.
You also need to alter the value of action to the filename you
save this file as.
You can use it and change it as you like, but if you do so,
write a note like Modified by Your name <youremail@xxxxxxxxxxxxxx>
at the very beginning of this comment.
This project started as a way to learn how to use functions in PHP5.
I wrote my first program and posted it to alt.php. There I received
a lot of good advice on how to make the program better.
I would like to thank the people mentioned below:
A special thanks to:
Jerry Stuckle
JDS Computer Training Corp.
jstuckle@xxxxxxxxxxxxx
Colin McKinnon
colin.mckinnon@xxxxxxxxx
http://symcbean.blogspot.com/
Erwin Moller
Raymond Schmit
Raymond.Schmit@xxxxxxxxxxx
and all those in alt.php that have helped me
to learn a lot during this last week!
Regards
Karl-Arne
-------------------------------------------------
CONFIG
======
If you do not save this file as secure_mail.php,
then you have to scroll through the code and
change the value of action from secure_mail.php
to the filename of your choice.
In the function submitted form you need to
change $to = "karl@localhost" to the email address
that shall receive the feedback.
You also have to alter the line
$headers = "From:karl@localhost\n";
to your own email address.
----------------------------------------------------
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
// empty_form() function
// Use empty_form() if neither submit, edit nor confirm was clicked
function empty_form(
    $name = '',
    $email = '',
    $subject = '',
    $message = ''
){
    // NOTE: You need to specify the URL of the document from which you
    // call the functions. I have tried with $PHP_SELF but it did not work
    $html = "<form action=\"secure_mail.php\" method=\"post\">";
    $html .= "<p><strong>Name:</strong> <input type=\"text\" name=\"name\" /></p>";
    $html .= "<p><strong>Email:</strong> <input type=\"text\" name=\"email\" /></p>";
    $html .= "<p><strong>Subject:</strong> <input type=\"text\" name=\"subject\" /></p>";
    $html .= "<p><strong>Message:</strong><br /><textarea cols=\"20\" rows=\"5\" name=\"message\"></textarea></p>";
    $html .= "<p><input type=\"submit\" name=\"submit\" value=\"Send Your Feedback\" /></p>";
    $html .= "</form>";
    // Return the form; the caller echoes it
    return $html;
}
// edit_form()
// If the user needs to fix errors, or wants to change
// the contents of one or more form fields
function edit_form(
    $name = '',
    $email = '',
    $subject = '',
    $message = ''
){
    // Take the values from the previous submission and escape them
    // before echoing them back into the form, so a value containing
    // quotes or tags cannot break out of the attribute or inject HTML
    $name = htmlspecialchars($_POST['name']);
    $email = htmlspecialchars($_POST['email']);
    $subject = htmlspecialchars($_POST['subject']);
    $message = htmlspecialchars($_POST['message']);
    // The edit form where the user can edit his information
    $html = "<form action=\"secure_mail.php\" method=\"post\">";
    $html .= "<p><strong>Name:</strong> <input type=\"text\" name=\"name\" value=\"$name\" /></p>";
    $html .= "<p><strong>Email:</strong> <input type=\"text\" name=\"email\" value=\"$email\" /></p>";
    $html .= "<p><strong>Subject:</strong> <input type=\"text\" name=\"subject\" value=\"$subject\" /></p>";
    $html .= "<p><strong>Message:</strong><br /><textarea cols=\"20\" rows=\"5\" name=\"message\">$message</textarea></p>";
    $html .= "<p><input type=\"submit\" name=\"submit\" value=\"Send Your Feedback\" /></p>";
    $html .= "</form>";
    // Return the form; the caller echoes it
    return $html;
}
// view_form()
// Lets the user read his feedback; he can then
// select to edit the information or confirm it and send it
function view_form(
    $name = '',
    $email = '',
    $subject = '',
    $message = ''
){
    // Form fields
    $name = $_POST['name'];
    $email = $_POST['email'];
    $subject = $_POST['subject'];
    $message = $_POST['message'];
    // Escape every field, including the email, so HTML or script in the
    // input is shown literally instead of being rendered by the browser
    $name = htmlspecialchars($name);
    $email = htmlspecialchars($email);
    $subject = htmlspecialchars($subject);
    $message = htmlspecialchars($message);
    // Insert line breaks into a display copy of the message before
    // printing it to the screen
    $message_html = str_replace("\n", "<br />", $message);
    // Print out the result
    $html = "<p><strong>Name:</strong> $name</p>";
    $html .= "<p><strong>Email:</strong> $email</p>";
    $html .= "<p><strong>Subject:</strong> $subject</p>";
    $html .= "<p><strong>Message:</strong><br />$message_html</p>";
    // Insert the values into a form and let the user select edit or
    // confirm before sending. The hidden fields carry the escaped values
    // with the original \n; the browser decodes the entities again when
    // the form is posted
    $html .= "<form action=\"secure_mail.php\" method=\"post\">";
    $html .= "<input type=\"hidden\" name=\"name\" value=\"$name\" />";
    $html .= "<input type=\"hidden\" name=\"email\" value=\"$email\" />";
    $html .= "<input type=\"hidden\" name=\"subject\" value=\"$subject\" />";
    $html .= "<input type=\"hidden\" name=\"message\" value=\"$message\" />";
    $html .= "<input type=\"submit\" name=\"edit\" value=\"Edit\" /> ";
    $html .= "<input type=\"submit\" name=\"confirm\" value=\"Confirm\" />";
    $html .= "</form>";
    // Return the function result; the caller echoes it
    return $html;
}
// submitted_form()
// Send the mail and print a thank you note to the user
function submitted_form(
    $name = '',
    $email = '',
    $subject = '',
    $message = ''
){
    // Form fields
    $name = $_POST['name'];
    $email = $_POST['email'];
    $form_subject = $_POST['subject'];
    $message = $_POST['message'];
    // Prepare sending the message. Everything the visitor typed goes
    // into the body; the headers only contain fixed values and server
    // information. $to and $subject must not end with a newline.
    $to = "karl@localhost";
    $subject = "Secure feedback form";
    $body = "Name: $name\n";
    $body .= "Email: $email\n";
    $body .= "Subject: $form_subject\n";
    $body .= "Message:\n$message\n";
    // Mail headers. The User-Agent string is sent by the client, so strip
    // any line breaks before it is placed on a header line.
    $user_agent = str_replace(array("\r", "\n"), '', $_SERVER['HTTP_USER_AGENT']);
    $headers = "From:karl@localhost\n";
    $headers .= "MIME-Version: 1.0\n";
    $headers .= "Content-Type: text/plain; charset=iso-8859-1\n";
    $headers .= "Content-Transfer-Encoding: 8bit\n";
    $headers .= "X-Posting-Host: {$_SERVER['REMOTE_ADDR']}\n";
    $headers .= "X-HTTP-UserAgent: $user_agent\n";
    $headers .= "X-Complaints-To: {$_SERVER['SERVER_ADMIN']}";
    // Check if somebody tries to smuggle additional mail headers into the
    // body (eregi() is deprecated, so preg_match() with /i is used instead)
    $crack = preg_match("/(\r|\n)(to:|from:|cc:|bcc:)/i", $body);
    if(!$crack)
    {
        // If everything is OK, then send the message
        if(mail($to, $subject, $body, $headers))
        {
            // The name is escaped before it is put back into the page
            $html = "<h3>Thank you " . htmlspecialchars($name) . "!</h3>";
            $html .= "<p>Your message has been sent and I will read it soon!</p>";
        }
        else
        {
            $html = "<p>Sorry, the message could not be sent. Please try again later.</p>";
        }
    }
    else
    {
        // If additional header fields are found in the body, the mail
        // is not sent and this message is returned instead
        $html = "<h1 style=\"color:red;\">Spammer!</h1>";
        $html .= "<p>You have no rights to use this feedback form!</p>";
    }
    return $html;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>A secure mail application</title>
<meta name="generator" content="TSW phpCoder 2008" />
</head>
<body>
<h1>Feedback</h1>
<?php
if((!isset($_POST['submit']))&&(!isset($_POST['edit']))&&(!isset($_POST['confirm']))){
    echo empty_form();
}
// If edit is clicked in view_form()
if(isset($_POST['edit'])){
    echo edit_form();
}
// If confirm is clicked in view_form()
if(isset($_POST['confirm'])){
    echo submitted_form();
}
// If submit is clicked in empty_form()
if(isset($_POST['submit']))
{
    // Form field names and short variable names
    // (a missing field becomes '' instead of raising a notice)
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    $email = isset($_POST['email']) ? $_POST['email'] : '';
    $subject = isset($_POST['subject']) ? $_POST['subject'] : '';
    $message = isset($_POST['message']) ? $_POST['message'] : '';
    // Check for information in fields
    // Name
    if($name == '')
    {
        $error_name = "<p>You haven't told us your <strong style=\"color:red;\">Name</strong>!</p>";
    }
    elseif((strlen($name) < 3) || (strlen($name) > 20))
    {
        $error_name = "<p><strong style=\"color:red\">Name</strong> needs at least 3 letters and at most 20!</p>";
    }
    elseif(preg_match("/@/", $name))
    {
        $error_name = "<p><strong style=\"color:red;\">Invalid character</strong> found in field Name. You cannot use \"@\" in this field</p>";
    }
    else
    {
        $error_name = "";
    }
    // Email
    if($email == '')
    {
        $error_email = "<p>Please insert your correct <strong style=\"color:red;\">Email</strong> address!</p>";
    }
    // Pattern anchored at both ends; the /i modifier also allows upper case
    elseif(!preg_match('/^[a-z0-9]+([_.-][a-z0-9]+)*@([a-z0-9]+([.-][a-z0-9]+)*)+\.[a-z]{2,}$/i', $email))
    {
        $error_email = "<p><strong style=\"color:red;\">Invalid Email!</strong> Please tell us your correct email address!</p>";
    }
    else
    {
        $error_email = "";
    }
    // Subject
    if($subject == '')
    {
        $error_subject = "<p>Have you forgotten the <strong style=\"color:red;\">Subject</strong> of this message?</p>";
    }
    elseif(preg_match("/@/", $subject))
    {
        $error_subject = "<p>Invalid character found in <strong style=\"color:red;\">Subject</strong>. You cannot use \"@\" in this field</p>";
    }
    elseif((strlen($subject) < 3) || (strlen($subject) > 20))
    {
        $error_subject = "<p><strong style=\"color:red\">Subject</strong> needs at least 3 letters and at most 20!</p>";
    }
    else
    {
        $error_subject = "";
    }
    // Message
    if($message == '')
    {
        $error_message = "<p>You have to write something in the field <strong style=\"color:red;\">Message</strong>!</p>";
    }
    elseif(preg_match("/@/", $message))
    {
        $error_message = "<p>Invalid character found in <strong style=\"color:red;\">Message</strong>. You cannot use \"@\" in this field</p>";
    }
    elseif((strlen($message) < 10) || (strlen($message) > 300))
    {
        $error_message = "<p><strong style=\"color:red\">Message</strong> needs at least 10 letters and at most 300!</p>";
    }
    else
    {
        $error_message = "";
    }
    // Collect the error messages, dropping the empty ones
    $error = array_filter(array(
        $error_name,
        $error_email,
        $error_subject,
        $error_message
    ));
    if(count($error) > 0){
        // Print every error message to the screen
        // (each one is already wrapped in a <p>)
        foreach($error as $value){
            echo $value;
        }
        // and activate the edit form so the user can alter
        // his information in one or more fields
        echo edit_form();
    } else {
        // If no error is detected, activate the view_form() function
        echo view_form();
    }
} // end of if(isset($_POST['submit']...
?>
</body>
</html>
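An added example, not part of Karl-Arne's secure_mail.php, that isolates the point behind "nothing will be written to the headers": only a value that lands on a header line can inject extra headers, so that is where the CR/LF check belongs. It goes one step beyond the post by also putting the visitor's address in a Reply-To header to show the check in use; the owner address, field names and sample inputs are assumed placeholders.

```php
<?php
// Added example (not from secure_mail.php): the first blank line already
// separates the header block from the body, so visitor text in the body
// is harmless; only header-bound values need a line-break check.

// True if a value contains a line break, i.e. could start a new header line.
function has_header_injection($value)
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Builds the arguments for mail() from the validated form fields.
// $owner is the fixed recipient and sender (assumed placeholder; the
// original uses karl@localhost). The visitor's address is also put in a
// Reply-To header, which the original avoids, to show the check in use.
// Returns the argument array, or null when a header-bound value is unsafe.
function build_feedback_mail(array $fields, $owner)
{
    $reply_to = trim($fields['email']);
    if (has_header_injection($reply_to)
        || filter_var($reply_to, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Body: visitor text only; newlines here cannot create headers
    $body  = "Name: {$fields['name']}\n";
    $body .= "Email: {$fields['email']}\n";
    $body .= "Subject: {$fields['subject']}\n";
    $body .= "Message:\n{$fields['message']}\n";
    // Headers: fixed values plus the checked Reply-To, CRLF separated
    $headers  = "From: $owner\r\n";
    $headers .= "Reply-To: $reply_to\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/plain; charset=utf-8";
    return array(
        'to'      => $owner,
        'subject' => 'Secure feedback form', // fixed, never from the visitor
        'body'    => $body,
        'headers' => $headers,
    );
}

// Constructed sample inputs: a normal submission and one that tries to
// smuggle a Bcc: line through the email field.
$ok  = array('name' => 'Ola', 'email' => 'ola@example.com',
             'subject' => 'Hi', 'message' => "Line 1\nLine 2");
$bad = $ok;
$bad['email'] = "ola@example.com\r\nBcc: someone-else@example.com";
var_dump(build_feedback_mail($ok, 'owner@example.com') !== null);
var_dump(build_feedback_mail($bad, 'owner@example.com') === null);
```

The same has_header_injection() check applies to $_SERVER['HTTP_USER_AGENT'] if it is copied into an X- header, since that string is also supplied by the client.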