I thought putting up a Contact Me type of page would be easy. After many hours I've learned a little PHP, a little HTML, and have something that appears to work.
First of all, some requirements. I wanted some way for people to contact me without putting my email address up on a page and attracting even more spam. I wanted a server-based form since I don't want to have to rely on JavaScript.
If you Google search for this sort of thing you'll find lots of pages about using PHP and HTML forms. There's even a web site that will generate a contact us form. But it was a bit simplistic. Still, between that and a book on PHP from the library I started putting something together.
Early on in my search I had found this page on the vulnerability of PHP-based form processing that sends email. So after getting a simple form with a simple PHP script I tried out some of the injection methods. I never got %0A characters to inject extra email headers, but I was able to inject quotes and HTML tags to mess up my pages.
I spent a long time trying to get the PEAR Mail class working. It's supposed to be secure against these sorts of attacks. And although I eventually figured out I have PEAR installed, I couldn't get it working and I didn't want to start modifying my Plesk-generated Apache configuration files to include the PEAR library.
So I went back to an earlier version of the contact form and got PHP to handle quotes and HTML stuff safely. I figure this form and script will work and be reasonably safe. And if it gets abused I can always fix it or take it down.
```php
<?php
## The start of this listing (the opening tag and the show_form() function that
## prints the form) did not survive on this page and is reconstructed here from
## the form HTML and the show_form() calls that did. The value='' attributes are
## refilled from the function's parameters so the form can be redisplayed with
## the visitor's input after a validation error.
function show_form($EmailFrom = '', $Name = '', $Website = '', $Message = '') {
?>
<p>By phone: (250) 474-0520</p>
<p>By letter: 287 ILott Place, Victoria, BC, V9C3V6, Canada</p>
<p>Please use the following form to send me an email. Required fields are marked with a *.</p>
<form method="POST" action="contact.php">
<table border='0'>
<tr>
<td>Your email id: *</td>
<td><input type='text' name='EmailFrom' size='35' maxlength='100' value='<?php echo $EmailFrom; ?>' /></td>
</tr><tr>
<td>Name:</td>
<td><input type='text' name='Name' size='35' maxlength='100' value='<?php echo $Name; ?>' /></td>
</tr>
<tr>
<td>Website:</td>
<td><input type='text' name='Website' size='35' maxlength='100' value='<?php echo $Website; ?>' /></td>
</tr><tr>
<td>Message: *</td>
<td><textarea name='Message' rows='10' cols='35'><?php echo $Message; ?></textarea></td>
</tr></table>
<p><input type='submit' name='submit' value='Send Email' /></p>
</form>
<?php
}

if (!isset($_POST['submit'])) {
    ### first time through: just display the empty form
    ## echo "First Pass";
    show_form();
}
else {
    ### second time, edit form, process, and redisplay
    ## echo "Second Pass\n";
    $err = 'N';
    ## htmlentities() with ENT_QUOTES encodes <, >, & and both kinds of quote,
    ## so the values can be echoed back into the form and the page stays intact
    $EmailFrom = htmlentities($_POST['EmailFrom'], ENT_QUOTES);
    if (empty($EmailFrom)) {
        echo "Your email id is required. Please enter your email id.\n";
        $err = 'Y';
    }
    $Message = htmlentities($_POST['Message'], ENT_QUOTES);
    if (empty($Message)) {
        echo "There's no point in sending an empty message. Please enter a message.\n";
        $err = 'Y';
    }
    $Name = htmlentities($_POST['Name'], ENT_QUOTES);
    $Website = htmlentities($_POST['Website'], ENT_QUOTES);
    if ($err == 'Y') {
        ## redisplay the form with what the visitor already typed
        show_form($EmailFrom, $Name, $Website, $Message);
    }
    else {
        ## decode the address again for the From: header. htmlentities() does not
        ## touch CR/LF, so this header is built from input that has not been
        ## checked for line breaks; the body keeps the entity-encoded text, so a
        ## quote in the message arrives as &#039;
        $ef = html_entity_decode($EmailFrom, ENT_QUOTES);
        $err = !mail('someone@somedomain.com', 'Email from Webmaster Mike Blog',
            "Name: $Name\n\nWebsite: $Website\n\nMessage:\n$Message\n",
            "From: $ef");
        if ($err) {
            show_form($EmailFrom, $Name, $Website, $Message);
            echo "There was an error sending your email.\n";
        }
        else {
            echo "Thank you for sending me an email.\n";
        }
    }
}
?>
```
The key section is the mail() function call, where you would replace someone@somedomain.com with your own email id and put in your own subject line for the email note.
I stripped off the HTML headers, footers and sidebar, leaving just the PHP code and the HTML for the form.
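As an added example that is not part of the original post: the one field that reaches a mail header decoded is the sender address, and htmlentities() leaves CR/LF alone, so it does not by itself stop extra headers from being appended through that field. The function below (the name from_header_for and the sample inputs are my own, constructed for the demonstration) validates the address before it is used in the From: header and rejects anything containing a line break.

```php
<?php
## Added example: build the From: header for mail() only from an address that
## passed validation. This is not the original post's code.

## Return a safe "From: <address>" header line, or null if the input is rejected.
function from_header_for(string $raw): ?string {
    $addr = trim($raw);
    ## Reject anything that could end the header line and start another one.
    if (preg_match('/[\r\n]/', $addr)) {
        return null;
    }
    ## Require one syntactically valid bare address; display names such as
    ## "Alice <alice@example.com>" are rejected by this filter.
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return "From: $addr";
}

## Constructed inputs, not taken from real traffic.
$cases = [
    'alice@example.com',                     # accepted
    'Alice <alice@example.com>',             # rejected: not a bare address
    "alice@example.com\r\nX-Injected: yes",  # rejected: contains CR/LF
    'not an address',                        # rejected: fails validation
];
foreach ($cases as $input) {
    $header = from_header_for($input);
    printf("%-44s => %s\n", json_encode($input),
        $header === null ? 'REJECTED' : $header);
}
```

In the contact script this check would run where $ef is computed: when it returns null, redisplay the form with an error instead of calling mail().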