cza

form mailer sending blanks

cza    122
Hey guys, another problem which I have googled for about 2 hours now and found no resolve. My problem is this email script is sending blank emails:

This info comes from the previous page, in which all the fields in the form are shown to the person who has entered the information, in order to check to see if they are all correct. Is this the problem, that they are coming from the actual form itself, or am I doing something wrong?

This needs to be finished by tomorrow so I'm desperate.

Thanks ALOT for any help

cza

[edit] This is the code from which the info is being sent: http://calebt.recoil.net.nz/others/check2.phps (if it is any help) [edit]

[edited by - cza on August 14, 2003 8:11:55 AM] [edited by - cza on August 14, 2003 8:12:18 AM]

LordLethis    122
If your code is in the same order as you posted it, you should move the
$message = "$Q1 $Q2 $Q3 $Q4 $Q5 $Q6 $Q7 $Q8 $Q9 $Q10";
under the initialization of the vars $Q1-$Q10.

cza    122
Okay sweet, will try now.

I thought that was a bit weird but I got it off a tutorial here:

http://resma.net/tutorials/php/form_finish.php


Hmmm, still no joy, I just tried it then.

If I add ',' in between the $Q1 etc. it sends the , mark only,

so the problem can only be in them :/

[edited by - cza on August 14, 2003 8:23:48 AM]

LordLethis    122
Well then I guess your vars are empty...
...
Sorry I didn't look at the file you posted
You don't seem to be passing any vars to your email function...
You could pass them as
<input type="hidden" name="Q1" value="<?php echo $Q1; ?>">
and similar...

[edited by - LordLethis on August 14, 2003 8:31:45 AM]

cza    122
Hmmm

Thanks

Should I put that on the sending page or on the check page?

Here is how the site works:

survey.php (fill this out, click the continue button)
----takes u to
check.php (shows all your answers to make sure they are correct)
-----click send button (which is meant to email the answers)
sent.php (just says thank u and all that)

So now where do I put the hidden things? On the check.php page I would say??


cza    122
OMG!@#! this is frustrating me somewhat (welcome to the world of coding)

this is the code on my check page:

<input type="hidden" name="Q1" value="">
<input type="hidden" name="Q2" value="">
<input type="hidden" name="Q3" value="">
<input type="hidden" name="Q4" value="">
<input type="hidden" name="Q5" value="">
<input type="hidden" name="Q6" value="">
<input type="hidden" name="Q7" value="">
<input type="hidden" name="Q8" value="">
<input type="hidden" name="Q9" value="">
<input type="hidden" name="Q10" value="">

<form action="sending.php" method="post">
<input type="submit" name="submit" value="Send Survey">

(where it says value=" there is this in there "< ? php echo $Q10 ; ? >)

this is the code on the sending page:

$address = "Tamihere@world-net.co.nz";
$subject = "Survey";

$from = "geo_survey";

$Q1=$_POST['Q1'];
$Q2=$_POST['Q2'];
$Q3=$_POST['Q3'];
$Q4=$_POST['Q4'];
$Q5=$_POST['Q5'];
$Q6=$_POST['Q6'];
$Q7=$_POST['Q7'];
$Q8=$_POST['Q8'];
$Q9=$_POST['Q9'];
$Q10=$_POST['Q10'];

$message = "$Q1, $Q2, $Q3, $Q4, $Q5, $Q6, $Q7, $Q8, $Q9, $Q10";

mail($address, $subject, $message, $from);


?>

and it still doesn't have anything in the variables

I'm getting very close to just making the first submit button send the information D:

[edited by - cza on August 14, 2003 8:52:00 AM]

hellz    356
Edit: Bah, it's messed up the PHP tags. I've sort of fixed it, but ignore the space after each < when a ? follows (it does make a difference in PHP), so make sure there's no space there.

Ok, here is what you want to be structuring your code as.

The first page where the user enters their survey answers wants to have a form that uses the POST method, which submits the information to your checking page.

Now, I *think* what you've done is to just echo out the contents of $Qx on the checking page, not $_POST['Qx']. The difference is that PHP doesn't assume it should be checking the POST collection for the reference of $Qx, so instead of displaying the contents from each of your variables in the POST collection, in the hidden field values for your checking form, it's displaying nothing (in other words, null) as a value.

To correct this, change your hidden form inputs on your checking page, to the following:

<input type="hidden" name="Q1" value="< ?php echo $_POST['Q1']; ?>">
<input type="hidden" name="Q2" value="< ?php echo $_POST['Q2']; ?>">
...
etc.

Now there are 2 things I need to point out. Firstly, double check that your form on your first survey page is using POST as its sending method (same goes for your form on your checking page) and secondly, before outputting the contents of each POST variable on your second form, you should validate the contents.

Example:

< ?php

/* Assume isFormSafe() is a function you've written to validate the data. */
$v_Q1 = isFormSafe($_POST['Q1']);
/* Do the same for the other question variables. */

?>

Then on your form, instead of directly accessing the POST collection to output the information on your forms (which is dangerous and very open to exploitation), use the $v_Qx variables instead, as in:

<input type="hidden" name="Q1" value="< ?php echo $v_Q1; ?>">

Incidentally, you can echo out variables in PHP using a shorthand similar to that of ASP; example:

<input type="hidden" name="Q1" value="< ?=$_POST['Q1'];?>">

Notice there is no longer the need for "php echo" in that statement.

Hope that helps,

--hellz

[edited by - hellz on August 14, 2003 10:19:30 AM]

[edited by - hellz on August 14, 2003 10:20:47 AM]
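
One way the validate-then-echo step described in the post above could look on check.php, as an added example that is not code from the thread. isFormSafe() is the post's placeholder name; the rules inside it, the 500-character limit, the hiddenFields() helper and the sample answers are assumptions.

```php
<?php
// Added example. isFormSafe() is the placeholder name used in the post above;
// the rules inside it (length limit, control characters) are assumptions.

/** Return the cleaned answer, or null if it is missing or unacceptable. */
function isFormSafe($value, $maxLen = 500)
{
    if (!is_string($value)) {            // missing field, or an array like Q1[]=x
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    // Reject control characters other than tab, LF and CR.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

/** Build the hidden inputs for check.php from a POST-like array. */
function hiddenFields(array $post, $count = 10)
{
    $html = '';
    for ($i = 1; $i <= $count; $i++) {
        $name  = "Q$i";
        $clean = isFormSafe(isset($post[$name]) ? $post[$name] : null);
        if ($clean === null) {
            return null;                 // caller sends the user back to survey.php
        }
        // Escape for an HTML attribute so quotes and angle brackets stay data.
        $html .= '<input type="hidden" name="' . $name . '" value="'
               . htmlspecialchars($clean, ENT_QUOTES, 'UTF-8') . "\">\n";
    }
    return $html;
}

// Constructed sample input standing in for $_POST.
$sample = array();
for ($i = 1; $i <= 10; $i++) {
    $sample["Q$i"] = "answer $i";
}
$sample['Q3'] = 'He said "yes" <b>';

// The hidden inputs go inside the form, otherwise they are not submitted.
echo "<form action=\"sending.php\" method=\"post\">\n"
   . hiddenFields($sample)
   . "<input type=\"submit\" name=\"submit\" value=\"Send Survey\">\n</form>\n";
```

Hidden fields come back from the browser, so sending.php has to run the same validation on $_POST again before it builds the mail.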

capn_midnight    1707
Instead of sending all your data as separate variables, I would send it as one.

There is a function called implode that takes an array and a string. It makes a string that is all of the elements of the array separated by the string

$arr=array(1,2,3,4,5);
$str=implode('|',$arr);

//$str is now "1|2|3|4|5";


$arr2=explode('|',$str);

//$arr2 is now equivalent to $arr



you could do a little javascript before you submit to do the implode.

<!-- survey.html -->
<HTML>
<FORM NAME="fillForm">
<INPUT NAME="ff1" TYPE="text" VALUE="all the stuff for your survey">
<INPUT NAME="ff2" TYPE="text" VALUE="all the stuff for your survey">
<INPUT TYPE="button" onClick="send()">
</FORM>

<FORM NAME="subForm" ACTION="check.php" METHOD="POST">
<INPUT TYPE="hidden" NAME="DATA" VALUE="">
</FORM>

<SCRIPT LANGUAGE="JavaScript">
// join the elements of arr into one string with str between them
function implode(arr,str){
  var temp="";
  for(var i=0;i<arr.length-1;i++)
    temp+=arr[i]+str;
  temp+=arr[arr.length-1];
  return temp;
}
// copy the visible fields into the hidden DATA field and submit that form
function send(){
  var v=new Array(2);
  v[0]=document.fillForm.ff1.value;
  v[1]=document.fillForm.ff2.value;
  var temp=implode(v,'|');
  document.subForm.DATA.value=temp;
  document.subForm.submit();
}
</SCRIPT>
</HTML>


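<!-- check.php -->
<HTML>
<FORM NAME="hidForm" ACTION="send.php" METHOD="POST">
<?php
// read the value from the POST data explicitly, and escape it before output
$DATA=isset($_POST['DATA'])?$_POST['DATA']:'';
print "<INPUT TYPE='hidden' NAME='DATA' VALUE='".htmlspecialchars($DATA,ENT_QUOTES)."'>\n";
$arr=explode("|",$DATA);
foreach($arr as $item){
  print htmlspecialchars($item,ENT_QUOTES)."<BR>";
}
?>
<INPUT TYPE="submit"><INPUT TYPE="button" VALUE="reset" onClick="parent.location='survey.html'">
</FORM>
</HTML>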


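<!-- send.php -->
<HTML>
<?php
$address="yey@yey.com";
$subject="Survey";
$header="FROM:geo_survey";
// read the submitted data from the POST collection explicitly
$DATA=isset($_POST['DATA'])?$_POST['DATA']:'';

mail($address,$subject,$DATA,$header) or die("Message could not be sent");
?>
</HTML>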

Notice the change in send.php. There is no $from, instead it is $header, because you are directly editing the email's header. In order for the FROM information to get through properly, you need the "FROM" qualifier in front of the address.

Don't let people put in their own email addresses in the from field without some major checking. Besides the obvious problem of people making fake email addresses, I've read that it can be exploited to send you messages that you wouldn't expect.


Do you use your powers for good or for awesome?
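
A sketch of the checking that the post above asks for before a visitor-supplied address goes into the From header, as an added example that is not capn_midnight's code. The function names, the 'email' form field, the fallback sender and the sample inputs are assumptions, and filter_var() requires PHP 5.2 or later.

```php
<?php
// Added example; function names, the 'email' field and sample values are constructed.

/**
 * Return a "From: ..." header line for a user-supplied address, or null if
 * the value contains a line break or is not a syntactically valid address.
 */
function safeFromHeader($input)
{
    if (!is_string($input)) {
        return null;
    }
    // A CR or LF would end the From line and begin another header line.
    if (preg_match('/[\r\n]/', $input)) {
        return null;
    }
    $addr = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : 'From: ' . $addr;
}

/** Mail the survey data; returns false instead of sending a blank message. */
function sendSurvey(array $post, $to, $fallbackFrom)
{
    $data = (isset($post['DATA']) && is_string($post['DATA'])) ? $post['DATA'] : '';
    if ($data === '') {
        return false;                    // nothing arrived: the "blank mail" case
    }
    $header = safeFromHeader(isset($post['email']) ? $post['email'] : null);
    if ($header === null) {
        $header = 'From: ' . $fallbackFrom;   // fixed sender chosen by the site
    }
    return mail($to, 'Survey', $data, $header);
}

// Constructed inputs showing what the check accepts and what it rejects.
$tests = array(
    'visitor@example.org',                  // accepted
    "visitor@example.org\r\nX-Test: 1",     // rejected: contains a line break
    'not an address',                       // rejected: not a valid address
);
foreach ($tests as $t) {
    var_dump(safeFromHeader($t));
}
```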
hellz    356
quote:
Original post by capn_midnight
you could do a little javascript before you submit to do the implode.


You should never rely on any client-side code to ensure that a data operation is completed successfully. This is dangerous and open to malicious input. As well as this, some users may have javascript disabled and/or the browser may not even support it.

Not worth the hassle, IMHO.

--hellz

[edited by - hellz on August 14, 2003 11:45:16 AM]

PhilVaz    144
this is the code on my check page:

<input type="hidden" name="Q1" value="">
<input type="hidden" name="Q2" value="">
<input type="hidden" name="Q3" value="">
<input type="hidden" name="Q4" value="">
<input type="hidden" name="Q5" value="">
<input type="hidden" name="Q6" value="">
<input type="hidden" name="Q7" value="">
<input type="hidden" name="Q8" value="">
<input type="hidden" name="Q9" value="">
<input type="hidden" name="Q10" value="">

Whoops, you should have paid attention to what I wrote in that previous PHP thread. Remember? I said to do this in your check.php

print"<input type='hidden' name='Q1' value='$Q1'>";
etc....

In other words, you need to print" " or echo" " these hidden vars with value='$Q1' etc.... ALONG WITH your submit button to have the email.php REMEMBER the values. What you were doing is passing blanks to your email.php so no wonder you got blanks in the mail( ) command. I've done that myself when I was learning PHP last year.

Also the $Q1 = $_POST etc lines are not required, I've never used those. You only need to reference the variables themselves and as long as they're passed you'll have the values.

Phil P

superpig    1825
I believe that in the more recent versions of PHP, you're meant to use $_REQUEST[] rather than $_POST[]. $_REQUEST contains values passed in through both GET and POST.

Sometimes you can access them directly by name (i.e. $Q1 rather than $_REQUEST["Q1"]) but I think that's turned off by default because it's a security hazard ('register_globals' or something).

Superpig
- saving pigs from untimely fates, and when he's not doing that, runs The Binary Refinery.
hellz    356
quote:
Original post by PhilVaz
Also the $Q1 = $_POST etc lines are not required, I've never used those. You only need to reference the variables themselves and as long as they're passed you'll have the values.



Edit: Read my reply after this mate, it'll explain more where I'm getting at.

Incorrect. The reason is that if you don't specify where the values are to be read from, it would be simple to inject information into those variables. For example, if you had a variable $test in your program, which you wanted to retrieve from a form via post, it would be very easy for an attacker to change the variable from the URL string, as in: something.php?test=whatever

Whilst this doesn't demonstrate exactly *how* it's dangerous, you should *always* specify where a variable is to be read from, for the safety of your own scripts (and to enforce the principle of least privilege).

--hellz

[edited by - hellz on August 15, 2003 2:20:59 PM]

hellz    356
quote:
Original post by superpig
I believe that in the more recent versions of PHP, you're meant to use $_REQUEST[] rather than $_POST[]. $_REQUEST contains values passed in through both GET and POST.

Sometimes you can access them directly by name (i.e. $Q1 rather than $_REQUEST["Q1"]) but I think that's turned off by default because it's a security hazard ('register_globals' or something).


Whilst that is true, there's a lot you should be aware of. Firstly, register_globals was switched from ON to OFF in versions PHP 4.2.0 and upwards. Taken from the PHP manual:

"Reliance on this directive was quite common and many people didn't even know it existed and assumed it's just how PHP works. This page will explain how one can write insecure code with this directive but keep in mind that the directive itself isn't insecure but rather it's the misuse of it.

When on, register_globals will inject (poison) your scripts with all sorts of variables, like request variables from html forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this. Let's demonstrate with an example misuse of register_globals:

Example 15-14. Example misuse with register_globals = on


< ?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
$authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
include "/highly/sensitive/data.php";
}
?>


When register_globals = on, our logic above may be compromised. When off, $authorized can't be set via request so it'll be fine, although it really is generally a good programming practice to initialize variables first. For example, in our example above we might have first done $authorized = false. Doing this first means our above code would work with register_globals on or off as users by default would be unauthorized."

--hellz


[edited by - hellz on August 15, 2003 2:19:42 PM]
