Web Design Forums and discussions on webdesign
#1

Doug wrote:

> In the spirit of open source, here is a contact us php script that you
> may use on your site.

Bug report:

* Inputs marked up as paragraphs, they almost certainly don't qualify.
* Distinct lack of <label>s
* User provided data is not entity encoded. This leads to rendering errors and cross-site scripting vulnerabilities.

--
David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
Home is where the ~/.bashrc is
#2

David Dorward wrote:

> Doug wrote:
>
>> In the spirit of open source, here is a contact us php script that you
>> may use on your site.
>
> Bug report:
>
> * Inputs marked up as paragraphs, they almost certainly don't qualify.

ok, thanks

> * Distinct lack of <label>s

True. Although they aren't necessary to make the page display or to make the script work correctly, it would be a nice addition.

> * User provided data is not entity encoded. This leads to rendering errors
> and cross-site scripting vulnerabilities.

True on the entity encoding. Could you expound on the cross-site scripting vulnerabilities? I would like to know more.

version 2 is below (put in file called contact_us.php). If you are using unix, the validation function can use the dns records instead as suggested by Toby I (see validate_email function) otherwise, it just uses a regular expression.

```php
<?php
// where you want the emails to go to
$contact_to_email = "yourusername@place.com";
// first part of the subject line
$contact_subject = "[your-website]";
// emails will come from
$contact_from_email = "website@yourwebsite.com";

function previous_request_value($str)
{
    if (isset($_REQUEST[$str]))
        return $_REQUEST[$str];
    else
        return '';
}

// Values that end up in mail headers must not contain line breaks,
// otherwise a submitted name or address could add extra headers.
function header_safe($str)
{
    return str_replace(array("\r", "\n"), '', $str);
}

$visitor_email   = trim(previous_request_value('visitor_email'));
$visitor_name    = trim(previous_request_value('visitor_name'));
$message_body    = previous_request_value('message_body');
$message_subject = previous_request_value('message_subject');

$errors = "";
$message_sent = false;

// We can tell if they are trying to submit contact data,
// because the request method will be post.
// so, check to see if there are any errors, if not,
// then send email.

// Returns true when $email looks valid, false otherwise.
function validate_email($email)
{
    // The commented part below only works when using *nix
    // You may uncomment if you are using a unix system,
    // and comment the line that comes after.
    /*
    $regexp = '/^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/iD';
    $valid = false;
    if (preg_match($regexp, $email)) {
        list($username, $domaintld) = explode("@", $email);
        // only accept the address if the domain has an MX record
        if (getmxrr($domaintld, $mxrecords))
            $valid = true;
    }
    return $valid;
    */
    // you may comment out this when using *nix platforms
    // and uncomment the above block
    // (the D modifier stops $ from matching before a trailing newline)
    return preg_match('/^[A-Za-z0-9_\-\.]+@[A-Za-z0-9_\-\.]+\.[A-Za-z0-9_\-\.]+$/D', $email) == 1;
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (!validate_email($visitor_email)) {
        $errors .= "Please enter a valid email address in the form of user@place.ext<br/><br/>";
    }
    if ($message_body == '')
        $errors .= "Please enter a message<br/><br/>";

    if (!$errors) {
        $ip        = getenv("REMOTE_ADDR");
        $httpagent = getenv("HTTP_USER_AGENT");
        $time      = date("F j, Y, g:i a T");
        $message   = "
From: $visitor_name ($visitor_email)
Subject: $message_subject
Browser Info: $ip $httpagent
Server Time: $time
Message: $message_body";

        $safe_name  = header_safe($visitor_name);
        $safe_email = header_safe($visitor_email);
        if ($safe_name)
            $reply_to_address = "$safe_name <$safe_email>";
        else
            $reply_to_address = "$safe_email";

        mail($contact_to_email,
             $contact_subject . " " . header_safe($message_subject),
             $message,
             "From: $contact_from_email\r\nReply-To: $reply_to_address");

        // every visitor-supplied value is entity encoded before it is echoed
        echo "Your message";
        echo "<div style='border: 1px solid black; margin: 10px 10px 10px 10px; padding: 10px 10px 10px 10px;'>"
           . "From: " . htmlentities($visitor_name) . " (" . htmlentities($visitor_email) . ")<br />"
           . "Re: " . htmlentities($message_subject) . "<br />"
           . htmlentities($message_body) . "</div>";
        echo "Has been sent. Thank you for contacting us.";
        $message_sent = true;
    }
}

// only show the form if the message was not sent successfully
if (!$message_sent) {
?>
<strong>We are happy to hear from you. Please enter your email address
<?php if (!$message_body) echo "and message" ?> below, then click the Send button.
</strong>
<?php
    // if there are errors, show the errors
    if ($errors) {
        echo "<br /><br />";
        echo "<span style='color:red'>$errors</span>";
    }
?>
<form name="ContactForm" id="ContactForm" method="post" action="contact_us.php">
<label for="visitor_name">Your name</label><br />
<input name="visitor_name" type="text" id="visitor_name" value="<?php echo htmlentities($visitor_name) ?>" size="25" />
<br /><br />
<label for="visitor_email">Your Email Address (required)</label><br />
<input name="visitor_email" type="text" id="visitor_email" value="<?php echo htmlentities($visitor_email) ?>" size="25"/>
<br /><br />
<label for="message_subject">Subject</label><br />
<input name="message_subject" type="text" id="message_subject" value="<?php echo htmlentities($message_subject) ?>" size="25"/>
<br /><br />
<label for="message_body">Message (required)</label><br />
<textarea name="message_body" cols="30" rows="6" id="message_body"><?php echo htmlentities($message_body) ?></textarea>
<br /><br />
<input type="submit" name="Submit" value="Send" />
</form>
<?php } ?>
```
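Doug's question about the cross-site scripting side of the missing entity encoding, illustrated with an added PHP example (not code from the thread): the unvalidated name field is rendered into the confirmation block and into the form's value attribute, raw and encoded. The helper functions and the constructed name value are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread): the same submitted name rendered into
// the confirmation block and the form's value attribute, raw and encoded.

// Encode for HTML text and attribute contexts. ENT_QUOTES also converts
// single and double quotes, which matters inside value="...".
function e($str)
{
    return htmlentities($str, ENT_QUOTES, 'UTF-8');
}

function confirmation_raw($name)
{
    return "<div>From: $name</div>";
}

function confirmation_encoded($name)
{
    return "<div>From: " . e($name) . "</div>";
}

function name_field_raw($name)
{
    return '<input name="visitor_name" type="text" value="' . $name . '" />';
}

function name_field_encoded($name)
{
    return '<input name="visitor_name" type="text" value="' . e($name) . '" />';
}

// Constructed submission: the script never validates the name field,
// so it may contain quotes and tags.
$name = 'Pat "Hyper" <b>Smith</b>';

// Raw: the browser treats <b> as markup (a rendering error for a harmless
// tag, script execution for markup that carries code), and the stray
// double quote ends the value attribute early.
$raw_div   = confirmation_raw($name);
$raw_input = name_field_raw($name);
assert(strpos($raw_div, '<b>Smith</b>') !== false);
assert(strpos($raw_input, 'value="Pat "Hyper"') !== false);

// Encoded: every character the HTML parser cares about becomes an entity,
// so the name is displayed verbatim and stays inside the attribute.
$enc_div   = confirmation_encoded($name);
$enc_input = name_field_encoded($name);
assert($enc_div   === '<div>From: Pat &quot;Hyper&quot; &lt;b&gt;Smith&lt;/b&gt;</div>');
assert($enc_input === '<input name="visitor_name" type="text" value="Pat &quot;Hyper&quot; &lt;b&gt;Smith&lt;/b&gt;" />');

echo $enc_div, "\n", $enc_input, "\n";
```

The same rule applies to the email address in the confirmation block, which the original version 1 echoed without encoding.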