
I am trying to set up a simple contact form for my website. The end goal of the form is for the user to submit their information and have the server process and deliver the email as if it came directly from the user. In other words, if John Doe, whose email address is johndoe@example.com, fills out the form, then the email would read as if John Doe sent it from his email address, johndoe@example.com. What's mind-boggling to me is that I figured my server might not have authorization to send on the user's behalf; however, an older PHP form that I'm trying to move away from executes just fine.

Currently, this is my mail processing form PHP:

<?php
if (($_SERVER['REQUEST_METHOD'] == 'POST') && (!empty($_POST['action']))):

// Default every field to '' so a missing POST key does not leave the variable
// undefined (the original compared and regex-matched values that might be unset).
$myname      = isset($_POST['myname'])      ? $_POST['myname']      : '';
$myemail     = isset($_POST['myemail'])     ? filter_var($_POST['myemail'], FILTER_VALIDATE_EMAIL) : false; // false when invalid
$mysubject   = isset($_POST['mysubject'])   ? $_POST['mysubject']   : '';
// FILTER_SANITIZE_STRING strips tags and encodes quotes; it is deprecated as of PHP 8.1.
$mycomments  = isset($_POST['mycomments'])  ? filter_var($_POST['mycomments'], FILTER_SANITIZE_STRING) : '';
$reference   = isset($_POST['reference'])   ? $_POST['reference']   : '';
$requesttype = isset($_POST['requesttype']) ? $_POST['requesttype'] : '';

$formerrors = false;

if ($myname === '') :
    $err_myname = '<div class="error">Sorry, your name is a required field</div>';
    $formerrors = true;
endif; // input field empty

if ($mysubject === '') :
    // was $err_myname, which silently overwrote the name error
    $err_mysubject = '<div class="error">Please enter a subject for your message.</div>';
    $formerrors = true;
endif; // input field empty

if ($myemail === false) :
    $err_myemail = '<div class="error">Please enter a valid email address.</div>';
    $formerrors = true;
endif; // address failed FILTER_VALIDATE_EMAIL

if ( !(preg_match('/[A-Za-z]+, [A-Za-z]+/', $myname)) ) :
    $err_patternmatch = '<div class="error">Sorry, the name must be in the format: Last, First</div>';
    $formerrors = true;
endif; // pattern doesn't match

if (!($formerrors)) :
    $to      = 'example@example.com';
    $subject = $mysubject;
    $message = "\nName: $myname\n\nEmail: $myemail\n\nSubject: $mysubject\n\nComments: $mycomments\n";
    // The display name is inserted unquoted. With the "Last, First" format the
    // comma makes the MTA read "Doe, John<johndoe@example.com>" as two addresses,
    // "Doe" and "John<johndoe@example.com>"; the bare "Doe" is then qualified with
    // the server's own hostname, which is where LastName@hostdomain.com comes from.
    // Nothing here rejects CR/LF in $myname or $mysubject either, so a submitter
    // can append headers of their own (mail header injection).
    $from    = $myname.'<'.$myemail.'>';
    $headers = 'From: '.$from."\r\n".
               'Reply-To: '.$myemail."\r\n";

    if (mail($to, $subject, $message, $headers)):
        $msg = "Thanks for filling out our form";
    else:
        $msg = "Problem sending the message";
    endif; // mail form data

endif; // check for form errors

endif; // form submitted
?>

Currently, the Reply-To works just fine, but the email received via the form indicates LastName@hostdomain.com. Thank you for your contributions.

jjcarlson
    Watch out for mail header injection. And exposing that you use PHP and which version is asking for hackers. – Marcel Korpel Dec 18 '13 at 22:59
  • @MarcelKorpel I appreciate the advice. Do you have suggestions as to what else to do to beef up security on our forms? I agree that there's vulnerability in this method and have been interested in various validation efforts. There are some that I didn't include above that I'm planning on implementing, but am always open to suggestion. Thanks! – jjcarlson Dec 18 '13 at 23:06
  • Hm... I didn't know that till now @MarcelKorpel You're indeed a wealth of information; *thanks for that.* – Funk Forty Niner Dec 18 '13 at 23:10
  • When putting an email address in a header (e.g., in the From-field), use [`filter_var`](http://php.net/filter_var) to check if it's a valid email address or not. Generally, use white-listing for header fields. And drop that `'X-Mailer: PHP/' . phpversion()` header! – Marcel Korpel Dec 18 '13 at 23:10
  • I suggest then, that you go through the [`mail() function manual`](http://php.net/manual/en/function.mail.php) on PHP.net, while not using `'X-Mailer: PHP/' . phpversion()` as Marcel pointed out. – Funk Forty Niner Dec 18 '13 at 23:19
  • Without going into great detail, I found that if I changed how a user inputs their name, it will affect the way their information is displayed in the header. For example, I changed the format to "First Last" removing the comma, and the name displayed correctly. Also, the @hostdomain.com no longer shows in the email. – jjcarlson Dec 19 '13 at 17:32
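The two points raised in this thread, the `Last, First` name being split into two addresses by the comma and Marcel Korpel's warning about mail header injection, come down to the same thing: user-supplied text is being pasted into a header line unquoted and unchecked. The following is an added example, not the asker's code, showing how a contact form can build the headers safely. It assumes the same field names as the question, an address at the site's own domain (`forms@example.com`, assumed) for the `From:` line, and the `mbstring` extension for `mb_encode_mimeheader`. Putting the visitor's address in `From:` is deliberately avoided: `mail()` will happily send it, which is why the older form "executes just fine", but a receiving server checking SPF or DMARC for the visitor's domain has no reason to accept your server as a sender for it, so the visitor goes in `Reply-To:` instead.

```php
<?php
// Added example (not the question's own code): builds the additional_headers
// argument for mail() so that a visitor-supplied name can neither break the
// address syntax nor inject extra header lines.
declare(strict_types=1);

/**
 * Reject any value containing CR, LF or NUL. A newline inside a header value
 * lets the submitter append their own headers (Bcc:, additional To:) and turn
 * the form into a relay. Returns the trimmed value otherwise.
 */
function assert_single_line(string $value, string $field): string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException("$field contains line breaks");
    }
    return trim($value);
}

/**
 * Turn a display name into a form the MTA cannot misparse. Unquoted,
 * "Doe, John" is read as two addresses ("Doe" and "John<...>"), which is what
 * produced LastName@hostdomain.com in the question. Printable ASCII becomes a
 * quoted-string; anything else becomes an RFC 2047 encoded-word.
 */
function encode_display_name(string $name): string
{
    $name = assert_single_line($name, 'name');
    if (preg_match('/[^\x20-\x7e]/', $name)) {
        return mb_encode_mimeheader($name, 'UTF-8', 'B'); // assumes ext/mbstring
    }
    return '"' . addcslashes($name, '"\\') . '"';
}

/**
 * Build the header block. From: is the site's own address so the message does
 * not claim to originate from a domain whose SPF/DMARC policy does not list
 * this server; the visitor's name and address go into Reply-To:.
 */
function build_contact_headers(string $siteFrom, string $name, string $email): string
{
    $email = filter_var(assert_single_line($email, 'email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    $display = encode_display_name($name);
    return "From: $siteFrom\r\n"
         . "Reply-To: $display <$email>\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

/** Subject is a header too: no line breaks, encode non-ASCII. */
function clean_subject(string $subject): string
{
    return mb_encode_mimeheader(assert_single_line($subject, 'subject'), 'UTF-8', 'B');
}

// --- demo on constructed input ---------------------------------------------
$siteFrom = 'Website Contact <forms@example.com>'; // assumed address at your own domain

// 1) the question's case: the comma in "Last, First" now survives as one display name
echo build_contact_headers($siteFrom, 'Doe, John', 'johndoe@example.com');
// From: Website Contact <forms@example.com>
// Reply-To: "Doe, John" <johndoe@example.com>
// Content-Type: text/plain; charset=UTF-8

// 2) a constructed injection attempt is rejected instead of being mailed
try {
    build_contact_headers($siteFrom, "Doe, John\r\nBcc: victim@example.net", 'johndoe@example.com');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The string returned by `build_contact_headers()` is what goes in the fourth argument of `mail()`, and `clean_subject()` feeds the second; the body can keep its newlines, since only header fields are affected by CR/LF injection. The `X-Mailer: PHP/...` header mentioned in the comments is simply never emitted, so there is nothing to strip.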

0 Answers