# email me form in HTML?



## cnelson04 (Dec 29, 2003)

ok, here's what I want to do: when you click the submit button it should email me your email address, except I don't want it to open up an email program, I just want it to email it from the webserver. is this possible? here's the code..

```
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

MusicJunkie.be Early '06

*E-Mail me when the site is done!

<font face="Comic Sans" size="3">Your E-mail:
```

thanks -cnelson.


----------



## Sequal7 (Apr 15, 2001)

It can't be done in html because modern browsers no longer support email forms in html.
It won't run unless you have a perl script to execute the html document.
A good example of this is Matt's formmail
http://www.scriptarchive.com/formmail.html

Does your host support php? It can be done easily in php.


----------



## cnelson04 (Dec 29, 2003)

yes I do have php. Could you maybe show me an example of how to do it? -cnelson.


----------



## Sequal7 (Apr 15, 2001)

Here's a simple way, please change the email in $sendto ="[email protected]" to where you want the form to send.

```
<?php
  // if submitted form process and send mail
  // ($REQUEST_METHOD, $realname and $email are the raw request values as
  //  register_globals exposed them on PHP 4; on current PHP read
  //  $_SERVER['REQUEST_METHOD'] and $_POST['realname'] / $_POST['email'])
  if ($REQUEST_METHOD == "POST") {

    // just to be on the safe side
    // I'll strip out HTML tags
    // (scripting code may mess with some email clients)
    $realname = strip_tags($realname);
    $email = strip_tags($email);

    $sendto = "[email protected]";
    $subject = "Website Feedback ";
    // the typed-in values only go into the message body here
    $message = "$realname, $email\n";

    mail($sendto, $subject, $message);

  }

?>
<html>
<head>
  <title>insert title here</title>
</head>
<body>

<p><b>Send Mail When site complete</b></p>

<p>An easy way to get feedback on a site is to have
it emailed to you. This script shows you how to create
a Feedback form with the response being emailed to you
using PHP.</p>

<p>The first thing we need is our HTML form.
Keeping it simple I'll only ask for Name and Email. Use your browser's view source
if you would like the HTML code.</p>

<?php
    // if submitted form display sent message
    if ($REQUEST_METHOD=="POST") {
        echo("<p><b>Message Sent</b></p>\n");
        echo("<blockquote>\n");
        echo("$message");
        echo("</blockquote>");
    }
    // if not display form
    else {
?>

  <!-- $script_name is never set in this script, so the action comes out
       empty and the browser posts back to the same URL -->
  <form action="<?php echo $script_name; ?>" METHOD="POST">
  <table>
    <tr><td><b>Name: </b></td><td><input type="text" name="realname"></td></tr>
    <tr><td><b>Email:</b></td><td><input type="text" name="email"></td></tr>
    <tr><td><input type="submit" value="Submit"></td></tr>
  </table>
  </form>

<?php } ?>

</body>
</html>
```


----------



## jiml8 (Jul 3, 2005)

Matt's formmail is insecure and can be used as an open relay. Don't use it.

There are other mailers out there, including the nms Formmail which can be configured as a drop-in replacement for Matt's and which is secure.


----------



## jiml8 (Jul 3, 2005)

Sequal7 said:


> // if not display form
> else {
> ?>
> 
> ...


You sure this isn't a syntax error? Seems to me that an open brace in an if...else statement, followed by the end of the PHP section should be a syntax error, though I haven't tried it.

Seems to me to avoid the syntax error you need to echo the form HTML into the stream from PHP. This way the closing brace is part of the same PHP module.


----------



## jiml8 (Jul 3, 2005)

Well, I just tried it on one of my servers, and it worked as written. You learn something new every day.


----------



## Sequal7 (Apr 15, 2001)

*EDIT: sorry, didn't see you already tested it, posted at the same time as yours I guess.*

The code is fine as far as I know.

The if statement is to submit the data from the form in the page, the else is to display the form again if not filled out. I didn't write in an error process, just a returned blank form.
I was trying to keep it very simple. I am not certain however how secure this is to defy spam; I usually process through a separate php script that handles spam and errors better. What do you think about the security of this code?


----------



## TechGuy (Feb 12, 1999)

jiml8 said:


> You sure this isn't a syntax error? Seems to me that an open brace in an if...else statement, followed by the end of the PHP section should be a syntax error, though I haven't tried it.


This is actually one of the wonderful things about PHP -- it will hold the statement open until you bring it back to <?php -- no syntax error there, and it makes it much easier to enter HTML without worrying about quotes or strange pipes.


----------



## Sequal7 (Apr 15, 2001)

Thanks for the support!

Again, any advice as far as bots? Does this look ok?


----------



## TechGuy (Feb 12, 1999)

Because the Send To address is hard coded into the PHP file (and not a variable sent with the message, from address, etc), they can only spam you. I doubt this will cause much trouble for you.


----------



## Sequal7 (Apr 15, 2001)

Thanks for the tip, then that's settled.


----------



## jiml8 (Jul 3, 2005)

Ummm...

They could insert a bcc or any header into the text of the message and relay that way. Known issue with PHP mail() function. Need some pretty smart code to keep that from happening.

I think it is cool that PHP will hold a clause open that way. I didn't know about it because I wouldn't ordinarily program that way. Were I to write it, I would have embedded the HTML in PHP and escaped the quotes wherever needed. 

I do agree that it is more readable the way it is done here and I'll keep that in mind in the future.


----------



## Sequal7 (Apr 15, 2001)

Thanks, can you give it a try on this form? I would like to see what you mean.

spam it to removedemail

Thanks


----------



## TechGuy (Feb 12, 1999)

Hmm, guess that could be possible, but I'm not completely convinced yet.  Maybe strip_tags($message) would help... Not sure.


----------



## jiml8 (Jul 3, 2005)

Well, I gave it a try but I'm not sure about the syntax. Let me know if it came through.

I put this

\n bcc: [email protected]

in the email field.

and your form responded with this string:

Joe, \\n bcc: [email protected]

[Edited by TechGuy]


----------



## TechGuy (Feb 12, 1999)

*If* that code does work, it would be easy enough to run a search/replace on $message to put spaces around the @ or write it out as -at-


----------



## Sequal7 (Apr 15, 2001)

Hey Thanks.

The email has not come through yet, but I will wait a while to see if it does, as I am interested in what you have found. I have received the original email that the form is to submit to, it is:

Joe, \\n bcc: [email protected]_itbutyouknowwhere.com


----------



## jiml8 (Jul 3, 2005)

Seems to me this syntax should do it. I tried spamming your address and one of mine, and it isn't arriving at mine.

Joe, %0Abcc:[email protected],[email protected]%0Amessage:this got it I think

[Edited by TechGuy]


----------



## Sequal7 (Apr 15, 2001)

I have received nothing yet (other than your original messages), but nothing to the yahoo email. Have you successfully sent to your own?

Also, I am going to remove my yahoo email from my post, can you also please remove it from yours too so I don't get too much spam.... I am at your mercy...


----------



## TechGuy (Feb 12, 1999)

I suspect Jim will be back momentarily, but I just edited the addresses out anyway.


----------



## jiml8 (Jul 3, 2005)

Well, I don't seem to be able to make it happen, but it is discussed here, which is where I first heard of it:

http://securephp.damonkohler.com/index.php/Email_Injection

It is my beddy-bye time.


----------



## jiml8 (Jul 3, 2005)

Yeah, editing the addresses was a good choice. Of course, I get mountains of spam anyway...


----------



## Sequal7 (Apr 15, 2001)

Thanks for the edits Techguy! You are a god!

Not that I use that email much, but I try to practice safe surfing, and that was one blond moment for me, but as I said I am very interested in what jiml8 is trying so I hope he can do it and let me know the flaw I have.

I have read about parsing cgi into emails, but never really seen it happen. I know as he said earlier, Matt's Script has been attacked successfully a lot.

Thanks for trying anyhow jiml8, it was the most coding anxiety I've had in a while.


----------



## TechGuy (Feb 12, 1999)

Very interesting! Looks like the problem takes place when you add the BCC to the email address (not the from name) -- not sure if you tried it that way. The $email=strip_tags($email) might already be fixing this, but they suggest replacing it with the code:

```
// reject the address outright if it carries a line break
// (the linked page wrote this with eregi(), which PHP 7 removed;
//  preg_match() is the equivalent check)
if (preg_match("/[\r\n]/", $email)) {
     die("Why ?? :(");
}
```


----------



## jiml8 (Jul 3, 2005)

The mailheader thing is also discussed here:

http://us2.php.net/manual/en/ref.mail.php


----------



## TechGuy (Feb 12, 1999)

To test this, you can fill out the form and enter your email address as:


```
[email protected]%0ACc:[email protected]
```
(where [email protected] and [email protected] are the two addresses, and a CC is sent to the gmail account)


----------



## Sequal7 (Apr 15, 2001)

yes $email=strip_tags($email) is fixing that, but I would try that way, it seems more logical to me to die, I like that. Thanks.
I haven't tried the form as a from name.
I usually create a separate php script that handles the html form, and it has die on it for spamming, but the code is a lot more advanced. This is really the second simple php email form I've created so it is nice to try these things out.


----------



## Sequal7 (Apr 15, 2001)

no go, again I get the original message, but the others are not sent. I read that $email=strip_tags($email) does a very effective job, and apparently it does!
I wonder if I could also add $name, $message and every other part of the form to this too?

Yay PHP!


----------



## jiml8 (Jul 3, 2005)

Sequal7 said:


> no go, again I get the original message, but the others are not sent. I read that $email=strip_tags($email) does a very effective job, and apparently it does!
> I wonder if I could also add $name, $message and every other part of the form to this too?
> 
> Yay PHP!


Probably a good idea.

There seems no doubt that the technique described in the links I posted is not working here. I keep fiddling with it because the header syntax is very specific and getting it wrong will stop things from happening. I would prefer to be sure that it is not my error that is keeping this from working.


----------



## Sequal7 (Apr 15, 2001)

Thanks for all your insight jiml8 and Techguy

i think that cnelson04 has a good simple form here.

Cheers to you all!


----------



## cnelson04 (Dec 29, 2003)

hey guys, thanks for all the input =]] I don't know PHP that well, but I'm learning, and I don't really understand how to block all the spam if there even is a way, but maybe I'll just make an e-mail for this, in case I do get loads of spam? or one of those like "please type the image you see?" would that work? alright well I'm going to look around a little bit, I'm sure I'll find something. thanks. -cnelson.

EDIT: after re-reading through the posts, all I have to do is add the "strip_tags" (I don't know the exact code) message to the code? if this is so, then where in the code do I add this? thanks. -cnelson.


----------



## TechGuy (Feb 12, 1999)

It's already in the original code:


```
$email=strip_tags($email);
```


----------



## linuxphile (Mar 6, 2003)

The PHP manual has a simple function example for preventing header injections. Check it out at http://us3.php.net/manual/en/ref.mail.php


----------



## cnelson04 (Dec 29, 2003)

alright thx, tech guy=]]]]] -cnelson.


----------



## brendandonhu (Jul 8, 2002)

FYI, the header injection is only a problem when the additional_headers parameter can take user input. The script at the beginning of this thread doesn't use that parameter and isn't vulnerable to the injection at all.


----------



## jiml8 (Jul 3, 2005)

It so happens that when this topic came up, I was in the process of rolling out a new version of my website, this one being fully done in PHP (the predecessor site was mostly static). I had known I needed a contact form with email output, but I had pretty much planned on doing it the way the previous site did it; with a CGI script in perl. I needed a new contact form even though I am also keeping the old contact form on a different part of the site, and this was going to motivate some changes to the perl because I wanted each contact form to go to a different place.

This thread was timely because I decided to use the script at the front of this thread as the basis for my new contact form. Here is a php routine that fully implements a contact form including some checkboxes, some validation and error handling, and a "thank you" email for the person who filled out the form. It also keeps the existing form data in case it bombs on an error so that the user doesn't have to retype everything.

This routine does not do the HTML header or HTML footer stuff because I include that from another module. This form can be seen running here.

Now, the original code referred to a variable $script_name that was undefined. This was the action for the Form submit, and it worked even undefined. I suppose it is probably an apache thing, to self-refer the script when the action variable is blank. I didn't think that was a good plan, so I replaced $script_name with $sname=$_SERVER['PHP_SELF']; just to make the self-reference explicit and (hopefully) server independent.

```
<?php $ourmode=0 ?>
<?php include "header.php" ?>
<!--user code begins here -->
<?php
$sname = $_SERVER['PHP_SELF'];   // explicit self-reference for the form action
$errmsg = "";
$allow_send = false;
// option4 (add me to your email list) starts checked; the others start clear
$checked4="checked";
$checked1="";
$checked2="";
$checked3="";
// $REQUEST_METHOD and the field variables ($realname, $email, $sa1, ...) are
// the raw request values as register_globals exposed them on PHP 4; on
// current PHP read $_SERVER['REQUEST_METHOD'] and $_POST instead
if ($REQUEST_METHOD == "POST") {
    // just to be on the safe side
    // I'll strip out HTML tags
    // (scripting code may mess with some email clients)
    $realname = strip_tags($realname);
    $email = strip_tags($email);
    if($email ==""){$errmsg = "invalid email";}
    // minimal address check: something after the '@' that contains a '.'
    $em2 = strstr($email,'@');
    if($em2){
       $valid_email=strpos($em2,'.');
       if (!$valid_email) {$errmsg = "invalid email";}
       if ($realname ==""){$errmsg = "invalid name";}
       if($valid_email and $realname<>""){$allow_send=true;}
    }
    else {
       $errmsg = "invalid email";   // no '@' at all: say so instead of silently redisplaying
    }
    if ($allow_send) {
       $sa1 = strip_tags($sa1);
       $sa2 = strip_tags($sa2);
       $city = strip_tags($city);
       $state = strip_tags($state);
       $zip = strip_tags($zip);
       $tel = strip_tags($tel);
       $option1 = strip_tags($option1);
       $option2 = strip_tags($option2);
       $option3 = strip_tags($option3);
       $option4 = strip_tags($option4);
       $comments = strip_tags($comments);
       $sendto = "[email protected]";
       $subject = "Website Feedback ";
       $message = "$realname\n $email\n $sa1\n $sa2\n $city\n $state\n $zip\n $tel\n $option1\n $option2\n $option3\n $option4\n $comments\n";
       $returnaddr = "[email protected]";
       // fixed headers only; nothing typed into the form is placed here
       $headers="Return-Path: $returnaddr\n";
       $headers.="X-Sender: $returnaddr\n";
       $headers.="From:$returnaddr\n";
       $headers.="MIME-Version: 1.0\n";

       mail($sendto, $subject, $message,$headers);
       // thank-you copy: the address typed into the form becomes the To:
       // of this second mail(), i.e. it is used in header context here
       $thanksmsg = "Thank you for your interest.  The following message has been sent, and someone will contact you soon.\n - My Company Team\n\n $message";
       $subject =   "Thank you for your interest in my product";
       mail($email,$subject,$thanksmsg,$headers);
    }
    else {
      // validation failed: remember the checkbox states so the redisplayed form matches
      if ($option1<>""){$checked1="checked";} else {$checked1="";}
      if ($option2<>""){$checked2="checked";} else {$checked2="";}
      if ($option3<>""){$checked3="checked";} else {$checked3="";}
      if ($option4<>""){$checked4="checked";} else {$checked4="";}
    }
}
?>
<table class="listTable3" align="center"><tr><td bgcolor="#ddddbb">
<center><h2>Contact My Company</h2></center></td></tr>
<tr><td>
<table CELLPADDING="10" align="center"><tr><td width="70%" bgcolor="#f8dcc8"><font face="arial" size="3">
<p>If you would like more information about our products and services, or if you have comments on this site, please send us a message.</p>

<p>Fields identified with asterisks are mandatory fields</p></font>
<hr size="1" noshade>

<?php
    // if submitted form display sent message
    if ($REQUEST_METHOD=="POST" and $allow_send) {
        echo("<P><b>Message Sent</b></p>\n");
        echo("<blockquote><pre>\n");
        echo("$message");
        echo("</pre></blockquote>");
    }
    // if not display form
    else {
        if($errmsg<>""){echo "<br><font color=\"red\">$errmsg</font></br>";}
        echo "
<!-- ***  START HTML FORM -->
  <form action=\"$sname\" METHOD=\"POST\">
  <table cellpadding=\"4\" cellspacing=\"0\" border=\"0\">
    <tr><td><font size=\"-1\" face=\"Verdana, Arial, Helvetica, sans-serif\"><b>*Name: </b></font></td><td><input type=\"text\" name=\"realname\" value=\"$realname\" size=\"25\"></td></tr>
    <tr><td><font size=\"-1\" face=\"Verdana, Arial, Helvetica, sans-serif\"><b>*Email:</b></font></td><td><input type=\"text\" name=\"email\"  value=\"$email\" size=\"40\"></td></tr>
    <tr><td><font size=\"-1\" face=\"Verdana, Arial, Helvetica, sans-serif\"><b>Street Address 1:</b></font></td><td><input type=\"text\" name=\"sa1\" value=\"$sa1\" size=\"40\"></td></tr>
    <tr><td><font size=\"-1\" face=\"Verdana, Arial, Helvetica, sans-serif\"><b>Street Address 2:</b></font></td><td><input type=\"text\" name=\"sa2\" value=\"$sa2\" size=\"40\"></td></tr>
    <tr><td><font size=\"-1\" face=\"Verdana, Arial, Helvetica, sans-serif\"><b>City:</b></font></td><td><input type=\"text\" name=\"city\" value=\"$city\" size=\"40\"></td></tr>
    <tr><td><font size=\"-1\" face=\"Verdana, Arial, Helvetica, sans-serif\"><b>State:</b></font></td><td><input type=\"text\" name=\"state\" value=\"$state\" size=\"2\"></td></tr>
    <tr><td><font size=\"-1\" face=\"Verdana, Arial, Helvetica, sans-serif\"><b>Zip:</b></font></td><td><input type=\"text\" name=\"zip\" value=\"$zip\" size=\"10\"></td></tr>
    <tr><td><font size=\"-1\" face=\"Verdana, Arial, Helvetica, sans-serif\"><b>Telephone:</b></font></td><td><input type=\"text\" name=\"tel\" value=\"$tel\" size=\"10\"></td></tr>
    <tr><td></td><td><input type=\"checkbox\" name=\"option1\" value=\"Send me more information about your product\" $checked1> Send me more information about your product<br></td></tr>
    <tr><td></td><td><input type=\"checkbox\" name=\"option2\" value=\"Call me to discuss my needs\" $checked2> Call me to discuss my needs<br></td></tr>
    <tr><td></td><td><input type=\"checkbox\" name=\"option3\" value=\"I am interested in the Hosted Edition.  Call me.\" $checked3> I am interested in the <a href=\"hosteded.php\">Hosted Edition</a>.  Call me<br></td></tr>
    <tr><td></td><td><input type=\"checkbox\" name=\"option4\" value=\"Add me to your email list\" $checked4> Add me to your email list (<a href=\"privacy.php\">privacy policy</a>)<br></td></tr>
    <tr><td><font size=\"-1\" face=\"Verdana, Arial, Helvetica, sans-serif\"><b>Comments:</b></font></td><td><textarea cols=\"40\" rows=\"6\" name=\"comments\">$comments</textarea></td></tr>
    <tr><td colspan=\"2\" align=\"center\"><input type=\"submit\" value=\"Submit\"></td></tr>
  </table>
  </form>";} ?>
<!-- *** END HTML FORM -->
</td><td width="30%" bgcolor="#ddddbb"><font face="arial" size="3">My Company, Inc.<br>MyOfficeStreetAdd<br>MyCity,MyState,Myzip <br>MyPhone</font></td></tr></table>
</td></tr></table>
<!--user code ends here-->
<?php include "footer.php"?>
```


----------



## jiml8 (Jul 3, 2005)

A spammer found my contact form and tried to use it as an open relay. I received 6 emails this morning. Here is the full text from one of them (I have obfuscated some info)



> Return-Path: <[email protected]>
> Delivered-To: my desired [email protected]
> Received: from localhost (cm-ms2 [127.0.0.1])
> by cm-ms2.globat.com (Postfix) with ESMTP id D30DD398271
> ...


Note that the contents of the comments section of the form start with the word "expression" in this message. Quite obviously, someone was trying to spam using my website, and equally obviously they failed. I received a half dozen messages, about a minute and a half apart, where someone made multiple test attempts. The "from" address, of course, was bogus since it was a nonexistent address at my domain.

Now, these attempts have pointed up a glaring error in my script; I should be sending the IP address of the sender in the message. I really would like to know where this spammer came from, and now I won't know until my hosting service posts the site logs where I can get them, which won't be for almost two days.

Oh well. I have changed the script and henceforth will have IP addresses and, when I get the address of the source of this I will cheerfully pass it on.

In any case, the script proved to be secure, at least from this attack.


----------



## jiml8 (Jul 3, 2005)

I have to report back on this.

This script was successfully exploited by header injection on 19 Mar 2006. A week previous, I had moved the website from globat.com (which I found to be unsatisfactory) to bluehost.com (which overall is a vast improvement).

While at globat.com, attempts to inject headers failed. After moving to bluehost.com, the attempt succeeded. I presume some setting in bluehost.com's PHP config is making it vulnerable.

At the time the exploit occurred, I was online and became aware of it very quickly when I started receiving emails from the script, which were showing up in HTML format. I examined the headers, then disabled the script on the website and patched it.

The script now does some regex processing to identify "\n" or any of several specific mail headers ("Subject:", "Content-type:", "From:", "MIME-Version:") in the email address field. Also I hardened it further by limiting the email address field to 50 characters; after the POST occurs, that field length is evaluated and, if it is too long, it is chopped to the first 50 chars.

In any case, the experiment we performed in this thread was not conclusive; evidently the strip_tags is not good enough by itself to protect the script.


----------



## brendandonhu (Jul 8, 2002)

Your script very well may be vulnerable still, since other things can replace \n and there are many headers that can be used. Remember that the To: header can be set multiple times.


----------
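The checks this thread converges on (reject a raw or URL-encoded line break in the address, cap its length, keep typed-in text out of header context), collected into one PHP helper as an added example that is not any poster's code; the function names and the probe addresses are constructed for illustration.

```php
<?php
// Added example, not code from any post above: the thread's checks in one
// place. Function names and the probe addresses are constructed.
declare(strict_types=1);

// Return the address if it is one plain mailbox, otherwise null.
// strip_tags() only removes <...> tags and leaves CR, LF and appended
// header lines untouched, so the address is checked explicitly here.
function safe_address(string $raw, int $maxlen = 50): ?string
{
    $addr = trim($raw);
    if ($addr === '' || strlen($addr) > $maxlen) {
        return null;
    }
    // A line break, NUL, still-URL-encoded line break (%0A/%0D) or an
    // address separator means a second header or recipient is being
    // smuggled in: refuse the whole submission rather than clean it up.
    if (preg_match('/[\r\n\x00,;]|%0[aAdD]/', $addr) === 1) {
        return null;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) === false ? null : $addr;
}

// Free text that ends up in a header (subject, display name): fold any
// line break to a space and cap the length.
function header_text(string $raw, int $maxlen = 100): string
{
    $flat = preg_replace('/[\r\n\x00]+/', ' ', $raw) ?? '';
    return substr(trim($flat), 0, $maxlen);
}

// Send the feedback mail plus a thank-you copy. The typed address is used
// only in the body and as the To: of the copy, and only after it passed
// safe_address(); headers are built from the fixed $returnaddr alone.
// Returns false (and sends nothing) when the address is rejected.
function send_feedback(string $sendto, string $returnaddr,
                       string $name, string $rawEmail, string $comments): bool
{
    $email = safe_address($rawEmail);
    if ($email === null) {
        return false;
    }
    $body = header_text($name) . ", " . $email . "\n"
          . "Sender IP: " . ($_SERVER['REMOTE_ADDR'] ?? 'n/a') . "\n\n"
          . strip_tags($comments) . "\n";
    $headers = "From: $returnaddr\r\nReply-To: $returnaddr\r\n";
    mail($sendto, 'Website Feedback', $body, $headers);
    mail($email, 'Thank you for your interest', "We received:\n" . $body, $headers);
    return true;
}

// Constructed probes in the shape the thread tried against the live form.
$probes = [
    'joe@example.com'                          => true,
    "joe@example.com\nBcc: spam@example.net"   => false, // raw line break
    'joe@example.com%0ACc:spam@example.net'    => false, // still URL-encoded
    'joe@example.com,spam@example.net'         => false, // second recipient
    str_repeat('a', 60) . '@example.com'       => false, // over the 50-char cap
];
foreach ($probes as $input => $expected) {
    $accepted = safe_address($input) !== null;
    printf("%-45s %s\n", addcslashes($input, "\r\n"), $accepted === $expected ? 'as expected' : 'MISMATCH');
}
```

Each probe line should print "as expected"; the first script in the thread would have passed every one of them through strip_tags() unchanged.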

