Announcement

**zuriatman** · 01-23-2008, 02:02 PM

Re: seeking php form and email link help

Submit a support ticket for your treasure chest password.
There is a Pro software in there waiting for you.

**brianinportland** · 01-23-2008, 02:52 PM

Re: seeking php form and email link help

Thanks for your reply.

I've tried to follow the Bv web-building intruction, but can not find any php html text when the tutorial asks to cut paste from start of page to between head tag.

If what you're recommending to me is the ABVFPv2.0 - the more detailed pro form - it looks far to complicated to attempt, unless there's a beginner's baby step how to, which I've not seen.

Here's my site www.bikempowered.com to see the reply form.

there follows 2 strings of html: the 1st is the results of following

The second string is my existing start of page html that supposed to have some php text in it - which it does not.

Thanks for your help or forwarding it on to others.

Brian

1st html text:
PHP Mailto Form
Revised instructions: 6/2006
PHP mailto forms are simply the most user friendly way to interact with those using your website. They simply fill in the boxes, hit submit and everything is sent to your e-mail address. No muss- no fuss. No other programs to open or configure. The php script takes care of all that. It is very user friendly and universally applicable. Thats it's appeal. It is a little harder to set up- but is well worth the effort. There have been recent security exploits pertaining to php scripted form submission. You can read about it here. This tutorial will address those issues and if you follow these directions- you may rest assured that your form will be safe from exploit. So get a cup of coffee and get ready to dig in.
If you haven't already done so, I HIGHLY recommend that you watch the BV tutorials on the basics of building a form. You can find them here; http://www.vodahost.com/DemoDemo/bvt..._basicform.htm http://www.vodahost.com/DemoDemo/bvt...rmelements.htm
So lets come up with a typical form so that we can see how this whole process works. Once complete- you will be able to take and adapt these methods to create a more elaborate fom if you need too. So lets take a look at the form below;
Name
E-mail address
Comments
*Limit of 300 characters
Things to remember while making the form: (1) Make in logical order so that when users tab from field to field it goes from top to bottom. It will tab in the order that the fields were produced. If you made the Name field and then Comments and then E-mail address- that is how it will tab. (2) Name each element field. When naming them- try to use one word and it is good practice to have all lower case. EACH FIELD MUST BE NAMED! By default- fields contain a name of T1 or S1. If you fail to place a proper name to each element field - the process123.php script will not work and no information will reach your mail box. If you must use two words to name an element field, make sure to place the under score between each word. For example: contact_us.
Right Click on the form to access the form properties. We will set our form properties as shown below:
The Form Name is -cmnow1 (contact me now 1) which incorporates a security measure to hide the form from automatic detection by obscuring the name. The Action also utilizes this security measure with process123.php. Finally- we are going to use the Encoding Type- multipart/form-data. Save and publish!
****If you have a computer with a processor of 1.2ghz or better- click here for a soundless video demonstration / re-cap of how to build the form.
As you have (hopefully) read in the article in the beginning of this tutorial- even this simple form is vulnerable to exploit. This is due to the ability to inject additional information into the elements of the form. In the form above, we did not set a limit on characters permitted in any given element. Even if we had- it could be by passed as that limit would be visable in the source code. One could copy the form- remove the limits and then send out mass e-mails with the new form. To really combat this and make a secure form we need to have our limits and validation done within the php script. The php script is not visable to anyone on the internet. This is the real power of php. So lets look at php scripting and use it to properly protect our form.
All php scripts must start with an opening and ending tag. For this tutorial we will use <?php for the opening and ?> for the closing tag.
Next we need to declare our variables. Not all of them- just the ones we are going to secure and validate. Our variables are the names of the element fields. In the form above we have three - name, email and comments. We would declare them like so;
$name = $HTTP_POST_VARS['name'];
$email = $HTTP_POST_VARS['email'];
$comments = $HTTP_POST_VARS['comments'];
So if your form has more elements that you wish to secure and validate- this is the manner in which you would declare the variables. Check boxes and Radio Buttons do not need to be secured - therefore we will not need to declare them. Any text field should be validated and secured with a length limit in php.
Next we're going to do a simple test or- validation. We are going to make sure that a field has not been left empty. Not every field must have this- only those fields that you absolutely want your customer to fill in- or your required fields. Lets take the name field for example. The script to make sure that there is an entry in that field looks like this;
if (strlen($name == 0 )
In this script the computer gathers the variable named $name and checks to see if equals a null or empty entry. Thats it. Now this can either be True (there is no entry) or False (there is an entry). We will now add instruction for what to do in either case. In this instance- if the customer forgot to enter a name- we want to tell them so and instruct them to make sure to fill in a name. We will use the echo() function to accomplish this and the code would look like this;
if(strlen($name) == 0)
{
echo "It would appear that you have not put your name in the Name Field. Please use the Back Button to return to the form and put your name in that field. Thank you!";
exit;
}
Ok- lets break the function down. The script takes the element field $name and checks to see if it is null or empty. If it is empty- the next part of the script posts a message to your customer in a new browser window telling them that they have forgot to put a Name in the field "Name". If you'll notice the exit; . That is the scripts instruction to continue on if there is no problem or exit this script and go to the next one. The great part about using the echo method is that you can be very explicit as to what the problem is for each field and instructing your customer how to correct it. This is very user friendly. Also the echo is easily customized / changed, and perhaps the best part- there is no need to create multiple error message pages.
So here we are. Take a breather. Not as complicated as you thought. The above validation does nothing for security. The above script only ensures that your customer put something in a field. Now we are going to write script that will provide security. So re-fill that coffe cup and lets get started.

The next thing we have to do is limit the length of the field elements that our customers will fill in. These are any text field such as - Name, Address, E-mail, Phone# etc. etc.... and of course the large free text area field or more commonly - Comments or Message section. Why do we want to limit these fields. To prevent injection of script/code in that field. Think about it for minute. If the field is left at NO LIMIT- then some one can take one line (field) of my form and inject thousands of e-mail addresses and use my submit button to send them on their merry way. This is happening a great deal. That is why I have spent many hours researching this and providing you with a simple and sound solution. It has happened to me and others on the forum. Don't get discouraged about php mailto forms- just take the necessary precautions.
So now lets take a look at setting a length limit for our fields. Again, we are going to make use of the
if (strlen) method. So lets test to make sure our customer (or a hacker for that matter) cannot exceed a
predetermined length of characters in a given field element. The script would be written as follows;
if (strlen($name) >= 45 )
{
echo "You have placed too many characters in the Name field- please shorten the entry. Thank You!";
exit;
}
The script asks- if the name field has over 45 chatacters then tell the user "You have placed too many characters in the Name field- please shorten the entry. Thank You!" But if the entry is 45 characters or less- contiunue on with the rest of the script. This would give them a maximum of 45 characters/space to enter their name. This should be plenty. If you feel you need more- by all means adjust it. What does this do? If only gives a potential hacker 45 spaces to add code which is not enough to be worth his/her time to send only a couple of spam e-mails. It would be more trouble that what it is worth. There are plenty of vulnerable forms out there- BELIEVE ME!. So we would do this for each text element we have. If we only did this alone- It would improve your security immensely.

In the free text area (comments) we are most vulnerable. This is because we do not want to limit (too much) what our customer wishes to tell us. Additionally- limiting them might make them angry. But I believe it is a necessary evil. So on the form- in the text area (comments) lets give an initial value that informs and warns our customer that they are limited to 300 characters/spaces to write their novel- (see the form above.) We will not be checking this field to see if it was left null or empty. We do not want to force our customers into writing something. Limiting the amount of characters / spaces still leaves us vulnerable to injection (but we will take care of that in a minute). Truthfully- if we took no additional steps to prevent injection- a potential hacker will only be able to send about 8 to 15 spam e-mails as we have limited the character length to 300. So it is not too worrysome. But lets take a moment to add an extra security measure. Lets check the text area for an "@" symbols and if we find any we will limit it to only two (2). If a hacker were to try to fill this area with e-mails an error message like so- would appear; "For security reasons this text (comments) area limits the number of @ symbols that can appear within it. It would appear that you have exceeded that number. Please use the Back Button to return to the form and correct this. Thank you for your patience!"
The script to accomplish this looks like this;
So if our customer decided to include an alternate e-mail in their comments to us- they could do so. They just couldn't add more than two (2). If you want to adjust this number- by all means do so.
Ok- thats it. We're done as far as security. What have we employed? 1- We have limited the useable size of vulnerable text fields such as name, email, comments etc..... 2- In our most vulnerable field- text area, we have limited the amount of @ symbols that can be contained therein thus protecting (in both instances) from mass injection spamming. These have been done on the server side- so they are invisable to user or (hacker). Again- there are more restrictive methods to protect your form. I have provided you with a quick - simple and effective method to keep your form secure.
E-mails are special as they are a vital avenue to get back in touch with our customer. Sometimes, in our haste, we may enter our e-mail address incorrectly. We want to help our customer not fall into this category.
So let's do an e-mail validation that checks to make sure the entered an e-mail that fits the proper e-mail format. The script would look like this;
if (! ereg('[A-Za-z0-9_-]+\@[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+', $email))
{
echo "I believe that there is an error in the way you entered your E-mail address. Please
check your entry and re-submit. Thank you!";
exit;
}
Ok- so this little beauty checks the field $email and makes sure that it is comprised of an initial set of characters A-Z both upper or lower case, and allows for numbers 0-9. Then makes sure it has a proper @ symbol. Then it makes sure the rest contains only upper/lower case letters, numbers 0-9 and a .com (.net, .org etc....) at the end. This is pretty standard for field validation and will keep you from scratching your head as you cannot make hide nor tails of the entry. Thought it was going to be difficult eh!
Now we have to mail it. So lets set up the last part of the coding process. Below is posted the script to mail the collected info to our e-mail address;
$mailto = "webmaster@yoursite.com";
$mailsubj = "Put what ever you like here";
$mailhead = "From: $email\n";
reset ($HTTP_POST_VARS);
$mailbody = "Values submitted from web site form:\n";
while (list ($key, $val) = each ($HTTP_POST_VARS))
{
$mailbody .= "$key : $val\n";
}
mail($mailto,$mailsubj,$mailbody,$mailhead);
echo "Thank you for visiting our site and filling out our form. We will get back to you very soon!";
?>
In the script above-
$mailto = "the e-mail address you wish to receive the form information at"; SO- delete webmaster@yoursite.com and replace it with your e-mail address. **MAKE SURE NOT TO DELETE THE QUOTES " "

$mailsubj = "What you put here will appear in the subject line of your e-mails"; SO- put what ever you like.

$mailbody= "Place what ever you wish here"; (*and example = Submission from.......)

And then there is the last line-
echo "Thank you for visiting our site and filling out our form. We will get back to you very soon!"; You can put what ever you like here.

Our completed php mailto scritp complete with security validation looks like this;
I am no form or php code expert. This tutorial was not designed to give you a Fort Knox strong form. It is designed to be efficent at giving you security measures against "automatic form injections". It is meant to thwart your form from being discovered and reported to those hackers scanning the internet for vulnerable forms. The methods we will imploy are basic but wilI do the job. I have gained a great deal of knowledge by trial/error and have relied heavely on members of this forum to help me along the way. I owe much to Navaldesign, Pablo, Nyoman, Watdaflip and davidundalicia ( members of the Blue Voda /Voda Host forum) who have spent a great deal of time sharing their extensive knowledge with me. Making this tutorial is my way of saying thank you to those individuals. I hope that this tutorial saves you a great deal of time and frustration. I am confidient that it will protect you from malicious mass spamming attacks/attempts
- Andy128 **Additional resource- For excellent script writing service- click here or for a pre-maid and easy to use contact form- visit davidundalicia's site here
if (substr_count($comments , '@') > "2")
{
echo "For security reasons this text (comments) area limits the number of @ symbols that can appear within it. It would appear that you have exceeded that number. Please use the Back Button to return to the form and correct this. Thank you for your patience!"
exit;
}
Please make note:
Congratulations- you made it to the end. It's your turn. Right here and now is where we're going build your script. You can cut and paste if you like. So lets start writing it down. Open note pad and cut and paste the above code and edit to suit your needs. Once your done- you can simply save that script in note pad and give it a name that you will understand- like "php mailto security script". Save it as regular text document on your computer. Keep it open though- we're not done yet.

Now we're ready to put this script into our Error reporting page that we have previously created and named process123.php So now we need to highlight and copy our completed script-MAKE SURE TO GET ALL OF IT (IF YOU MISS AN OPENING OR CLOSING PHP TAG- IT WILL NOT WORK!). Then we go to our process123.php error reporting page and open an HTML box. This box is located at the upper left corner of the left sided tool bar on your BV web builder. Now double click on it to open it. Paste the code inside it and then click OK. Now save and publish to the server. Now TEST YOUR FORM!!!! It should be working just fine. You can adjust the size of the HTML box to adjust the way in which your error messages appear on the page. Experiment a little. Now you have a good looking form with ONE- (THATS ONE!) Error page that displays all your custom error messages and you can make it match your site!!

***If you have a form that is exactly as the one above- you could simply copy the above code and paste it to the HTML box of the error reporting page that you create and then modify the mailto section. Then save and publish!
<?php
$name = $HTTP_POST_VARS['name'];
$email = $HTTP_POST_VARS['email'];
$comments = $HTTP_POST_VARS['comments'];
if (strlen($name) == 0)
{
echo "It appears that you have forgot to fill in your name in the Name field. Please use the Back Button to return to the form and enter your name. Thank you!";
exit;
}
if (strlen($name) >=30)
{
echo "The length limit for the Name field cannot exceed 30 characters / spaces. Please use the Back Button to return to the form and shorten this entry. Thank you!";
exit;
}
if (strlen($email) == 0)
{
echo "The E-mail field is a required entry. Please use the Back Button to return to the form and enter a contact E-mail address. Thank you!";
exit;
}
if (strlen($email) >= 45)
{
echo "The length limit for the E-Mail field cannot exceed 45 characters / spaces. Please use the Back Button to return to the form and shorten this entry. Thank you!";
exit;
}
if (! ereg('[A-Za-z0-9_-]+\@[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+', $email))
{
echo "I believe that there is an error in the way you entered your E-mail address. Please check your entry and re-submit. Thank you!";
exit;
}
if (strlen($comments) >= 300)
{
echo "The comments area is limited to 300 characters / spaces. It appears that you have exceeded that limit. Please use the back button to return to the form and shorten this entry.Thank you!";
exit;
}
if (substr_count($comments , '@') > "2")
{
echo "For security reasons this text (comments) area limits the number of @ symbols that can appear within it. It would appear that you have exceeded that number. Please use the Back Button to return to the form and correct this. Thank you for your patience!";
exit;
}
//SEND MAIL
$mailto = "webmaster@yoursite.com";
$mailsubj = "Put what ever you like here";
$mailhead = "From: $email\n";
reset ($HTTP_POST_VARS);
$mailbody = "Values submitted from web site form:\n";
while (list ($key, $val) = each ($HTTP_POST_VARS))
{
$mailbody .= "$key : $val\n";
}
mail($mailto,$mailsubj,$mailbody,$mailhead);
echo "Thank you for visiting our site and filling out our form. We will get back to you very soon!";
?>
So lets continue on. We will discuss two more issues. E-mail validation and finally setting up the script to send our info to our e-mail address.
Want to see how it works? Scroll back up to the form and fill it out. Make some mistakes- leave the name blank, wrong e-mail format and/or too many @ symbols in the comments section.
If you find this all too daunting- Watdaflip (Blue Voda forum member) has set up a very affordable script service and will write a script for any form you create.
Check it out- CLICK HERE

Ok Lets create our page that will display our Error Messages. You can custom make this page to match your site. For example- here is our basic error page (HERE) You can see that it uses the basic web-page building skills that you have already used. The blob-shape is there simply to highlight our error message. You can make it any shape/color you wish. **It is recommended to utilize a shape to bring attention to the error message. You will save this page as process123 and you will save it with a php extension. This is found in the page properties (right click page- choose php in the extension drop down menu).

Ok- now lets leave this page and we'll come back to it!
Our Error Message Page

end 1st string, start of 2nd

Below is the html for that page.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>thank you</title>
<meta name="AUTHOR" content="Brian Lacy">
<meta name="KEYWORDS" content="Bicycle, repair, bicycling, empowered, cycling, Portland, healthy, lifestyle, fit, motivation, coaching, skills, group, fun, goals, riding, health, family, commute, commuting, pleasure, sport, exercise, urban, ">
<meta name="DESCRIPTION" content="index home page">
<meta http-equiv="Page-Enter" content="blendTrans(Duration=2)">
<meta name="GENERATOR" content="Created by BlueVoda">
<script type="text/javascript" src="./jscookmenu.js"></script>
<style type="text/css">
.MenuBarMenuBar1Menu,.MenuBarMenuBar1SubMenuTable
{
font-family: Papyrus, arial, sans-serif;
font-size:16px;
color: #000000;
background-color: #F44917;
font-weight: normal;
padding: 0;
border: 0;
cursor: pointer;
}
.MenuBarMenuBar1SubMenu
{
position: absolute;
visibility: hidden;
border: 0;
padding: 0;
}
.MenuBarMenuBar1SubMenuTable
{
border-top: 1px solid white;
}
.MenuBarMenuBar1Menu td
{
padding: 0px 3px 0px 3px;
}
.MenuBarMenuBar1SubMenuTable td
{
white-space: nowrap;
}
.MenuBarMenuBar1MainItem,.MenuBarMenuBar1MainItemH over,.MenuBarMenuBar1MainItemActive,
.MenuBarMenuBar1MenuItem,.MenuBarMenuBar1MenuItemH over,.MenuBarMenuBar1MenuItemActive
{
white-space: nowrap;
}
.MenuBarMenuBar1MainItemHover,.MenuBarMenuBar1Main ItemActive,
.MenuBarMenuBar1MenuItemHover,.MenuBarMenuBar1Menu ItemActive
{
color: #FFFF00;
background-color: #800080;
font-weight: normal;
font-size: 16px;
}
td.MenuBarMenuBar1MenuSplit
{
overflow: hidden;
background-color: inherit;
}
div.MenuBarMenuBar1MenuSplit
{
height: 1px;
margin: 1px 0px 1px 0px;
overflow: hidden;
background-color: inherit;
border-top: 1px solid #000000;
}
.MenuBarMenuBar1MenuVSplit
{
display: block;
width: 1px;
margin: 0px 3px 0px 3px;
overflow: hidden;
background-color: inherit;
border-right: 1px solid #000000;
}
</style>
<style type="text/css">
a.style1:link {color: #0000FF;}
a.style1:visited {color: #800080;text-decoration: underline;}
a.style1:active {color: #FF0000;text-decoration: underline;}
a.style1:hover {color: #0000FF;text-decoration: underline;}
</style>
<style type="text/css">
img { behavior: url("pngfix.***"); }
</style>
</head>
<body bgcolor="#58D381" text="#000000">
<img src="bv01029.png" align="top" alt="" border="0" width="517" height="172" style="position:absolute;left:232px;top:8px;width: 517px;height:172px;z-index:0">
<div id="bv_" style="position:absolute;left:296px;top:152px;widt h:376px;height:38px;z-index:1" align="left">
<font style="font-size:24px" color="#000000" face="Papyrus"><b><i>empowering your cycling goals</i></b></font></div>
<div id="bv_" style="position:absolute;left:16px;top:16px;width: 144px;height:25px;z-index:2" align="left">
 </div>
<div id="bv_" style="position:absolute;left:192px;top:297px;widt h:544px;height:125px;z-index:3" align="left">
<font style="font-size:16px" color="#000000" face="Papyrus">Thank you for getting involved with BIKEmpowered.  I'll be in touch with you as soon as possible to further these steps to reach your goals.  Click<a href="http://bikempowered.com/index.html"> here</a> or above for further cycling through BE's website.<br>
<br>
Brian </font></div>
<div id="bv_" style="position:absolute;left:158px;top:192px;widt h:574px;height:25px;z-index:4" align="left">
<script type="text/javascript">

</script>
<div id="MenuIDMenuBar1"></div>
<script type="text/javascript">

</script>
</div>
</body>
</html>