how to create a web form

[adelburn]

How do I create a form that a customer can fill in that'll come through to my email

Something simple like seperate boxes for name, address, comments and then submit

All help much appreciated

 

[TomaHawk]

A quick Google brings up loads of results for customizable free web email forms on the internet. Something like this: looks suitable though.

If not plenty more tutorials are available on 'w3schools', which are very useful.
Hope that helps.

 

[marc_howarth]

not sure this is the best way of doing it but a simple php mailer works nicely

<form name="form" method="post" action="emailscript.php">
<table cellspacing="5" cellpadding="5" border="0">
	<tr>
		<td>
			<strong> Name: </strong>
		</td>
		<td>
			<input type="text" name="name" size="35" />
		</td>
	</tr>
	<tr>
		<td>
			<strong> Email Address: </strong>
		</td>
		<td>
			<input type="text" name="email" size="35" />
		</td>
	</tr>
		<tr>
		<td>
			<strong> Subject: </strong>
		</td>
		<td>
			<input type="text" name="subject" size="35" />
		</td>
	</tr>
	<tr>
		<td>
			<strong> Question: </strong>
		</td>
		<td>
			<textarea name="question" cols="27" rows="4" ></textarea>
		</td>
	</tr>
	<tr>
		<td align="center"><div align="right">
			  <input name="reset" type="reset" value=" Reset Form " />
		</div>
		</td>
		<td align="center"><div align="left">
			  <input name="submit" type="submit" value=" Submit Form " />
		</div>
		</td>
	</tr>
</table>
</form>

emailscript.php then looks like this:

<?php
$to = "[email protected]";
$subject = $_REQUEST['subject'];
$email = $_REQUEST['email'];
$name = $_REQUEST['name'];
$question = $_REQUEST['question'];

$message = $question;

$headers = "From: $email\n";

$sent = mail($to, $subject, $message, $headers) ;
if($sent) {
header ( "Location: index.php?id=emailsuccess" ) ; 
}
else {
header ( "Location: index.php?id=emailfail" ) ; 
}
?>

 

[psyr33n]

^ Vulnerable to header injection.

 

[blade007]

vulnerable to everything

 

[marc_howarth]

that header injection stuff, i'm not sure but but do you just change $_REQUEST to $_POST to solve that one??

 

[psyr33n]

Not quite. $email is unsanitised user input put straight into the mail headers, which leaves it open to exploitation:

<?php

$email = $_REQUEST['email'];
$headers = "From: $email\n";
$sent = mail($to, $subject, $message, $headers);

?>

 

[Deleted member 11679]

So, how would you secure the email header just out of interest? Lock it to something generic that the user has no control over?

 

[adelburn]

Am I right in thinking an input validater needs to be added i.e spamcheck

 

[TomaHawk]

Am I right in thinking an input validater needs to be added i.e spamcheck

Yeah it's always best to take extra care when creating and adding input forms to your website, for whatever use they may have.

With email forms you should really be looking at adding in validation for each input field, which helps 'combat' spam and poorly written forms. But also the security side of the form needs to be looked at to ensure it cannot (or greatly reduce the risk) be exploited.