3 Replies - 1065 Views - Last Post: 12 June 2011 - 06:37 AM Rate Topic: -----

#1 freeman015  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 16
  • Joined: 28-July 10

PHP Mysql mail form problem

Posted 12 June 2011 - 04:42 AM

Dear people,

I have a little problem with my php mysql mail form.
It wont post if I not fill out the date but if I not fill in the telefoon and email it will post.

inject.php
<?php
require"mysql.php";
$naam = $_REQUEST["naam"];
$telefoon = $_REQUEST["telefoon"];
$email = $_REQUEST["email"];
$type = $_REQUEST["type"];
$date = $_REQUEST["date"];
$message = $_REQUEST["message"];

echo "<center>";

function spamcheck($field)
  {
  $field=filter_var($field, FILTER_SANITIZE_EMAIL);
  if(filter_var($field, FILTER_VALIDATE_EMAIL))
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }
if (isset($_REQUEST['email']))
  {
  $mailcheck = spamcheck($_REQUEST['email']);
  if ($mailcheck==FALSE)
    {
   echo "vul u A.U.B het E-mail in<br />";
   }

if(empty($_REQUEST['telefoon']))
{
	echo "Geen telefoonnummer ingevuld<br />";
	}
	
if(empty($_REQUEST['date']))
{
	echo "Geen Datum ingevuld<br />";
	}

  else

    {
    $email = $_REQUEST['email'] ;
    $subject = "De Bruiloft Test Formulier" ;
    $body .= "
" ;
    $body .= "Naam: ";
    $body .= "
" ;
    $body .= $_REQUEST['naam'] ;
    $body .= "
" ;
    $body .= "E-mail: ";
    $body .= "
" ;
    $body .= "$email" ;
    $body .= "
" ;
    $body .= "telefoon: ";
    $body .= "
" ;
    $body .= $_REQUEST['telefoon'] ;
    $body .= "
" ;
    $body .= "
" ;
    $body .= "Bruiloft: ";
    $body .= "
";
    $body .= $_REQUEST['type'];
    $body .= "
" ;
    $body .= "
" ;
    $body .= "Datum Bruiloft: ";
    $body .= "
" ;
    $body .= $_REQUEST['date'];
    $body .= "
" ;
    $body .= "
" ;
    $body .= "Bericht of uitleg" ;
    $body .= "
" ;
    $body .= $_REQUEST['message'];
	$to  = 'Emailadress@webserver.com'; // note the comma

    mail($to, $subject, $body, "From: $email" );
   	
	//mysql injection
	mysql_query("INSERT INTO agenda (naam, email, telefoon, type, date, message) VALUES('$naam', '$email', '$telefoon', '$type', '$date', '$message')") or die("inject.php".mysql_error());
	echo "Data Injected!";  
	echo "<br />Email Send!"; 
	echo "<center><br>Bedankt voor het invullen van ons contact-formulier<br> Klik<a href='http://www.debruiloftfeestdj.nl/contact.php'> Hier</a> om terug te gaan</center>" ;
	 	
	}
}
else {
  echo "<br />";
  echo "U heeft het niet goed ingevuld ga <a href='index.php'>terug</a>";
  echo "</center";
 }
?>


mail.php
<?php echo "
  <img src='../../media/email.gif' border='0'>&nbsp; E-mail formulier
<form method='post' action='inject.php'> 
  Naam: <input name='naam' type='text' maxlength='50' value='De Bruiloft Feest Dj' /><br /> 
  Telefoon<font color='red' size='2'>*</font>: <input name='telefoon' maxlength='16' type='text' value='06-21291599' /><br /> 
  Email<font color='red' size='2'>*</font>: <input name='email' type='text' maxlength='100' value='Naam@Webserver.com' /><br /> 
  Bruiloft: <select name='type'> 
  <option> Regulair </option> 
  <option> Deluxe </option> 
  <option> Superior </option> 
  </select> <br /> 
  Datum Bruiloft<font color='red' size='2'>*</font>: <input name='date' type='text' maxlength='10' value='01-01-2011' /><br /> 
  Bericht of uitleg:<br /> 
  <textarea name='message' rows='9' cols='40'>
  Vul hier uw bericht in. 
  </textarea><br /> 
  <input type='submit' value='Verzenden' /><input type='reset' value='Reset' /> <br /> 
  <font color='red' size='2'> * Vereist </font> 
  </form>";
?>


hope someone can help.
i did try to work with if and else but didn't work out

Greetings,

Freeman015

Is This A Good Question/Topic? 0
  • +

Replies To: PHP Mysql mail form problem

#2 Duckington  Icon User is offline

  • D.I.C Addict

Reputation: 170
  • View blog
  • Posts: 608
  • Joined: 12-October 09

Re: PHP Mysql mail form problem

Posted 12 June 2011 - 05:46 AM

Addressing only your specific question:

It's happening because you are telling that if the date is empty, it should echo "Geen Datum ingevuld", otherwise if it is not empty, then it should send the email.

You could change it to something like:

if (isset($_REQUEST['email']))
{

$okay = true; // This variable will be used to decide whether or not to send the email
$errors = array(); // This variable will be used to display any errors

$mailcheck = spamcheck($_REQUEST['email']);

if ($mailcheck==FALSE)
{
$errors[] = "vul u A.U.B het E-mail in<br />";
$okay = false;
}

if(empty($_REQUEST['telefoon']))
{
$errors[] = "Geen telefoonnummer ingevuld<br />";
$okay = false;
}
	
if(empty($_REQUEST['date']))
{
$errors[] = "Geen Datum ingevuld<br />";
$okay = false;
}


if($okay == true)
{ 
// Is okay, so send the email

    $email = $_REQUEST['email'] ;
    $subject = "De Bruiloft Test Formulier" ;
    $body .= "
" ;
    $body .= "Naam: ";
    $body .= "
" ;
    $body .= $_REQUEST['naam'] ;
    $body .= "
" ;
    $body .= "E-mail: ";
    $body .= "
" ;
    $body .= "$email" ;
    $body .= "
" ;
    $body .= "telefoon: ";
    $body .= "
" ;
    $body .= $_REQUEST['telefoon'] ;
    $body .= "
" ;
    $body .= "
" ;
    $body .= "Bruiloft: ";
    $body .= "
";
    $body .= $_REQUEST['type'];
    $body .= "
" ;
    $body .= "
" ;
    $body .= "Datum Bruiloft: ";
    $body .= "
" ;
    $body .= $_REQUEST['date'];
    $body .= "
" ;
    $body .= "
" ;
    $body .= "Bericht of uitleg" ;
    $body .= "
" ;
    $body .= $_REQUEST['message'];
	$to  = 'Emailadress@webserver.com'; // note the comma

    mail($to, $subject, $body, "From: $email" );
   	
	//mysql injection
	mysql_query("INSERT INTO agenda (naam, email, telefoon, type, date, message) VALUES('$naam', '$email', '$telefoon', '$type', '$date', '$message')") or die("inject.php".mysql_error());
	echo "Data Injected!";  
	echo "<br />Email Send!"; 
	echo "<center><br>Bedankt voor het invullen van ons contact-formulier<br> Klik<a href='http://www.debruiloftfeestdj.nl/contact.php'> Hier</a> om terug te gaan</center>" ;
	 	
	
} // End of "okay"
else 
{
// Is not okay, so display error messages
  echo "<br />";
  echo "U heeft het niet goed ingevuld ga <a href='index.php'>terug</a>";
  for($i = 0; $i < count($errors); $i++)
  {
    echo $errors[$i];
  } 

 }






ALso, I should point out that by doing this:

 mysql_query("INSERT INTO agenda (naam, email, telefoon, type, date, message) VALUES('$naam', '$email', '$telefoon', '$type', '$date', '$message')") or die("inject.php".mysql_error());



Without sanitising the data you are inputting, you will be open to SQL injections.

E.g. If I entered my name as: '); DROP TABLE agenda;--

Then your SQL would look like this:

INSERT INTO agenda (naam, email, telefoon, type, date, message) VALUES(''); DROP TABLE agenda;--)', '$email', '$telefoon', '$type', '$date', '$message')



And it would run that SQL and drop your table.

You should also run any data you are going to be using in any SQL statement through mysql_real_escape_string() first.

So, eg:

$naam = mysql_real_escape_string($naam);
$email = mysql_real_escape_string($naam);
$telefoon = mysql_real_escape_string($telefoon);
$type = mysql_real_escape_string($type);
$message = mysql_real_escape_string($message);
$date = mysql_real_escape_string($date);

 mysql_query("INSERT INTO agenda (naam, email, telefoon, type, date, message) VALUES('$naam', '$email', '$telefoon', '$type', '$date', '$message')") or die("inject.php".mysql_error());


Was This Post Helpful? 2
  • +
  • -

#3 JackOfAllTrades  Icon User is offline

  • Saucy!
  • member icon

Reputation: 6077
  • View blog
  • Posts: 23,545
  • Joined: 23-August 08

Re: PHP Mysql mail form problem

Posted 12 June 2011 - 06:13 AM

Better, for debugging purposes (because invariably the next question is "nothing is showing up in my database, WHY?????):

$naam = mysql_real_escape_string($naam);
$email = mysql_real_escape_string($naam);
$telefoon = mysql_real_escape_string($telefoon);
$type = mysql_real_escape_string($type);
$message = mysql_real_escape_string($message);
$date = mysql_real_escape_string($date);

$query = "INSERT INTO agenda (naam, email, telefoon, type, date, message) VALUES('$naam', '$email', '$telefoon', '$type', '$date', '$message')";
mysql_query($query) or die("inject.php query $query failed: " . mysql_error());




Also, using $_REQUEST isn't suggested, because it makes it much easier for people to abuse your script. Substitute $_POST for $_REQUEST, as you are in fact using the POST method.

And actually, you shouldn't die with that in there, as it exposes your SQL and DB schema; instead you should log it to the error log and die without the error message.

$query = "INSERT INTO agenda (naam, email, telefoon, type, date, message) VALUES('$naam', '$email', '$telefoon', '$type', '$date', '$message')";
if (!mysql_query($query)) {
    error_log("inject.php query $query failed: " . mysql_error());
    die("DB Insertion failed");
}

Was This Post Helpful? 1
  • +
  • -

#4 freeman015  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 16
  • Joined: 28-July 10

Re: PHP Mysql mail form problem

Posted 12 June 2011 - 06:37 AM

dear Duckington,

you where very helpfull.
thanks for that.

my code is looking like this right now:

<?php
require"mysql.php";
$naam = $_REQUEST["naam"];
$telefoon = $_REQUEST["telefoon"];
$email = $_REQUEST["email"];
$type = $_REQUEST["type"];
$date = $_REQUEST["date"];
$message = $_REQUEST["message"];

echo "<center>";

function spamcheck($field)
  {
  $field=filter_var($field, FILTER_SANITIZE_EMAIL);
  if(filter_var($field, FILTER_VALIDATE_EMAIL))
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }
if (isset($_REQUEST['email']))
{

$okay = true; // This variable will be used to decide whether or not to send the email
$errors = array(); // This variable will be used to display any errors

$mailcheck = spamcheck($_REQUEST['email']);

if ($mailcheck==FALSE)
{
$errors[] = "vul u A.U.B het E-mail in<br />";
$okay = false;
}

if(empty($_REQUEST['telefoon']))
{
$errors[] = "Geen telefoonnummer ingevuld<br />";
$okay = false;
}
	
if(empty($_REQUEST['date']))
{
$errors[] = "Geen Datum ingevuld<br />";
$okay = false;
}

if($okay == true)
{ 
// Is okay, so send the email

    $email = $_REQUEST['email'] ;
    $subject = "De Bruiloft Test Formulier" ;
    $body .= "
" ;
    $body .= "Naam: ";
    $body .= "
" ;
    $body .= $_REQUEST['naam'] ;
    $body .= "
" ;
    $body .= "E-mail: ";
    $body .= "
" ;
    $body .= "$email" ;
    $body .= "
" ;
    $body .= "telefoon: ";
    $body .= "
" ;
    $body .= $_REQUEST['telefoon'] ;
    $body .= "
" ;
    $body .= "
" ;
    $body .= "Bruiloft: ";
    $body .= "
";
    $body .= $_REQUEST['type'];
    $body .= "
" ;
    $body .= "
" ;
    $body .= "Datum Bruiloft: ";
    $body .= "
" ;
    $body .= $_REQUEST['date'];
    $body .= "
" ;
    $body .= "
" ;
    $body .= "Bericht of uitleg" ;
    $body .= "
" ;
    $body .= $_REQUEST['message'];
	$to  = 'EmailAdresse@webserver.com'; // note the comma

    mail($to, $subject, $body, "From: $email" );
   	
	//mysql injection
	mysql_query("INSERT INTO agenda (naam, email, telefoon, type, date, message) VALUES('$naam', '$email', '$telefoon', '$type', '$date', '$message')") or die("inject.php".mysql_error());
	echo "Data Injected!";  
	echo "<br />Email Send!"; 
	echo "<center><br>Bedankt voor het invullen van ons contact-formulier<br> Klik<a href='http://www.debruiloftfeestdj.nl/contact.php'> Hier</a> om terug te gaan</center>" ;
	 	
	
} // End of "okay"
else 
{
// Is not okay, so display error messages
  echo "<br />";
  for($i = 0; $i < count($errors); $i++)   
  {
    echo $errors[$i];
  }  
  echo "U heeft het niet goed ingevuld ga <a href='index.php'>terug</a>";



}}
?>


The script will be in a htaccess secured folder and only used by 2 ppl
so that isn't realy important.

I did tryd to exploit it and it doesn't work as you said.
(he says my mysql server version isn't right ahh well )

Thank you for your quick reply.
my problem is solved!

Greetings,
Freeman015
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1