Excluding Hidden Form Fields from being sent to e-mail and DB

Spycat

Hello all,
I have asked this question in a couple of other forums.
While I got answers, when I did a follow-up, asking WHERE to put their code and what I needed to omit from my proir code, no one answered back.
I am totally new to this, so I have no clue, so please spell it out for me.
I have ordered a book on php, but in the mean time,
I am hoping that someone here will help me.

I am using the following script to process a form.
It e-mails me the results and writes to a tab-delimited file:

<?php
//            dbmailer.php version 1.1 Feb 24, 2000
//            Norman Clarke <norman@dontblink.com>  

//
// dbmailer.php is copyright 2000 Norman Clarke, and
// is released under the terms of the GNU General
// Public License. Please see the file "COPYING" that
// should have come with this program, or visit
// [url]http://www.gnu.org[/url] for details.

// ***********************CONFIG SECTION***********************
// To get the program working correctly, you will need to make some
// modifications here. Also, please read the README file for
// more details if you need them.

// This gets displayed when people submit the form without errors.
// If you want to include a whole file instead of just a message,
// comment it out and uncomment and alter the next variable

#$confirmation = 'Your message has been sent successfully!';

// Uncomment and specify this if instead of a simple message,
// you want a whole HTML or PHP file shown to the user after
// they successfully submit the form.

#$confirmation_file = 'absoulte/path/to/my/file/success.html';

// If you instead want to rdirect the visitor to a specific URL
// once their page is successfully sent, uncomment and alter the
// variable below. Can be an absolute or relative URL.

$redirect = 'thanks.html';

// This is where you want email sent to if you are emailing
// the results rather than saving them to a file. As of version
// 1.1 it *must* be specified here and not in a hidden form field
// for security reasons.

$mailto = "rshrum@california.com";

// This is where your form submissions will be saved if you are
// saving the results to a delimited file rather than emailing them
// somewhere. It can not be specified as a hidden form value
// because this is a security risk.

$filename="moveme.tab";

// This is the character used as the delimiter in delimited files.
// "\t" is a tab character. Other ideas might be comma or pipe ("|").
// By default, all entries in the delimited files a enclosed by double
// quotes, and odd characters (like double quotes) are escaped by a
// backslash. If you don't know what this means, don't worry. You'll
// easily figure it out when you need to and will be fine if the
// occaison does not arise.

$delim = "\t";

// Make "keep_blanks" TRUE to keep blank form fields in your emails.
// Make it FALSE to ignore blank form fields.
// Delimited files automatically keep the blank values in order to
// remain consistent.

$keep_blanks = TRUE;

// ***********************END CONFIG SECTION********************
// don't alter anything below unless you know what you're doing.

function confirm_sent() {
    global $redirect;
    global $confirmation;
    global $confirmation_file;

if ($redirect) {
    header("Location: $redirect");
}

if ($confirmation) {
    echo "$confirmation";
    exit();
}
elseif ($confirmation_file) {
    include "$confirmation_file";
    exit();
}
else { // The default confirmation, just in case.
    echo "Thank you. Your message was sent successfully!";
}
}

# check for a few simple errors

// If someone tries to use the file functionality to overwrite pages on
// your site it won't succeed.

if ($HTTP_POST_VARS[filename]) {
    die("The filename variable can not be declared in a hidden form
    field as of version 1.1. Please specify it in the script
    file itself as this is a potential security hole.");
}

// If someone tries to use your form to spam people anonymously
// it won't succeed.

if ($HTTP_POST_VARS[mailto]) {
    die("The mailto variable can not be declared in a hidden form
    field as of version 1.1. Please specify it in the script
    file itself as this is a potential security hole.");
}

// GET vars don't work, only POST.
if (!$HTTP_POST_VARS || $HTTP_GET_VARS) {
die("No vars were *posted* to the form. Check your form design and make sure
you set the \"method\" attribute on the form tag to \"post\"; i.e;
&lt;form action=\"dbmailer.php\" method=\"post\"&gt;. You should not see
any form garbage in the URL if everything is set up right.");
}

if (!$action) {
    $action = 'doboth';
}

if (($action == 'mail' || $action == 'doboth') && !$from) {
    $from = 'www';
}

if (($action == 'mail' || $action == 'doboth') && !$mailto) {
    die ("No mailto is specified! If you want the form to email the results, then
    you must specify a mailto variable so that they get sent somewhere.");
}
if (($action == 'file' || $action == 'doboth') && !$filename) {
    die ("No filename is specified! If you want the form results saved to a file,
    you must specify where you want them saved. A valid filename would look
    like \"/my/file/path/filename.tab\"");
}

# the main loop, assuming all errors got trapped above.

if ($action == 'mail') {
    while(list($key, $val) = each($HTTP_POST_VARS)) {
        if ($keep_blanks) {
            $message .= "$key: $val\n";
        }
        else {
           if($val) {
           $message .= "$key: $val\n";
           }
        }
    }
    mail("$mailto", "$subject", "$message","From: $from");
    confirm_sent();
}
if ($action == 'file') {
    $i = 0;
    while(list($key, $val) = each($HTTP_POST_VARS)) {
        $num_fields = count($HTTP_POST_VARS);
        $message .= "\"$val\"";
        if ($i < ($num_fields - 1)) {
            $message .= $delim;
        }
        $i++;
    }
    $message .= "\n";
    $fp = fopen("$filename","a");
    fwrite($fp,$message);
    confirm_sent();
}

if ($action == 'doboth') {
    $i = 0;
    while(list($key, $val) = each($HTTP_POST_VARS)) {
        if ($keep_blanks) {
            $message .= "$key: $val\n";
        }
        else {
           if($val) {
           $message .= "$key: $val\n";
           }
        }
        $num_fields = count($HTTP_POST_VARS);
        $message2 .= "\"$val\"";
        if ($i < ($num_fields - 1)) {
            $message2 .= $delim;
        }
        $i++;
    }
    mail("$mailto", "$subject", "$message","From: $from");
    $message2 .= "\n";
    $fp = fopen("$filename","a");
    fwrite($fp,$message2);
    confirm_sent();
}
?>

The problem is, it includes ALL the fields -- even the hidden and "Submit".
How would I exclude these?
The following is a snippet of my html form:

<form name="donationForm" method="post" action="dbmailer.php" onClick="highlight(event)" onsubmit="return validateForm()"onKeyUp="highlight(event)">
 <input type="hidden" name="action" value="doboth">
<input type="hidden" name="subject" value="Auto Donation Form">

This is the link to the actual form

Any ideas on how to remedy this?
Any help will be appreciated

laserlight

The script looks like it is in need of a fair bit of updating, and possibly restructuring and optimisation.

Anyway, a quick fix at this point would be to store the incoming variable names to be excluded in an array. As the loop that generates $message is run it checks this array and skips if the variable name is found in the array.
e.g.

if ($action == 'mail') {
	$exclude = array('action', 'subject');
    while(list($key, $val) = each($HTTP_POST_VARS)) {
		if (!in_array($key, $exclude)) {
            if ($keep_blanks) {
                $message .= "$key: $val\n";
            }
            else {
               if($val) {
                   $message .= "$key: $val\n";
               }
            }
		}
    }
    mail("$mailto", "$subject", "$message","From: $from");
    confirm_sent();
}

Spycat

Hi laserlight -- thanks for the fast reply -- that was nice of you 🙂
I have one question however.
In the code, for the if ($action == 'mail') you included the $exclude = array('action', 'subject'); statement.
Should I do the same for the if ($action == 'file') and if ($action == 'doboth') portions as well?
Also, I was wondering why the file and doboth have a counter (i=0") but mail does not (just curious).

Thanks 🙂

Rick

laserlight

For the ($action == 'doboth') block yes.

I was wondering why the file and doboth have a counter (i=0") but mail does not (just curious).

That deals with generating the string to be written to file.

Spycat

Ok, I think I must be slow-witted lol!
Now, when the form is e-mailed to me, the hidden fields are indeed removed, but it sends it to me twice 🙁
However, it does not write to the file -- all I get is a set of double quotes ""
Here is what I have -- I have omitted some of the top lines:

<?php
function confirm_sent() {
    global $redirect;
    global $confirmation;
    global $confirmation_file;

if ($redirect) {
    header("Location: $redirect");
}

if ($confirmation) {
    echo "$confirmation";
    exit();
}
elseif ($confirmation_file) {
    include "$confirmation_file";
    exit();
}
else { // The default confirmation, just in case.
    echo "Thank you. Your message was sent successfully!";
}
}

# check for a few simple errors

// If someone tries to use the file functionality to overwrite pages on
// your site it won't succeed.

if ($HTTP_POST_VARS[filename]) {
    die("The filename variable can not be declared in a hidden form
    field as of version 1.1. Please specify it in the script
    file itself as this is a potential security hole.");
}

// If someone tries to use your form to spam people anonymously
// it won't succeed.

if ($HTTP_POST_VARS[mailto]) {
    die("The mailto variable can not be declared in a hidden form
    field as of version 1.1. Please specify it in the script
    file itself as this is a potential security hole.");
}

// GET vars don't work, only POST.
if (!$HTTP_POST_VARS || $HTTP_GET_VARS) {
die("No vars were *posted* to the form. Check your form design and make sure
you set the \"method\" attribute on the form tag to \"post\"; i.e;
&lt;form action=\"dbmailer.php\" method=\"post\"&gt;. You should not see
any form garbage in the URL if everything is set up right.");
}

if (!$action) {
    $action = 'doboth';
}

if (($action == 'mail' || $action == 'doboth') && !$from) {
    $from = 'www';
}

if (($action == 'mail' || $action == 'doboth') && !$mailto) {
    die ("No mailto is specified! If you want the form to email the results, then
    you must specify a mailto variable so that they get sent somewhere.");
}
if (($action == 'file' || $action == 'doboth') && !$filename) {
    die ("No filename is specified! If you want the form results saved to a file,
    you must specify where you want them saved. A valid filename would look
    like \"/my/file/path/filename.tab\"");
}

# the main loop, assuming all errors got trapped above.

if ($action == 'mail') {
    $exclude = array('action', 'subject' , 'Submit');
    while(list($key, $val) = each($HTTP_POST_VARS)) {
        if (!in_array($key, $exclude)) {
            if ($keep_blanks) {
                $message .= "$key: $val\n";
            }
            else {
               if($val) {
                   $message .= "$key: $val\n";
               }
            }
        }
    }
    mail("$mailto", "$subject", "$message","From: $from");
    confirm_sent();
}  

if ($action == 'file') {
    $i = 0;
    while(list($key, $val) = each($HTTP_POST_VARS)) {
        $num_fields = count($HTTP_POST_VARS);
        $message .= "\"$val\"";
        if ($i < ($num_fields - 1)) {
            #$message .= $delim;
        }
        $i++;
    }
    $message .= "\n";
    $fp = fopen("$filename","a");
    fwrite($fp,$message);
    confirm_sent();
}
   if ($action == 'doboth') {
 $exclude = array('action', 'subject' , 'Submit');
    while(list($key, $val) = each($HTTP_POST_VARS)) {
        if (!in_array($key, $exclude)) {
            if ($keep_blanks) {
                $message .= "$key: $val\n";
            }
            else {
               if($val) {
                   $message .= "$key: $val\n";
               }
            }
        }
    }
    mail("$mailto", "$subject", "$message","From: $from");
    confirm_sent();
  }  

 \n\";

    #   }
    #}
    $num_fields = count($HTTP_POST_VARS);
    $message2 .= "\"$val\"";
    if ($i < ($num_fields - 1)) {
        $message2 .= $delim;
    }
    $i++;
#}
mail("$mailto", "$subject", "$message","From: $from");
$message2 .= "\n";
$fp = fopen("$filename","a");
fwrite($fp,$message2);
confirm_sent();
#}
?>

Any clues?Any chance you can just plug it into the code for me, in the appropriate places.
Like I said, I want to learn php -- I am not lazy...but at this point....frustrated :queasy:

Thank you so much -- I DO appreciate all your help.

laserlight

Probably has something to do with register_globals, check this forum's FAQ.

Spycat

oh, ok; thanks for your efforts...