Email Form Header Problems

karmalade

I am very familiar with HTML and CSS but have only started learning PHP recently.

I want people to be able to send me feedback through a form that collects their name, email address, a URL (if they have their own site), and a message. In the current state of the php script, I will receive the email with the requested information in the body of the email. Unfortunately, it comes into my spam folder because the from and reply-to headers are missing. This is expected because the from header is wrong (neither Email nor Name should be capitalized but when I un-capitalize them, the script no longer sends the email) and the reply-to header is missing entirely. I have tried every permutation to get Hotmail to show up the proper headers. Only this obviously wrong script works. I am absolutely perplexed.

After I get this blasted script to work, I also need to add some security measures. Can anyone please rework this script so that it works as it should and is secure?

Here is the semi-working code:
<?php
$to = "myemail@hotmail.com" ;
$subject = "Website Comments" ;
$name = $REQUEST['name'] ;
$email = $REQUEST['email'] ;
$URL = $REQUEST['URL'] ;
$message = $REQUEST['message'] ;
$ip = $REQUEST['ip'];
$httpref = $REQUEST['httpref'];
$httpagent = $_REQUEST['httpagent'];

$body = "Name: $name \n
Email: $email \n
URL: $URL \n
Message: $message \n
IP: $ip \n
Browser Information: $httpagent \n
Referral: $httpref \n" ;
$from = $REQUEST['Name'] ;
$from .= $REQUEST['Email'] ;

$send = mail( $to, $subject, $body, "From: $from" );
if($send)
{print "Your message was sent successfully. Please close this window.";}
else
{print "An error was encountered while sending your message. Please notify the webmaster."; }
?>

bradgrafelman

First off, you should never build a "From:" e-mail header based on a user-supplied e-mail address. That's just begging mail servers to mark the message as spam and toss it. Instead, use a valid e-mail address on the e-mail server (e.g. your own). If you really want to incorporate the user's e-mail address, do it in the Reply-To header, but definitely not the From header.

Second, search the board (or Google) for more headers you can add to the e-mail to make it appear valid. Some examples might be Content-Type, MIME-Version, Reply-To (mentioned above), etc.

Also, why are you getting their IP from $REQUEST? Are you relying on some form field for the IP, which would be changed/altered (or even passed in the URL)? Why not just get it directly from $SERVER? Same for the 'httpagent' data.

karmalade

Honestly, I don't care if the from/reply-to email is mine or the user's. I just want it to be filled in when I receive the email at my hotmail account. But when I set it to my own, it didn't work. The email never got sent. At least the way it is now, the email gets sent. I have no idea how to fix this beyond what I've already tried.
I've tried various from/reply-to headers including what you suggested. Perhaps I scripted it incorrectly. How EXACTLY should they be written? I've also tried several types of headers including mime, content type, reply-to, cc, and bcc. I left out the X-mailers though to keep the script as simple as possible. The headers I tried caused an error in the script, and the form never mailed. Again, perhaps I was scripting them incorrectly, though some I copied directly from supposedly functional mailers. Moreover, I thought I'd only need mime and content-type if I was sending HTML-based emails; I'm only sending plain text.
IP is a form field. Being a newbie, I didn't realize I could use $SERVER. I found that tidbit in a pre-made form and thought it could be useful for security purposes. How would you use $SERVER?

karmalade

In regard to the $_SERVER, I rewrote the code:

<?php
$to = "sam_gide_cav@hotmail.com" ;
$subject = "Website Comments" ;
$name = $REQUEST['name'] ;
$email = $REQUEST['email'] ;
$URL = $REQUEST['URL'] ;
$message = $REQUEST['message'] ;
$ip = $SERVER['REMOTE_ADDR'] ;
$hostname = gethostbyaddr($SERVER['REMOTE_ADDR']) ;
$httpref = $SERVER['HTTP_REFERER'] ;
$httpagent = $SERVER['HTTP_USER_AGENT'] ;

$body = "Name: $name \n
Email: $email \n
URL: $URL \n
Message: $message \n
IP: $ip \n
Host Name: $hostname \n
Browser Information: $httpagent \n
Referral: $httpref \n" ;

$headers = $REQUEST['Name'] ;
$headers .= $REQUEST['Email'] ;

$send = mail($to, $subject, $body, "From: $headers");
if($send)
{print "Your message was sent successfully. Please close this window.";}
else
{print "An error was encountered while sending your message. Please notify the webmaster."; }
?>

I also tried the following code for the headers but with no luck:
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/plain; charset=iso-8859-1\r\n";
$headers .= "From: myemail@hotmail.com\r\n";
$headers .= "Reply-To: $email\r\n";

...
$send = mail($to, $subject, $body, $headers);

nrg_alpha

Karmalade, I too have email sent from my site to my hotmail account.. sort of.. what I do is I have the email sent to my email on the hosting server, which in turn cc's it to my hotmail account. This way, I know all email sent will reach my hotmail account because I configured my site's email address options through the service provider's options.. I just check my hotmail and voila! It's there..

So I wouldn't get too caught up with the from header stuff. I kept mine uber simple:

$to = "blah@mysite.com"; // my email address on the hosting server
$from = $_POST['emailfield'];
$subject = "User Feedback...";
$message = $_POST['textarea'] . '  - Browser used:' . $_SERVER['HTTP_USER_AGENT'];
mail($to, $subject, $message, $from);

It does the trick. Probably not the prettiest, but I get my emails.

Cheers

NRG

karmalade

I finally got it to work. Thank you both for your suggestions. The working script is below in case any other newbies want to use it.

Do either of you have any suggestions for security? I don't really want any required fields on my form, but I also don't want spammers to abuse it. Would limiting the length of the text fields help at all? Should I add a question only a human could answer (similar to a CAPTCHA)? I've seen tidbits of php scripts that check to see if the email entered contains only valid characters, but does that require inputting an email address? Is the email text field the only seriously vulnerable one or are the others vulnerable as well?

<?php
$to = "myemail@hotmail.com" ;
$subject = "Website Comments" ;
$name = $REQUEST['name'] ;
$email = $REQUEST['email'] ;
$URL = $REQUEST['URL'] ;
$message = $REQUEST['message'] ;
$ip = $SERVER['REMOTE_ADDR'] ;
$hostname = gethostbyaddr($SERVER['REMOTE_ADDR']) ;
$httpref = $SERVER['HTTP_REFERER'] ;
$httpagent = $SERVER['HTTP_USER_AGENT'] ;

$body = "Name: $name \n
Email: $email \n
URL: $URL \n
Message: $message \n
IP: $ip \n
Host Name: $hostname \n
Browser Information: $httpagent \n
Referral: $httpref \n" ;

$from = "From: Form Mailer<myemail@mydomain.com>\r\n";
$from .= "Reply-To: $name <$email>";

$send = mail($to, $subject, $body, $from);
if($send)
{print "Your message was sent successfully. Please close this window.";}
else
{print "An error was encountered while sending your message. Please notify the webmaster."; }
?>

nrg_alpha

As for 'security' (non-spam), I have made this on my contact form. In essence, what happens is that a series of numbers / letters is randomly generated and stored in an array, which is in turn imploded and stored into a $_SESSION[' '] variable. when user fills out and submits the form (including the verification field), the page refreshes itself and checks against all the information submitted. So part of the check is obviously checking against the verification field. So long as the other conditions are correct, if the verification check matches, the form is submitted.

Admittedly, this was a very frustrating part of development. The trick (at least for me), was to have the verification last. It had a lot to do with the flow /structure of everything.. so it goes bascially like this/..once the user enters info and hits, submit, the page refreshes and does the following:

some variables at top of page are set to false (example: emailVerify, messageVerify and finally verifyVerify). Basically, this means guilty till proven innocent so-to-speak

email is checked for valid format.. if so, emailVerify is true

then textmessage is checked.. if valid, messageVerify is true

then finally, at the beginning of the entire verification set, check against user verification..
if false, a new verification is generated and stored into session varaible and awaits submittion to recheck.. if the initial user entry for verification is a match however, verifyVerify is set to true.

Finally, at the bottom , the system checks if all 3 conditions are true (email, message and verify variables).. if so, proceed with the email code we have been discussing in this thread.

It was a heck of a system to work on (lots of pain and suffering).. but I wanted to go through with it for the sake of experience.. I got it working.. but it was tough.. if you don't have the patience to go through with it, there are probably some good custom systems out there that you can use.

Sorry for the long post. Just a lot to explain.

Cheers,

NRG

MichielM

Hey NRG, nice page there! Question: would you be willing to show the actual code you are referring* to? As a beginner it's still difficult for me to translate your description into the actual syntax.
Much obliged in advance,
Cheers, M.

*(your last post)

nrg_alpha

Hi Mich..

Thank you for the compliment 🙂

As for displaying the syntax, nothing personal but I prefer not to (for security / refinement issues).
You should be able to find online articles or even complete downloadable systems that would work better.

Again, my apologies.

Cheers,

NRG

MichielM

🆒
Hey NRG, no problem whatsoever.
I quite understand. Just bought myself a hefty php book which (I trust) will provide a lot of the information that I seek.
Thx for your friendly and prompt reply.
Cheers, Mitch