problem sending checkbox array values in an email

SteveMTNO

I'm trying to send form values via email and everything works great, with the exception of the checkbox array for Services. I can't get the values to come thru at all. All I'm getting is "Services: Array"

Is this possible to do with PHP? I'm a serious PHP newbie.

This is the checkbox code I'm using:

<table width="440" border="0" cellpadding="0" cellspacing="0" style="margin-top: 5px">
                                <tr>
                                    <td width="220">
                                        <label><input type="checkbox" name="services[]" id="services_1" value="New tire(s)" style="margin-left: 0" />New tire(s)</label>
                                        <br />
                                        <label><input type="checkbox" name="services[]" id="services_2" value="Tire repair/maintenance" style="margin-left: 0" />Tire repair/maintenance</label>

... snip ...

                                </td>
                            </tr>
                        </table>

and here is the PHP I'm using:

<?PHP  putenv("TZ=US/Central"); $time = date("M j, Y, g:i a");

$name = $_POST["name"];
$email = $_POST["email"];
$dphone = $_POST["dphone"];
$ephone = $_POST["ephone"];
$callback = $_POST["callback"];
$services = $_POST["services[]"];
$year = $_POST["year"];
$make = $_POST["make"];
$model = $_POST["model"];
$comments = $_POST["comments"];
$mailingList = $_POST["mailingList"];

$recipient = "smarshall@stltoday.com";

$subject = "Compare Automotive estimate request";

$body = "<p><b>Name:</b> $name<p><b>Email:</b> $email<p><b>Daytime Phone:</b> $dphone<p><b>Evening Phone:</b> $ephone<p><b>Best time to call back:</b> $callback<p><b>Services:</b> $services<p><b>Vehicle Year:</b> $year<p><b>Vehicle Make:</b> $make<p><b>Vehicle Model:</b> $model<p><b>Questions or comments:</b> $comments<p><b>Mailing List?</b> $mailingList";

//$headers = "From: \"$fname " . "" . "$lname \" <$email>\r\n";

$headers = "From: \"$name\" <$email>\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "X-Mailer: Drupal\n";
$headers .= 'MIME-Version: 1.0' . "\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

$send = mail($recipient,$subject,$body,$headers);

header( "Location: http://dmsgroup.co/contemp-refinish/thank_you.html" ) ;

?>

Here's a link to the page: http://www.dmsgroup.co/compare-automotive/estimate.html

If anyone can help me, it will be greatly appreciated. Thanks!

SteveMTNO

dalecosp

Looks like a simple text-only email. Only a couple things to do.

$services = $POST['services'][] is wrong. $services is coming in as an array, so
you'll just leave it that way:
```
$services=$_POST['services'];
```
I'll suggest that in this case [man]implode/man is your friend:
```
$services=implode("|",$services);
```
This would put the following
into your mail message:
```
service1 | service2 | service 3 .... etc.
```

Finally, to not look like a newbie, put both the calls in the same line:

$services=implode("|",$_POST['services'];

There are a few other things that might be good to discuss, but we can leave that for some other post ;-)

SteveMTNO

dalecosp;10988216 wrote:
Looks like a simple text-only email. Only a couple things to do.
$services = $POST['services'][] is wrong. $services is coming in as an array, so
you'll just leave it that way:
$services=$_POST['services'];
I'll suggest that in this case [man]implode/man is your friend:
$services=implode("|",$services);
This would put the following
into your mail message:
service1 | service2 | service 3 .... etc.
Finally, to not look like a newbie, put both the calls in the same line:
$services=implode("|",$_POST['services'];
There are a few other things that might be good to discuss, but we can leave that for some other post ;-)

thanks for the reply, dalecosp!

Before I saw your post, I got this to work:

extract($_POST);
$serviceslist = implode(", ", $services);

You mentioned that there were a few other things to discuss.

One thing I'd also like to do is format the emails a little better.

This is all new to me, so I'm open to any help or suggestions you might have.

Thanks!

SteveMTNO

bradgrafelman

Here's one suggestion: do not use [man]extract/man on external data as you have done. Doing so simply replicates the behavior of the (highly) deprecated 'Register Globals' feature. For more on the security risks/concerns that go along with it, see this manual page: [man]security.globals[/man].

SteveMTNO

bradgrafelman;10988270 wrote:
Here's one suggestion: do not use [man]extract/man on external data as you have done. Doing so simply replicates the behavior of the (highly) deprecated 'Register Globals' feature. For more on the security risks/concerns that go along with it, see this manual page: [man]security.globals[/man].

What should I do instead?

bradgrafelman

See dalecosp's post above.

dalecosp

First off, I see I was wrong ... it's an HTML email. I'm probably
not the one to ask on making HTML "prettier". The girl in the
next cube knows what pretty is ... she draws it and I make it
happen, lol.

To elucidate on further issues:

There's no check to verify that the mail was sent successfully.
There's no sanitizing form input to protect from spammers ($name and $email
in particular are vulnerable to an "\r\nbcc:" type attack).

SteveMTNO

dalecosp;10988288 wrote:
First off, I see I was wrong ... it's an HTML email. I'm probably
not the one to ask on making HTML "prettier". The girl in the
next cube knows what pretty is ... she draws it and I make it
happen, lol.

To elucidate on further issues:

There's no check to verify that the mail was sent successfully.

There's no sanitizing form input to protect from spammers ($name and $email
in particular are vulnerable to an "\r\nbcc:" type attack).

What do you recommend - just change the variable names to something else?

bradgrafelman

@: No, I don't think you were wrong. The issue was that the OP wasn't handling the [man]array[/man] being passed back properly, and you gave some example code of how it could be properly handled. Whether or not the e-mail is plain text, HTML, or BlargityBlargBlarg is irrelevant.

SteveMTNO wrote:
What do you recommend - just change the variable names to something else?

Er... do you really think that "just [changing] the variable names to something else" is actually doing to prevent anything dalecosp talked about in any way? If bank robbers took over a bank, do you think the bank manager would say "Safe?? Oh no, that's not a safe, we call that the big shiny door to the bathroom" ? 😉

For #1, you actually can't check if the mail was sent succesfully in PHP or any other programming language. You can, however, check to see if the MTA accepted your message (meaning you know it will at least try to send it - perhaps unsuccessfully, but there's no way of knowing that). To do this, you should be checking the value that [man]mail/man returns (see the manual to learn what it returns).

For #2, dalecosp is referring to what's commonly called a "header injection attack." In other words, if I said my e-mail address was:

brad@example.com>
Bcc: spamvictim1@example.com, spamvictim2@example.com, ..., <spamvictim9999@example.com

then your e-mail message header would look like:

From: Brad <brad@example.com>
Bcc: spamvictim1@example.com, spamvictim2@example.com, ..., <spamvictim9999@example.com>
MIME-Version: 1.0
...

and you've now become an open mail relay, something that will most likely get your server blacklisted very quickly (meaning even your legitimate e-mails will automatically be considered spam and thrown in the trash).

To get around this, never insert user-supplied data into e-mail headers without sanitizing it first. For example, you could verify that their e-mail address is valid and that none of their inputs contain line breaks.

SteveMTNO

bradgrafelman;10988313 wrote:
@: No, I don't think you were wrong. The issue was that the OP wasn't handling the [man]array[/man] being passed back properly, and you gave some example code of how it could be properly handled. Whether or not the e-mail is plain text, HTML, or BlargityBlargBlarg is irrelevant.

Er... do you really think that "just [changing] the variable names to something else" is actually doing to prevent anything dalecosp talked about in any way? If bank robbers took over a bank, do you think the bank manager would say "Safe?? Oh no, that's not a safe, we call that the big shiny door to the bathroom" ? 😉

For #1, you actually can't check if the mail was sent succesfully in PHP or any other programming language. You can, however, check to see if the MTA accepted your message (meaning you know it will at least try to send it - perhaps unsuccessfully, but there's no way of knowing that). To do this, you should be checking the value that [man]mail/man returns (see the manual to learn what it returns).

For #2, dalecosp is referring to what's commonly called a "header injection attack." In other words, if I said my e-mail address was:
brad@example.com>
Bcc: spamvictim1@example.com, spamvictim2@example.com, ..., <spamvictim9999@example.com
then your e-mail message header would look like:
From: Brad <brad@example.com>
Bcc: spamvictim1@example.com, spamvictim2@example.com, ..., <spamvictim9999@example.com>
MIME-Version: 1.0
...
and you've now become an open mail relay, something that will most likely get your server blacklisted very quickly (meaning even your legitimate e-mails will automatically be considered spam and thrown in the trash).

To get around this, never insert user-supplied data into e-mail headers without sanitizing it first. For example, you could verify that their e-mail address is valid and that none of their inputs contain line breaks.

OK, can you be a little more specific here? Like I said in my original post, I'm a serious PHP newbie. The code I have was given to me to use. All I've done so far is change field names here and there. I don't have a clue what it's actually doing. That's why I'm here.

dalecosp

Well, email validation might be a tad beyond the scope of a single post: try Googling for it, perhaps.

To check for newlines, something like:

if (strstr($email,"\n")) {
   echo "Die, spammer!";
   exit;
}

Might be the general idea.

Of course, you might not have to kill the script. You could, perhaps, just take the portion to the left of the newline marker. But, of course, this "person" has already proven themselves untrustworthy. So, I guess another idea might be to redirect them to spamhaus, or fbi.gov 😃