Hello everyone. My task is to create a 'Contact Us' form where the users can type a message, click a button, and it will send it to my e-mail.

What I have:
four files:

error_message.html -- 'Oops, something went wrong' form.
feedback_form.html -- This contains my actual form.
send_mail.php -- This is the action which would send the email.
thank_you.html -- Confirmation of the send.

Here is the feedback_form.html

<div class="main_body">
                <p>Send Us Your Feedback!</p>
                <form action="send_mail.php" method="post">
                <td>Email Address:</td>
                <input type="text" name="email_address" value="" maxlength="100" />
                <textarea rows="10" cols="50" name="comments"></textarea>
                <input type="submit" value="Submit" />
                </form>
</div>

Now, what I wanted to happen was to run send_mail.php:

<?php
// This first bit sets the email address that you want the form to be submitted to.
// You will need to change this value to a valid email address that you can access.
$webmaster_email = "";

// This bit sets the URLs of the supporting pages.
// If you change the names of any of the pages, you will need to change the values here.
$feedback_page = "feedback_form.html";
$error_page = "error_message.html";
$thankyou_page = "thank_you.html";

// This next bit loads the form field data into variables.
// If you add a form field, you will need to add it here.
$email_address = $_REQUEST['email_address'] ?? '';
$comments = $_REQUEST['comments'] ?? '';

// The following function checks for email injection.
// Specifically, it checks for carriage returns - typically used by spammers to inject a CC list.
function isInjected($str) {
	$injections = array('(\n+)',
	'(\r+)');
	$inject = join('|', $injections);
	$inject = "/$inject/i";
	if(preg_match($inject,$str)) {
		return true;
	}
	else {
		return false;
	}
}

// If the user tries to access this script directly, redirect them to the feedback form,
if (!isset($_REQUEST['email_address'])) {
header( "Location: $feedback_page" );
}

// If the form fields are empty, redirect to the error page.
elseif (empty($email_address) || empty($comments)) {
header( "Location: $error_page" );
}

// If email injection is detected, redirect to the error page.
elseif ( isInjected($email_address) ) {
header( "Location: $error_page" );
}

// If we passed all previous tests, send the email then redirect to the thank you page.
else {
mail( "$webmaster_email", "Feedback Form Results",
  $comments, "From: $email_address" );
header( "Location: $thankyou_page" );
}
?>

But, instead, what happens is that when I click submit on the first form, I end up downloading the send_mail.php file.

What is my problem? And what is the proper approach? Thanks to all.

NOTE: I had downloaded this as a template from a website.
Peter_in_2780 14-Sep-12 1:43am
Find out about your server config. I'd bet that your send_mail.php is not recognised as executable PHP, but rather as just some text. The PHP code looks OK at a quick glance.
(If this is correct, reply and I'll turn it into an answer.)
vlad781 14-Sep-12 23:17pm
As of right now, I am hosting on a Dropbox server. That may be the issue, Dropbox may not recognize it. I'll look more into this, and let you know.
vlad781 15-Sep-12 18:05pm
Yes, you are correct, Dropbox doesn't support PHP scripts. Time to look for a better way to host the site. Go ahead and post it as an answer, I'll accept it.
It's great that you fight injection, but not sure you cover all possible situations. Do you have some formal logical proof it does? If injection is possible, it could turn your host computer into a zombie sending spam in no time...
Kislay Raj 15-Sep-12 1:15am
I think it may happen because the .php file extension is not set up on your server.
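
The injection check in the question matches a list of patterns against the submitted address, and one comment above asks whether that covers every case. As an added example (not part of the original template or of any reply), here is a stricter variant: it rejects any raw CR, LF or NUL, validates the address with filter_var(), and keeps the visitor's address out of From by sending it as Reply-To. The function names safe_header_address and build_feedback_mail and the webform@example.com sender are assumptions.

```php
<?php
// Added example; function names and the site sender address are assumptions.

// Return the address if it is safe to place in a mail header, otherwise null.
function safe_header_address(string $input): ?string {
    // Reject raw CR, LF and NUL before any trimming, so a header break is
    // refused rather than silently stripped.
    if (preg_match('/[\r\n\0]/', $input)) {
        return null;
    }
    $addr = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Build the message parts, or return null if the submission must be refused.
function build_feedback_mail(string $email, string $comments, string $site_sender): ?array {
    $reply_to = safe_header_address($email);
    if ($reply_to === null || trim($comments) === '') {
        return null;
    }
    // The comment text only ever goes in the body; normalise its line endings.
    $body = wordwrap(str_replace(["\r\n", "\r"], "\n", $comments), 70, "\n");
    return [
        'subject' => 'Feedback Form Results',
        'body'    => $body,
        // Fixed From owned by the site; the visitor's address is only a Reply-To.
        'headers' => ['From' => $site_sender, 'Reply-To' => $reply_to],
    ];
}

// Constructed sample submissions.
$samples = [
    "alice@example.com",
    "alice@example.com\r\nBcc: list@example.net",
    "alice@example.com\nCc: other@example.net",
    "not-an-address",
];
foreach ($samples as $s) {
    $m = build_feedback_mail($s, "Nice site.", "webform@example.com");
    printf("%-46s %s\n", json_encode($s), $m ? "accepted" : "rejected");
    // To send: mail($webmaster_email, $m['subject'], $m['body'], $m['headers']);
    // (passing headers as an array requires PHP 7.2 or later)
}
```

Because the only user-controlled header value has passed both checks and From is a constant, a submission cannot add recipients or extra headers through the address field.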

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
