GlowHost Web Hosting Forums  

#1 | 08-13-2007 | rlhanson (Master Glow Jedi)
Form Processor issues

I have an awesome form processor that a good friend of mine wrote that worked on my other host, but the strlen checks began to fail once I moved my sites here. I was hoping someone may be able to give me some ideas on how to resolve this.

Or tell me what to add to the bare script so I can strip html and prevent some spammers.

There are two hidden input fields in the form itself, one for redirect and one for recipient.

Here's the bare code which still works:
<?php
/**
 * Form Processing Script
 * Version 0.1a
 * @DATE November 29, 2006
 * @author Genesis Font
 * @copyright 2006 prolinuxwebhosting.com
 * Form must have the following hidden fields: recipient (should be the email address that will receive the emailed message) and redirect (full url including http:// to the thankyou page)
 */

$datetime = date("l dS of F Y H:i:s");
$message = "On $datetime\n";
$message .= "<br />Here are the details of the form submission:\n";

while (list($key, $val) = each($_POST)) {
    if ($key == 'redirect') {
        $redirect = $val;
    }
    if ($key == 'recipient') {
        $to = $val;
    }

    if (($key != 'redirect') and ($key != 'recipient')) {
        $val = trim($val);
        $message .= "<br />$key: $val\n";
    }
    //echo "$key: $val<br />";//debugging info
    $lcval = strtolower($val);
    $pos = strpos($lcval,"http://");

}

$ServerName = $_SERVER["HTTP_HOST"];
$message .= "<br /> Site: $ServerName \n";
$visitorip = $_SERVER['REMOTE_ADDR'] ;
$message .= "<br /> IP: $visitorip \n";

//Format Email
$email = $to;
$subject = "New Form Submission";
$headers = "From: $email\r\n";
$headers .= "Content-type: text/html\r\n";
//Send Email
mail($to,$subject,$message,$headers);

//redirect
header("Location: $redirect");

?>


Here's the code with the strlen which doesn't work and gives an error about the header already being sent:

<?php
/**
 * Form Processing Script
 * Version 0.1a
 * @DATE November 29, 2006
 * @author Genesis Font
 * @copyright 2006 prolinuxwebhosting.com
 * Form must have the following hidden fields: recipient (should be the email address that will receive the emailed message) and redirect (full url including http:// to the thankyou page)
 */

$datetime = date("l dS of F Y H:i:s");
$message = "On $datetime\n";
$message .= "<br />Here are the details of the form submission:\n";

while (list($key, $val) = each($_POST)) {
    if ($key == 'redirect') {
        $redirect = $val;
    }
    if ($key == 'recipient') {
        $to = $val;
    }

    if (($key != 'redirect') and ($key != 'recipient')) {
        $val = trim($val);
        $message .= "<br />$key: $val\n";
    }
}

echo "$key: $val<br />";//debugging info
$lcval = strtolower($val);
$pos = strpos($lcval,"http://");

//Genesis' code//
$ServerName = $_SERVER["HTTP_HOST"];
$message .= "<br /> Site: $ServerName \n";
$visitorip = $_SERVER['REMOTE_ADDR'] ;
$message .= "<br /> IP: $visitorip \n";

//new code
// Validation
if (strlen($first_name) <1)
{
    header("Location: error.php");
    exit;
}
if (strlen($first_name) >25)
{
    header("Location: error.php");
    exit;
}

if (strlen($last_name) <1)
{
    header("Location: error.php");
    exit;
}
if (strlen($last_name) >25)
{
    header("Location: error.php");
    exit;
}

if (! ereg('[A-Za-z0-9_-]+\@[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+', $vis_email))
{
    header("Location: error.php");
    exit;
}

if (strlen($vis_email) == 0 )
{
    header("Location: error.php");
    exit;
}

//end new code

//Format Email
$email = $to;
$subject = "New Form Submission";
$headers = "From: $vis_email\r\n";
$headers .= "Content-type: text/html\r\n";
//Send Email
mail($to,$subject,$message,$headers);

//redirect
header("Location: $redirect");

?>

Thanks in advance!
__________________
Thank you,
Lynne Hanson
RL Hanson-Online

#2 | 08-13-2007 | Dmitriy (Moderator)

Hey

Just comment-out the line
//echo "$key: $val<br />";//debugging info

The script can send HTTP headers only before any output. This should help.

It worked on your previous host because the default PHP error level was not showing all script errors. However, on GlowHost servers PHP will show all errors unless another option is specified. This is good, because you can debug your scripts & see all the errors they're causing.

#3 | 08-13-2007 | rlhanson (Master Glow Jedi)

I originally did have that commented out...but thank you. What was happening is no matter what was input in the form, it went to the error page.
Any thoughts?
__________________
Thank you,
Lynne Hanson
RL Hanson-Online

#4 | 08-13-2007 | Dmitriy (Moderator)

Looks like $first_name, $last_name, $vis_email etc. come from the form via a POST request. You should always refer to these variables as $_POST['key'] - $_POST['last_name'], $_POST['first_name'] etc. Referring to $_POST['last_name'] as $last_name will return a PHP error & an empty string in this variable. This code works:
if (strlen($first_name) <1)
{
    header("Location: error.php");
    exit;
}

This is another bad security example. On some hosts the register_globals PHP option is enabled. Disabling register_globals gives more security to your scripts - this is the PHP team's recommendation. This is done on GlowHost servers to gain a better security level for PHP scripts.

#5 | 08-13-2007 | rlhanson (Master Glow Jedi)

Thank you Dmitriy!

Can you give me a full block example?
__________________
Thank you,
Lynne Hanson
RL Hanson-Online

#6 | 08-13-2007 | jmarcv (immoderate moderator)

This is what he means
PHP Code:
if (strlen($_POST['first_name']) < 1)
{
    header("Location: error.php");
    exit;
}

Last edited by jmarcv; 08-13-2007 at 10:57 PM.
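
The full validation block asked for above, reading every field from the request array, as an added example that is not any poster's code. The field names and the 1 to 25 length limits come from the posted script; validate_submission(), the sample submissions and the use of filter_var() in place of ereg() are assumptions.

```php
<?php
// Added example, not code from the thread. Field names and the 1..25 length
// limits are taken from the posted script; everything else is an assumption.

/** Returns the names of the fields that fail validation (empty array = OK). */
function validate_submission(array $post): array
{
    // Read a field from the request array; a missing key or a non-string
    // value (e.g. first_name[]=x arrives as an array) is treated as empty.
    $field = function (string $name) use ($post): string {
        return isset($post[$name]) && is_string($post[$name])
            ? $post[$name] : '';
    };

    $errors = [];
    foreach (['first_name', 'last_name'] as $name) {
        $len = strlen(trim($field($name)));
        if ($len < 1 || $len > 25) {
            $errors[] = $name;
        }
    }
    // filter_var() stands in for the thread's ereg() call (ereg was removed
    // in PHP 7). It validates the whole string, whereas the unanchored ereg
    // pattern accepts any value that merely contains an address; that
    // matters because the value is copied into the From: header.
    if (filter_var($field('vis_email'), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'vis_email';
    }
    return $errors;
}

if (PHP_SAPI !== 'cli') {
    // Web request: decide before anything is echoed, then send one header.
    if (validate_submission($_POST)) {
        header('Location: error.php');
        exit;
    }
} else {
    // Command-line demo with constructed submissions standing in for $_POST.
    $samples = [
        'complete'  => ['first_name' => 'Ann', 'last_name' => 'Lee', 'vis_email' => 'ann@example.com'],
        'no names'  => ['vis_email' => 'ann@example.com'],
        'bad email' => ['first_name' => 'Ann', 'last_name' => 'Lee', 'vis_email' => 'ann at example'],
    ];
    foreach ($samples as $label => $post) {
        $failed = validate_submission($post);
        echo $label, ': ', $failed ? 'error.php (' . implode(', ', $failed) . ')' : 'ok', "\n";
    }
}
```

In the posted script this check belongs above the debugging echo, so that no output has been sent when header() is called.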

#7 | 08-13-2007 | rlhanson (Master Glow Jedi)

John_Marc -
I understand the code that you sent - thank you so much!

But, what I don't get is: how come the formprocessor works fine until I start checking for strlen or ereg?

This processor was cool because no matter what field you had in the form, it processed it and submitted all fields to the recipient.
Doesn't the code specify here:
Quote:
while (list($key, $val) = each($_POST)) {
that it's a $_POST?
__________________
Thank you,
Lynne Hanson
RL Hanson-Online

#8 | 08-13-2007 | jmarcv (immoderate moderator)

Yes it is, but .... it ONLY looks for redirect and recipient and ignores the rest.
Something tells me what he meant to do was this line:
$val = trim($val);
is a typo and he meant:
${$key} = trim($val);
which essentially bypasses the register globals off setting. Not recommended.
So what you end up with is a bunch of empty PHP vars, all with a strlen of 0 - hence the error triggering.
Best, as Dmitriy points out, is to just refer to the var in its POST format and be done with it.
PHP 4 is almost dead. PHP 6 will not allow overriding this like your old host did, and when that happens, there will be a lot of companies scrambling.
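
Why the checks always failed, and why the ${$key} import is not recommended, shown side by side as an added example (not code from the thread). The function names, the $max_len variable and the sample inputs are hypothetical.

```php
<?php
// Added example, not code from the thread: three ways a handler can obtain
// first_name, run against constructed request arrays. $max_len is a
// hypothetical internal setting used to show what the import can overwrite.

// (a) register_globals off, no import: $first_name is never defined, so the
//     length is 0 and the check fails for every request.
function check_unset_variable(array $post): bool
{
    return strlen($first_name ?? '') >= 1;
}

// (b) The ${$key} import: the fields arrive, but the request chooses which
//     local variables get written, including ones the script set itself.
function check_with_import(array $post): bool
{
    $max_len = 25;
    foreach ($post as $key => $val) {
        ${$key} = trim($val);
    }
    $len = strlen($first_name ?? '');
    return $len >= 1 && $len <= $max_len;
}

// (c) Explicit read: only the named key is used and $max_len stays 25.
function check_explicit(array $post): bool
{
    $max_len = 25;
    $len = strlen(trim($post['first_name'] ?? ''));
    return $len >= 1 && $len <= $max_len;
}

// Constructed inputs: a normal submission, and one carrying an extra field
// whose name matches the internal variable.
$normal = ['first_name' => 'Ann'];
$extra  = ['first_name' => str_repeat('a', 40), 'max_len' => '999'];

foreach (['check_unset_variable', 'check_with_import', 'check_explicit'] as $fn) {
    printf("%-22s normal=%s extra=%s\n", $fn,
        var_export($fn($normal), true), var_export($fn($extra), true));
}
```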

#9 | 08-14-2007 | rlhanson (Master Glow Jedi)

Thanks for clearing that up for me....
I guess I am back to the drawing board on this one.

Thanks so much for both of your help!
__________________
Thank you,
Lynne Hanson
RL Hanson-Online

#10 | 08-14-2007 | jmarcv (immoderate moderator)

>I guess I am back to the drawing board on this one

Really? I thought you were getting it.
I'll rewrite it for you if it's that much of an issue.

Last edited by jmarcv; 08-14-2007 at 12:34 AM.