please please beta test it (PHP coders)





imagefree
Friends, it's my first project in PHP and I have made a tool to generate a custom "Contact Us" or "Tell A Friend" form that an end user can easily modify.
Please test it and tell me if there is any problem.

http://ads-extension.uni.cc/test/form_maker.php


So far only the Contact Us form is available; the Tell A Friend form is a little complex, so I will code it after I get direction from all of you.

Thanks and Bye
rheanna
Cool, I think you did a good job on it. Didn't test it out, but looked through it... Seems alright. ;o) Worked past the first section.
mathiaus
hmmm... my suggestions

HTML - Your form
Any CSS would be nice. The page really isn't that nice to look at.


HTML - Output
Quote:
What should the label be?

I can't see any labels being used. You should!
Get rid of the nasty table.
Provide some form of basic css for it
Indent the code


PHP - Output
There doesn't seem to be any sort of validation.
Check required fields
Output to form and highlight field if missing
Prevent header injections - http://www.securephpwiki.com/index.php/Email_Injection


It's a very good start though. Well done, and good luck with your 'Tell a Friend' one.
imagefree
Actually, currently I just want the script, and adding CSS will just increase the problems.

Yes, actually there is no label in the form, but by label I meant just labeling (not an HTML label).
imagefree
I am pasting all the code here; can you please help me improve its security.


This is the Form_maker.php
Code:
<?php
//original page code: dispatch on the form_type hidden field.
//isset() avoids an undefined-index notice on a plain GET (no POST data).
$form_type = isset($_POST['form_type']) ? $_POST['form_type'] : '';

if ($form_type == 'tellafriend') {
    include('include_tellafriend.php');
} elseif ($form_type == 'contactus') {
    include('include_contact.php');
} else {
    require('include_originalpage.php');
}
?>



This is include_originalpage.php



Code:
<?php
//contact us code: builder defaults, overridden by the posted values when
//the builder form has been submitted back to this page (showresult=yes).
$namebox         =      'yes';
$namewidth       =      30;
$namelength      =      50;
$namelable       =      'Your Name';
$namedefalt      =      'enter your name here';
$emailbox        =      'yes';
$emailwidth      =      30;
$emaillength     =      50;
$emaillable      =      'Your Email';
$emaildefalt     =      'enter your email here';
$subjectbox      =      'yes';
$subjectwidth    =      50;
$subjectlength   =      250;
$subjectdefalt   =      'enter your subject here';
$messagewidth    =      50;
$messageheigth   =      10;
$messagelength   =      2000;
$messagedefalt   =      'enter your message here';
$submitbuttonname=      'Submit';
$sendto          =      'youremail@email.com';
$showresult      =      0;

//Every builder value is echoed back into HTML attributes and into the
//generated snippet, so escape text once here and coerce the numbers,
//instead of trusting $_POST at each echo (a label such as
//</textarea><script>... would otherwise run in the builder page).
function builder_text($key, $default)
{
    if (!isset($_POST[$key])) return $default;
    return htmlspecialchars($_POST[$key], ENT_QUOTES, 'UTF-8');
}
function builder_int($key, $default)
{
    return (isset($_POST[$key]) && is_numeric($_POST[$key])) ? (int) $_POST[$key] : $default;
}
function builder_yesno($key, $default)
{
    return (isset($_POST[$key]) && in_array($_POST[$key], array('yes', 'no'))) ? $_POST[$key] : $default;
}

if (isset($_POST['showresult']) && $_POST['showresult'] == 'yes')
{
$namebox         =      builder_yesno('namebox', $namebox);
$namewidth       =      builder_int('namewidth', $namewidth);
$namelength      =      builder_int('namelength', $namelength);
$namelable       =      builder_text('namelable', $namelable);
$namedefalt      =      builder_text('namedefalt', $namedefalt);
$emailbox        =      builder_yesno('emailbox', $emailbox);
$emailwidth      =      builder_int('emailwidth', $emailwidth);
$emaillength     =      builder_int('emaillength', $emaillength);
$emaillable      =      builder_text('emaillable', $emaillable);
$emaildefalt     =      builder_text('emaildefalt', $emaildefalt);
$subjectbox      =      builder_yesno('subjectbox', $subjectbox);
$subjectwidth    =      builder_int('subjectwidth', $subjectwidth);
$subjectlength   =      builder_int('subjectlength', $subjectlength);
$subjectdefalt   =      builder_text('subjectdefalt', $subjectdefalt);
$messagewidth    =      builder_int('messagewidth', $messagewidth);
$messageheigth   =      builder_int('messageheight', $messageheigth);
$messagelength   =      builder_int('messagelength', $messagelength);
$messagedefalt   =      builder_text('messagedefalt', $messagedefalt);
$submitbuttonname=      builder_text('submitname', $submitbuttonname);
$sendto          =      builder_text('sendto', $sendto);
$showresult      =      1;
}
?>

<p>This online form processing software maker lets you make your own forms in PHP even if you don't have basic knowledge of PHP. All you need is knowledge of HTML forms, and of CSS if you want to style your form elements. The rest is done by the script that you will get here, or you will be instructed what to do.</p>


<form name="contactformbuilder" method="post" action="">
  <p>Please specify which of the fields you want in the form and customize them.</p>
  <hr />
  <p>Do you need the Sender's Name Box in the form?</p>
  <p> 
    <input name="namebox" type="radio" value="yes" <?php if($namebox=='yes')echo 'checked="checked"'; ?> />
  Yes
  <input name="namebox" type="radio" value="no" <?php if($namebox=='no')echo 'checked="checked"'; ?> /> No
  </p>
  <p>If yes, please specify the width of the name box
    <input name="namewidth" type="text" id="namewidth" size="6" value="<?php echo $namewidth; ?>" maxlength="3" />
  </p>
  <p>Please specify how many characters the name box should accept
    <input name="namelength" type="text" id="namelength" size="6" value="<?php echo $namelength; ?>" maxlength="3" />
  </p>
  <p>What should the label be?
    <input name="namelable" type="text" id="namelable" value="<?php echo $namelable; ?>" size="30" maxlength="50" />
  </p>
  <p>What should be the default value in the Name Box?
    <input name="namedefalt" type="text" id="namedefalt" value="<?php echo $namedefalt; ?>" size="30" maxlength="50" />
  </p>
  <hr />
  <p>Do you need the &quot;Sender's Email&quot; Address Box?</p>
  <p>
    <input name="emailbox" type="radio" value="yes" <?php if($emailbox=='yes')echo 'checked="checked"'; ?> />
    Yes
  <input name="emailbox" type="radio" value="no" <?php if($emailbox=='no')echo 'checked="checked"'; ?> />
    No </p>
  <p>If yes, please specify the width of the email box
    <input name="emailwidth" type="text" id="emailwidth" size="6" value="<?php echo $emailwidth; ?>" maxlength="3" />
  </p>
  <p>Please specify how many characters the email box should accept
    <input name="emaillength" type="text" id="emaillength" size="6" value="<?php echo $emaillength; ?>" maxlength="3" />
  </p>
    <p>What should the label be?
    <input name="emaillable" type="text" id="emaillable" value="<?php echo $emaillable; ?>" size="30" maxlength="50" />
  </p>
  <p>What should be the default value in the Email Box?
    <input name="emaildefalt" type="text" id="emaildefalt" value="<?php echo $emaildefalt; ?>" size="30" maxlength="50" />
</p>
  <hr />
  <p>Do you want the person to submit a Subject line in the message? </p>
  <p>
    <input name="subjectbox" type="radio" value="yes" <?php if($subjectbox=='yes')echo 'checked="checked"'; ?> />
Yes
<input name="subjectbox" type="radio" value="no" <?php if($subjectbox=='no')echo 'checked="checked"'; ?> />
No </p>
  <p>If yes, please specify the width of the Subject box
    <input name="subjectwidth" type="text" id="subjectwidth" size="6" value="<?php echo $subjectwidth; ?>" maxlength="3" />
  </p>
  <p>Please specify the total characters it should accept
    <input name="subjectlength" type="text" id="subjectlength" value="<?php echo $subjectlength; ?>" size="6" maxlength="3" />
  </p>
  <p>What should be the default value in the Subject Box? 
    <input name="subjectdefalt" type="text" id="subjectdefalt" value="<?php echo $subjectdefalt; ?>" size="30" maxlength="50" />
  </p>
  <hr />
  <p>What should be the width in characters of the message box? 
    <input name="messagewidth" type="text" id="messagewidth" size="6" value="<?php echo $messagewidth; ?>" maxlength="3" />
  </p>
  <p>How many lines high should the message box be?
    <input name="messageheight" type="text" id="messageheight" value="<?php echo $messageheigth; ?>" size="6" maxlength="3" />
  </p>
  <p>Please specify the total characters it should accept
    <input name="messagelength" type="text" id="messagelength" value="<?php echo $messagelength; ?>" size="6" maxlength="4" />
</p>
  <p>What should be the default value in the Message Box?
    <input name="messagedefalt" type="text" id="messagedefalt" value="<?php echo $messagedefalt; ?>" size="30" maxlength="50" />
  </p>
  <hr />
  <p>Name the submit button
    <input name="submitname" type="text" id="submitname" value="<?php echo $submitbuttonname; ?>" />
  </p>
  <p>Please enter your own Email Address
    <input name="sendto" type="text" id="sendto" size="50" value="<?php echo $sendto; ?>" />
  </p>
  <p>
    <input type="submit" name="Submit" value="Submit" />
  </p>
  <input name="form_type" type="hidden" value="contactus" />
  <input name="showresult" type="hidden" value="yes" />
</form>
  <hr />
<?php
if($showresult==1)
{
echo "The HTML code of your form should be: (copy it as it is including php code) <br /> ";
?>
<textarea name="message" cols="80" rows="20" id="message">
<?php
echo '

&lt;form id=&quot;contactform&quot; name=&quot;contactform&quot; method=&quot;POST&quot; action=&quot;&quot;&gt;
&lt;table width=&quot;500&quot; border=&quot;0&quot; cellspacing=&quot;0&quot; cellpadding=&quot;0&quot;&gt;
&lt;tr&gt;';
 if( $namebox =='yes')
 {
echo '&lt;td&gt;'.$namelable.':&lt;/td&gt;
&lt;td&gt;&lt;input name=&quot;name&quot; type=&quot;text&quot; id=&quot;name&quot; value=&quot;' . $namedefalt . '&quot;  size=&quot;' . $namewidth . '&quot; maxlength=&quot;' . $namelength . '&quot; /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;';}


if($emailbox=='yes')
{
echo '&lt;td&gt;'.$emaillable.':&lt;/td&gt;
&lt;td&gt;&lt;input name=&quot;email&quot; type=&quot;text&quot; id=&quot;email&quot; value=&quot;' . $emaildefalt . '&quot; size=&quot;' . $emailwidth . '&quot; maxlength=&quot;' . $emaillength . '&quot; /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;';}


if($subjectbox == 'yes')
{
echo '&lt;td&gt;Subject:&lt;/td&gt;
&lt;td&gt;&lt;input name=&quot;subject&quot; type=&quot;text&quot; id=&quot;subject&quot; value=&quot;' . $subjectdefalt . '&quot; size=&quot;' . $subjectwidth . '&quot; maxlength=&quot;' . $subjectlength . '&quot; /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;';}

echo '&lt;td&gt;Message:&lt;/td&gt;
&lt;td&gt;&lt;textarea name=&quot;message&quot; cols=&quot;'. $messagewidth .'&quot; rows=&quot;'. $messageheigth . '&quot; id=&quot;message&quot;&gt;' . $messagedefalt . '&lt;/textarea&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&amp;nbsp;&lt;/td&gt;
&lt;td&gt;&lt;input type=&quot;submit&quot; name=&quot;Submit&quot; value=&quot;Submit&quot; /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;
&lt;/form&gt;';
// The if($showresult==1) block stays open here so that the generated PHP
// handler and the closing </textarea> are emitted together with the
// opening <textarea> above, not on every page load.
echo "\n\n\n\n\n\n<!--The PHP Code starts from here: -->\n";
// The recipient is written into the generated script as a quoted string
// literal (var_export), so the entered value can never alter the generated code.
echo '
<?php
$sendto = ' . var_export($sendto, true) . ';
$name    = isset($_POST[\'name\'])    ? $_POST[\'name\']    : \'\';
$email   = isset($_POST[\'email\'])   ? $_POST[\'email\']   : \'\';
$subject = isset($_POST[\'subject\']) ? $_POST[\'subject\'] : \'\';
$message = isset($_POST[\'message\']) ? $_POST[\'message\'] : \'\';
// A CR or LF in a value used in a mail header lets a sender add Bcc:/To: lines (e-mail header injection)
if (preg_match(\'/[\r\n]/\', $email . $subject)) die(\'Invalid input\');
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) die(\'Invalid e-mail address\');
$body = "Title: $subject \n\n Name: $name \n\nE-mail Address: $email\n\n Message:\n $message";
mail($sendto, "Contact Us Form Entry $subject", $body, "From: $email\n") or die(\'Message Could not be sent\');
echo \'Your Message has been sent.\';
?>

';
}
?></textarea>
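Mathiaus's three PHP points (check required fields, re-display the form with the missing field highlighted, prevent e-mail header injection) worked into a hardened version of the handler the generator emits. This is an added example, not code from the thread; the POST field names are the generated form's (name, email, subject, message), while the fixed From address webform@example.com, the required-field list, and the function names has_header_injection(), validate_contact(), build_mail() and field_html() are assumptions.

```php
<?php
// Added example: a hardened form handler for the snippet form_maker.php
// generates. Field names match the generated form; the From address
// webform@example.com and the required-field list are assumptions.

// Mail header injection: a CR or LF inside a value that lands in a header
// (From:, Subject:) lets an attacker append "Bcc: ..." lines, turning the
// contact form into an open relay. Reject such values outright.
function has_header_injection($value)
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Validate a submission. Returns array(field => message); empty means OK.
function validate_contact(array $post, array $required)
{
    $errors = array();
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[$field] = 'This field is required';
        }
    }
    foreach (array('name', 'email', 'subject') as $field) {
        if (isset($post[$field]) && has_header_injection($post[$field])) {
            $errors[$field] = 'Line breaks are not allowed here';
        }
    }
    if (isset($post['email']) && $post['email'] !== '' && !isset($errors['email'])
        && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Not a valid e-mail address';
    }
    return $errors;
}

// Build the mail. The visitor's address goes in Reply-To; From stays a local
// address so the server is not sending as a domain it is not allowed to.
function build_mail(array $post, $sendto)
{
    $subject = 'Contact Us Form Entry: ' . $post['subject'];
    $body    = "Name: {$post['name']}\nE-mail: {$post['email']}\n\nMessage:\n{$post['message']}\n";
    $headers = "From: webform@example.com\r\nReply-To: {$post['email']}\r\n";
    return array($sendto, $subject, $body, $headers);
}

// Re-display one field with its error, escaping the visitor's own input so a
// reflected "><script> in the name box is shown as text, not executed.
function field_html($name, $label, $value, array $errors)
{
    $class = isset($errors[$name]) ? ' class="error"' : '';
    $note  = isset($errors[$name]) ? ' <em>' . htmlspecialchars($errors[$name], ENT_QUOTES, 'UTF-8') . '</em>' : '';
    return '<label for="' . $name . '">' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</label>'
         . '<input type="text" name="' . $name . '" id="' . $name . '"' . $class
         . ' value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '" />' . $note;
}

$required = array('name', 'email', 'message');
$sendto   = 'youremail@email.com';

// Only act on an actual submission, never on a plain GET of the page.
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_contact($_POST, $required);
    if (empty($errors)) {
        list($to, $subj, $body, $hdrs) = build_mail($_POST, $sendto);
        echo mail($to, $subj, $body, $hdrs) ? 'Your message has been sent.' : 'Message could not be sent.';
    } else {
        echo field_html('name',  'Your Name',  isset($_POST['name'])  ? $_POST['name']  : '', $errors);
        echo field_html('email', 'Your Email', isset($_POST['email']) ? $_POST['email'] : '', $errors);
    }
}

// Constructed injection attempt (what the unhardened snippet would pass into
// the From: header unchanged): the validator flags the email field.
$probe = array(
    'name'    => 'Mallory',
    'email'   => "mallory@example.net\nBcc: everyone@example.org",
    'subject' => 'hello',
    'message' => 'body',
);
var_dump(validate_contact($probe, $required));
```

The order of checks matters: the line-break test runs before filter_var() so the visitor sees the reason the address was rejected, and nothing from $_POST reaches mail() until every check has passed.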


jmlworld
Nice invention, Image Free, and thanks for your big work. I went over there to test your code, and I got the following results:

A) Contact form:
Your contact form is really very nice, and I like the way it takes the user input to produce the end user's preferred style. There are only two holes in your contact form script, and I classify them as follows:
I. Form validation: For your customers' security, your generated code needs to include some form validation script. PHP with JavaScript is good; otherwise run PHP code to validate the form inputs, e.g. to check whether the end user's form is really secure enough.
II. User friendly: I'm sorry, but your form is not familiar to all users. Don't expect that all the boys and girls are computer savvy. For example, see this copy from your snippet:

Quote:
<form id="contactform" name="contactform" method="POST" action="">


Since many users have knowledge of HTML only, they will decide to set the action="" page, and if they put the wrong page their form will burn away. So I recommend you either remove the action="" or set it to the [PHP_SELF] variable, or ask the user which page the form is to be redirected to...


B) TAF (Tell a Friend):

I don't know, but I cannot figure out this page; it displays a blank page, so I cannot test your code.

Cheers,

JMLWorld

NB: Sorry for my English.
imagefree
Actually action="" means the current page, or maybe I should add a feature to let the user enter the processing page too.


The main problem with the form is security. I know the security is lacking, but I don't know how to secure a Contact Us form. Is security for this particular form all about just checking the input for HTML elements, or are there more aspects to be included? If you help me with this, I will be able to make a perfect script for form validation.


As far as the Tell a Friend form is concerned, I did not get much time to start and complete it. But I will definitely work on it.

Thanks for your suggestions, and please help me with the security issue.
woodenbrick
You can use this code to check that a valid email address has been submitted (I don't remember who wrote it, but it's very good).

Quote:
Code:
<?php
// Validates an e-mail address: exactly one @, length limits on both sides,
// a dot-atom or quoted-string local part, and a domain that is either a
// bracketed IP address or a dotted list of valid labels.
// Uses preg_match() because the ereg() family was removed in PHP 7.
function valid_email($email) {
  // First, we check that there's one @ symbol, and that the lengths are right
  if (!preg_match('/^[^@]{1,64}@[^@]{1,255}$/', $email)) {
    // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
    return false;
  }
  // Split it into sections to make life easier
  $email_array = explode("@", $email);
  $local_array = explode(".", $email_array[0]);
  foreach ($local_array as $local_part) {
    // Each dot-separated piece is an atom of RFC 2822 "atext" characters, or a quoted string
    if (!preg_match('/^(([A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-][A-Za-z0-9!#$%&\'*+\/=?^_`{|}~\.-]{0,63})|("[^(\\\\|")]{0,62}"))$/', $local_part)) {
      return false;
    }
  }
  if (!preg_match('/^\[?[0-9\.]+\]?$/', $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
    $domain_array = explode(".", $email_array[1]);
    if (sizeof($domain_array) < 2) {
        return false; // Not enough parts to domain
    }
    foreach ($domain_array as $label) {
      // Each label: alphanumerics with optional inner hyphens, at most 63 characters
      if (!preg_match('/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/', $label)) {
        return false;
      }
    }
  }
  return true;
}
?>


Also, for the end-user form, make sure you check that the form has actually been submitted before trying to use mail().

Another thing: if this is for people who don't know PHP, they may not know how to save a file with a .php extension (I know I didn't when I started; I kept saving as .txt files).
jmlworld
You're welcome, ImageFree.

While talking about security I split it into two parts:
Part I: Unauthorized e-mail injections: When your customer successfully generates a [Contact Me] form, your customer's customers may include malicious users who can put this code into the message section:
Code:
<script language="javascript">
while(true)
{
   window.open("http://www.melicioussoftwarewebsite.tld");
}
</script>


If the contact-mail-form owner uses simple e-mail servers, or just a message log on his website, endless popup windows will start to fill the whole PC and will jam the CPU.

You can prevent this by adding some PHP script into the generator, so all the tags will be displayed as text, e.g.
Code:
$field_var    = htmlspecialchars($field_var);


$field_var: I mean you can apply the htmlspecialchars() function to every input field by calling its variable, e.g. $email = htmlspecialchars($email); $subject = htmlspecialchars($subject); $message = htmlspecialchars($message); etc.

So no need to worry about any script executing unauthorized code. All the user inputs, including any malicious code, will be changed to normal HTML text, e.g. "<" will become "&lt;".


Part II: E-mail validation: Is the From e-mail in a correct format? You must ensure this by adding code like this into the PHP code:

Code:
// isEmail(): whichever e-mail validator you use, e.g. the valid_email() function posted above
if (!isEmail($email))
   {
      echo 'Email address is not in correct format';
   }

The above code ensures that the From e-mail is in the correct format; if this check is not present in the code, contact form owners will receive messages whose From e-mail is unknown. This is possible in old versions of PHP like PHP3.

You can validate all the fields using PHP
Code:
if… else

Using JavaScript form validation is nice, because it is more responsive than a PHP script. You can use JavaScript form validation scripts from this web site: http://www.dynamicdrive.com

You can help me correct it if there is any error in my explanation.

ImageFree, please PM me if you need any help from me.
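The htmlspecialchars() advice in the post above, applied to the builder itself rather than to the generated contact form. This is an added example, not code from the thread; it takes the builder field names (namelable, namedefalt, namewidth, namelength, sendto) from include_originalpage.php, while the helper names h(), php_literal(), clamp_int(), generate_form_snippet() and textarea_html() and the constructed malicious input are mine. It shows the three output contexts the builder writes user input into: HTML text and attributes, the <textarea> that holds the generated snippet, and the generated PHP source where the recipient address becomes a string literal, and why each needs its own encoding.

```php
<?php
// Added example (not from the thread): escaping builder input on the
// generator side, one encoder per output context. Helper names are assumed.

function h($s)
{
    // HTML text/attribute context. ENT_QUOTES encodes both ' and ", so the
    // value can neither close an attribute nor open a tag.
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

function php_literal($s)
{
    // PHP source context. var_export() yields a correctly quoted and escaped
    // string literal, so "x'; system('id'); //" stays data in the generated file.
    return var_export((string) $s, true);
}

function clamp_int($s, $min, $max, $default)
{
    // Numeric attribute context (size, maxlength): never echo raw; coerce and bound.
    if (!is_numeric($s)) return $default;
    return max($min, min($max, (int) $s));
}

function generate_form_snippet(array $opt)
{
    $label   = h($opt['namelable']);
    $default = h($opt['namedefalt']);
    $width   = clamp_int($opt['namewidth'], 1, 200, 30);
    $length  = clamp_int($opt['namelength'], 1, 1000, 50);

    $html = '<form method="post" action="">' . "\n"
          . '<label for="name">' . $label . ':</label>' . "\n"
          . '<input name="name" id="name" type="text" value="' . $default . '"'
          . ' size="' . $width . '" maxlength="' . $length . '" />' . "\n"
          . '</form>' . "\n";
    $php  = "<?php\n\$sendto = " . php_literal($opt['sendto']) . ";\n?>\n";
    return array('html' => $html, 'php' => $php);
}

function textarea_html($snippet)
{
    // The snippet is escaped once more for the builder page's <textarea>.
    // The browser decodes it for display, so the user copies the intended
    // text, and a "</textarea><script>" payload can't close the textarea.
    return '<textarea cols="80" rows="20">' . h($snippet) . '</textarea>';
}

// Constructed malicious builder input, one payload per context.
$opt = array(
    'namelable'  => '</textarea><script>alert(1)</script>',
    'namedefalt' => '" onfocus="alert(2)',
    'namewidth'  => '30; DROP',
    'namelength' => '99999',
    'sendto'     => "a@example.com'; system('id'); //",
);
$out = generate_form_snippet($opt);
echo textarea_html($out['html'] . "\n" . $out['php']);
```

Run it and view the page source: the label appears as `&amp;lt;/textarea&amp;gt;...` inside the textarea (double-encoded on the builder page, single-encoded in what the user copies), the default value cannot add an onfocus attribute, the width falls back to 30 and the length is capped, and $sendto in the generated PHP is a quoted literal rather than code.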
© 2005-2011 Frihost, forums powered by phpBB.