Monday 3 September 2018

When I change my PHP contact form from get to post, it does not work

Here is my contact form; you can see it at benlevywebdesign.com at the bottom of the page.

<form id="form1" action="<?php echo $_SERVER['PHP_SELF']; ?>" enctype="text/plain" method="get">
    <fieldset>
        <p class="form">
            <label for="name">Name</label>
            <input type="text" name="name" id="name" size="30" />
        </p>
        <p class="form">
            <label for="email">Email</label>
            <input type="text" name="email" id="email" size="30" />
        </p>
        <p class="form">
            <label for="web">Website</label>
            <input type="text" name="web" id="web" size="30" />
        </p>
    </fieldset>
    <fieldset>
        <p class="form">
            <label for="message">Message</label>
            <textarea name="message" id="message" cols="30" rows="10"></textarea>
        </p>
    </fieldset>

    <p class="submit"><button name="submit" type="submit">Send</button></p>
</form>

And here is the PHP code I am trying to switch from get to post. I don't know that much PHP.

<?php
if (isset($_GET['submit'])) {
    $to = "benlevygraphics@gmail.com";
    $headers = "From: " . $_GET['email'];
    $subject = "Ben, you have been contacted by...";
    $body = "Name: " . $_GET['name'] . "\nEmail: " . $_GET['email'] . "\nWebsite: " . $_GET['web'] . "\nMessage: " . $_GET['message'];
    if (mail($to, $subject, $body, $headers)) {
        echo("<p>Your message has been sent!</p>");
    } else {
        echo("<p>Message delivery failed...</p>");
    }
}
?>


First, get rid of your enctype attribute. You are setting it to text/plain, about which the specification says:

"Payloads using the text/plain format are intended to be human readable. They are not reliably interpretable by computer."

Second, set method to "POST".

Third, in the PHP use $_POST, not $_GET.

Fourth, don't output content from $_POST/GET/SERVER/ETC into an HTML document without first encoding it with htmlspecialchars. Otherwise you have a huge XSS security vulnerability.
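The four points above applied to the asker's form and handler, as an added example written for this page rather than code from the asker or the answerer. The recipient address is the one from the question; the email validation with filter_var() is an assumption added here that goes beyond the answer, because the "From:" header is otherwise built from raw input.

```php
<?php
// Added example: POST form, $_POST handler, htmlspecialchars() on every echoed value.
$recipient = "benlevygraphics@gmail.com"; // address from the question
$notice = "";
$name = $email = $web = $message = "";

if (isset($_POST['submit'])) {
    $name    = trim($_POST['name'] ?? '');
    $email   = trim($_POST['email'] ?? '');
    $web     = trim($_POST['web'] ?? '');
    $message = trim($_POST['message'] ?? '');

    // Assumed extra check: a "From:" header concatenated from raw input would let a
    // submitter include CR/LF and append headers of their own. A value that passes
    // FILTER_VALIDATE_EMAIL contains no line breaks, so it is safe to place there.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $notice = "Please enter a valid email address.";
    } else {
        $headers = "From: " . $email;
        $subject = "Ben, you have been contacted by...";
        $body    = "Name: $name\nEmail: $email\nWebsite: $web\nMessage: $message";
        $notice  = mail($recipient, $subject, $body, $headers)
            ? "Your message has been sent!"
            : "Message delivery failed...";
    }
}

// Small helper so every output point below is encoded the same way.
function h($value) { return htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); }
?>
<?php if ($notice !== ""): ?>
<p><?php echo h($notice); ?></p>
<?php endif; ?>
<!-- No enctype: the default application/x-www-form-urlencoded is what PHP parses into $_POST.
     PHP_SELF is user-influenced, so it is encoded before being placed in the attribute. -->
<form id="form1" action="<?php echo h($_SERVER['PHP_SELF']); ?>" method="post">
    <p class="form">
        <label for="name">Name</label>
        <input type="text" name="name" id="name" size="30" value="<?php echo h($name); ?>" />
    </p>
    <p class="form">
        <label for="email">Email</label>
        <input type="text" name="email" id="email" size="30" value="<?php echo h($email); ?>" />
    </p>
    <p class="form">
        <label for="message">Message</label>
        <textarea name="message" id="message" cols="30" rows="10"><?php echo h($message); ?></textarea>
    </p>
    <p class="submit"><button name="submit" type="submit">Send</button></p>
</form>
```

Re-displaying the submitted values on a validation error is where the encoding matters most, since each value is user input placed back into the page.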
