$_POST doesn't seem to work

Question

I'm creating an e-mail system, so I made this little test tidbit and it works.....a bit?

<html>
    <head><title>EMail Test</title></head>

    <body>
<input type="text" name="email">

EMail (required)

<br><br>

<textarea name="comment" rows="5" cols="40"></textarea> what's your problem?
<br><br>
<form method="POST" action=''>
<input type="submit" name="button1"  value="Submit">
</form>

<?php

if (isset($_POST['button1'])) { 

    $msg=$_POST['email']." asks: ".$_POST['comment'];

    echo $msg;
    $email=$_POST['email'];
    $SupportNinga="Typhoone01@gmail.com";

    $mail=mail($SupportNinga,"Question from ".$email,$msg);
    echo "Emailing...";
    if($mail) {
        echo"E-mail sent sucessfully";
    }
}  
?>

</body>

</html>

This was put into an online host and didn't seem to work.

It sent the e-mail, but it simply said "Question from-asks:". I can tell it's not properly reading the $_POST.

Help is appriciated. :P

Answer 1

Firstly, this part of your code is outside your form.

<textarea name="comment" rows="5" cols="40"></textarea> what's your problem?

As is <input type="text" name="email">

Place all form elements inside <form></form> tags.

• Reference: http://php.net/manual/en/tutorial.forms.php

Your mail() parameters are also off.

Read the manual http://php.net/manual/en/function.mail.php

Use error reporting.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

---

You should also check for empty()'ness on your email input.

• http://php.net/manual/en/function.empty.php

Also using FILTER_VALIDATE_EMAIL against it:

• http://php.net/manual/en/filter.examples.validation.php

---

HTML sticklers:

In regards to using <html> it's best to declare a doctype, such as <!DOCTYPE html>.

Firefox for one, will throw a (red) warning in HTML source, upon placing your mouse over <html>.

Such as:

Start tag seen without seeing a doctype first. Expected "<!DOCTYPE html>".

• <form method="POST" action=''> be consistent and use all double quotes.

• Seperate your PHP from HTML. Place your PHP above your HTML if you're not going to be echoing anything special besides your "success on mail" message.

---

Prevent data resubmissions:

You should be redirecting to a new page using a header, and using sessions/tokens to prevent people from resubmitting the same data if the user refreshes that page.

References:

• http://php.net/manual/en/function.header.php
• How to make a redirect in PHP?
• How to prevent form resubmission when page is refreshed via PHP
• http://www.phpro.org/tutorials/Preventing-Multiple-Submits.html

XSS injection:

$msg=$_POST['email']." asks: ".$_POST['comment'];

You should first declare your variables assigned from your POST arrays, then concatenate those variables. You stand at getting an XSS injection here.

References:

• XSS (Cross Site Scripting) Prevention Cheat Sheet
• How to prevent cross site scripting
• How to sanitze user input in PHP before mailing?

---

User sign-up via email footnote:

"I'm creating an e-mail system".

It seems you're new to working with emailing, and here are a few pointers for you.

You need to make sure that you include an unsubscribe method in each mailing.

There are laws about this, and is beyond the scope of this question.

Canada for one and being my country, has strict anti-spam laws, as do other countries.

• http://fightspam.gc.ca/

So, make sure that the people who sign up, know what they're getting themselves into and have an double opt-in method for verification.

Otherwise, you will get blacklisted.