
I'm trying to get the 'select option' to post to my email. The other input fields do post, but not the select; it's driving me nuts. Please advise. Also, any additional advice on SQL injection prevention methods would be much appreciated.

HTML

<form action="contactform.php" method="post">
  <input type="text" name="name" placeholder="*Full Name">
  <input type="text" name="email" placeholder="*Email">
  <input type="tel" name="telephone" placeholder="*Telephone">
  <input type="text" name="comments" class="feedback-input" id="comments" placeholder="*How can I help?">
  <select name="selectoption">
    <option value="first">First</option>
    <option value="second">Second</option>
    <option value="third">Third</option>
  </select>
  <input type="text" name="code" placeholder="1+2 =" />
  <input type="submit" value="Send" class="button">
</form>



PHP
<?php

if(isset($_POST['email'])) {

    if (strtolower($_POST['code']) != '3') {die('Wrong access code');}

    $email_to = "";
    $email_subject = "contact form submission";

    $name = $_POST['name']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required
    $comments = $_POST['comments']; // required
    $selectoption = $_POST['selectoption']; // required

    function clean_string($string) {
      $bad = array("content-type","bcc:","to:","cc:","href");
      return str_replace($bad,"",$string);
    }

    $email_message .= "Name: ".clean_string($name)."\n";
    $email_message .= "Email: ".clean_string($email_from)."\n";
    $email_message .= "Telephone: ".clean_string($telephone)."\n";
    $email_message .= "Comments: ".clean_string($comments)."\n";
    $email_message .= "Selectoption: ".clean_string($selectoption)."\n";

    // create email headers
    $headers = 'From: '.$email_from."\r\n".
    'Reply-To: '.$email_from."\r\n" .
    'X-Mailer: PHP/' . phpversion();

    @mail($email_to, $email_subject, $email_message, $headers);

?>

Thank you for contacting us. We will be in touch with you very soon.
<a href="#">return to website</a>

<?php

}

?>



thanks very much
Dan
Dave
  • Your first instance of `$email_message` is concatenating. You should begin with `$email_message = "";`, not `$email_message .= "";` – Adam Joseph Looze Feb 14 '16 at 05:44
  • Also a tip: in your clean string function, you are just comparing the array itself. You should run a loop in that function to loop through each comparison. – Adam Joseph Looze Feb 14 '16 at 05:46
  • You need more sanitization in your $_POST variables. I wrote you this quick function for future reference. `function protect($p) { $p = stripslashes($p); $p = strip_tags($p); $p = preg_replace("/[^A-Za-z0-9]/", "", trim(trim($p,"'"),'"')); return $p; }` – Adam Joseph Looze Feb 14 '16 at 05:49
  • Any SQL query? To advise on SQL injection prevention methods. – Sanzeeb Aryal Feb 14 '16 at 07:31

1 Answer

<select name="selectoption">
    <option value="first">First</option>
    <option value="second">Second</option>
    <option value="third">Third</option>
 </select>

You can get the selected value with the code below:

$selectOption = $_POST['selectoption'];

Use isset to check whether the value exists or not.

$name = isset($_POST['name']) ? $_POST['name'] : '';  

$email_from = isset($_POST['email']) ? $_POST['email'] : ''; 

$telephone = isset($_POST['telephone']) ? $_POST['telephone'] : '';    

$comments = isset($_POST['comments']) ? $_POST['comments'] : ''; 

$selectoption = isset($_POST['selectoption']) ? $_POST['selectoption'] : ''; 

For SQL injection prevention techniques, refer to this link.

Hope it will help you :)

Ravi Hirani
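The posted script sends mail and runs no SQL query, so the user input that matters here is what reaches the mail headers and the select value. The following is an added example, not code from the question or the answer, showing one way to validate those fields before calling `mail()`; the function name `build_contact_mail()`, the fixed From address `webform@example.com` and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example, not code from the question or the answer.
// build_contact_mail() and webform@example.com are assumed names.
function build_contact_mail(array $post): array
{
    // Accept only the option values that the form actually offers.
    $allowed = ['first', 'second', 'third'];
    $option  = $post['selectoption'] ?? '';
    if (!in_array($option, $allowed, true)) {
        throw new InvalidArgumentException('Unexpected select value');
    }
    // The address ends up in a mail header, so it must be a single valid
    // address with no CR or LF that could start a new header line.
    $email = $post['email'] ?? '';
    if (!is_string($email) || preg_match('/[\r\n]/', $email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    // Single-line body fields: drop control characters, ignore non-strings.
    $line = static function ($v): string {
        return is_string($v) ? trim(preg_replace('/[\x00-\x1F\x7F]/', '', $v)) : '';
    };
    $body = 'Name: ' . $line($post['name'] ?? '') . "\n"
          . 'Email: ' . $email . "\n"
          . 'Telephone: ' . $line($post['telephone'] ?? '') . "\n"
          . 'Comments: ' . $line($post['comments'] ?? '') . "\n"
          . 'Selectoption: ' . $option . "\n";
    // Fixed From address; the visitor's address appears only in Reply-To.
    $headers = "From: webform@example.com\r\n" . 'Reply-To: ' . $email;
    return ['headers' => $headers, 'body' => $body];
}

// Constructed sample submissions: valid, CRLF in email, unknown option.
$samples = [
    ['name' => 'Dan', 'email' => 'dan@example.com', 'telephone' => '555',
     'comments' => 'Hello', 'selectoption' => 'second'],
    ['name' => 'x', 'email' => "a@example.com\r\nBcc: b@example.com",
     'comments' => 'x', 'selectoption' => 'second'],
    ['name' => 'x', 'email' => 'a@example.com', 'comments' => 'x',
     'selectoption' => 'fourth'],
];
foreach ($samples as $i => $post) {
    try {
        $mail = build_contact_mail($post);
        echo "sample $i accepted\n", $mail['headers'], "\n", $mail['body'];
    } catch (InvalidArgumentException $e) {
        echo "sample $i rejected: ", $e->getMessage(), "\n";
    }
}
```

Checking the select against the list of offered values and rejecting line breaks in the address replaces the substring blacklist in `clean_string()` with checks on what each field is allowed to contain.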