
Very new to PHP, making a web form that posts its contents to a PHP file. PHP file needs to bundle the data into an email to myself as I am not confident enough to send the data directly into our system. I uploaded a test PHP file to the server to test and over the weekend I have received a number of blank emails sent by the file, I assume this means someone is accessing the file without completing the form.

  1. Am I using the correct if statement to prevent the code running when someone navigates to my php file?
  2. How can I make the .php inaccessible to anyone but the webform?
  3. Have I made any glaring errors?

    <?php
    // Only handle form submissions; a plain GET to this file falls through
    // to the exit() below and sends nothing.
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        $emailbody = 'Name: '.$_POST['m_title'].' '.$_POST['m_firstname'].' '.$_POST['m_surname']."\n"
                    .'Email: '.$_POST['m_email']."\n"
                    .'Phone: '.$_POST['m_phone']."\n"
                    .'D.O.B: '.$_POST['m_dob_day'].' '.$_POST['m_dob_month'].' '.$_POST['m_dob_year']."\n"
                    .'Postcode: '.$_POST['m_postcode']."\n"
                    .'Lenders: '.$_POST['m_bank1'].','.$_POST['m_bank2'].','.$_POST['m_bank3'].','.$_POST['m_bank4'].','.$_POST['m_bank5'].','.$_POST['m_bank6'].','.$_POST['m_bank7'].','.$_POST['m_bank8'];
        mail('**removed**', 'Web Lead', $emailbody);
        // The comma before `true` was missing in the posted code (a parse error);
        // `true` is the default "replace an earlier Location header" flag.
        header('Location: https://www.**removed**', true, 301);
    }
    exit();
    ?>

Niall
  • What is the meaning of the `true` keyword, in your call to `header`? (it seems like a typo/copy-paste error) – Gabriel Aug 29 '18 at 10:48
  • @Gabriel It replaces a previously set header; that is the default behaviour. I guess this was done because the 3rd arg was required by the OP, but I don't know why ;) – Robert Aug 29 '18 at 10:52
  • quite right, copy and paste error. Thank you. – Niall Aug 29 '18 at 10:54
  • @Robert : I was rather referring to the invalid syntax (missing a comma somewhere, assuming OP really wanted to pass 3 args :) ) – Gabriel Aug 29 '18 at 10:57

3 Answers


Am I using the correct if statement to prevent the code running when someone navigates to my php file?

Not quite: if someone accesses the file with a POST request with blank form fields, it will send you an email without the variables specified in the POST, like m_title, m_email, etc.

How can I make the .php inaccessible to anyone but the webform?

You can add a CSRF token to the form.

Have I made any glaring errors?

No validation and no escaping may lead to potential security vulnerabilities. The 301 makes no sense either, unless you really want to redirect the user to the specified URL every time they access the page with the form.

Robert
  • So for me to be receiving a blank email at 2:30 AM on a Sunday means someone has modified a copy of the webform? I shall look into implementing a token. Validation is something I shall have to research also, thank you – Niall Aug 29 '18 at 10:57
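As an added example of the CSRF-token suggestion above (this is not code from the question or from Robert's answer), here is a single PHP file that issues a per-session token when the form is fetched with GET and refuses to send mail unless the POST carries that token. The recipient address, redirect URL and the two form fields shown are placeholders; the session mechanism assumes the form and the handler are served from the same host so the session cookie is shared.

```php
<?php
// Added example, not code from the question or from Robert's answer.
// Assumptions: PHP 7.0+ (random_bytes, hash_equals), sessions available,
// placeholder recipient and redirect URL, and a form that is served by this
// same file so the session cookie is shared between the two requests.
session_start();

const RECIPIENT  = 'leads@example.invalid';              // placeholder
const THANKS_URL = 'https://www.example.invalid/thanks'; // placeholder

// Issue one unguessable token per session; it is echoed into the form and
// must come back with the POST.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// True only if the POST carries exactly the token stored in the session.
// hash_equals() compares in constant time, so the token cannot be recovered
// byte by byte from response timing.
function csrfValid(array $post, array $session): bool
{
    return isset($post['csrf_token'], $session['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Render the form; the token travels in a hidden field.
    $token = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="{$token}">
  <label>First name <input name="m_firstname" required></label>
  <label>Email <input name="m_email" type="email" required></label>
  <button type="submit">Send</button>
</form>
HTML;
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrfValid($_POST, $_SESSION)) {
    // Direct hits, scanners and forms posted from elsewhere stop here:
    // no mail is sent, so the blank-email problem disappears.
    http_response_code(403);
    exit('Forbidden');
}

// Make the token single-use: a replay of the same POST is rejected because
// a fresh token is only issued on the next GET.
unset($_SESSION['csrf_token']);

$emailbody = 'Name: '.($_POST['m_firstname'] ?? '')."\n"
           .'Email: '.($_POST['m_email'] ?? '')."\n"; // add the other fields as in the question
mail(RECIPIENT, 'Web Lead', $emailbody);

// 303 See Other is the status for "you POSTed, now GET this page": the
// browser follows it with a GET and a refresh will not resubmit the form.
// 301 says the form URL itself has moved permanently, which is not the case.
header('Location: '.THANKS_URL, true, 303);
exit;
```

The token stops bare hits on the handler and forms submitted from other sites, which is what was producing the blank emails. It does not stop a bot that fetches the form first and then posts it with the token it was given, so for real spam a honeypot field, rate limiting or a CAPTCHA is still needed. If the HTML form is a static page on a different host from the handler, the session cookie will not be shared and every submission will be rejected, so keep both on the same origin.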

You can prevent users from navigating to the file by using frontend and backend validations.

  • [Frontend] Using `required` for the required web form fields [HTML].
  • [Backend] Sending mail only when `$_POST['required_field'] != NULL`.
Helder Sepulveda

Please ensure all required data are coming in the request.

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (isset($_POST['m_firstname']) && $_POST['m_firstname'] != '') {
        if (isset($_POST['m_title']) && $_POST['m_title'] != '') {
            // likewise check that every other required field is present in the request
            $emailbody = 'Name: '.$_POST['m_title'].' '.$_POST['m_firstname'].' '.$_POST['m_surname']."\n"
                        .'Email: '.$_POST['m_email']."\n"
                        .'Phone: '.$_POST['m_phone']."\n"
                        .'D.O.B: '.$_POST['m_dob_day'].' '.$_POST['m_dob_month'].' '.$_POST['m_dob_year']."\n"
                        .'Postcode: '.$_POST['m_postcode']."\n"
                        .'Lenders: '.$_POST['m_bank1'].','.$_POST['m_bank2'].','.$_POST['m_bank3'].','.$_POST['m_bank4'].','.$_POST['m_bank5'].','.$_POST['m_bank6'].','.$_POST['m_bank7'].','.$_POST['m_bank8'];
            mail('**removed**', 'Web Lead', $emailbody);
            // the comma before `true` was missing in the original; without it this line does not parse
            header('Location: https://www.**removed**', true, 301);
        } else {
            echo 'title required';
        }
    } else {
        echo 'name required';
    }
}
exit();

This will help you stop unnecessary mail operations.

Otherwise, check whether the submit button was clicked (this requires the button to have `name="submit"` in the form):

<?php
if (isset($_POST['submit'])) {
    // put the mail function here
}

I hope this will help you :)

sathya seelan
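As an added example that belongs to neither answer, the nested isset() checks in the last answer and the backend "send mail only when the required field is not NULL" rule in Helder Sepulveda's answer can be expressed as one table of required fields, each with an optional validator, so every missing or malformed field is reported at once and no mail is sent for an incomplete submission. It also strips CR/LF from every value, which matters the moment a field such as m_email is placed in a mail header. Field names follow the form in the question; the recipient address, redirect URL and the phone/postcode rules are placeholders, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the question or from any of the answers.
// Assumptions: PHP 7.1+ (array destructuring in foreach), field names as
// in the question's form, placeholder recipient, redirect URL and rules.

const RECIPIENT  = 'leads@example.invalid';              // placeholder
const THANKS_URL = 'https://www.example.invalid/thanks'; // placeholder

// Remove CR and LF from a submitted value and trim it. mail() separates
// headers with CRLF, so a value containing "\r\nBcc: ..." would add a header
// if it were ever placed in Reply-To or Subject. Non-strings (m_email[]=x)
// are treated as empty.
function cleanField($value): string
{
    if (!is_string($value)) {
        return '';
    }
    return trim(str_replace(["\r", "\n"], '', $value));
}

// Required fields: name => [label, validator or null for "non-empty only"].
function requiredFields(): array
{
    return [
        'm_title'     => ['Title',      null],
        'm_firstname' => ['First name', null],
        'm_surname'   => ['Surname',    null],
        'm_email'     => ['Email', function ($v) {
            return filter_var($v, FILTER_VALIDATE_EMAIL) !== false;
        }],
        'm_phone'     => ['Phone', function ($v) {       // placeholder rule
            return preg_match('/^\+?[0-9 ]{6,20}$/', $v) === 1;
        }],
        'm_postcode'  => ['Postcode', function ($v) {    // placeholder rule
            return strlen($v) <= 10;
        }],
    ];
}

// Check every required field and return [cleaned values, error messages];
// an empty error list means the submission is complete and well formed.
function validate(array $post, array $required): array
{
    $clean  = [];
    $errors = [];
    foreach ($required as $name => [$label, $check]) {
        $value = cleanField($post[$name] ?? '');
        if ($value === '') {
            $errors[] = "$label is required";
        } elseif ($check !== null && !$check($value)) {
            $errors[] = "$label is not valid";
        }
        $clean[$name] = $value;
    }
    return [$clean, $errors];
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);   // direct visits get no mail and no processing
    exit('Method Not Allowed');
}

[$fields, $errors] = validate($_POST, requiredFields());

if ($errors !== []) {
    // Nothing is mailed for an incomplete or malformed submission.
    http_response_code(422);
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

// Optional lenders: keep only the ones that were filled in.
$lenders = [];
for ($i = 1; $i <= 8; $i++) {
    $v = cleanField($_POST["m_bank$i"] ?? '');
    if ($v !== '') {
        $lenders[] = $v;
    }
}

$emailbody = 'Name: '.$fields['m_title'].' '.$fields['m_firstname'].' '.$fields['m_surname']."\n"
           .'Email: '.$fields['m_email']."\n"
           .'Phone: '.$fields['m_phone']."\n"
           .'Postcode: '.$fields['m_postcode']."\n"
           .'Lenders: '.implode(',', $lenders)."\n";

// The address is safe in a header only because cleanField() removed CR/LF
// and FILTER_VALIDATE_EMAIL accepted it as a single address.
mail(RECIPIENT, 'Web Lead', $emailbody, 'Reply-To: '.$fields['m_email']);
header('Location: '.THANKS_URL, true, 303);
exit;
```

Adding a field is one line in requiredFields() rather than another level of nesting, and because the handler rejects any request that is not a complete POST, the blank emails from direct visits stop. The CR/LF stripping is cheap insurance: the body of a mail cannot inject headers, but the moment a submitted value is copied into the fourth argument of mail() or into the subject, an unfiltered newline would.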