Simple Php script needed

hoops

Hello,

I need a simple PHP script that will send me the user's name and email.

I have a newsletter graphic with a submit button all ready to go.

Any help would be appreciated.
 
0
•••
Here is a quick script, hope it helps...

Code:
<?PHP if(!$submitted) { ?>

<form method="post" action="<?PHP echo $self?>">
<input type="hidden" name="submitted" value="1">
Name: <input type="text" name="name" size="15"><BR>
Email:<input type="text" name="email" size="15"><BR>
<input type="submit" value="GO">
</form>

<?PHP } else {
// Make sure all fields are used
if(!$name){ die("Please give us your name"); }
if(!$email){ die("Please enter your email"); }

// It's all good now send an email to the admin with the data
mail ( "[email protected]", "Submitted Data", "Name: $name\nEmail: $email", "From: $email" );
?>

Thank You!

<?PHP } ?>
 
0
•••
The code above has a couple of faults.

Firstly, it exposes your site to mailform abuse. A spammer could use the form to send spam emails through your site. They could do this by putting a CR/LF in the "from" field, allowing them to specify their own additional mail headers (e.g. to, cc, bcc), then a double CR/LF and their spam message. To protect against this, add the following:

PHP:
if (preg_match('#[\\x0d\\x0a]#', $_REQUEST['email'])) { die('Please go away'); }

Secondly, it relies on register globals. This has been deprecated in the latest PHP 5, and will not work on PHP 6. Use superglobals ($_REQUEST or $_POST) instead.
 
0
•••
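An added example (not code from any poster in this thread) that combines the two fixes described in the post above: it reads from a superglobal-style array instead of register globals, rejects CR/LF, and keeps the visitor's address out of the From header. The function name `build_signup_mail`, both addresses and the 100-character name limit are assumptions.

```php
<?php
// Added example, not code from the thread. Both addresses are placeholders.
const ADMIN_TO  = 'admin@example.com';
const FROM_ADDR = 'newsletter@example.com';

// Validate the submitted fields and build the argument list for mail().
// Returns [to, subject, body, headers], or null when the input is rejected.
function build_signup_mail(array $post): ?array
{
    $name  = $post['name']  ?? '';
    $email = $post['email'] ?? '';
    if (!is_string($name) || !is_string($email)) {
        return null;                    // e.g. name[]=x arrives as an array
    }
    // CR or LF anywhere in a field is the header-injection vector: reject it.
    if (preg_match('/[\r\n]/', $name . $email)) {
        return null;
    }
    $name  = trim($name);
    $email = trim($email);
    if ($name === '' || strlen($name) > 100) {   // 100 is an assumed limit
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // From is a fixed site address; the visitor's address only goes in Reply-To.
    $headers = 'From: ' . FROM_ADDR . "\r\n" . 'Reply-To: ' . $email;
    return [ADMIN_TO, 'Newsletter signup', "Name: $name\nEmail: $email", $headers];
}

// Constructed sample submissions, standing in for $_POST.
$samples = [
    ['name' => 'Alice', 'email' => 'alice@example.com'],
    ['name' => 'Bob',   'email' => "bob@example.com\r\nBcc: list@example.net"],
    ['name' => '',      'email' => 'carol@example.com'],
];
foreach ($samples as $post) {
    $args = build_signup_mail($post);
    echo json_encode($post['email']), ': ', $args ? 'accepted' : 'rejected', "\n";
}
// In the form handler itself:
//   $args = build_signup_mail($_POST);
//   if ($args !== null) { mail(...$args); }
```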
You need to validate the form data before doing anything with it. This is an example; it has worked for me for a loooong time.

$var = vdata($_POST['var']);

Here is vdata, adapt to your need. Mine is actually bigger, but you do not need all of what I have for just this:

Code:
if (!function_exists('clean')) {
	function clean($value) {
		// I clean the string up when my function is called.
		$search = array('javascript:',
		                'document.location',
		                'vbscript:',
		                '<script',
		                'rename table',
		                'insert into',
		                'language="javascript"',
		                'text/javascript',
		                'BCC:',
		                'CC:',
		                '?php');
		$value = str_replace($search, '_', $value);
		$value = mysql_real_escape_string(htmlspecialchars(strip_tags($value)));
		return $value;
	}
}

if (!function_exists('vdata')) {
	function vdata($value) {
		if (get_magic_quotes_gpc()) {
			//if the dope has magic quotes on, strip them
			$value = stripslashes($value);
		}
		if (!is_numeric($value) || $value[0] == '0') {
			// now do the cleaning
			$value = clean($value);
		}
		return $value;
	}
}
 
0
•••
Thanks, I'll give it a try.
 
0
•••
