<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.0.4" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Form to email code for WordPress</title>
	<link>http://www.jasoose.com/2005/12/14/form-to-email-code-for-wordpress/</link>
	<description>Normal is a variable. Bitching is a constant.</description>
	<pubDate>Sun, 20 May 2012 05:36:42 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.4</generator>

	<item>
		<title>by: Tom Weishaar</title>
		<link>http://www.jasoose.com/2005/12/14/form-to-email-code-for-wordpress/#comment-2672</link>
		<pubDate>Wed, 07 Jan 2009 15:43:27 +0000</pubDate>
		<guid>http://www.jasoose.com/2005/12/14/form-to-email-code-for-wordpress/#comment-2672</guid>
					<description>Judy - See step 8 above and look for the line:

&lt;?php if (""==$_POST['cm_email']) { ?&gt;

This is looking to see if there's a return email address available. If there is, the code assumes there's something to pass on via email, which it does, and it puts up the Thank You page. If there's not, the code assumes it should return the blank form and not send an email.

If the form is completely filled out except for the return email address, it will return the form. If the form is completely blank except for the return email address, it will send an email and return the Thank You page.

While it's possible to test to see exactly which fields are blank and to return error messages - and I've written forms that do that in the past - my current thinking is that it's overkill. Real people just don't send blank forms enough to make the extra complexity worth it.

Tom</description>
		<content:encoded><![CDATA[<p>Judy - See step 8 above and look for the line:</p>
<p>&lt;?php if (""==$_POST['cm_email']) { ?&gt;</p>
<p>This is looking to see if there's a return email address available. If there is, the code assumes there's something to pass on via email, which it does, and it puts up the Thank You page. If there's not, the code assumes it should return the blank form and not send an email.</p>
<p>If the form is completely filled out except for the return email address, it will return the form. If the form is completely blank except for the return email address, it will send an email and return the Thank You page.</p>
<p>While it's possible to test to see exactly which fields are blank and to return error messages - and I've written forms that do that in the past - my current thinking is that it's overkill. Real people just don't send blank forms enough to make the extra complexity worth it.</p>
<p>Tom
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: judy mackenzie</title>
		<link>http://www.jasoose.com/2005/12/14/form-to-email-code-for-wordpress/#comment-2640</link>
		<pubDate>Thu, 01 Jan 2009 06:47:56 +0000</pubDate>
		<guid>http://www.jasoose.com/2005/12/14/form-to-email-code-for-wordpress/#comment-2640</guid>
					<description>Thanks for these directions. I am currently building a website for a friend, and your .php info is very helpful. However I cannot get the contact form to give an error message if a blank form is sent. Can you please check out the source code and tell me where I have gone wrong? It is probably something simple but I can't see it!

Judy</description>
		<content:encoded><![CDATA[<p>Thanks for these directions. I am currently building a website for a friend, and your .php info is very helpful. However I cannot get the contact form to give an error message if a blank form is sent. Can you please check out the source code and tell me where I have gone wrong? It is probably something simple but I can't see it!</p>
<p>Judy
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Tom Weishaar</title>
		<link>http://www.jasoose.com/2005/12/14/form-to-email-code-for-wordpress/#comment-13</link>
		<pubDate>Fri, 10 Feb 2006 04:42:03 +0000</pubDate>
		<guid>http://www.jasoose.com/2005/12/14/form-to-email-code-for-wordpress/#comment-13</guid>
					<description>Someone out there seems to think the above code is susceptible to an email insertion attack. 

At least they keep trying the trick on my contact page, filling my mailbox with emails that have email commands in the subject line.

On the assumption that this attack must work on some systems, or they wouldn't be wasting their time, I recommend changing the following lines:

&lt;pre&gt;
$cm_subject="WebPost - ".$_POST['cm_subject'];
$cm_message="From: ".$_POST['cm_name']." at ".$_POST['cm_email']."\n\n";
&lt;/pre&gt;

to:

&lt;pre&gt;
$cm_subject="WebPost";
$cm_message="From: ".$_POST['cm_name']." at ".$_POST['cm_email']."\n";
$cm_message.="Subject: ".$_POST['cm_subject']."\n\n";
&lt;/pre&gt;</description>
		<content:encoded><![CDATA[<p>Someone out there seems to think the above code is susceptible to an email insertion attack. </p>
<p>At least they keep trying the trick on my contact page, filling my mailbox with emails that have email commands in the subject line.</p>
<p>On the assumption that this attack must work on some systems, or they wouldn't be wasting their time, I recommend changing the following lines:</p>
<pre>
$cm_subject="WebPost - ".$_POST['cm_subject'];
$cm_message="From: ".$_POST['cm_name']." at ".$_POST['cm_email']."\n\n";
</pre>
<p>to:</p>
<pre>
$cm_subject="WebPost";
$cm_message="From: ".$_POST['cm_name']." at ".$_POST['cm_email']."\n";
$cm_message.="Subject: ".$_POST['cm_subject']."\n\n";
</pre>
]]></content:encoded>
				</item>
</channel>
</rss>

