How do I pass form data between pages and have it email me the results?
November 30, 2009 11:06 PM

Help me learn to code a form that passes multiple fields across several pages and ultimately emails me the results.

For purposes of this question, let's say I have a website with three pages.

* Page 1 has a form with a drop-down to select what industry someone is in.

* Page 2 should list the selection that was made on page one, and possibly change some of the other form fields on the page as a result of what was selected on page one

* Page 3 summarizes all of the selections that were made and requests the submitter's email address. Upon submission, all of the data is emailed in a cleanly formatted text email to , with the from address also being the site where this form will be located. Additionally, I would like to pass through the referrer string from Page 1 so I can see where the lead came from (for example, if they came from Google this would give me the keyword and other data).

Right now I have a simple one-page form on my site and I use the free service from a site called to email the form to me but there MUST be a way to just have it handled all from my site and not need a third party.

I know a decent amount of HTML/CSS to the point where I can code a nicely designed site and I'm just getting started with PHP. I'd say I know enough to do includes and have some sense of what is going on in the code with limited ability to hack it but I don't yet have an understanding of how to implement global GET and POST commands (which I have a hunch is what is involved in passing the data between pages according to the initial research I've done).

I'm eager to learn the required coding skills to be able to do this myself but I'm not quite sure where to start as there are several components to this I've identified. I would appreciate suggestions, links, guides, tutorials, and anything else that can help me figure out:

1. How to properly build the form so I can pass form field inputs between several pages during a session

2. How to properly capture the referrer string when the user submits the form on the first page to move on to the next step (I assume this would then be stored as a hidden field input)

3. How to simply set things up so I can manage the emailing of all this form data on my own. I've seen various PHP scripts out there that claim to do this but they are a bit intimidating as I'm not quite sure what is involved in making this work. I.e. could I set it to send from any email address I want or does it have to be from the same domain as the site is hosted on, and do I need to do anything to email settings with the site, etc.? Right now these scripts are essentially a black box to me and I want a better understanding of how they function.

I figured the best approach after getting answers here would be to build a simple bare-bones test site with this functionality and then try to implement it on my live site, so I look forward to your answers and I am happy to clarify any of this further. Please note, I am not looking for you to code this for me... I honestly want to learn how to do everything that is involved in this as I am very much a "teach me to fish" type of person, and while I don't know a ton of PHP yet, I tend to pick up fairly quickly on how to code specific things and hack snippets together even if I don't know a ton about the language.

Also, my preference for this is to keep it doable while utilizing XAMPP, so that means PHP (MySQL if necessary) and CSS/HTML. Thanks AskMeFi!
posted by Elminster24 to Computers & Internet (12 answers total) 2 users marked this as a favorite
There's a number of issues here and I'm not going to address them all, but just to start with I suggest you look at this PHP manual page. Make use of the examples shown at the bottom of the page to write yourself a very simple PHP script which sends an email to you. See if you receive it.

This will provide you with some of the skills you need for your entire project and also ensure that your current hoster allows you to send emails.

I'm sure others will chime in with other information.
posted by southof40 at 11:42 PM on November 30, 2009

Hmmm, after reviewing that (and only understanding some of it), would I be correct that the method of how I utilize PHP to actually send the email is highly dependent on what MTA is available on my hosting account? Please bear in mind that I have only an extremely basic understanding of what an MTA is and how it relates to this.

FWIW I have a standard Dreamhost shared hosting account.
posted by Elminster24 at 12:08 AM on December 1, 2009

For a quick introduction to $_GET, $_POST and setting up a form, take a look at this PHP Manual Page.

See if you can build a form and a PHP action page (the page in the form's action attribute) where the action page displays the info you entered on the form page.

Once you have that working, you'll need to build a form on your action page. One easy way to carry the data forward from the form page is to use hidden fields. So, use what you learned in the PHP Manual Page I linked to to grab the data entered on the first form page and insert it into a hidden field in the form on your first action page.

That should be a start, at least.
posted by syzygy at 12:10 AM on December 1, 2009

Are you doing this for work? If you have never done this before then get someone in to do it, it'll be cheaper and they will deal with xss and validation for you.
posted by devnull at 1:42 AM on December 1, 2009

You should read up on sessions.

As for sending mail, it's fairly trivial, you just need the appropriate mail server details.
posted by wongcorgi at 2:15 AM on December 1, 2009

Thanks for the links so far guys, this is great reading material.

A couple things...

I figured it required use of GET and POST, thanks for the link. I had no idea this PHP Manual covered everything in such detail--this is fantastic.

I am doing this for a new business website of mine I am launching and while I know it would probably be inexpensive and quicker to outsource it, I have been wanting to learn more PHP and I figure this is a good next step for doing so. Again, I want to "learn to fish" so to speak.

Are sessions required to do what I want to do? Or is it just a way to pass the data through while not requiring it to be passed in the forwarding URL like it would be with GET and POST?
posted by Elminster24 at 10:16 AM on December 1, 2009

I don't yet have an understanding of how to implement global GET and POST commands (which I have a hunch is what is involved in passing the data between pages according to the initial research I've done).

Sorta kinda.

GET and POST are two different approaches for handling form data: GET stuffs it into the URL for the next page, while POST handles the form data separately from the rest of the page. Yes, I am wildly oversimplifying this, but it is ok, do not panic.

The advantage of GET is that you can access the data on the client side using JavaScript if need be, strictly speaking you don't have to have any server-side code, and if a user bookmarks a page in the middle of the process, state will be maintained (since it's all in the URL). The advantage of POST is that the data doesn't have to be stuffed into the URL, which has a limited length. In practice, GET is really only useful if you have only one or two form fields to cope with; most of the time you want to be using POST.

So: your page one contains a form using a POST method, a select box with your industry selection, and a hidden input into which you will put the page referrer URL (using JavaScript). This form points to PHP script one, which will read those two pieces of form data and generate HTML for page two, which contains another POST form pointing to PHP script number two. Any fields you want to maintain into further steps, which is so far all of them, the PHP script should stuff into hidden inputs in that form. Repeat as needed, until your last form points to a final PHP script which actually sends the mail.

You don't need to do any server-side state maintenance or have any sort of database, since all the data you're passing along from previous steps is contained in hidden inputs to be passed on to the next step.

There are, of course, far more elegant approaches than what I've described here -- PHP sessions actually do most of this work for you, in fact -- but this is easy to conceptualize and will work; for your first time out and as a learning experience it may be the way to go.

One warning about that last step, though: for any script which sends email, it is very very easy to screw up in ways that will let the bad guys use your script as a gateway for spamming people. For that final step you are almost certainly better off using a prebuilt script that will have been tested for this, rather than coding from scratch, even if it's still a black box to you. Alternatively, you could have your script save the data on the server rather than emailing it -- this could be a flat-text log file if you don't want to deal with a database.
posted by ook at 10:47 AM on December 1, 2009
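The mail-sending step ook warns about, written from the defensive side as an added example (not code from any poster here): the From address and subject are constants, the submitter's address is validated before it goes anywhere near a header, and only a fixed list of fields is copied into the body. File name, field names and the example.com addresses are placeholders; it assumes PHP 7+ and a host whose mail() actually delivers.

```php
<?php
// send_lead.php (placeholder name): final step of the multi-page form.
// Receives the fields carried forward as hidden inputs plus the
// submitter's email, and mails a plain-text summary.

// Fields we expect and are willing to put into the email. Anything
// else in $_POST is ignored rather than forwarded.
$allowedFields = ['industry', 'company_size', 'referrer'];

// Fixed From address on our own domain, as the question asks for.
// Never built from user input, so nothing can be injected into it.
$from = 'leads@example.com';   // placeholder domain
$to   = 'me@example.com';      // placeholder recipient

// Validate the submitter's address. FILTER_VALIDATE_EMAIL rejects
// anything containing CR/LF, so the result is safe to put in a header.
$replyTo = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($replyTo === false) {
    http_response_code(400);
    exit('Please enter a valid email address.');
}

// Build the text body from the allowlisted fields only. Non-string
// values (e.g. industry[]=...) become empty; control characters are
// stripped so a field cannot forge extra lines in the summary.
$lines = [];
foreach ($allowedFields as $name) {
    $value = is_string($_POST[$name] ?? null) ? $_POST[$name] : '';
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value);
    $lines[] = sprintf('%-13s %s', $name . ':', $value);
}
$body = "New lead from the website\n\n" . implode("\n", $lines) . "\n";

// Headers are assembled from constants and the validated address only.
$headers = "From: {$from}\r\n"
         . "Reply-To: {$replyTo}\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";

// The subject is a constant too; users never get to choose it.
if (mail($to, 'Website lead', $body, $headers)) {
    echo 'Thanks, your details have been sent.';
} else {
    http_response_code(500);
    echo 'Sorry, the message could not be sent.';
}
```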

For your point number 2 about capturing the original referer: you can access that in PHP via $_SERVER['HTTP_REFERER'], which you could then encode in a hidden form variable so that it gets propagated to the next steps. However, this technique leaves you vulnerable to user tampering because you have no way of validating that what you receive in the posted form data was not changed in some way. There are countless ways a user can do this, e.g. editing the page source through Firebug or simply posting directly with something like curl. In this case you may not care about the integrity of this data, but in other cases you do, and the way to fix it is to use PHP's session feature. Instead of propagating the value itself, you store the value server-side in the session store and instead propagate a session ID. The user can still send any session ID they want, but the chances of them being able to pick a valid one at random are remote. (Sometimes you have to augment this logic further because you don't want malicious users tampering with other users' sessions if they learn their session ID, such as what can happen if you maintain the session ID in a GET parameter and the user publicly posts a link that contains their session ID.)
posted by Rhomboid at 12:48 PM on December 1, 2009

And I have to mention that the issue of validating the referer data is rather benign as referer data is user-supplied; a malicious user could fake it at the first step anyway. But in general I just want to make sure that it's understood that propagating things through hidden form fields should not be relied on for anything for which user tampering could be ruinous.

Also, there's a very significant problem that you have to be aware of any time you take user data from a POST or GET and then use that to generate HTML, such as what you'd do at step 2 having received the industry type from the previous step. You have to make sure that you don't allow any cross-site scripting exploits. For example, if you blindly trust that the user picked one of the values in the drop-down, a malicious user could POST a form with a bogus selection of "<script>document.write('your page is owned');Heavy Mining". If you then turn around and use that value to generate HTML for your next step, you've just embedded a script tag from the user in your page, which is all kinds of dangerous.
posted by Rhomboid at 12:56 PM on December 1, 2009

Thanks for the great additional info ook and Rhomboid. Good points on the potential security holes with the referrer string and the POST/GET commands. I am expecting primarily business folk on this site as it is a company website offering business services, so I guess I'm less concerned about them spoofing their referrer info on a lead-capture form (if they go to the trouble to do this I probably don't want them as a customer anyway), but I definitely still see the concern with the cross-site scripting exploit.

Is there an easy way to prevent that sort of exploit? Is that the sort of thing that is prevented by using sessions as ook mentioned?
posted by Elminster24 at 10:53 PM on December 1, 2009

Is there an easy way to prevent that sort of exploit?

Not really. Sessions would mean you don't have to manually pass the data on to each step, but since the user input that data in the first place you still have to check it.

Any time you're accepting user input, you have to consider it tainted and do some filtering on it before using that data to generate a page or an email. For example, if they're entering text, make sure it only contains alphanumeric characters before doing anything with it. If you know there are only five possible valid values for field X, you should check on the server to make sure that what the client has sent you is one of those five values. (Be as strict as possible about what you accept: don't filter out bad characters; filter in the good ones, if you see what I mean.)

It's not difficult to do this, just laborious and persnickety, which is why so many sites are vulnerable to this type of attack.
posted by ook at 5:41 AM on December 2, 2009
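The step-2 handler that Rhomboid's XSS warning and ook's "filter in the good ones" advice both describe, as an added example (not code from either poster): the industry value is checked against the server's own list of choices, the referrer is only ever written out through htmlspecialchars(), and both are carried forward as hidden fields. The file names, the industry list and the follow-up questions are constructed for the example; it assumes PHP 7+.

```php
<?php
// step2.php (placeholder name): receives the industry choice from the
// page-1 form and builds the page-2 form.

// The only values page 1 offers. Checking against this list on the
// server is "filter in the good ones": anything not on the list is
// rejected outright, never cleaned up. Strict comparison also rejects
// arrays and other non-string junk.
$industries = ['Heavy Mining', 'Retail', 'Software', 'Healthcare'];

$industry = $_POST['industry'] ?? '';
if (!in_array($industry, $industries, true)) {
    http_response_code(400);
    exit('Please go back and choose an industry from the list.');
}

// The referrer came from a page-1 hidden field; it is untrusted text,
// so it is capped in length and only emitted through e() below.
$referrer = is_string($_POST['referrer'] ?? null) ? $_POST['referrer'] : '';
$referrer = substr($referrer, 0, 500);

// Escape helper: every user-derived value passes through this before it
// is placed in HTML text or an attribute. ENT_QUOTES covers attributes.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Follow-up question differs by industry (as the question describes);
// the raw value is only ever used as a key into our own table.
$followUp = [
    'Heavy Mining' => 'Number of sites operated',
    'Retail'       => 'Number of stores',
    'Software'     => 'Number of developers',
    'Healthcare'   => 'Number of facilities',
];
?>
<p>You selected: <strong><?= e($industry) ?></strong></p>
<form method="post" action="step3.php">
  <!-- Carry forward everything gathered so far as hidden fields -->
  <input type="hidden" name="industry" value="<?= e($industry) ?>">
  <input type="hidden" name="referrer" value="<?= e($referrer) ?>">
  <label><?= e($followUp[$industry]) ?>:
    <input type="text" name="company_size" pattern="[0-9]{1,6}" required>
  </label>
  <button type="submit">Continue</button>
</form>
```

The step-3 script has to repeat the same checks on every hidden field it receives, because (as Rhomboid notes) a hidden field can be edited just as easily as a visible one.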

Interesting. I get what you mean about how to filter them. Basically, when possible only allow exact selections, and when not possible, make sure I'm filtering out characters that shouldn't apply to that field.
posted by Elminster24 at 4:43 PM on December 2, 2009
