PHP

Colin van Wyk
8,258 Points

Do you still have to escape output if nothing is posted back to the browser?

If all my variables (input by the user) are to be sent to me via email, and not redisplayed, then nothing has been output back to the browser, right? Therefore there is no $_POST and therefore no htmlspecialchars() to be used?

<?php

//Import the PHPMailer class into the global namespace
use PHPMailer\PHPMailer\PHPMailer;

require 'vendor/phpmailer/src/PHPMailer.php';
require 'vendor/phpmailer/src/Exception.php';
require 'vendor/phpmailer/src/SMTP.php';

//filter_input() returns null for a missing field; cast to string so trim() always receives a string
$name = trim((string) filter_input(INPUT_POST, "name", FILTER_SANITIZE_STRING));
$email = trim((string) filter_input(INPUT_POST, "email", FILTER_SANITIZE_EMAIL));
$designOption = trim((string) filter_input(INPUT_POST, "designOption", FILTER_SANITIZE_STRING));
$userPrep = trim((string) filter_input(INPUT_POST, "userPrep", FILTER_SANITIZE_STRING));
$userSpecified = trim((string) filter_input(INPUT_POST, "userSpecified", FILTER_SANITIZE_SPECIAL_CHARS));

//header() sends the redirect immediately and returns nothing, so it cannot be stored in a
//variable for later use; wrap the redirect in a function and call it where needed
function redirectToError()
{
    header("Location: error.php");
    exit;
}

if ($name == "" || $email == "") {
    redirectToError();
}

//Spam check: this hidden field is expected to stay empty (isset avoids an undefined-index notice)
if (!empty($_POST["address"])) {
    redirectToError();
}

if (!PHPMailer::validateAddress($email)) {
    redirectToError();
}

//echo "<pre>";
$email_body = "";
$email_body .= "Name: " . htmlspecialchars($name) . "\n";
$email_body .= "Email Address: " . $email . "\n";
$email_body .= "Design Option: " . $designOption . "\n";
$email_body .= "User Preparedness: " . $userPrep . "\n";
$email_body .= "User Comments: " . $userSpecified . "\n";
//echo $email_body;
//echo "</pre>";

$mail = new PHPMailer;
//$mail->isSMTP();
//$mail->Host = 'localhost';
//$mail->Port = 2500;
//$mail->CharSet = 'utf-8';
//It's important not to use the submitter's address as the from address as it's forgery,
//which will cause your messages to fail SPF checks.
//Use an address in your own domain as the from address, put the submitter's address in a reply-to
$mail->setFrom('order@example.com', $name);
$mail->addReplyTo($email, $name);
$mail->addAddress('quote@example.com', 'Colin');
$mail->Subject = 'Quote Request from ' . $name;
$mail->Body = $email_body;
if (!$mail->send()) {
    echo "Mailer Error: " . $mail->ErrorInfo;
    //Stop here: once output has been sent, the redirect header below can no longer be set
    exit;
}

header("Location: thanks.php");
?>

Is my form secure as per the coding above?

Or are the htmlspecialchars() inserts as per the below required?

<?php

//Import the PHPMailer class into the global namespace
use PHPMailer\PHPMailer\PHPMailer;

require 'vendor/phpmailer/src/PHPMailer.php';
require 'vendor/phpmailer/src/Exception.php';
require 'vendor/phpmailer/src/SMTP.php';

//filter_input() returns null for a missing field; cast to string so trim() always receives a string
$name = trim((string) filter_input(INPUT_POST, "name", FILTER_SANITIZE_STRING));
$email = trim((string) filter_input(INPUT_POST, "email", FILTER_SANITIZE_EMAIL));
$designOption = trim((string) filter_input(INPUT_POST, "designOption", FILTER_SANITIZE_STRING));
$userPrep = trim((string) filter_input(INPUT_POST, "userPrep", FILTER_SANITIZE_STRING));
$userSpecified = trim((string) filter_input(INPUT_POST, "userSpecified", FILTER_SANITIZE_SPECIAL_CHARS));

//header() sends the redirect immediately and returns nothing, so it cannot be stored in a
//variable for later use; wrap the redirect in a function and call it where needed
function redirectToError()
{
    header("Location: error.php");
    exit;
}

if ($name == "" || $email == "") {
    redirectToError();
}

//Spam check: this hidden field is expected to stay empty (isset avoids an undefined-index notice)
if (!empty($_POST["address"])) {
    redirectToError();
}

if (!PHPMailer::validateAddress($email)) {
    redirectToError();
}

//echo "<pre>";
$email_body = "";
$email_body .= "Name: " . htmlspecialchars($name) . "\n";
$email_body .= "Email Address: " . htmlspecialchars($email) . "\n";
$email_body .= "Design Option: " . htmlspecialchars($designOption) . "\n";
$email_body .= "User Preparedness: " . htmlspecialchars($userPrep) . "\n";
$email_body .= "User Comments: " . htmlspecialchars($userSpecified) . "\n";
//echo $email_body;
//echo "</pre>";

$mail = new PHPMailer;
//$mail->isSMTP();
//$mail->Host = 'localhost';
//$mail->Port = 2500;
//$mail->CharSet = 'utf-8';
//It's important not to use the submitter's address as the from address as it's forgery,
//which will cause your messages to fail SPF checks.
//Use an address in your own domain as the from address, put the submitter's address in a reply-to
$mail->setFrom('order@example.com', htmlspecialchars($name));
$mail->addReplyTo(htmlspecialchars($email), htmlspecialchars($name));
$mail->addAddress('quote@example.com', 'Colin');
$mail->Subject = 'Quote Request from ' . htmlspecialchars($name);
$mail->Body = htmlspecialchars($email_body);
if (!$mail->send()) {
    echo "Mailer Error: " . $mail->ErrorInfo;
    //Stop here: once output has been sent, the redirect header below can no longer be set
    exit;
}

header("Location: thanks.php");
?>
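The question turns on which output context each value ends up in, since escaping is context-specific rather than something applied once at input. The following is an added example, not code from the original post: header-bound fields are rejected if they contain line breaks, the plain-text body is left unencoded, and htmlspecialchars() is applied only when an HTML body is built. The function names and the sample submission are my own.

```php
<?php
// Added example (not from the original post): context-specific output handling for a
// contact form whose values are mailed rather than echoed. Function names are hypothetical.

// Header-bound fields (From/Reply-To display name, Subject) must stay on one line: a CR or LF
// inside them would end the header and let the rest of the input be parsed as further headers.
function assertSingleLine(string $value, string $field): string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException("$field must not contain line breaks");
    }
    return $value;
}

// Plain-text body: no HTML encoding, otherwise "Smith & Sons" reaches the inbox as "Smith &amp; Sons".
function buildTextBody(array $fields): string
{
    $body = '';
    foreach ($fields as $label => $value) {
        // Line breaks are harmless inside the body; indent continuation lines for readability
        $body .= $label . ': ' . preg_replace('/\r\n|\n/', "\n    ", $value) . "\n";
    }
    return $body;
}

// HTML body ($mail->isHTML(true)): here htmlspecialchars IS required, because the mail client
// renders the body as HTML and unencoded input could inject markup.
function buildHtmlBody(array $fields): string
{
    $rows = '';
    foreach ($fields as $label => $value) {
        $rows .= '<tr><th>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</th><td>'
            . nl2br(htmlspecialchars($value, ENT_QUOTES, 'UTF-8')) . '</td></tr>';
    }
    return "<table>$rows</table>";
}

// Constructed sample submission
$post = ['name' => 'Smith & Sons', 'email' => 'jo@example.com', 'userSpecified' => "Line 1\nLine 2 <b>"];

$name  = assertSingleLine(trim($post['name']), 'name');
$email = filter_var(trim($post['email']), FILTER_VALIDATE_EMAIL);
if ($email === false) {
    throw new InvalidArgumentException('invalid email address');
}
$fields = ['Name' => $name, 'Email Address' => $email, 'User Comments' => $post['userSpecified']];

echo buildTextBody($fields), "\n", buildHtmlBody($fields), "\n";
```

If the same values are later echoed on thanks.php or error.php, they are back in an HTML context and need htmlspecialchars() at that point of output.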