Amit Kollol Dey Amit Kollol Dey - 1 month ago 8
PHP Question

PHP contact form sending email every time the page is refreshed

PHP contact form sends email every time the page is refreshed. If user sends his message once and refreshes again, the same message is sent again. This happens every time the page is refreshed.

Here is my code form the form:

if (isset($_POST['submit'])) {
if ($_POST['email'] == '' || $_FILES['file_upload'] == '' || $_POST["fname"] == '' || $_POST["lname"] == '' || $_POST["message"] == '') {
echo '<p class="red-info">Please Fill All The Fields</p>';

} else {

$from_email = $_POST['email']; //from mail, it is mandatory with some hosts
$recipient_email = 'myemail@gmail.com'; //recipient email (most cases it is your personal email)

//Capture POST data from HTML form and Sanitize them,
$sender_fname = filter_var($_POST["fname"], FILTER_SANITIZE_STRING); //sender name
$sender_lname = filter_var($_POST["fname"], FILTER_SANITIZE_STRING); //sender name
$sender_phone_1 = filter_var($_POST["phone_1"], FILTER_SANITIZE_STRING); //sender name
$sender_phone_2 = filter_var($_POST["phone_2"], FILTER_SANITIZE_STRING); //sender name
$sender_phone_3 = filter_var($_POST["phone_3"], FILTER_SANITIZE_STRING); //sender name
$sender_phone = $sender_phone_1 . ' ' . $sender_phone_2 . ' ' . $sender_phone_3; //sender name
$reply_to_email = filter_var($_POST["email"], FILTER_SANITIZE_STRING); //sender email used in "reply-to" header
$subject = 'Contact Form'; //get subject from HTML form
$message = filter_var($_POST["message"], FILTER_SANITIZE_STRING); //message

/* //don't forget to validate empty fields
if(strlen($sender_name)<1){
die('Name is too short or empty!');
}
*/

//Get uploaded file data
$file_tmp_name = $_FILES['file_upload']['tmp_name'];
$file_name = $_FILES['file_upload']['name'];
$file_size = $_FILES['file_upload']['size'];
$file_type = $_FILES['file_upload']['type'];
$file_error = $_FILES['file_upload']['error'];

if ($file_error > 0) {
die('Upload error or No files uploaded');
}
//read from the uploaded file & base64_encode content for the mail
$handle = fopen($file_tmp_name, "r");
$content = fread($handle, $file_size);
fclose($handle);
$encoded_content = chunk_split(base64_encode($content));

$boundary = md5("sanwebe");
//header
$headers = "MIME-Version: 1.0\r\n";
$headers .= "From:" . $from_email . "\r\n";
$headers .= "Reply-To: " . $reply_to_email . "" . "\r\n";
$headers .= "Content-Type: multipart/mixed; boundary = $boundary\r\n\r\n";

//plain text
$body = "--$boundary\r\n";
$body .= "Content-Type: text/plain; charset=ISO-8859-1\r\n";
$body .= "Content-Transfer-Encoding: base64\r\n\r\n";
$body .= "<br />First Name:" . $sender_fname;
$body .= "<br />Last Name:" . $sender_lname;
$body .= "<br />Phone:" . $sender_phone;
$body .= "<br />Message:";
$body .= chunk_split(base64_encode($message));

//attachment
$body .= "--$boundary\r\n";
$body .= "Content-Type: $file_type; name=" . $file_name . "\r\n";
$body .= "Content-Disposition: attachment; filename=" . $file_name . "\r\n";
$body .= "Content-Transfer-Encoding: base64\r\n";
$body .= "X-Attachment-Id: " . rand(1000, 99999) . "\r\n\r\n";
$body .= $encoded_content;

$sentMail = mail($recipient_email, $subject, $body, $headers);
if (isset($sentMail)) //output success or failure messages
{
echo '<p class="green-info">Your Email Has Been Submitted!We will contact soon.</p>';
echo "<script>document.contact.reset();</script>";
header("location: contect.php");
} else {
die('Could not send mail! Please check your PHP mail configuration.');
}
}
}

Answer Source

$sender_lname = filter_var($_POST["fname"], FILTER_SANITIZE_STRING); Should be, $sender_lname = filter_var($_POST["lname"], FILTER_SANITIZE_STRING);

If you are refreshing a browser, they tend to cache the last POST request. You may be asked if you want to re-submit form data. Try adding a hidden field with a hash value for a token.

<input type="hidden" name="token" value="someHashValue">

Implement sessions to compare the submitted token against the one stored in $_SESSION.

session_start();
session_regenerate_id(); //Used properly, helps deter session fixation;
$_SESSION['token'] = "someHashValue"; //Must be unique for each page load.

Use a good hashing function to create the token. I would steer clear of md5 and sha1.

Basically...

if($_SESSION['token'] === $_POST['token'])
{
    //Good. You want to filter, validate, and check this early on.
    //Whatever you do, just be consistent.
}

Also, be wary of using the file name ($file_name = $_FILES['file_upload']['name'];) supplied by the browser in your code. Most would say find a way not to use it, but if you do, you still need to filter and validate it in some way. Re-naming the file might be appropriate. Checking the file size is a good idea, too. Don't rely too heavily on the php.ini on the file size bit. If file type matters, you can even try to inspect the file before accepting it.

Lastly, when you get there, if you are going to use PHP filter functions, it may be a good idea to use filter_input_array() with INPUT_POST for your POST data. For the $_FILES superglobal, I made a separate routine just for validating it (but, you cannot use filter_input_array() for that). Good luck! You are on your way!