I am new to PHP and obviously new to these forums so I just want to thank you all ahead of time for any info you can provide.

I currently have a HTML form that passes the data to a PHP script that mails the values to an email address. All is wonderful except after the form is processed I would like to have the user go to a "thankyou.html" site instead of seeing the currently very plain and boring HTMLBLOCK that is printed out after the form is emailed. There is far to much CSS to copy it all into the HTMLBLOCK (assuming you even can). I have tried using the header(location: "www.xyz.com"...) but as others have posted you can't because the header cannot be modified at that point. So is there any easy way to redirect users to another .html page or am I stuck with what I currently have?

Thanks!


Not sure it will help but here is my current PHP mailer code:

PHP Code:

<?php
$person = $_REQUEST["form_person"];
$phone = $_REQUEST["form_phone"];
$prayer = $_REQUEST["form_prayer"];


if(isset($prayer))  {
    mail('info@mywebsite.net', 'Prayer Request from Website', "Name: $person\nPhone: $phone\nPrayer Request: $prayer");
print <<<HTMLBLOCK
<html>
<head><title>Thank You!</title>
<style type="text/css">
li {
list-style-type: none;
}
</style>
</head>
<body>
<ul>
<li>Thank you for your prayer request.</li>
<li><a href="index.html">Return Home</a></li>
</ul>
</body>
</html>
HTMLBLOCK;
} else {
echo ("There has been a problem.");
}
?>

PHP Code:

<?php
$person = $_REQUEST["form_person"];
$phone = $_REQUEST["form_phone"];
$prayer = $_REQUEST["form_prayer"];


if(isset($prayer))  {
    mail('info@mywebsite.net', 'Prayer Request from Website', "Name: $person\nPhone: $phone\nPrayer Request: $prayer");

header("Location: ./thankyou.html");

} else {
echo ("There has been a problem.");
}
?>

Ok I swear I tried that, but got an error.... Crazy... Thanks for the help!

Because it is inside a loop, it will work. I do use it myself in some cases.

Also NEVER EVER EVER use $_REQUEST[] it leaves you open for hacks...

Always use either $_GET or $_POST in this case its $_POST and always clean the entries.


Dan

Thanks dan, but I am not sure what you mean "clean the entries". I will change _request to _post, as I do not want my client open for hacks.

Again I am new at this, and appreciate any help. I am a novice when it comes to programming and they do not really teach hacking in my local college so knowing how to guard against it is difficult to learn.... Thanks again!

Ok Sorry i should have explained.

"Cleaning" is basically checking inputs for possible hack attempts this includes SQL injections and email injectons.

So to protect against SQL injections u use the mysql_real_escape_string() function (look it up at PHP.net for more info)

With SQL injection you can do things like login without authority,
Like a completely un protected login you could enter

say admin for user and

fake_pass' OR user='admin for the password and the SQL sees that the user is admin and would allow admin access.

Which is bad...

And email injection for a unprotected form a hacker could send spam emails through your server meaning it looks like its you. You get black listed etc etc..

I only read about this a few days ago, so i wont post anything about how to protect becuas ei dont want to get it wrong

Dan
Hope this helps.
TP apprieciated

I made the changes to the script so now it uses post and not request. Thanks for that tip.

As for the rest, I have zero experience guarding against or even understanding what or how people can use a form for ill intent. As of now, this is a pretty basic form mailer script (so SQL really does not come into play) however other email attacks are troubling. Do you have any information about how to protect against them? I did a quick search of the net and most are pay services or software that protects you.

Sorry, I am just a noob when it comes to hacking and other black hat activities out there, any help is appreciated.

I really dont want to go into detail incase i mess up,

but basically they inset extra header info into mail through the fields (like CC so it gets sent to tons of people...

use the special field in your php file e.g.:
$SPECIAL_FIELDS = array(
"good_url", // URL to go to on success
"good_template",// template file to display on success
and put the extra tag in the form page for e.g:
<input type="hidden" name="good_url" value="http://www.yourdomain.com/directory/thankyou-page.html" />

OR

If you dont want to change your php file just put redirect code inside a html tag and redirect it to your thank you page.