#1

Gang;
First off let me say I know near nothing about PHP. What I do know is I need what it does for me.

Some time ago I purchased a little program called PHP Form Wizard to create scripts to handle my online forms of which it does fine for me with one exception. One of the tasks it performs is that it emails the form input data to a specified addy which works well. What it doesn't do, and I have not figured out how to do is to get it to also do a Bcc to another addy. I would very much like to be able to insert a line of code to achieve this if possible. Below you will see an example of the code the PHP Form Wizard program creates. What code and where should it be inserted to add Bcc addy to this form processing script? I would be most grateful if one of you would step up and give me a hand with this. Thanking you in advance for any and info you might provide. Please bear in mind that I am way below the Newbie ranks when it comes to PHP so simplicity is mucho appreciated.
Tha RagMan

```php
<?php
# ----------------------------------------------------
# -----
# ----- This script was generated by PHP-Form Wizard 1.2.5 on 9/8/2007 at 4:29:26 PM
# -----
# ----- http://www.tools4php.com
# -----
# ----------------------------------------------------

// Receiving variables
@$Name = addslashes($_POST['Name']);
@$Email = addslashes($_POST['Email']);
@$Comments = addslashes($_POST['Comments']);

// Validation
if (strlen($Name) == 0 )
{
header("Location: error.html");
exit;
}

if (strlen($Email) == 0 )
{
header("Location: error.html");
exit;
}

if (strlen($Comments) == 0 )
{
header("Location: error.html");
exit;
}

//Sending Email to form owner
$pfw_header = "From: $Email\n"
 . "Reply-To: $Email\n";
$pfw_subject = "Dean Spears Contact Form Results Data";
$pfw_email_to = "me@myemailaddy.com";
$pfw_message = "Name: $Name\n"
 . "Email: $Email\n"
 . "Comments: $Comments\n";
@mail($pfw_email_to, $pfw_subject ,$pfw_message ,$pfw_header ) ;

//saving record in a text file
$pfw_file_name = "contact.txt";
$pfw_first_raw = "Name,Email,Comments\n";
$pfw_values = "$Name,$Email,".str_replace ("\r\n","<BR>",$Comments )."\n";
$pfw_is_first_row = false;
if(!file_exists($pfw_file_name))
{
 $pfw_is_first_row = true ;
}
if (!$pfw_handle = fopen($pfw_file_name, 'a+')) {
 die("Cannot open file ($pfw_file_name)");
 exit;
}
if ($pfw_is_first_row)
{
 if (fwrite($pfw_handle, $pfw_first_raw ) === FALSE) {
 die("Cannot write to file ($pfw_file_name)");
 exit;
 }
}
if (fwrite($pfw_handle, $pfw_values) === FALSE) {
 die("Cannot write to file ($pfw_file_name)");
 exit;
}
fclose($pfw_handle);

header("Location: thanku.html");

?>
```

#2

On Sep 11, 1:23 pm, Tha RagMan <wmercier.nos...@shelby.net> wrote:
> Gang;
> First off let me say I know near nothing about PHP. What I do know is
> I need what it does for me.
>
> Some time ago I purchased a little program called PHP Form Wizard to
> create scripts to handle my online forms of which it does fine for me
> with one exception. One of the tasks it performs is that it emails the
> form input data to a specified addy which works well. What it doesn't
> do, and I have not figured out how to do is to get it to also do a Bcc
> to another addy. I would very much like to be able to insert a line of
> code to achieve this if possible. Below you will see an example of the
> code the PHP Form Wizard program creates. What code and where should
> it be inserted to add Bcc addy to this form processing script? I would
> be most grateful if one of you would step up and give me a hand with
> this. Thanking you in advance for any and info you might provide.
> Please bear in mind that I am way below the Newbie ranks when it comes
> to PHP so simplicity is mucho appreciated.
> Tha RagMan
>
> ```php
> <?php
> # ----------------------------------------------------
> # -----
> # ----- This script was generated by PHP-Form Wizard 1.2.5 on 9/8/2007 at 4:29:26 PM
> # -----
> # -----http://www.tools4php.com
> # -----
> # ----------------------------------------------------
>
> // Receiving variables
> @$Name = addslashes($_POST['Name']);
> @$Email = addslashes($_POST['Email']);
> @$Comments = addslashes($_POST['Comments']);
>
> // Validation
> if (strlen($Name) == 0 )
> {
> header("Location: error.html");
> exit;
>
> }
>
> if (strlen($Email) == 0 )
> {
> header("Location: error.html");
> exit;
>
> }
>
> if (strlen($Comments) == 0 )
> {
> header("Location: error.html");
> exit;
>
> }
>
> //Sending Email to form owner
> $pfw_header = "From: $Email\n"
> . "Reply-To: $Email\n";
> $pfw_subject = "Dean Spears Contact Form Results Data";
> $pfw_email_to = "m...@myemailaddy.com";
> $pfw_message = "Name: $Name\n"
> . "Email: $Email\n"
> . "Comments: $Comments\n";
> @mail($pfw_email_to, $pfw_subject ,$pfw_message ,$pfw_header ) ;
>
> //saving record in a text file
> $pfw_file_name = "contact.txt";
> $pfw_first_raw = "Name,Email,Comments\n";
> $pfw_values = "$Name,$Email,".str_replace ("\r\n","<BR>",$Comments )."\n";
> $pfw_is_first_row = false;
> if(!file_exists($pfw_file_name))
> {
> $pfw_is_first_row = true ;}
>
> if (!$pfw_handle = fopen($pfw_file_name, 'a+')) {
> die("Cannot open file ($pfw_file_name)");
> exit;}
>
> if ($pfw_is_first_row)
> {
> if (fwrite($pfw_handle, $pfw_first_raw ) === FALSE) {
> die("Cannot write to file ($pfw_file_name)");
> exit;
> }}
>
> if (fwrite($pfw_handle, $pfw_values) === FALSE) {
> die("Cannot write to file ($pfw_file_name)");
> exit;}
>
> fclose($pfw_handle);
>
> header("Location: thanku.html");
>
> ?>
> ```

Where it says:

```php
$pfw_header = "From: $Email\n"
 . "Reply-To: $Email\n";
```

Make it say:

```php
$pfw_header = "From: $Email\n"
 . "Reply-To: $Email\n"
 . "Bcc: address_where_the@bcc.should.go\n";
```

I will point out that it should be \r\n between each of those headers (I left it as \n for consistency), and also that this script can easily be used by spammers to send mail wherever they like.

#3

On Tue, 11 Sep 2007 17:42:34 -0000, ZeldorBlat <zeldorblat@gmail.com> wrote:
>this script can easily be used by spammers to send mail wherever they like.

ZeldorBlat;
My sincere thanks and appreciation for your info and above caution. I followed your instructions and the script worked perfectly. To that extent I am delighted. You have raised a concern though concerning the Script being vulnerable to Spammers. Is there any easy fix to avoid this, as I certainly don't need anyone creating spam problems for me. I utilize these scripts in probably 20 forms and this is a real concern. Is there another program similar to what I am currently using that will spit out scripts that are secure to avoid this worry or possibly some code that would handle the security issue? I moved from *.cgi formmail for this very reason and now it seems I am right back where I started.

Many thanks again for your and assistance. I am truly grateful.
Tha RagMan

#4

On Sep 11, 2:56 pm, Tha RagMan <wmercier.nos...@shelby.net> wrote:
> On Tue, 11 Sep 2007 17:42:34 -0000, ZeldorBlat <zeldorb...@gmail.com>
> wrote:
>
> >this script can easily be used by spammers to send mail wherever they like.
>
> ZeldorBlat;
> My sincere thanks and appreciation for your info and above
> caution. I followed your instructions and the script worked perfectly.
> To that extent I am delighted. You have raised a concern though
> concerning the Script being vulnerable to Spammers. Is there any easy
> fix to avoid this, as I certainly don't need anyone creating spam
> problems for me. I utilize these scripts in probably 20 forms and this
> is a real concern. Is there another program similar to what I am
> currently using that will spit out scripts that are secure to avoid
> this worry or possibly some code that would handle the security issue?
> I moved from *.cgi formmail for this very reason and now it seems I am
> right back where I started.
>
> Many thanks again for your and assistance. I am truly grateful.
> Tha RagMan

I'm not sure why they use addslashes() here:

```php
@$Name = addslashes($_POST['Name']);
@$Email = addslashes($_POST['Email']);
@$Comments = addslashes($_POST['Comments']);
```

since the data isn't going to a database that uses slashes to escape things. Even if it was going to a database, there are better ways to do that.

To prevent spammers from hijacking your form you just want to make sure that anything going into the headers doesn't have a \n or \r in it. In your case you want to check the value of $email, since that's mainly what you're putting into headers.

All you really need to do is replace:

```php
@$Email = addslashes($_POST['Email']);
```

with

```php
@$Email = str_replace(array("\r", "\n"), ' ', $_POST['Email']);
```

That will simply replace any instances of \r or \n with a space and prevent header injection.
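
The check described in the reply above, as an added example that is not part of the thread and is not PHP Form Wizard output: it rejects a submitted address containing \r or \n instead of rewriting it, validates it with filter_var(), and joins the headers with \r\n. The helper names has_line_break() and build_headers(), the fixed site From address and all example.com / example.net addresses are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): build the headers for mail()
// so that the submitted address cannot introduce extra header lines.

// Hypothetical helper: true if the value contains a CR or LF character.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Hypothetical helper: returns the header string for mail(), or null
// when the submitted address must be rejected.
function build_headers(string $email, string $from, string $bcc): ?string
{
    // Reject rather than rewrite: a real address never contains CR or LF.
    if (has_line_break($email)) {
        return null;
    }
    // Require one syntactically valid address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Assumption: From is a fixed address owned by the site; the
    // visitor's address is only used for Reply-To.
    return "From: $from\r\n"
         . "Reply-To: $email\r\n"
         . "Bcc: $bcc";
}

// Constructed sample inputs (placeholders, not real addresses).
$samples = [
    'visitor@example.com',
    "visitor@example.com\r\nBcc: someone-else@example.net",
    "visitor@example.com\nSubject: replaced",
    'not an address',
];

foreach ($samples as $input) {
    $headers = build_headers($input, 'webform@example.com', 'archive@example.com');
    // json_encode() makes embedded \r and \n visible in the output.
    echo json_encode($input), ' => ',
         $headers === null ? 'rejected' : json_encode($headers), "\n";
}
```

In the form script, a null result would be handled the same way as the existing validation failures, with the redirect to error.html before mail() is called.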

#5

On Tue, 11 Sep 2007 15:20:06 -0700, ZeldorBlat <zeldorblat@gmail.com> wrote:
>I'm not sure why they use addslashes() here:
>
>@$Name = addslashes($_POST['Name']);
>@$Email = addslashes($_POST['Email']);
>@$Comments = addslashes($_POST['Comments']);

ZeldorBlat;
Thanks so much once again for your information and . The little program I use to create these scripts also gives the option to send the parsed data to a database so this may be the reasoning behind the addslashes() here: being included if that is in fact why they might be placed within the script in the first place. I took your advice and made the change from

```php
@$Email = addslashes($_POST['Email']);
```

to your suggestion of

```php
@$Email = str_replace(array("\r", "\n"), ' ', $_POST['Email']);
```

I then ran a little test to ensure that all worked as it should and it did including the Bcc.

I am much in your debt for all the advice and you have offered. I sincerely thank you for your assistance.
Tha RagMan