I'm trying to write a simple e-mail form for my website using HTML and PHP. Unfortunately, if I upload all the files to my webserver and click the submit button, the .php script won't be executed but downloaded. I know there are quite similar questions on the internet, but they didn't solve my problem. So here's my HTML:

    <!DOCTYPE html>
    <title>Feedback Form</title>
    <h1>Feedback Form</h1>
    <form method="post" action="send_mail.php">
      <p>
        <label>First Name
          <input type="text" name="first_name" required>
        </label>
      </p>
      <p>
        <label>Email
          <input type="email" name="email_address">
        </label>
      </p>
      <p>
        <label>Comments
          <textarea name="comments" maxlength="500"></textarea>
        </label>
      </p>
      <p><button>Submit the form</button></p>
    </form>

Here comes my .php file:
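
    <?php
    // Recipient address and the pages the handler redirects to
    $webmaster_email = "user@t-online.de";
    $feedback_page = "feedback_form.html";
    $error_page = "error_message.html";
    $thankyou_page = "thank_you.html";

    // Read the submitted fields; default to '' so that a request without form
    // data raises no undefined-index notice before header() is called
    $email_address = isset($_REQUEST['email_address']) ? $_REQUEST['email_address'] : '';
    $comments = isset($_REQUEST['comments']) ? $_REQUEST['comments'] : '';
    $first_name = isset($_REQUEST['first_name']) ? $_REQUEST['first_name'] : '';

    // Message body sent to the webmaster
    $msg =
        "First Name: " . $first_name . "\r\n" .
        "Email: " . $email_address . "\r\n" .
        "Comments: " . $comments;

    // Returns true if $str contains a line feed, carriage return or tab,
    // or one of the URL-encoded sequences %0A, %0D, %08, %09
    function isInjected($str) {
        $injections = array('(\n+)',
            '(\r+)',
            '(\t+)',
            '(%0A+)',
            '(%0D+)',
            '(%08+)',
            '(%09+)'
        );
        $inject = join('|', $injections);
        $inject = "/$inject/i";
        if (preg_match($inject, $str)) {
            return true;
        } else {
            return false;
        }
    }

    if (!isset($_REQUEST['email_address'])) {
        // Script requested without form data: send the visitor to the form
        header("Location: $feedback_page");
    } elseif (empty($first_name) || empty($email_address)) {
        // Required fields are missing
        header("Location: $error_page");
    } elseif (isInjected($email_address) || isInjected($first_name) || isInjected($comments)) {
        // A field contains line-break or tab characters
        header("Location: $error_page");
    } else {
        mail("$webmaster_email", "Feedback Form Results", $msg);
        header("Location: $thankyou_page");
    }
    ?>
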
1. I've tested this on Chrome and the Tor Browser.
2. Previous articles said that a PHP file containing an error would be downloaded by browsers. I've checked the code multiple times, but I haven't found any errors.