Field names are displayed - Contents are not
reo_forums
11-17-2007, 09:41 AM
I had been using a sendmail.php script for several years that worked fine. I have a guest book page on my site that contains seven fields including radio buttons, text boxes and drop down menu choices. When the user clicks the submit button, a redirect displays a confirmation page that uses the php code at the end of this message to send the contents to me.
I recently moved my web site to GoDaddy. When I first uploaded the guest book page and the php sendmail file, it worked fine. The next day it did not work correctly. It now only sends me the field names and not the contents. Here is the php code from the confirmation page:
<?php
// Relies on register_globals: $comment, $negative, ... are expected to be
// populated directly from the form fields.
mail("myname@myserver.com", "Guestbook Form Results New",
"Comment: $comment\nNegative: $negative\nOpinion: $opinion\nSkills: $skills \nName: $name \nE-mail Address: $email \nSite: $site", "From: $Email");
?>
I would appreciate any assistance.
NogDog
11-17-2007, 09:59 AM
Where do those variables get set? Is it possible that your script is depending on register_globals being turned on, but that it is not on your new host? (The current "best practice" is to no longer have register_globals enabled due to the possibility of security holes in poorly written scripts.)
reo_forums
11-17-2007, 10:52 AM
My host installed a php.ini file in my home directory. Here is the code in that file:
register_globals = off
allow_url_fopen = off
expose_php = Off
max_input_time = 60
variables_order = "EGPCS"
extension_dir = ./
upload_tmp_dir = /tmp
precision = 12
SMTP = relay-hosting.secureserver.net
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
[Zend]
zend_extension=/usr/local/zo/ZendExtensionManager.so
zend_extension=/usr/local/zo/4_3/ZendOptimizer.so
NogDog
11-17-2007, 11:23 AM
You could try turning on register_globals to see if that makes a difference. If it does, you could then consider editing the script so that it does not depend on it, basically by initializing all your variables from the form values via the $_POST array (assuming your form used the post method), e.g.:
$comment = $_POST['comment'];
$opinion = $_POST['opinion'];
// etc.
Also for your consideration: do the form values get "sanitized" in any way before you use them in the mail() function? If not, then your form is wide open to hijacking by spammers.
reo_forums
11-17-2007, 12:30 PM
Thanks, NogDog. I turned on register_globals, and all of the fields and results were sent properly. I neglected to mention in my original message that I am not an experienced php programmer. I know enough to be able to copy/paste, and (apparently) create problems. :-) I think I do understand basic concepts.
That being said, I tried your suggestion of using an array, which I had previously attempted after many hours of php research on the Internet, with no success. I keep getting error messages. Here is the change I have made:
<?php
mail("myname@myserver.com", "Guestbook Form Results New");
$comment = $_POST['comment'];
$Negative = $_POST['negative'];
$Opinion = $_POST['opinion'];
$Skills = $_POST['skills'];
$Name = $_POST['name'];
$Email = $_POST['email'];
$Site = $_POST['site'];
?>
What's next?
NogDog
11-17-2007, 02:42 PM
The code setting each of the variables from the $_POST values would come first, then you would do the mail() command as you had in your original code (with the same variables as before).
reo_forums
11-18-2007, 08:14 AM
Everything now works correctly. Prior to posting my first message, I spent a great deal of time reading php tutorials to solve my problem. None of them explained the importance of placing the "post" variables before the mail code. They explained various functions in "chunks," without ever showing them together with the proper syntax. Thanks for the simple explanation.
I have two final questions. You asked in a prior reply if I "sanitized" my code. Do you mean in my html code within my guest book form or in the php sendmail file? I do require completion of six of the fields in the guest book form, including proper email format. I don't do anything special in the sendmail file. If I need to do something additional in the sendmail file, what would that be?
NogDog
11-18-2007, 10:40 AM
Any values that will be used in the mail headers can be used to "hijack" your mailer if someone is allowed to post whatever values they want. As an example, the value used in the subject ends up being sent as part of the mail headers. A spammer could come up with a script to send a form submission to your page that has a value for the subject that includes the header element separator, then additional headers that he wants to use followed by a message body. Suddenly instead of sending email where you expect it to go, it is sending whatever message the spammer wants to send to wherever he wants it to go. In your original example, it looks like the only parameter you use in a potentially hijackable manner is the $Email, which is used for the "From:" header.
A simple way to avoid this sort of attack is to disallow newlines or carriage returns in any value you use in the mail command other than the actual message contents (the 3rd parameter to mail). So while you are validating each field (other than the message body), you could also validate that it does not contain those characters, e.g.:
// The pattern needs real delimiters: '/[\r\n]/' matches either a carriage
// return or a line feed anywhere in the value.
if(preg_match('/[\r\n]/', $_POST['email']))
{
// not allowed, so display error and do not send mail
}
// do the same thing for any values used in the additional headers
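Putting the two pieces of advice in this thread together (read the fields from $_POST first, then refuse CR/LF in anything that ends up in a mail header before calling mail()), here is an added example of a complete confirmation-page script. It is not code from the thread; the field names and the placeholder recipient are taken from the original post, and it assumes the form uses the post method.

```php
<?php
// Added example: hardened version of the guest-book mailer.
// Works with register_globals = off and blocks mail-header injection.

$recipient = "myname@myserver.com";   // placeholder from the original post
$fields = array('comment', 'negative', 'opinion', 'skills', 'name', 'email', 'site');

// Step 1: pull every field out of $_POST before anything else uses it.
// A missing field becomes an empty string instead of an undefined variable.
$values = array();
foreach ($fields as $f) {
    $values[$f] = isset($_POST[$f]) ? trim((string) $_POST[$f]) : '';
}

// Returns true if the value contains a carriage return or line feed.
// A newline inside a header value is what lets a submitter append headers
// of their own, so any such value is rejected outright.
function has_newline($s) {
    return preg_match('/[\r\n]/', $s) === 1;
}

// Step 2: validate the values that are placed in headers. In this script
// only the e-mail address is used in a header (From:); add any other
// field here if it is ever moved into the subject or extra headers.
// The message body (3rd argument to mail()) may legitimately span lines.
$header_fields = array('email');
foreach ($header_fields as $f) {
    if (has_newline($values[$f])) {
        header('HTTP/1.0 400 Bad Request');
        exit('Invalid characters in the ' . htmlspecialchars($f) . ' field.');
    }
}

// A stricter check on the address that goes into From: (PHP 5.2+).
if (filter_var($values['email'], FILTER_VALIDATE_EMAIL) === false) {
    header('HTTP/1.0 400 Bad Request');
    exit('Please enter a valid e-mail address.');
}

// Step 3: build the body and send. The subject is a fixed string, so the
// submitter cannot influence it.
$body = "Comment: {$values['comment']}\nNegative: {$values['negative']}\n"
      . "Opinion: {$values['opinion']}\nSkills: {$values['skills']}\n"
      . "Name: {$values['name']}\nE-mail Address: {$values['email']}\n"
      . "Site: {$values['site']}";
$headers = "From: {$values['email']}\r\n";

mail($recipient, "Guestbook Form Results New", $body, $headers);
echo "Thank you, your guest book entry has been sent.";
?>
```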