I'm building a contact form for my WordPress theme. I want the ability to enter a receiver address from the backend. At the moment I am passing the variable with a hidden input field.
<input type="text" class="hidden" name="receiver" value="<?php echo esc_attr(get_option('admin_email')); ?>"/>
I read that I shouldn't do this, because it's insecure. But how would I do it then?
Edit: Here is my process.php. I tried to get the admin email but that breaks it somehow.
<?php
// process.php as posted, with defects fixed. get_option() only exists once WordPress
// is loaded (e.g. when the request goes through a theme template or admin-post.php),
// which is why calling it from a bare PHP file "breaks" the form.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // form validation vars
    $formok = true;
    $errors = array();
    // submission data
    $ipaddress = $_SERVER['REMOTE_ADDR'];
    $date = date('d.m.Y');
    $time = date('H:i');
    // form data (missing fields default to '' instead of raising notices)
    $name    = trim($_POST['name'] ?? '');
    $email   = trim($_POST['email'] ?? '');
    $website = trim($_POST['website'] ?? '');
    $budget  = trim($_POST['budget'] ?? '');
    $message = trim($_POST['message'] ?? '');
    // the receiver still comes from the hidden field, which is what the question is about:
    // anyone can change it and use this form to send mail to an arbitrary address
    $receiver = $_POST['receiver'] ?? '';
    $sender = function_exists('get_option') ? get_option('admin_email') : '';
    // user-facing messages are German, as posted
    if ($name === '') {
        $formok = false;
        $errors[] = "Sie haben keinen Namen angegeben.";
    }
    if ($email === '') {
        $formok = false;
        $errors[] = "Sie haben keine Emailadresse angegeben.";
    } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        // validate email address; FILTER_VALIDATE_EMAIL also rejects CR/LF, so the From: header is safe
        $formok = false;
        $errors[] = "Sie haben keine gültige Emailadresse angegeben.";
    }
    if ($message === '') {
        $formok = false;
        $errors[] = "Das Nachrichtenfeld ist leer.";
    } elseif (mb_strlen($message) < 20) {
        $formok = false;
        $errors[] = "Ihre Nachricht muss mindestens 20 Zeichen enthalten.";
    }
    if ($formok) {
        // header lines must be separated by CRLF; the posted code had literal line breaks here
        $headers  = "From: {$email}\r\n";
        $headers .= "Content-type: text/html; charset=UTF-8\r\n";
        // escape user input before embedding it in an HTML mail body
        $emailbody = "<p><strong>Name: </strong> " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . " </p>
<p><strong>Website: </strong> " . htmlspecialchars($website, ENT_QUOTES, 'UTF-8') . " </p>
<p><strong>Nachricht: </strong> " . nl2br(htmlspecialchars($message, ENT_QUOTES, 'UTF-8')) . " </p>
<p>Diese Nachricht wurde am {$date} um {$time} über {$sender} gesendet.</p>";
        // strip CR/LF from the subject so a crafted name cannot inject extra mail headers
        $subject = "Anfrage " . str_replace(array("\r", "\n"), ' ', $name);
        if ($receiver) {
            mail($receiver, $subject, $emailbody, $headers);
        } else {
            mail('test@test.com', "Error", $emailbody, $headers);
        }
    }
    // what we need to return back to our form
    $returndata = array(
        'posted_form_data' => array(
            'name'    => $name,
            'email'   => $email,
            'website' => $website,
            'budget'  => $budget,
            'message' => $message
        ),
        'form_ok' => $formok,
        'errors'  => $errors
    );
    // if this is not an ajax request (the posted check read an undefined index when the header was absent)
    $requestedWith = $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '';
    if (strtolower($requestedWith) !== 'xmlhttprequest') {
        // set session variables
        session_start();
        $_SESSION['cf_returndata'] = $returndata;
        // redirect back to the form and stop executing; note that redirecting to an
        // unchecked Referer is an open redirect, so fall back to the site root when it is missing
        header('Location: ' . ($_SERVER['HTTP_REFERER'] ?? '/'));
        exit;
    }
}
Since you know the receiver address, you shouldn't pass it. When the form is submitted, you can use the backend PHP script to send it without exposing it to the user at all!
Use sessions. When the user submits, send the data to the following SQL query that will parse all your data.
Put your form processing code inside a WordPress page template; then you can use get_option('admin_email') in the backend form code and never have to expose it on a public web page.
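The approach the last two answers describe, worked through as an added example (this is not the original poster's code nor the answerers'): the form posts to WordPress's admin-post.php, which bootstraps WordPress before calling the handler, so get_option() works and the receiver address is read on the server instead of travelling through the browser. The function names, the 'mytheme_contact' action, the nonce field name and the 'contact' query parameter are hypothetical; drop the snippet into the theme's functions.php or a small plugin.

```php
<?php
// Added example (not the original poster's code): contact form whose receiver address
// never leaves the server. Names below (mytheme_*, 'mytheme_contact', ?contact=) are
// hypothetical; the WordPress functions are real core functions.

// admin-post.php loads WordPress before dispatching, so get_option() works here.
// The _nopriv_ hook serves logged-out visitors, the other one logged-in users.
add_action('admin_post_nopriv_mytheme_contact', 'mytheme_handle_contact');
add_action('admin_post_mytheme_contact', 'mytheme_handle_contact');

// Prints the form from a template. No receiver field is rendered at all.
function mytheme_contact_form() {
    $status = sanitize_key($_GET['contact'] ?? '');
    if ($status === 'sent') {
        echo '<p>Thank you, your message has been sent.</p>';
    } elseif ($status === 'error') {
        echo '<p>Please check your input.</p>';
    }
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="mytheme_contact">
        <?php wp_nonce_field('mytheme_contact', 'mytheme_contact_nonce'); ?>
        <p><label>Name <input type="text" name="name" required></label></p>
        <p><label>Email <input type="email" name="email" required></label></p>
        <p><label>Website <input type="url" name="website"></label></p>
        <p><label>Message <textarea name="message" minlength="20" required></textarea></label></p>
        <p><button type="submit">Send</button></p>
    </form>
    <?php
}

// Handles the POST. Every field is sanitized; the receiver comes from the database.
function mytheme_handle_contact() {
    // The nonce ties the submission to this site, so third-party pages cannot drive the form.
    $nonce = $_POST['mytheme_contact_nonce'] ?? '';
    if (!wp_verify_nonce($nonce, 'mytheme_contact')) {
        wp_die('Invalid request.', 'Error', array('response' => 403));
    }

    $name    = sanitize_text_field(wp_unslash($_POST['name'] ?? ''));
    $email   = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    $website = esc_url_raw(wp_unslash($_POST['website'] ?? ''));
    $message = sanitize_textarea_field(wp_unslash($_POST['message'] ?? ''));

    $ok = $name !== '' && is_email($email) && mb_strlen($message) >= 20;

    if ($ok) {
        $receiver = get_option('admin_email'); // server-side only; the client cannot change it

        // sanitize_text_field() removes line breaks, so $name cannot inject headers via the subject.
        $subject = 'Anfrage ' . $name;

        // Keep From: as the site's own address (SPF/DKIM/DMARC) and put the visitor in Reply-To.
        $headers = array(
            'Content-Type: text/html; charset=UTF-8',
            'Reply-To: ' . $email,
        );

        // Escape before embedding in the HTML body so a visitor cannot inject markup into the mail.
        $body = sprintf(
            '<p><strong>Name:</strong> %s</p><p><strong>Website:</strong> %s</p>'
            . '<p><strong>Message:</strong> %s</p><p>Sent on %s from IP %s</p>',
            esc_html($name),
            esc_html($website),
            nl2br(esc_html($message)),
            esc_html(current_time('d.m.Y H:i')),
            esc_html($_SERVER['REMOTE_ADDR'] ?? '')
        );

        wp_mail($receiver, $subject, $body, $headers);
    }

    // wp_safe_redirect() only follows same-host targets, unlike a raw header('Location: ' . $_SERVER['HTTP_REFERER']).
    $back = wp_get_referer() ?: home_url('/');
    wp_safe_redirect(add_query_arg('contact', $ok ? 'sent' : 'error', $back));
    exit;
}
```

Two caveats a practitioner should check: a nonce embedded in a page served from a full-page cache will expire after WordPress's nonce lifetime, so cached sites may need to exempt the contact page or fetch the nonce via AJAX; and wp_mail() still depends on a working mailer on the host, so a failed send should be logged rather than silently reported as "sent".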