<form method="post" action="<?php print $_SERVER['PHP_SELF"]; ?>">

Looks pretty harmless doesn’t it, but it is a pretty dangerous shortcut to use. Imagin I get a user to visit the page the form is on by following this link, maybe hiding it in a short url:

http://example.com/formpage.php?"><script>alert(document.cookie);</script>

where I’ve added some html into the url which contains a script tag.

I could use this method to grab all your cookies and log in as you, or send ajax requests back to the site on your behalf. All very frightening. The quick solution is to turn html characters into their harmless entities using the php function htmlspecialchars. So the code would be

<form method="post" action="<?php print htmlspecialchars($_SERVER['PHP_SELF']); ?>">

But wait! The best way to submit to the same page with a form is to use and empty action attribute. It’s valid and it works.

<form method="post" action="">

Don’t believe me? Go tell Jesse. He also wrote about empty action attributes.

The first step for me was to set up a new subdomain in cPanel (a control panel my affordable host includes). This allows me to only send (or pipe) specific email to the script and means I can run a catch-all wildcard forwarder on all emails to that subdomain.

In cPanel I created the subdomain in the normal way. Then I navigated to ‘Email Management Tools -> Default E-mail account’, chose the new subdomain from the dropdown list, clicked ‘Advanced Options’ and selected the radio button for ‘Pipe to a Program’.
In the textbox I added the name of the file that would be used to process the emails. In my case catcher.php which I had already created in the root of my site (not in public_html).

Cpanel is clever enough to add your sites root folder to the name you specify, so will be altered to something like ‘/home/youraccount/catcher.php’

The next step was to prepare catcher.php to deal with the emails being piped to it. Open the file and change the contents to something along the lines of:

#!/usr/bin/php -q
<?php
 
// read from stdin
$fd = fopen("php://stdin", "r");
$email = "";
while (!feof($fd))
{
	$email .= fread($fd, 1024);
}
fclose($fd);
 
 
mail('you@yoursite.com','From my email pipe!','"' . $email . '"');
 
?>

The first line of the script is very important and will tell the email pipe to use php. If your php install is not found at the location show, change it so it is. The -q part tells the pipe not to bounce an email back to the sender. A good thing as we can do that manually in the script.

Make sure you change the permissions of the script to be executable by the email pipe. chmod 755 should do fine.

The script itself will grab the emails contents using fopen on php://stdin which is where the email is temporarily stored. You can then manipulate it using such functions as preg_match to grab the parts you want.

The beauty of this method is it will catch all email to that subdomain, so you can create addresses which include the users id and a hash which can be temporary:

1294710241-w98fqwfhi3ho2ih3f@emailin.mysite.com

which you can use to ensure you only act on emails from the intended user.

Note: If you are using -q but still getting bounces, be sure the script is not outputting any data. That means once you have tested it, no print, no echo, no var_dump. When you run the script directly you should see a blank screen and the source code should be empty.

Finally I have found one that I almost agree with completely. My only wobble is regarding the suggestion not to use getters and setters in classes.

PHP Coding standards

The PHP Coding Standard is with permission based on Todd Hoff’s C++ Coding Standard.
Rewritten for PHP by Fredrik Kristiansen / DB Medialab, Oslo 2000-2003.