File: /home/theadvocacyservicecenter/public_html/sendmail.php
<?php
// Verbose error output for debugging. While display_errors is on, any uncaught
// error (including ones raised before the try/catch further down) prints its
// message and file path straight into the HTTP response, so switch this off
// once the form is live.
foreach (['display_errors' => '1', 'display_startup_errors' => '1'] as $option => $value) {
    ini_set($option, $value);
}
error_reporting(E_ALL);
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
require 'vendor/autoload.php';
header('Content-Type: application/json');
// --- Helper sanitize function ---
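/**
 * Normalise one form value for inclusion in the notification email.
 *
 * Trims surrounding whitespace, strips HTML tags, then HTML-escapes what is
 * left. The escaping flags are explicit (ENT_QUOTES | ENT_SUBSTITUTE, UTF-8)
 * so single quotes are always escaped and invalid UTF-8 is replaced instead
 * of turning the whole value into '' on PHP versions before 8.1.
 *
 * @param mixed $data a scalar form value (null is treated as ''); arrays and
 *                    objects are rejected so a "field[]=x" submission fails
 *                    cleanly instead of with a TypeError from trim()
 * @throws \InvalidArgumentException when $data is neither null nor a scalar
 */
function sanitize($data): string {
    if ($data === null) {
        return '';
    }
    if (!is_scalar($data)) {
        throw new \InvalidArgumentException('Expected a text value.');
    }
    return htmlspecialchars(strip_tags(trim((string) $data)), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}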
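try {
    session_start();

    // A non-POST request carries no form fields; answer 405 rather than a
    // misleading "missing field" error. Client-side failures are thrown as
    // \InvalidArgumentException whose code, when non-zero, is the HTTP status.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        throw new \InvalidArgumentException('Method not allowed.', 405);
    }

    // --- Rate limit: 1 submission every 10s ---
    // Keyed on the session cookie only: a client that discards its cookie gets
    // a fresh window, so this is a light brake, not real abuse protection.
    $now = time();
    if (isset($_SESSION['last_submit']) && $now - (int) $_SESSION['last_submit'] < 10) {
        throw new \InvalidArgumentException('Too many submissions. Please wait a few seconds.', 429);
    }
    $_SESSION['last_submit'] = $now;

    // --- Honeypot check ---
    if (!empty($_POST['website'])) { // "website" field should be hidden in your form
        throw new \InvalidArgumentException('Spam detected.');
    }

    // --- Required fields ---
    $required_fields = [
        'firstname', 'lastname', 'phone', 'email',
        'month', 'day', 'year', 'address',
        'zip', 'city', 'state', 'updates',
    ];
    $input = [];
    foreach ($required_fields as $field) {
        $value = $_POST[$field] ?? null;
        // Arrays ("field[]=x") and other non-strings would raise TypeErrors in
        // trim()/preg_replace() further down; treat them as missing. Unlike
        // empty(), this check accepts a literal "0".
        if (!is_string($value) || trim($value) === '') {
            throw new \InvalidArgumentException('Missing required field: ' . $field);
        }
        $input[$field] = $value;
    }

    // --- Sanitize inputs ---
    $firstname = sanitize($input['firstname']);
    $lastname = sanitize($input['lastname']);
    $phone = preg_replace('/[^0-9]/', '', $input['phone']); // keep digits only
    $email = filter_var($input['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new \InvalidArgumentException('Invalid email address.');
    }
    $dob = sanitize($input['month']) . '/' . sanitize($input['day']) . '/' . sanitize($input['year']);
    $address = sanitize($input['address']);
    $zip = preg_replace('/[^0-9]/', '', $input['zip']); // numeric only
    $city = sanitize($input['city']);
    $state = sanitize($input['state']);

    // Contact methods (checkbox array). A single checkbox whose name lacks "[]"
    // posts a bare string; non-string entries inside the array are dropped
    // instead of crashing sanitize().
    $channels = $_POST['channels'] ?? [];
    if (is_string($channels)) {
        $channels = [$channels];
    }
    if (!is_array($channels)) {
        throw new \InvalidArgumentException('Invalid contact methods.');
    }
    $channels = array_values(array_filter($channels, 'is_string'));
    $contact_methods = $channels === []
        ? 'None selected'
        : implode(', ', array_map('sanitize', $channels));

    // Radio button
    $updates = sanitize($input['updates']);

    // --- Additional server-side validation ---
    // These are byte lengths of the escaped values ("&" has become "&amp;"),
    // so the 2-character minimum is only a loose plausibility check.
    if (strlen($firstname) < 2 || strlen($lastname) < 2) {
        throw new \InvalidArgumentException('Invalid name.');
    }
    if (strlen($phone) !== 10) {
        throw new \InvalidArgumentException('Phone number must be 10 digits.');
    }
    if (strlen($zip) !== 5) {
        throw new \InvalidArgumentException('ZIP code must be 5 digits.');
    }
    if (strlen($city) < 2 || strlen($state) < 2) {
        throw new \InvalidArgumentException('Invalid city or state.');
    }

    // --- Build email content ---
    // The mail is sent as plain text but the values were HTML-escaped by
    // sanitize(), so e.g. "&" arrives in the notification as "&amp;".
    $subject = "New Submission from $firstname $lastname";
    $body = "
You received a new form submission:
Name: $firstname $lastname
Phone: $phone
Email: $email
Date of Birth: $dob
Address:
$address
$city, $state $zip
Preferred Contact Methods: $contact_methods
Wants Updates: $updates
";

    // --- PHPMailer setup ---
    // The SMTP app password is read from the environment instead of being
    // stored in this file, which sits in the web root. Any value that was
    // previously committed here should be considered exposed and rotated.
    // SMTP_APP_PASSWORD is the variable name this script expects; set it in
    // the web server / PHP-FPM environment.
    $smtpPassword = getenv('SMTP_APP_PASSWORD');
    if (!is_string($smtpPassword) || $smtpPassword === '') {
        throw new \RuntimeException('SMTP credentials are not configured.');
    }

    $mail = new PHPMailer(true);
    $mail->isSMTP();
    $mail->Host = 'smtp.gmail.com';
    $mail->SMTPAuth = true;
    $mail->Username = '[email protected]'; // your GSuite email
    $mail->Password = $smtpPassword;
    $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
    $mail->Port = 587;
    $mail->CharSet = 'UTF-8'; // PHPMailer's default is ISO-8859-1; form input is UTF-8

    // Recipients
    $mail->setFrom('[email protected]', 'The Advocacy Service Center');
    $mail->addAddress('[email protected]'); // Replace with your recipient

    // Content
    $mail->isHTML(false);
    $mail->Subject = $subject;
    $mail->Body = $body;
    $mail->send();

    echo json_encode(['status' => 'success', 'message' => 'Form submitted successfully.']);
} catch (\InvalidArgumentException $e) {
    // Client-side problems (validation, rate limit, honeypot): the message is
    // one of ours and safe to return; a non-zero exception code is the HTTP
    // status to send, otherwise 400.
    http_response_code($e->getCode() > 0 ? $e->getCode() : 400);
    echo json_encode(['status' => 'error', 'message' => $e->getMessage()]);
} catch (\Throwable $e) {
    // Transport, configuration and programming errors: log the detail and
    // return a generic message. PHPMailer's messages can include SMTP server
    // responses and a TypeError's text can include file paths; neither
    // belongs in a public response.
    error_log('sendmail.php: ' . get_class($e) . ': ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['status' => 'error', 'message' => 'Unable to send your submission right now. Please try again later.']);
}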