Re: help protecting form to email from spammers
- From: totalstranger <totalstranger@xxxxxxxxxxxxx>
- Date: Tue, 29 Aug 2006 05:49:57 -0400
On or about 8/29/2006 1:14 AM, it came to pass that onembk wrote:
On 2006-08-28 17:07:49 -0600, jwhitley31NOSPAM@xxxxxxxx (J W) said:
Here's the script I use to validate email addresses. Got it originally someplace on the web and added code to do a DNS check.
Hello,
I am kind of a newb to PHP and could use some help. I have made a form-to-email PHP page that uses the mail function to send me the results of a form. The PHP portion looks like this:
<?php
// Relies on register_globals: $submit, $Address, $Regarding, $FName, $LName,
// $Email, ... are the raw form fields exactly as the browser sent them.
if ($submit) {
    $Address = !empty($Address) ? $Address : 'NA';
    $Address2 = !empty($Address2) ? $Address2 : 'NA';
    $City = !empty($City) ? $City : 'NA';
    $State = !empty($State) ? $State : 'NA';
    $Country = !empty($Country) ? $Country : 'NA';
    $Postal = !empty($Postal) ? $Postal : 'NA';
    $Phone = !empty($Phone) ? $Phone : 'NA';
    $Company = !empty($Company) ? $Company : 'NA';
    $EmailNot = !empty($EmailNot) ? $EmailNot : 'NO';
    $today = date("m/d/y");
    // $Regarding goes into the Subject header and $FName, $LName, $Email into
    // the From header, all without any check for line breaks.
    mail("me@xxxxxxxxxxxx",
        "Info on $Regarding",
        "A User has submitted a Contact form on Mydomain.com
on $today
================================================
Name: $FName $LName
Email: $Email
Address: $Address
$Address2
$City
$State
$Country
$Postal
Phone: $Phone
Company: $Company
Message: $Comment
Referer: $Referer
Opt-Out: $EmailNot",
        "From: $FName $LName <$Email>");
    header("location: thanks.html");
} // end if they hit "Submit"
?>
Later on the page is the form itself (edited for brevity):
<form name="contactinfo" method="post">
(various input areas)
</form>
I know that as is this page isn't secure from a spammer exploiting it for their own purposes. Can someone help me clean it up to protect against that kind of thing? I believe the input data has to be validated / scrubbed or something? I've been googling and while I understand the concept I'm not quite getting how to do it within the framework of what I have already created.
Thanks much.
You will need to verify that a hacker hasn't injected extra lines into your To/CC/BCC/From/Subject fields. Looking at your code above I'd be most concerned about the $Regarding variable as it could be used for this. Here is a simple example:
if (stristr($Regarding, '\n') !== false       // the two-character string \n
    || stristr($Regarding, '\r') !== false    // the two-character string \r
    || stristr($Regarding, "\n") !== false    // a real newline
    || stristr($Regarding, "\r") !== false    // a real carriage return
    || stristr($Regarding, '%0A') !== false)  // URL-encoded newline
{
    die("hacker");
}
Note '\r' is the string \r while "\r" is a carriage return, "\n" means newline and '%0A' also creates a newline. If $Regarding was equal to "spam subject%0ABcc: someoneelse@xxxxxxxxxxxxxxxxx" I could send someoneelse@xxxxxxxxxxxxxxxxx some spam since everything after 'spam subject' is on a separate line. Email protocols would see this as a separate email header. This applies to any field a user has access to other than the actual body of the email.
See http://www.w3schools.com/php/php_secure_mail.asp The example there is nicer than mine.
<?php
// Syntax check on the local part and the domain, then an MX lookup.
// eregi() was removed in PHP 7, so the same patterns are run through
// preg_match() with the /i flag; the original [-|_] class also matched a
// literal '|', so it is written as [-_] here.
function IsEmailSyntaxValid($addr)
{
    // Exactly one '@' is required; otherwise explode() leaves $domain unset
    // or silently drops a third part.
    if (substr_count($addr, '@') !== 1)
        return false;
    list($local, $domain) = explode("@", $addr);
    $pattern_local = '/^([0-9a-z]*([-_]?[0-9a-z]+)*)(([-_]?)\.([-_]?)[0-9a-z]*([-_]?[0-9a-z]+)+)*([-_]?)$/i';
    $pattern_domain = '/^([0-9a-z]+([-]?[0-9a-z]+)*)(([-]?)\.([-]?)[0-9a-z]*([-]?[0-9a-z]+)+)*\.[a-z]{2,4}$/i';
    $match_local = preg_match($pattern_local, $local);
    $match_domain = preg_match($pattern_domain, $domain);
    // The MX lookup needs network access; it confirms the domain accepts mail.
    if ($match_local && $match_domain && checkdnsrr($domain, 'MX'))
        return true;
    else
        return false;
}
?>
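Putting the two pieces of advice in this thread together (onembk's line-break check on header-bound fields, and the syntax plus DNS check on the address), here is a hardened version of the contact-form handler. This is an added example, not code from any poster in the thread. It assumes register_globals is off so every field is read from $_POST, that the form keeps the field names used above (FName, LName, Email, Regarding, Comment, ...), and the addresses example.com / example.net are placeholders. It also swaps in PHP's built-in FILTER_VALIDATE_EMAIL for the hand-written regexes.

```php
<?php
// Added example (not any poster's code): hardened contact-form handler.
// Assumes register_globals is off, the same form field names as above, and
// placeholder addresses (example.com / example.net).

// Any value bound for a mail header must contain no line break at all.
// PHP has already URL-decoded $_POST, so a submitted %0A arrives as a real LF.
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 1;
}

// Trim and bound a header-bound field; null means "reject the submission".
function headerField(string $value, int $maxLen = 100): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen || hasHeaderInjection($value)) {
        return null;
    }
    return $value;
}

// Syntax check with PHP's built-in validator, then an MX (or A) lookup like
// IsEmailSyntaxValid() above. The lookup needs the network, so the self-test
// below passes $checkDns = false.
function isValidEmail(string $addr, bool $checkDns = true): bool
{
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (!$checkDns) {
        return true;
    }
    $domain = substr($addr, strrpos($addr, '@') + 1);
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

// Assemble subject, body and headers from the posted fields. Returns null
// when any header-bound field fails validation, so nothing is sent.
function buildContactMail(array $post, bool $checkDns = true): ?array
{
    // A field posted as an array (FName[]=x) is treated as empty.
    $str = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';

    $first     = headerField($str('FName'));
    $last      = headerField($str('LName'));
    $email     = headerField($str('Email'));
    $regarding = headerField($str('Regarding'));
    if ($first === null || $last === null || $regarding === null
        || $email === null || !isValidEmail($email, $checkDns)) {
        return null;
    }
    // Body-only fields: free text is fine here, it never reaches a header.
    $field = function (string $name) use ($str): string {
        $v = trim($str($name));
        return $v === '' ? 'NA' : $v;
    };
    $body = "A user has submitted a contact form on " . date('m/d/y') . "\n"
          . "Name: $first $last\nEmail: $email\n"
          . "Address: " . $field('Address') . "\n"
          . "Phone: " . $field('Phone') . "\n"
          . "Message: " . $field('Comment') . "\n";
    // From stays a fixed local address; the visitor's validated address goes
    // in Reply-To, so no user input can start a new header line.
    $headers = "From: contact-form@example.com\r\nReply-To: $email\r\n";
    return ['subject' => "Info on $regarding", 'body' => $body, 'headers' => $headers];
}

// Self-test on constructed input: no mail is sent and no DNS is queried.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAIL: $what\n");
        exit(1);
    }
}
$good = ['FName' => 'Jane', 'LName' => 'Doe', 'Email' => 'jane@example.com',
         'Regarding' => 'pricing', 'Comment' => 'Hello'];
$bad  = $good;
$bad['Regarding'] = "pricing\nBcc: someone@example.net";   // the case from the thread
check(buildContactMail($good, false) !== null, 'clean submission accepted');
check(buildContactMail($bad, false) === null, 'line break in subject rejected');
check(!isValidEmail("jane@example.com\r\nBcc: x@example.net", false), 'line break in email rejected');

// The live handler: only runs when the form is actually posted.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $msg = buildContactMail($_POST);
    if ($msg !== null) {
        mail('me@example.com', $msg['subject'], $msg['body'], $msg['headers']);
        header('Location: thanks.html');
        exit;
    }
    http_response_code(400);
    echo 'Invalid form input.';
}
```

Run it from the command line (php handler.php) and it exits silently when the three self-checks pass; served by a web server it behaves as the form handler. The design point is that the visitor never controls a whole header: From is fixed, Reply-To only ever holds an address that passed both the line-break and the syntax check, and the Subject is built from a field that was rejected outright if it contained CR, LF or NUL.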
- References:
- help protecting form to email from spammers
- From: J W
- Re: help protecting form to email from spammers
- From: onembk