Ok boys and girls, please don't laugh at my feeble code, but here's my attempt at preventing the email injection spam. I've cobbled together bits of code that others have written without adding a captcha to the form.
Would this work? If it does, I hope some of you might find it helpful.
<?php
/* HTTP_REFERER checks the request came from my contact form
   (the Referer header is sent by the browser and is trivial to forge,
   so this only turns away the laziest bots) */
if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] != "MYWEBSITE/MYFORM.php") {
    die("fail one");
}

/* function to clean user input for display in an HTML page;
   it does nothing against mail header injection, the address check below does that */
function clean($data)
{
    return htmlspecialchars(addslashes($data));
}

/* read the raw address first: the checks below must run on the untouched value,
   and $email was used before it was assigned in the original */
$email = isset($_POST['email']) ? $_POST['email'] : '';

/* prevents sending from my domain's email address (case-insensitive) */
if (strcasecmp(strstr($email, '@'), '@MYWEBSITE') == 0) {
    exit('fail two');
}

/* preg_match validates the email address (eregi was removed in PHP 7);
   the pattern allows no CR or LF anywhere, which is what actually blocks
   header injection through the From: line; the D modifier stops $ from
   accepting a trailing newline */
if (!preg_match('/^[A-Z0-9._-]+@[A-Z0-9._-]{2,}\.[A-Z]{2,4}$/iD', $email)) {
    die("fail three");
}

if (isset($_POST['firstname'])) {
    $firstname = clean($_POST['firstname']);
    $email     = clean($email);
    /* stripslashes only undid magic_quotes, which PHP 5.4 removed; the comments
       only reach the message body, where no headers can be injected */
    $comments  = isset($_POST['comments']) ? stripslashes($_POST['comments']) : '';
    $to        = "WEBMASTERS EMAIL";
    $message   = "First Name: $firstname\n"
               . "Email: $email\n"
               . "Enquiry: $comments\n\n";

    /* the validated address is the only user data in the headers; end the header
       with a single \r\n, because current PHP refuses an additional_headers
       string that contains a blank line, so the old trailing \r\n\r\n would
       make mail() fail rather than protect anything */
    if (mail($to, "secure form test", $message, "From: $email\r\n")) {
        echo "Thank you";
    } else {
        echo "There was a problem sending the mail.";
    }
}