Hi all, I am looking for a relatively quick way to prevent my contact forms from being exploited by spammers. I have come across 2 ideas, but wonder which is best, and if in fact either is enough. Here is what I have; any suggestions are appreciated.

#1. placed at the top of the form validation:

if (isset($_POST['submit'])) {

    $kill_injection = $_POST['name'];

    // reject a carriage return or line feed in the name field
    // (eregi() no longer exists in current PHP; preg_match() does the same check)
    if (preg_match('/[\r\n]/', $kill_injection)) {
        die('<h3>Please do not spam our forms.</h3>');
    }
}

#2. Surrounds the mail function:

	// only send when the body does not contain a line break followed by a header name
	// (preg_match() with the /i flag replaces the case-insensitive eregi())
	$crack = preg_match('/(\r|\n)(to:|from:|cc:|bcc:)/i', $comments);
	if (!$crack) {
	    mail($Mymail, $subject, $comments, $headers);
	}

    Or insert a blank line or some letterhead-type thing at the top of email messages to separate the content (fake headers and all) from its headers. Certainly the first one is silly unless you don't want users to have paragraphs in their form.

      I'm back (ISP was dead 2 days). The first example was from this article:
      http://securephp.damonkohler.com/index.php/Email_Injection

      It is supposed to prevent spammers from injecting headers over your own by filtering the form inputs. But I guess they were suggesting that you filter each and every form item (not what I want).

      It seems that protecting the mail() function is the simplest, but does example #2 actually work? As I am not a spammer, I don't actually know just how to test the results.

      I wonder, is it enough to prevent people from injecting carriage returns into any input item other than the mail body, and does example 2 actually perform this adequately?

      Thanks!

        Realizing I'd rather stop processing the mail if injection is detected (rather than receiving mail with broken headers), I hope that something like this will work (placed right at the top of the validation script):

        $protect_input = array($_POST['name'], $_POST['contact'], $_POST['email'], $_POST['subject']);
        // preg_match() only accepts a string, so each header-related field is checked in turn
        foreach ($protect_input as $field_value) {
            $detect_abuse = preg_match('/(\r|\n|Content-Type)(To:|From:|CC:|BCC:)/i', $field_value);
            if ($detect_abuse) {
                die('<h1>Please do not spam our forms.</h1>');
            }
        }

        Have I written this correctly (I'm not so good with arrays)?
        Will this in fact kill injection attempts if each header-related field input is included in the protect_input array?

        Thanks!
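As an added example (not the poster's code, and not taken from the linked article): the check the thread is after, written as a small PHP validation step. It rejects any carriage return or line feed in the fields that end up in mail headers, validates the address, and leaves the message body alone so paragraphs are still allowed. The field names (name, email, subject, comments) and the recipient address are assumptions for illustration.

```php
<?php
// Added example, not code from the thread: validate every form field that
// ends up in a mail header, and let the message body keep its line breaks.
// Field names are assumed for illustration.

// True if the value contains a CR or LF, the only characters that let a
// sender start a new header line inside a field.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Check the header-bound fields of a submission and return a list of
// problems; an empty list means the submission is safe to hand to mail().
function validate_contact_form(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $field) {
        $value = (string) ($post[$field] ?? '');
        if ($value === '') {
            $errors[] = "$field is required";
        } elseif (has_line_break($value)) {
            $errors[] = "$field contains a line break";
        }
    }
    // A syntactically valid address cannot carry CR/LF or a second header.
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Build the message and send it only when validation passed. The body is
// deliberately not checked for line breaks: mail() separates it from the
// headers itself, so paragraphs in the comments field are harmless.
function send_contact_mail(array $post, string $recipient): bool
{
    if (validate_contact_form($post) !== []) {
        return false;
    }
    // From is the site's own address; the visitor's address goes in Reply-To.
    $headers = 'From: ' . $recipient . "\r\n"
             . 'Reply-To: ' . $post['email'] . "\r\n";
    $body = 'Name: ' . $post['name'] . "\n\n" . (string) ($post['comments'] ?? '');
    return mail($recipient, $post['subject'], $body, $headers);
}

// Constructed sample submissions (not real form data).
$clean = [
    'name'     => 'Ann Example',
    'email'    => 'ann@example.com',
    'subject'  => 'Question about your site',
    'comments' => "First paragraph.\n\nSecond paragraph.",
];
$injected = $clean;
$injected['email'] = "ann@example.com\r\nBcc: someone-else@example.net";

var_dump(validate_contact_form($clean));
var_dump(validate_contact_form($injected));
```

Run it from the command line with php to see the two results: the clean submission produces an empty error list, while the one with a line break in the email field is reported twice, once by the CR/LF check and once by filter_var(). Rejecting the submission outright, as the post above wants, is simpler and safer than stripping characters, because there is nothing to get wrong about which characters to strip.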

          2 months later

          So does this last example work? I'm in the same boat; I'm desperate to find a solution. It seems there are many suggestions, but no definitive solution?
