Help preventing injection and self run... EMAIL FORM

viaveloz

Hello again great users of this forums!

I use a premade flash movie that sends data to php using post. It checks for @ and . missing but allows ' @ . ' for example.

What I wanna do is only protect the php against running from it self generating a email each time we reload a page (for example the page is mydomain.net/contact.html sending data to mydomain/contact.php if I or anyone else calls the php directly it generates an email...) how can I prevent this if I can't edit the flash? can I do it only in the php file? so that even if someone discover the name of the php file it must not run if anything is posted...

Here's the code (and also: is it secured against injection?):

<?php

$wname = $HTTP_POST_VARS['Name'];
$wemail = $HTTP_POST_VARS['Mail'];
$wmessage = $HTTP_POST_VARS['Message'];
$wassunto = $HTTP_POST_VARS['Ass'];
$ip = $_SERVER['REMOTE_ADDR'];

$wname = str_replace("<?","ERRO",$name);
$wname = str_replace("?>","ERRO",$name);
$wname = str_replace("<","ERRO",$name);
$wname = str_replace("&","ERRO",$name);
$wemail = str_replace("<?","ERRO", $wemail);
$wemail = str_replace("?>","ERRO", $wemail);
$wemail = str_replace("&","ERRO", $wemail);
$wemail = str_replace("<","ERRO", $wemail);
$wmessage = str_replace("<?","ERRO", $wmessage);
$wmessage = str_replace("?>","ERRO", $wmessage);
$wmessage = str_replace("&","ERRO", $wmessage);
$wmessage = str_replace("<","ERRO", $wmessage);
$wassunto = str_replace("<?","ERRO", $wassunto);
$wassunto = str_replace("?>","ERRO", $wassunto);
$wassunto = str_replace("&&","ERRO", $wassunto);
$wassunto = str_replace("<","ERRO", $wassunto);

$message = stripslashes($wmessage);

$sendTo1 = "email_no1@mydomain.net";
$sendTo2 = "email_no2@mydomain.net";
$sendTo3 = "email_no3@mydomain.net";
$sendTo4 = "email_no4@mydomain.net";
$subject = $wassunto;

$msg_body = "Name: $wname";
$msg_body .= " E-Mail: $wemail";
$msg_body .= " IP: $ip\n";
$msg_body .= "Subject: $wassunto\n";
$msg_body .= "Form from website emailed to: $sendTo1\n\n";
$msg_body .= "Commentss: $message\n";

$header_info = "From: ".$wname." <".$wemail.">\r\n\r\n";

mail($sendTo1, $subject, $msg_body, $header_info);
mail($sendTo3, $subject, $msg_body, $header_info);

?>

Can someone help me.

Thank you all in advance,

Regards,

Carlos

nick1presta

Um, htmlspecialchars will replace half of your string replacements. You basically want to validate user input, sanitize it and check for "MIME-Version: ", "\r", "\r\n", "\n".

bpat1434

well, a quick "isset($_POST['some_unknown_key'])" will check to see if the Posted variable "some_unknown_key" is posted. You put that in an If statement, so that if it's there, it runs, otherwise, it won't.

So in simplistic form it would be:

<?php
if(isset($_POST['submit']))
{
  // Submit button was pressed,
  // Process form and send email
}
else
{
  // Submit button was not pressed
  // Possible spam attempt, who knows...
}

You can also do visual validation. I'm working on an article for that right now, but should have it submitted later today (Jan 23) and it should be posted within the week. Keep your eye out for it....

viaveloz

Hello again and thank you for replying! 🙂

The if(isset($_POST['some variable'])) did work preventing the script from running it self but now the question is:

In the form if submited only "@." or "space@space.space" (or with how many spaces we want) it will submit the message. Since I can't modify the form is there anyway I can check in the php file for spaces in the email field:

Now my php file looks somethink like this:

<?php

if(isset($_POST['Ass']))

{

$wname = $HTTP_POST_VARS['Name'];
$wemail = $HTTP_POST_VARS['Mail'];
$wmessage = $HTTP_POST_VARS['Message'];
$wassunto = $HTTP_POST_VARS['Ass'];
$ip = $_SERVER['REMOTE_ADDR'];

$wname = str_replace("<?","ERRO",$name);
$wname = str_replace("?>","ERRO",$name);
$wname = str_replace("<","ERRO",$name);
$wname = str_replace("&","ERRO",$name);
$wemail = str_replace("<?","ERRO", $wemail);
$wemail = str_replace("?>","ERRO", $wemail);
$wemail = str_replace("&","ERRO", $wemail);
$wemail = str_replace("<","ERRO", $wemail);
$wmessage = str_replace("<?","ERRO", $wmessage);
$wmessage = str_replace("?>","ERRO", $wmessage);
$wmessage = str_replace("&","ERRO", $wmessage);
$wmessage = str_replace("<","ERRO", $wmessage);
$wassunto = str_replace("<?","ERRO", $wassunto);
$wassunto = str_replace("?>","ERRO", $wassunto);
$wassunto = str_replace("&&","ERRO", $wassunto);
$wassunto = str_replace("<","ERRO", $wassunto);

$message = stripslashes($wmessage);

$sendTo1 = "email_no1@mydomain.net";
$sendTo2 = "email_no2@mydomain.net";
$sendTo3 = "email_no3@mydomain.net";
$sendTo4 = "email_no4@mydomain.net";
$subject = $wassunto;

$msg_body = "Name: $wname";
$msg_body .= " E-Mail: $wemail";
$msg_body .= " IP: $ip\n";
$msg_body .= "Subject: $wassunto\n";
$msg_body .= "Form from website emailed to: $sendTo1\n\n";
$msg_body .= "Commentss: $message\n";

$header_info = "From: ".$wname." <".$wemail.">\r\n\r\n";

mail($sendTo1, $subject, $msg_body, $header_info);
mail($sendTo3, $subject, $msg_body, $header_info);

} else {

exit();
}

?>

bpat1434

Email validation? I'd suggest you search the forums, it's been answered. Or read the user notes for [man]eregi/man as it's answered there too...

unisabilly

try

$temp_address = str_replace(' ','',$email_address);  // remove empty spaces
if ($temp_address == "@.")
{
   error code here....
}
else
{
  continue here .......
}

stupid way, but it might work ~
btw. as bpat1434 said eregi might be the best solution ~
and good luck ~