Secure PHP Feedback Form Problem

jacquesy

I'm using the below code to create a simple and secure feedback form for my website. Everything is perfect apart from the checking of the $crack variable for the address field (in red below).

When the user types is any of the blocked content (such as bcc: / cc🙂 into the body textfield the form still works and doesn't stop the process like it should - can anybody see what I am doing wrong?

Thanks!!!

CODE.................

<?php

$to='name@domain.com';
$messageSubject='PHP Feedback Form Test';
$confirmationSubject='Your email was sent';
$confirmationBody="Well done!!!!";
$email='';
$body='';
$displayForm=true;
if ($POST){
$email=stripslashes($POST['email']);
$body=stripslashes($POST['body']);
// validate e-mail address
$valid=eregi('^{([0-9a-z]+[-.}+&])*[0-9a-z]+@([-0-9a-z]+[.])+[a-z]{2,6}$',$email);
$crack=eregi("(\r|\n)(to😐from😐cc😐bcc🙂",$body);
if ($email && $body && $valid && !$crack){
if (mail($to,$messageSubject,$body,'From: '.$email."\r\n")
&& mail($email,$confirmationSubject,$confirmationBody.$body,'From: '.$to."\r\n")){
$displayForm=false;
?>

<p>
Your message was successfully sent.
In addition, a confirmation copy was sent to your e-mail address.
Your message is shown below.
</p>
<?php
echo '<p>'.htmlspecialchars($body).'</p>';
}else{ // the messages could not be sent
?>
<p>
Something went wrong when the server tried to send your message.
This is usually due to a server error, and is probably not your fault.
We apologise for any inconvenience caused.
</p>
<?php
}
}else if ($crack){ // cracking attempt
?>
<p><strong>
Your message contained e-mail headers within the message body.
This seems to be a cracking attempt and the message has not been sent.
</strong></p>
<?php
}else{ // form not complete
?>
<p><strong>
Your message could not be sent.
You must include both a valid e-mail address and a message.
</strong></p>
<?php
}
}
if ($displayForm){
?>

<form action="feedback.php" method="post">
<table>
<tr>
<td class="label"><label for="email">Your e-mail address</label></td>
<td>
<input type="text" name="email" id="email" value="<?php echo htmlspecialchars($email); ?>" size="30">
(a confirmation e-mail will be sent to this address)
</td>
</tr>
<tr>
<td class="label"><label for="body">Your message</label></td>
<td><textarea name="body" id="body" cols="70" rows="5"><?php echo htmlspecialchars($body); ?></textarea></td>
</tr>
<tr><td id="submit" colspan="2"><button type="submit">Send message</button></td></tr>
</table>
</form>
<?php
}
?>

Rodney_H_

I think THIS is what you are after, or something like it??:

<?php
$form = '<form action="test.php" method="post">
<p><input type="text" name="email" size="25" /> Email</p>
<p><textarea name="body" rows="10" cols="50"></textarea> Body</p>
<input type="submit" name="submit" value="Send" />
</form>' . "\n";

// if the form was submitted:
if(isset($_POST['email'])  &&  isset($_POST['body']))
{
	// hide form:
	$displayForm = false;

// if magic quotes, srip slashes:
if(get_magic_quotes_gpc() == 1)
{
	$email = stripslashes($_POST['email']);
	$body = stripslashes($_POST['body']);
}
else {
	$email = $_POST['email'];
	$body = $_POST['body'];
}

// validate e-mail address
if(!eregi('^([0-9a-z]+[-._+&])*[0-9a-z]+@([-0-9a-z]+[.])+[a-z]{2,6}$',$email))
{
	echo 'Your email address appears to be invalid';
	$displayForm = true;
	echo $form;
}

// validate body:
elseif(eregi("(to:)|(from:)|(cc:)|(bcc:)",$body))
{
	echo 'Hack attempt?';
	$displayForm = true;
	echo $form;
}

else {
	// email
	$to = 'name@domain.com';
	$headers = 'From: name@domain.com' . "\r\n";
	$messageSubject = 'PHP Feedback Form Test';
	$confirmationSubject = 'Your email was sent';
	$confirmationBody = "Well done!!!!";
	$send = @mail($to,$messageSubject,$body,'From: '.$email."\r\n");
	$send2 = @mail($email,$confirmationSubject,$confirmationBody.$body, $headers);
	echo 'Thanks. Your message was sent';
}
}

// else display form:
else {
	$displayForm = true;
	echo $form;
}
?>

That being said, I am not certain that checking the BODY for those characters will prevent spam or do what you wish it to do.

My thinking is based on the idea that TO:,BCC:, CC:, settings must be established as an email parameter, usually the headers. If you use those in the "body" or message of the email, it will NOT affect the recipients of the email.

Anyway, I hope that helps...

jacquesy

Thanks very much Rodney, this works perfectly!