ok, I have progressed (I think). The code below is now (in theory) a lot safer with regard to email injection, since the function should take care of sanitisation.
There is one problem: if I try and enter some spam, for example someone@example.com%0Abcc:anotherperson@example.com, into the email field, the form kind of breaks down and there's a 404 error. Hmm, weird; all this function should do is strip the crap out and proceed with the mailing.
If I enter: someone@example.com no problems - we go straight through, email is delivered and I am re-directed correctly.
This is what I have now:
<?php
// Reject requests that did not come from this site's own form (the referer
// check from the original, rewritten so a missing header does not raise a notice).
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$pos = strpos($referer, $_SERVER['HTTP_HOST']);
if ($pos === false || $pos > 7) {
    die("Bad referer");
}

// Clean input in case of header injection attempts!
function clean_input($value, $check_all_patterns = true)
{
    $patterns = array('/content-type:/', '/to:/', '/cc:/', '/bcc:/');
    if ($check_all_patterns) {
        // Raw line breaks and their percent-encoded forms.
        $patterns[] = '/\r/';
        $patterns[] = '/\n/';
        $patterns[] = '/%0a/';
        $patterns[] = '/%0d/';
    }
    return preg_replace($patterns, "", strtolower($value));
}

// Read the posted fields (default to '' so a missing field does not raise a notice).
$fullname = isset($_POST['fullname']) ? $_POST['fullname'] : '';
$email    = isset($_POST['email'])    ? $_POST['email']    : '';

// Undo magic quotes where that legacy feature still exists (removed in PHP 8).
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $fullname = stripslashes($fullname);
    $email    = stripslashes($email);
}

// Strip the header-injection patterns first, then neutralise any HTML.
$fullname = htmlspecialchars(strip_tags(clean_input($fullname)));
$email    = htmlspecialchars(strip_tags(clean_input($email, false)));

// sanitize: reject anything not shaped like a single address.
// (ereg() is gone in PHP 7+; the dot before the TLD is escaped and the pattern anchored.)
if (!preg_match('/^[a-z0-9_.-]+@([a-z0-9-]+\.)+[a-z]{2,6}$/', $email)) {
    echo "<p><strong>Please enter a valid email...</strong><br><br>"
       . "<strong><a href='javascript:history.back()'>&lt;&lt; go back</a></strong></p>";
    exit;
}

// Do something useful with the data collected...
$myname  = "Random Name";
$myemail = "random@email.com";
$message  = "Full name: $fullname\r\n";
$message .= "Email: $email\r\n\r\n";
$headers2  = "MIME-Version: 1.0\r\n";
$headers2 .= "Content-type: text/plain; charset=iso-8859-1\r\n";
$headers2 .= "From: " . $fullname . " <" . $email . ">\r\n";
$headers2 .= "X-Priority: 1\r\n";
$headers2 .= "X-MSMail-Priority: High\r\n";
$headers2 .= "X-Mailer: sendmail";

mail($myemail, "Comments", $message, $headers2);

header("Location: http://www.somewhere.com/thanks.htm");
exit;
?>
Any ideas about improving this code or indeed insight into why I'm getting this 404 when I try and spam it?
Thanks.
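Added example (editor's code, not the poster's): a contact-form handler that takes the opposite approach to the strip-and-lowercase function above. It rejects any submission whose header-bound fields contain CR, LF or NUL, validates the address with PHP's built-in `filter_var()`, and keeps the visitor's address out of the `From:` header entirely (fixed site sender, visitor in `Reply-To:`). Function names, the sample submissions, and the addresses `contact-form@example.com` / `owner@example.com` are assumptions made for the example; PHP 5.2 or newer is assumed for `filter_var()`.

```php
<?php
// Added example, not the poster's code. Validate-and-reject instead of strip-and-continue.

/**
 * True when a value may be placed inside a mail header: no CR, LF or NUL,
 * the characters that let a submitted value start a new header line
 * (the shape of the Bcc: injection attempt in the post above).
 */
function is_header_safe($value)
{
    return is_string($value) && preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Returns the validated address, or false. No repair is attempted: a value
 * that is not a single syntactically valid address is refused outright.
 */
function validate_email($value)
{
    if (!is_header_safe($value)) {
        return false;
    }
    return filter_var(trim($value), FILTER_VALIDATE_EMAIL);
}

/** Returns a display name safe for a header, or false. */
function validate_name($value, $max = 100)
{
    if (!is_header_safe($value)) {
        return false;
    }
    $name = trim(strip_tags($value));
    if ($name === '' || strlen($name) > $max) {
        return false;
    }
    return $name;
}

/**
 * Builds the notification headers. From: is a fixed address the site owns;
 * the visitor's (validated) address goes only into Reply-To:, so user input
 * never decides who the message is from or who else receives it.
 */
function build_headers($visitorName, $visitorEmail, $siteFrom)
{
    // Drop quote characters so the display name cannot end the quoted string early.
    $display = str_replace('"', '', $visitorName);
    return "MIME-Version: 1.0\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n"
         . "From: $siteFrom\r\n"
         . "Reply-To: \"$display\" <$visitorEmail>\r\n";
}

// Constructed sample submissions (not real traffic). Samples 1 and 2 carry a raw
// line break followed by an extra Bcc: header, once in each field.
$samples = array(
    array('fullname' => 'Jane Doe', 'email' => 'someone@example.com'),
    array('fullname' => 'Jane Doe', 'email' => "someone@example.com\nbcc:anotherperson@example.com"),
    array('fullname' => "Jane Doe\r\nBcc: anotherperson@example.com", 'email' => 'someone@example.com'),
);

foreach ($samples as $i => $post) {
    $name  = validate_name($post['fullname']);
    $email = validate_email($post['email']);
    if ($name === false || $email === false) {
        // Refuse and log; do not try to clean the value and carry on.
        error_log("contact form: rejected sample #$i (header-unsafe or invalid input)");
        echo "sample $i: rejected\n";
        continue;
    }
    $headers = build_headers($name, $email, 'contact-form@example.com');
    echo "sample $i: accepted\n$headers\n";
    // mail('owner@example.com', 'Comments', "Full name: $name\nEmail: $email\n", $headers);
}
```

Run from the command line, sample 0 is accepted and samples 1 and 2 are rejected. Two points behind the design: PHP decodes percent-encoding in a POST body before the script sees it, so what reaches the handler is a raw CR or LF, and a value that still contains the literal characters `%0a` after decoding is not a line break and cannot start a header; checking for the raw control characters is therefore the test that matters. And refusing the submission, rather than deleting substrings like `bcc:`, means the handler never has to reason about what a half-cleaned value turns into once it is concatenated into a header.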