[RESOLVED] Is my form Secure against spam attack??

cesar110

Please if somebody can review my code and tell me if this my form below would be robots/SPAM attack free. The form is very basic, it has 4 fields, saves the value if there is an error and sends it. Of couse, it check that all fields are enter, email address has the right format, verify email has to match email, and I want to delete any extra headers, lines, etc. thanks.

$block = "<div align=\"center\">Please fill out the form </div>";
$block .= "
<form action=\"$_SERVER[PHP_SELF]\" method=\"post\">
<table width=\"500\" align=\"center\">
	<tr>
		<td>&nbsp;

	</td>
</tr>
<tr>
	<td>
		<p>Name:</p>
	</td>
	<td>
		<input type=\"text\" name=\"name\" value=\"$_POST[name]\">
	</td>
</tr>
<tr>
	<td>
		<p>Email:</p>
	</td>
	<td>
		<input type=\"text\" name=\"email\" value=\"$_POST[email]\">
	</td>
</tr>
<tr>
	<td>
		<p>Verify Email:</p>
	</td>
	<td>
		<input type=\"text\" name=\"email2\" value=\"$_POST[email2]\">
	</td>
</tr>
<tr>
	<td>
		<p>Comments:</p>
	</td>
	<td>
		<textarea name=\"comments\" rows=\"10\" cols=\"25\" value=\"$_POST[comments]\" WRAP=virtual >$_POST[comments]</textarea>
	</td>
</tr>
<td>
	<td>&nbsp;</td>
</td>
<tr>
	<td>&nbsp;

	</td>
	<td>
	<div align=\"right\">
	<input type=\"hidden\" name=\"op\" value=\"ds\">
	<input type=\"submit\" name=\"submit\" value=\"Submit\"></div>
	</td>
</tr>
</table>
</form>";

$name = $_POST[name];
$email = trim($_POST[email]);
$email2 = trim($_POST[email2]);
$comments = $_POST[comments];

if ($_POST[op] != "ds")
{
	echo "$block";
}

else if ($_POST[op] == "ds")

{

	/********************************
	Check for wrong referer and exit
	*********************************/

	if (($_SERVER['HTTP_REFERER'] != 'http://www.mydomain.com/mycontactform.php') and ($_SERVER['HTTP_REFERER'] != 'http://www.mydomain.com/mycontactform.php' ))
	{ 
    echo $_SERVER['HTTP_REFERER']; 
    echo 'This is SPAM!'; 
    die; 
	}

	/***************************
	Validate name
	****************************/
		if (empty($name))

			  {$send = "no"; echo "Please enter your Name <br/>";}

		else { $send = "yes"; }

	/****************************
	Validate Email address $email
	*****************************/

		//Verify email is not blank 
		if(empty($email))

			{ $send = "no"; echo "Please enter email Address <br/>";  }

		//Verify email has correct format 
		else if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) 

			{$send = "no"; echo "Your Email does not have the correct format <br/>"; }

		//Match both email addresses 
		else if ($email != $email2)

			{$send = "no"; echo 'The Email and Verify email address you enter no not match <br/>'; }

		//Remove any newlines from input email address 
		else if($email)

				{preg_match("/(%0A|%0D|\\n+|\\r+)/i", $email) == 0;}

		else if($email)
		// Remove any email headers from  mail form input
				{preg_match("/(content-type:|to:|cc:|bcc:)/i", $email) == 0;}

	/***************************
	Validate Commetns
	****************************/

		if (empty($comments))

			{ $send = "no"; echo "Please explain the problem you are facing <br/>";}

			else if($comments)

			{ preg_match("/(content-type:|to:|cc:|bcc:)/i", $comments) == 0; $send = "yes";}

}

// Display form if there are errors
if ($send == "no")

	{  echo "$block"; }

// Lets send the form
if ($send == "yes")

{
		$msg = "Your request has been submitted.  Thanks!\n";
		$msg .= "Name:	$name\n";
		$msg .= "Email:	$email\n";
		$msg .= "comments:	$comments\n";

		$toaddress = "toMe@myEmail.com";
		$subject = "To Webmaster";

		$mailheaders = "From:". $email;
		$mailheaders .= "Reply to:".$email;

		mail($toaddress, $subject, $msg, $mailheaders);

		$block = "Your email has been sent.  Thank you! \n";
		$block .= "Name: $name <br/>"."Email: $email <br/>"."Comments: $comments <br/>"; 
		echo "$block";
}

NogDog

Please make use of the

 tag[/url] around your code sample if you would really like us to read it.

cesar110

Sorry for that....here are the tags.


$block = "<div align=\"center\">Please fill out the form </div>";
$block .= "
<form action=\"$_SERVER[PHP_SELF]\" method=\"post\">
<table width=\"500\" align=\"center\">
<tr>
<td>&nbsp;

</td>
</tr>
<tr>
<td>
<p>Name:</p>
</td>
<td>
<input type=\"text\" name=\"name\" value=\"$_POST[name]\">
</td>
</tr>
<tr>
<td>
<p>Email:</p>
</td>
<td>
<input type=\"text\" name=\"email\" value=\"$_POST[email]\">
</td>
</tr>
<tr>
<td>
<p>Verify Email:</p>
</td>
<td>
<input type=\"text\" name=\"email2\" value=\"$_POST[email2]\">
</td>
</tr>
<tr>
<td>
<p>Comments:</p>
</td>
<td>
<textarea name=\"comments\" rows=\"10\" cols=\"25\" value=\"$_POST[comments]\" WRAP=virtual >$_POST[comments]</textarea>
</td>
</tr>
<td>
<td>&nbsp;</td>
</td>
<tr>
<td>&nbsp;

</td>
<td>
<div align=\"right\">
<input type=\"hidden\" name=\"op\" value=\"ds\">
<input type=\"submit\" name=\"submit\" value=\"Submit\"></div>
</td>
</tr>
</table>
</form>";

$name = $_POST[name];
$email = trim($_POST[email]);
$email2 = trim($_POST[email2]);
$comments = $_POST[comments];

if ($_POST[op] != "ds")
{
echo "$block";
}

else if ($_POST[op] == "ds")

{

/********************************
Check for wrong referer and exit
*********************************/

if (($_SERVER['HTTP_REFERER'] != 'http://www.mydomain.com/mycontactform.php') and ($_SERVER['HTTP_REFERER'] != 'http://www.mydomain.com/mycontactform.php' ))
{
echo $_SERVER['HTTP_REFERER'];
echo 'This is SPAM!';
die;
}

/***************************
Validate name
****************************/
if (empty($name))

{$send = "no"; echo "Please enter your Name <br/>";}

else { $send = "yes"; }

/****************************
Validate Email address $email
*****************************/

//Verify email is not blank
if(empty($email))

{ $send = "no"; echo "Please enter email Address <br/>"; }

//Verify email has correct format
else if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email))

{$send = "no"; echo "Your Email does not have the correct format <br/>"; }

//Match both email addresses
else if ($email != $email2)

{$send = "no"; echo 'The Email and Verify email address you enter no not match <br/>'; }

//Remove any newlines from input email address
else if($email)

{preg_match("/(%0A|%0D|\\n+|\\r+)/i", $email) == 0;}

else if($email)
// Remove any email headers from mail form input
{preg_match("/(content-type:|to:|cc:|bcc/i", $email) == 0;}

/***************************
Validate Commetns
****************************/

if (empty($comments))

{ $send = "no"; echo "Please explain the problem you are facing <br/>";}

else if($comments)

{ preg_match("/(content-type:|to:|cc:|bcc/i", $comments) == 0; $send = "yes";}

}

// Display form if there are errors
if ($send == "no")

{ echo "$block"; }

// Lets send the form
if ($send == "yes")

{
$msg = "Your request has been submitted. Thanks!\n";
$msg .= "Name: $name\n";
$msg .= "Email: $email\n";
$msg .= "comments: $comments\n";

$toaddress = "toMe@myEmail.com";
$subject = "To Webmaster";

$mailheaders = "From:". $email;
$mailheaders .= "Reply to:".$email;

mail($toaddress, $subject, $msg, $mailheaders);

$block = "Your email has been sent. Thank you! \n";
$block .= "Name: $name <br/>"."Email: $email <br/>"."Comments: $comments <br/>";
echo "$block";
}

Piranha

That was not what NogDog asked you to do. Look at the link he provided instead and you will find out. And please edit the first post to add it, no need to post again.

suntra

if (($_SERVER['HTTP_REFERER'] != 'http://www.mydomain.com/mycontactform.php') and ($_SERVER['HTTP_REFERER'] != 'http://www.mydomain.com/mycontactform.php' ))
{
echo $_SERVER['HTTP_REFERER'];
echo 'This is SPAM!';
die;
}

Never rely on HTTP_REFERER since it is possible for Mr/Mrs Everyone to disable it !

Also, I would personally change the field names to make them less obvious... email, robots will say... email address ! Instead, I don't know, use brocoli 😛

cesar110

Thank you suntra,

So do you think I should delete the HTTP_REFERER part? what would happen if Mr/Mrs Everyone disable it? The form will not be sent out, or even if the HTTP_REFERE does not match, they will be able to send the form?

suntra

Of course the form will still be sent. Some people disable the sending of HTTP_REFERER for privacy reasons ! Everything in the browser goes as usual, except that it doesn't send the HTTP_REFERER header to the Webserver.

dougal85

Your code has a few abnormalities, may not necessarily effect the security but they might well be considered bad practice. And also make it very hard to read 😉


$name = $_POST[name];

// $_POST values should be in quotes

$name = $_POST['name'];


if (($_SERVER['HTTP_REFERER'] != 'http://www.mydomain.com/mycontactform.php') and ($_SERVER['HTTP_REFERER'] != 'http://www.mydomain.com/mycontactform.php' ))

// I might be tired but that looks like you are doing that twice.
// kind of like saying if 1 is not 2 and 1 is not 2

if ($_SERVER['HTTP_REFERER'] != 'http://www.mydomain.com/mycontactform.php')


$send = "no";

// why not use a boolean?

$send = false;

// then you can do simple things like

if($send)

// rather than

if($send == "yes")


//Remove any newlines from input email address
else if($email)

{preg_match("/(%0A|%0D|\\n+|\\r+)/i", $email) == 0;}

else if($email)
// Remove any email headers from mail form input
{preg_match("/(content-type:|to:|cc:|bcc/i", $email) == 0;}

// You have some strange email checking at the end, there is no way the code will reach both of these, since they have the same entry requirement the first will be executed. Also, "else if($email)" says is $email true? and a string always converts to true unless its empty.

Hope that helps somehow or other 😛

cesar110

Thank you very much, for your input. Obviously it shows i am new in php. I will review and make the changes that you guys suggested. thanks, again.