Struggling to understand ...

smirkingdude

Hello! 🙂 I'm new to PHP. I'm trying to understand why my PHP file sends me to error page even though I entered my email address. I wonder how to fix this and make PHP file work?

My PHP file is a mixture of copy & pastes from this page, this other page along with my newbie PHP attempts.

Here's the XHTML form code:

<form method="post" action="sendmail.php" class="contactform">
		<ol>
		  <li>
		  	<label for="name">Name<em class="required">*</em></label>
		 	<input type="text" name="name" id="name" />
		  </li>
		  <li>
		  	<label for="address1">Address 1<em class="required">*</em></label>
			<input type="text" name="address1" id="address1" />
		  </li>
		  <li>
		  	<label for="address2">Address 2</label>
			<input type="text" name="address2" id="address2" />
		  </li>
		  <li>
		  	<label for="city">City<em class="required">*</em></label>
		 	<input type="text" name="city" id="city" />
		  </li>
		  <li>
		  	<label for="state">State<em class="required">*</em></label>
			<input type="text" name="state" id="state" />
		  </li>
		  <li>
		  	<label for="zipcode">Zip Code<em class="required">*</em></label>
			<input type="text" name="zipcode" id="zipcode" />
		  </li>
		  <li>
		  	<label for="phone">Phone Number<em class="required">*</em></label>
			<input type="text" name="phone" id="phone" />
		  </li>
		  <li>
		  	<label for="email">Email Address</label>
			<input type="text" name="email" id="email" />
		  </li>
		  <li>Please enter the code below into the text box.<br />
		    <img src="CaptchaSecurityImages.php" alt="code for security purpose" /><em class="required">*</em>
		    <input type="text" name="security_code" id="security_code" />
		  </li>
		  <li>
		  	<label for="message">Message<em class="required">*</em></label><br />
			<textarea name="message" id="message" rows="15" cols="50"></textarea><br />
		    <input type="submit" name="submit" value="Submit" id="submit" />
		    <input type="reset" name="reset" value="Reset" id="reset" />
		  </li>
		</ol>
		</form>

here's the PHP file in its entirety:

<?php

  session_start();
   if(($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code'])) ) {
      // Insert your code for processing the form here, e.g emailing the submission, entering it into a database. 

  $name = $_GET['name'];
  $address1 = $_GET['address1'];
  $address2 = $_GET['address2'];
  $city = $_GET['city'];
  $state = $_GET['state'];
  $zipcode = $_GET['zipcode'];
  $phone = $_GET['phone'];
  $email = $_GET['email'];
  $message = $_GET['message'];

function is_valid_email($email) {
  return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
}

function contains_bad_str($str_to_test) {
  $bad_strings = array(
                "content-type:"
                ,"mime-version:"
                ,"multipart/mixed"
		,"Content-Transfer-Encoding:"
                ,"bcc:"
		,"cc:"
		,"to:"
  );

  foreach($bad_strings as $bad_string) {
    if(eregi($bad_string, strtolower($str_to_test))) {
      echo "mail not being sent.";
      exit;
    }
  }
}

function contains_newlines($str_to_test) {
   if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
     echo "mail not being sent.";
     exit;
   }
} 

if($_SERVER['REQUEST_METHOD'] != "POST"){
   echo("Unauthorized attempt to access page.");
   exit;
}

if (!is_valid_email($email)) {
  header( "Cache-Control: no-cache" );
  header( "Location: http://www.wordandworshipchurch.org/error.html" );
  exit;
}

contains_bad_str($name);
contains_bad_str($address1);
contains_bad_str($address2);
contains_bad_str($city);
contains_bad_str($state);
contains_bad_str($zipcode);
contains_bad_str($phone);
contains_bad_str($email);
contains_bad_str($message);

contains_newlines($name);
contains_newlines($address1);
contains_newlines($address2);
contains_newlines($city);
contains_newlines($state);
contains_newlines($zipcode);
contains_newlines($phone);
contains_newlines($email);
contains_newlines($message);

  if (!isset($_GET['name'],$_GET['address1'],$_GET['address2'],$_GET['city'],$_GET['state'],$_GET['zipcode'],$_GET['phone'],$_GET['email'],$_GET['message'])) {
  	header( "Cache-Control: no-cache" );
    header( "Location: http://www.wordandworshipchurch.org/contactus.html" );
  }
  elseif (empty($name) || empty($address1) || empty($city) || empty($state) || empty($zipcode) || empty($phone) || empty($email) || empty($message)) {
  	header( "Cache-Control: no-cache" );
    header( "Location: http://www.wordandworshipchurch.org/error.html" );
  }
  else {
    mail( "(my email address here)", "Contact Form Results",
      " Name: $name \n Address 1: $address1 \n Address 2: $address2 \n City: $city \n State: $state \n Zip Code: $zipcode \n Phone: $phone \n Email: $email \n Message: $message"); 
	header( "Cache-Control: no-cache" ); 
    header( "Location: http://www.wordandworshipchurch.org/thankyou.html" );

  }

  unset($_SESSION['security_code']);
   } else {
      // Insert your code for showing an error message here
	  header( "Cache-Control: no-cache" );
      header( "Location: http://www.wordandworshipchurch.org/error.html" );
   }
?>

Obviously, I'm new to adding security to online form. Plenty of room for learning PHP & improvement 🙂 Suggestions & advices will be appreciated 🙂

dagon

lets start at the beginning, your 2nd page above is called "sendmail.php" is in the same dir as the page the form is on and your server runs php?

Boyd

Book Bloodhound
Can't find that book? I can!
http://www.bookbloodhound.com

dagon

never mind i see the problem - you have:

$name = $_GET['name'];

when you want

$name = $_POST['name'];

replace all your $GET with $POST, as your form is using the post action.

Boyd.

--
Book Bloodhound
Can't find that book? I can!
http://www.bookbloodhound.com

smirkingdude

Dagon, yes both files are in same directory. is this bad for PHP security? :bemused:

dagon wrote:
lets start at the beginning, your 2nd page above is called "sendmail.php" is in the same dir as the page the form is on and your server runs php?

Boyd

Book Bloodhound

edit by admin: no commercial links permitted on the forum, thank you

smirkingdude

Dagon,

Thanks for your advice. 🙂 I've changed those $GET's into $POST's.

I was testing the PHP script.... when I entered with "content-type:" line and was sent to a page with an echo of "mail not being sent." I looked at the URL...it showed the URL address of the PHP script. I'm not sure if this may be an exploit (showing spammers the URL address of the PHP script and take advantage of it)?

Is there a way to secure this while either sending an echo or taking to an error page? if yes, how?

I know this is the beginning of my journey in PHP & PHP security. 🙂

dagon

smirkingdude wrote:
Dagon,

...it showed the URL address of the PHP script. I'm not sure if this may be an exploit (showing spammers the URL address of the PHP script and take advantage of it)?

That's fine, its how its always done.

smirkingdude

Parse error: syntax error, unexpected '{', expecting '(' on line 97 😕

here's the code beginning line 97:

else if {(!in_array($ip,$banned_ip)) {
    mail( "jgalofre96@hotmail.com", "Contact Form Results",
      " Name: $name \n Address 1: $address1 \n Address 2: $address2 \n City: $city \n State: $state \n Zip Code: $zipcode \n Phone: $phone \n Email: $email \n Message: $message \n IP Address: $ip"); 
	header( "Cache-Control: no-cache" ); 
    header( "Location: http://www.wordandworshipchurch.org/thankyou.html" );
	} 
  }

Okay... what to do? Not sure which "{" to replace on line 97. Would you kindly enlighten me with your PHP wisdom/advice? 🙂

dagon

else if (!in_array($ip,$banned_ip)) {

smirkingdude

Dagon,

when I entered properly on the online form, it tells me "mail not being sent".
I looked at the PHP code. I dont see why I get ended up with that message. I don't enter any words listed as part of the "bad string" array.

here's the whole code:

<?php

  session_start();
   if(($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code'])) ) {
      // Insert your code for processing the form here, e.g emailing the submission, entering it into a database. 

  $name = $_POST['name'];
  $address1 = $_POST['address1'];
  $address2 = $_POST['address2'];
  $city = $_POST['city'];
  $state = $_POST['state'];
  $zipcode = $_POST['zipcode'];
  $phone = $_POST['phone'];
  $email = $_POST['email'];
  $message = $_POST['message'];
  $ip = $_SERVER['X_FORWARDED_FOR'] ? $_SERVER['X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
  $banned_ip = array('195.99.99.99','137.11.11.11');

function is_valid_email($email) {
  return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
}

function contains_bad_str($str_to_test) {
  $bad_strings = array(
                "content-type:"
                ,"mime-version:"
                ,"multipart/mixed"
				,"Content-Transfer-Encoding:"
                ,"bcc:"
				,"cc:"
				,"to:"
				,"fopen"
				,"i="
				,"$"
				,"upload"
				,"file_get_contents"
				,"fwrite"
				,"fclose"
				,"unlink"
				,"delete"
  );

  foreach($bad_strings as $bad_string) {
    if(eregi($bad_string, strtolower($str_to_test))) {
      echo "mail not being sent.";
      exit;
    }
  }
}

function contains_newlines($str_to_test) {
   if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
     echo "mail not being sent.";
     exit;
   }
} 

if($_SERVER['REQUEST_METHOD'] != "POST"){
   echo("Unauthorized attempt to access page.");
   exit;
}

if (!is_valid_email($email)) {
  header( "Cache-Control: no-cache" );
  header( "Location: http://www.wordandworshipchurch.org/error.html" );
  exit;
}

contains_bad_str($name);
contains_bad_str($address1);
contains_bad_str($address2);
contains_bad_str($city);
contains_bad_str($state);
contains_bad_str($zipcode);
contains_bad_str($phone);
contains_bad_str($email);
contains_bad_str($message);

contains_newlines($name);
contains_newlines($address1);
contains_newlines($address2);
contains_newlines($city);
contains_newlines($state);
contains_newlines($zipcode);
contains_newlines($phone);
contains_newlines($email);
contains_newlines($message);

  if (!isset($_POST['name'],$_POST['address1'],$_POST['address2'],$_POST['city'],$_POST['state'],$_POST['zipcode'],$_POST['phone'],$_POST['email'],$_POST['message'])) {
  	header( "Cache-Control: no-cache" );
    header( "Location: http://www.wordandworshipchurch.org/contactus.html" );
  }
  elseif (empty($name) || empty($address1) || empty($city) || empty($state) || empty($zipcode) || empty($phone) || empty($email) || empty($message)) {
  	header( "Cache-Control: no-cache" );
    header( "Location: http://www.wordandworshipchurch.org/error.html" );
  }
  else if (!in_array($ip,$banned_ip)) {
    mail( "jgalofre96@hotmail.com", "Contact Form Results",
      " Name: $name \n Address 1: $address1 \n Address 2: $address2 \n City: $city \n State: $state \n Zip Code: $zipcode \n Phone: $phone \n Email: $email \n Message: $message \n IP Address: $ip"); 
	header( "Cache-Control: no-cache" ); 
    header( "Location: http://www.wordandworshipchurch.org/thankyou.html" ); 
  }

  unset($_SESSION['security_code']);
   } else {
      // Insert your code for showing an error message here
	  header( "Cache-Control: no-cache" );
      header( "Location: http://www.wordandworshipchurch.org/error.html" );
   }
?>

also..is there any security hole(s) yet to be plugged in with this PHP code? if yes, how to plug in with PHP security?

dagon

you shouldn't be checking for new lines in $message, it may well have them.

you could remove the whole block starting with "contains_bad_str($name); " if you don't get any errors ad them back one at time testing it, same with bad word array remove all add them back one at a time.

smirkingdude

new lines check and bad words check comes from this article.

I've trimmed the bad string array down and tested it..it worked.

function contains_bad_str($str_to_test) {
  $bad_strings = array(
                "content-type:"
                ,"mime-version:"
                ,"multipart/mixed"
				,"Content-Transfer-Encoding:"
                ,"bcc:"
				,"cc:"
				,"to:"

  );

since $message may well contain new lines. how to close the exploitable hole on $message? (as I've taken away $message from new line check)

smirkingdude

So far... here's the latest "bad string check" which works fine... 🙂

// Bad String check
function contains_bad_str($str_to_test) {
  $bad_strings = array(
                              "content-type:"
                              ,"mime-version:"
                               ,"multipart/mixed"
		                ,"Content-Transfer-Encoding:"
                               ,"bcc:"
				,"cc:"
				,"to:"
				,"fopen"
				,"unlink"
				,"i="
				,"file_get_contents"
				,"rm *"
  );

any possible security hole with this bad string check?

smirkingdude

dagon wrote:

else if (!in_array($ip,$banned_ip)) {

Thanks for pointing out my syntax error 😃

smirkingdude

Dagon,

you still out there?

dagon

smirkingdude wrote:
Dagon,

you still out there?

yes.:eek:

smirkingdude

smirkingdude wrote:

So far... here's the latest "bad string check" which works fine... 🙂

// Bad String check
function contains_bad_str($str_to_test) {
  $bad_strings = array(
                              "content-type:"
                              ,"mime-version:"
                               ,"multipart/mixed"
		                ,"Content-Transfer-Encoding:"
                               ,"bcc:"
				,"cc:"
				,"to:"
				,"fopen"
				,"unlink"
				,"i="
				,"file_get_contents"
				,"rm *"
  );

any possible security hole with this bad string check?

I wonder..any security hole(s) with this "bad string check" ?

By the way, I wonder why this PHP script keeps sending me to a page with "mail not sent" statement even when I entered valid & real email addresses?!? 😕

here's the PHP code:

<?php

  session_start();
   if(($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code'])) ) {
      // Insert your code for processing the form here, e.g emailing the submission, entering it into a database. 

  // Read the post variables, strip out hacking code, set internal form variables	  

  if (isset($_POST['name'])) $name=stripslashes(htmlspecialchars(strip_tags(trim($_POST['name']))));
  if (isset($_POST['address1'])) $address1=stripslashes(htmlspecialchars(strip_tags(trim($_POST['address1']))));
  if (isset($_POST['address2'])) $address2=stripslashes(htmlspecialchars(strip_tags(trim($_POST['address2']))));
  if (isset($_POST['city'])) $city=stripslashes(htmlspecialchars(strip_tags(trim($_POST['city']))));
  if (isset($_POST['state'])) $state=stripslashes(htmlspecialchars(strip_tags(trim($_POST['state']))));
  if (isset($_POST['zipcode'])) $zipcode=stripslashes(htmlspecialchars(strip_tags(trim($_POST['zipcode']))));
  if (isset($_POST['phone'])) $phone=stripslashes(htmlspecialchars(strip_tags(trim($_POST['phone']))));
  if (isset($_POST['email'])) $email=stripslashes(htmlspecialchars(strip_tags(trim($_POST['email']))));
  if (isset($_POST['message'])) $message=stripslashes(htmlspecialchars(strip_tags(trim($_POST['message']))));

  // Gets the ip address 
  $ip = $_SERVER['X_FORWARDED_FOR'] ? $_SERVER['X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

  // this is the blacklist of banned ip addresses
  $banned_ip = array('195.99.99.99','137.11.11.11');

  //email blocker start - to block from emails. add more as shown with x's
  if ($email=="fake@fake.com" or $email=="addmore@here.com"){
        error("<p>Not Sent: You are not authorized.</p><p>xxxxxxxxxxx</p>");
    }

// Bad String check
function contains_bad_str($str_to_test) {
  $bad_strings = array(
                                "content-type:"
                                ,"mime-version:"
                                ,"multipart/mixed"
				,"Content-Transfer-Encoding:"
                                ,"bcc:"
				,"cc:"
				,"to:"
				,"fopen"
				,"unlink"
				,"i="
				,"file_get_contents"
				,"rm *"
				,"phpinfo"
				,"href"
  );

  foreach($bad_strings as $bad_string) {
    if(eregi($bad_string, strtolower($str_to_test))) {
      echo "mail not being sent.";
      exit;
    }
  }
}

// New lines check
function contains_newlines($str_to_test) {
   if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
     echo "mail not being sent.";
     exit;
   }
} 

contains_bad_str($name);
contains_bad_str($address1);
contains_bad_str($address2);
contains_bad_str($city);
contains_bad_str($state);
contains_bad_str($zipcode);
contains_bad_str($phone);
contains_bad_str($email);
contains_bad_str($message);

contains_newlines($name);
contains_newlines($address1);
contains_newlines($address2);
contains_newlines($city);
contains_newlines($state);
contains_newlines($zipcode);
contains_newlines($phone);
contains_newlines($email);

// Email validation
function is_valid_email($email) {
  return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
}
if (!is_valid_email($email)) {
  header( "Cache-Control: no-cache" );
  header( "Location: http://www.wordandworshipchurch.org/error.html" );
  exit;
}

//Deny access if use any method other than POST
if($_SERVER['REQUEST_METHOD'] != "POST"){
   echo("Unauthorized attempt to access page.");
   exit;
}

  if (!isset($_POST['name'],$_POST['address1'],$_POST['address2'],$_POST['city'],$_POST['state'],$_POST['zipcode'],$_POST['phone'],$_POST['email'],$_POST['message'])) {
  	header( "Cache-Control: no-cache" );
    header( "Location: http://www.wordandworshipchurch.org/contactus.html" );
  }
  elseif (empty($name) || empty($address1) || empty($city) || empty($state) || empty($zipcode) || empty($phone) || empty($email) || empty($message)) {
  	header( "Cache-Control: no-cache" );
    header( "Location: http://www.wordandworshipchurch.org/error.html" );
  }
  else if (!in_array($ip,$banned_ip)) {
    mail( "jgalofre96@hotmail.com", "Contact Form Results",
      " Name: $name \n Address 1: $address1 \n Address 2: $address2 \n City: $city \n State: $state \n Zip Code: $zipcode \n Phone: $phone \n Email: $email \n IP Address: $ip \n Message: $message"); 
	header( "Cache-Control: no-cache" ); 
    header( "Location: http://www.wordandworshipchurch.org/thankyou.html" ); 
  }

  unset($_SESSION['security_code']);
   } else {
      // Insert your code for showing an error message here
	  header( "Cache-Control: no-cache" );
      header( "Location: http://www.wordandworshipchurch.org/error.html" );
   }
?>

Kindly point me in right direction, please?

Nile

Mail not sent or mail not being sent?

smirkingdude

Here's the PHP parts that may cause the "mail not being sent" statement:


// Bad String check
function contains_bad_str($str_to_test) {
  $bad_strings = array(
                                "content-type:"
                                ,"mime-version:"
                                ,"multipart/mixed"
				,"Content-Transfer-Encoding:"
                                ,"bcc:"
				,"cc:"
				,"to:"
				,"fopen"
				,"unlink"
				,"i="
				,"file_get_contents"
				,"rm *"
				,"phpinfo"
				,"href"
  );

  foreach($bad_strings as $bad_string) {
    if(eregi($bad_string, strtolower($str_to_test))) {
      echo "mail not being sent.";
      exit;
    }
  }
}

// New lines check
function contains_newlines($str_to_test) {
   if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
     echo "mail not being sent.";
     exit;
   }
} 

contains_bad_str($name);
contains_bad_str($address1);
contains_bad_str($address2);
contains_bad_str($city);
contains_bad_str($state);
contains_bad_str($zipcode);
contains_bad_str($phone);
contains_bad_str($email);
contains_bad_str($message);

contains_newlines($name);
contains_newlines($address1);
contains_newlines($address2);
contains_newlines($city);
contains_newlines($state);
contains_newlines($zipcode);
contains_newlines($phone);
contains_newlines($email);

Am I missing something? 😕

dagon

there is such a thing as overkill, by blocking so much you easily exclude legit emails, some times its best to block the least amount and live with the odd spam over losing wanted emails.

smirkingdude

Dagon,

Yeah but not wanting to get hacked. There's one saying often being said: Better be safe than be sorry.