Hacker proof form processor

mrgrammar

I'm trying to create a form processing script that is hacker/spammer proof. Below are the steps that I'm using. Please provide comments about how it might be hacked and how I can improve it.

At the beginning of the script,

$sendit=0;
$fakesend=0;
The recipient and subject line is specified in the script, not on the form.

The script checks the required fields to make sure that they are filled out. If a required field is not filled out, the user must go back and fill it in.
The script checks to make sure the form is POSTed.

if (strtoupper($_SERVER['REQUEST_METHOD']) != "POST") {
	$sendit = 1;
	$errormsg .= "Only POST method is allowed.<br>";
}

The script checks to make sure there was data in the form.

if (!strlen($HTTP_POST_VARS)) {
	$sendit = 1;
	$errormsg .= "No data was provided.<br>";
}

The script checks to make sure the submitter's email address is valid.

$pattern = "^([._a-z0-9-]+)@[a-z0-9-]+(\.[a-z0-9-]{2,})+$";
if(eregi($pattern,$_POST['Email'],$matches)){
	$sendit = 0;
}else{
	$sendit = 1;
	$errormsg .= "Email address you submitted is invalid.<br>";
}

The script checks each field's data against a known list of spam words (mostly drugs, casinos, etc.). If an input contains a word that is a spam word,
$fakesend = 1.
The form checks to see if /r, /n, MIME-Version, or the domain name of the site was used in the form inputs.

if (eregi("\r",$name) || eregi("\n",$name) || eregi("MIME-Version:",$name) || eregi($emailsuffix,$name)){
	$sendit = 1;
}

If $sendit = 1, the form displays an error to the user and what caused the error. If $sendit = 0, the script continues.
The message body is created.

$thebody .= htmlspecialchars(urldecode($key)).": ".htmlspecialchars(urldecode($value))."\n";

If $fakesend=1, the script sends the user to the thank you page without sending out an email. If $fakesend=0, the script sends the email to the recipient and sends the user to the thank you page.

$hd = "From: ".$esend1."\r\n";
$hd .= "Reply-To: ".$esend1."\r\n";
$hd .= "Return-Path: ".$esend1."\r\n";
$hd .= "CC: \r\n";
$hd .= "BCC: \r\n";

if($fakesend == 0){
	$emailsuccess = mail($erec1, $esub1, $ebod1, $hd);
}

header("Location: $thankpg");

jkurrle

You might want to consider also using strip_tags() and trim()

laserlight

I believe it should be safe to check for the existence of the relevant elements of $POST instead of using $REQUEST and then checking of the form was submitted via the post method. You should do this by using [man]isset[/man] or [man]empty/man, not by using strlen() unless you are also checking if a certain user input was of a required length. Using it on an array like $HTTP_POST_VARS is wrong, and using $HTTP_POST_VARS is wrong as now you should use $_POST.

The use of eregi() should be replaced by the use of [man]preg_match/man as the ereg functions are being phased out.

Now, with respect to the "hacker/spammer proof" thing: your idea is to pretend that you are sending out the email when you are not? From what I see, this will not prevent a spammer from continuing to spam with your form. The typical way to prevent that would be to use a CAPTCHA, though bots can be tailored to break some CAPTCHAs.

MarkR

You will definitely want to strip out unwanted line breaks from any email headers (e.g. subject, from) - personally I'd create a wrapper function which checks for unwanted line breaks and use that instead of mail() everywhere in your application.

As far as stopping spammers submitting your form - none of the above will have any effect to do that. Spammers write bots which submit any form they can find, frequently with junk / random / made-up values for the fields. Your validation will probably pass on them at least some of them - they're mostly fishing for vulnerable forms.

If you want robots not to submit your form, use a captcha. If it doesn't matter too much if robots submit your form, let them anyway but provide a way of easily cleaning up any junk created by them (and ensure that it can't be used to send email spam).

Mark