Hi,
After having my contact form hacked to send spam I have had a go and tried to write a PHP script using bits from different scripts etc. Just wondered if some of you more experienced with PHP (I've only been learning as I go) would take a look at it for me and tell me what you think please?
On the HTML form side I used JavaScript to make sure certain fields are filled and a valid email address is entered before passing the info over to my PHP script.
<?php
// Helper: fetch a POST field without triggering an "undefined index" notice when it is absent
function field($name) {
    return isset($_POST[$name]) ? $_POST[$name] : "";
}

// Check whether the hidden "info" field has been filled (a honeypot: humans never see it, bots fill it)
$spam = field('info');
if ($spam != "") {
    // if so print error message and exit
    echo "Suspected injection attempt - mail not being sent.";
    exit;
}

// check to see whether name, enquiry details and email contain info in case javascript is off
if (empty($_POST['name']) || empty($_POST['enquiry_details']) || empty($_POST['email'])) {
    // here, they have not filled in either their name, email or enquiry details. Set an error.
    header("Location: error.htm");
    exit;
}

// Pick up the form data and assign it to variables.
// This must happen BEFORE the injection checks below; in the original ordering the checks
// ran against variables that had not been assigned yet, so they tested empty strings and passed everything.
$title           = field('title');
$name            = field('name');
$email           = field('email');
$phone           = field('phone');
$address         = field('address');
$heard_from      = field('heard_from');
$heard_other     = field('heard_other');
$style           = field('style');
$enquiry_details = field('enquiry_details');

/* If e-mail is not valid show error message */
// filter_var() replaces the earlier unanchored regex, which accepted any string that merely contained an "@"
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    header("Location: error.htm");
    exit;
}

// check to see whether common injection terms are entered into certain fields
function contains_bad_str($str_to_test) {
    $bad_strings = array(
        "content-type:",
        "mime-version:",
        "multipart/mixed",
        "content-transfer-encoding:",
        "bcc:",
        "cc:",
        "to:"
    );
    // if terms are present, set error and exit.
    // stripos() is a case-insensitive substring search; eregi() is deprecated and was removed in PHP 7.
    // These are plain substrings, so ordinary text such as "due to: ..." also trips the check;
    // the newline test below is the one that actually stops extra headers being added.
    foreach ($bad_strings as $bad_string) {
        if (stripos($str_to_test, $bad_string) !== false) {
            echo "Suspected injection attempt - mail not being sent.";
            exit;
        }
    }
}

// check for newlines: a CR or LF in a value that ends up in a mail header would let the
// sender append extra header lines (Bcc:, To:, ...). %0A and %0D catch the URL-encoded forms.
function contains_newlines($str_to_test) {
    if (preg_match('/(%0A|%0D|\n|\r)/i', $str_to_test) === 1) {
        echo "Suspected injection attempt - mail not being sent.";
        exit;
    }
}

contains_bad_str($title);
contains_bad_str($name);
contains_bad_str($email);
contains_bad_str($phone);
contains_bad_str($address);
contains_bad_str($heard_from);
contains_bad_str($heard_other);
contains_bad_str($style);
contains_bad_str($enquiry_details);
contains_newlines($title);
contains_newlines($name);
contains_newlines($email);
contains_newlines($phone);
contains_newlines($heard_from);
contains_newlines($heard_other);

// Build the email (replace the address in the $to section with your own)
$to = 'me@example.com';
$subject = "Contact form enquiry";
$message = "Title: $title,
Name: $name,
Phone: $phone,
Address: $address,
Heard from: $heard_from,
Heard other: $heard_other,
Style: $style,
Enquiry details: $enquiry_details,";
// $email is the only user-supplied value placed in a header; the newline check above
// is what keeps it to a single "From:" line.
$headers = "From: $email";

// Send the mail using PHP's mail() function; it returns true on success, false otherwise
$sent = mail($to, $subject, $message, $headers);

// Redirect
if ($sent) {
    header("Location: confirmation.htm");
    exit(); // redirect to confirmation page and end php
} else {
    // end php, with a message of failure
    exit("Sorry. Mail was not sent. Go Back, try again");
}
?>
The error page you get directed to just basically says click back on your browser and make sure you have entered your name, email and enquiry details (only using the error page in case people have JavaScript switched off).
I've tested it locally and online (a spare domain I have), and everything seems to work (not sure how I check to see if the code stopping new lines works, any ideas?) - is there anything I need to add to the script? (I am planning on adding a Captcha to my form, but I thought I would make a start on the script first)
Thanks
JC
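The post asks how to confirm that the newline check actually fires. Below is an added example written for this review (it is not JC's script) that lifts the two checks into functions returning a boolean instead of calling exit, and runs them over constructed sample values from the command line, so the logic can be tested without a browser and without sending any mail. The function names `has_bad_string` and `has_newline` and the sample values are assumptions made for the example.

```php
<?php
// Added example, not from the original post: command-line test for the two
// injection checks used by a contact form like the one above. Run: php check_test.php

function has_bad_string($value) {
    // same substring list as the posted script; stripos() is case-insensitive
    $bad_strings = array("content-type:", "mime-version:", "multipart/mixed",
                         "content-transfer-encoding:", "bcc:", "cc:", "to:");
    foreach ($bad_strings as $bad) {
        if (stripos($value, $bad) !== false) {
            return true;
        }
    }
    return false;
}

function has_newline($value) {
    // literal CR / LF, plus the URL-encoded forms %0A / %0D
    return preg_match('/(%0A|%0D|\n|\r)/i', $value) === 1;
}

// Constructed sample inputs (hypothetical): the field value, then whether each check
// is expected to flag it. "\r\n" here is a real CR LF, which is what the script sees
// once PHP has URL-decoded the POST body.
$cases = array(
    array("Jane Smith",                                  false, false),
    array("jane@example.com",                            false, false),
    array("jane@example.com\r\nBcc: other@example.net",  true,  true),
    array("jane@example.com%0ABcc: other@example.net",   true,  true),
    array("Line one\nLine two",                          false, true),
    array("Due to: road works, call after 5",            true,  false), // false positive of the substring list
);

$failures = 0;
foreach ($cases as $case) {
    list($input, $expect_bad, $expect_nl) = $case;
    $got_bad = has_bad_string($input);
    $got_nl  = has_newline($input);
    $ok = ($got_bad === $expect_bad) && ($got_nl === $expect_nl);
    if (!$ok) {
        $failures++;
    }
    // json_encode() prints \r\n visibly instead of breaking the output line
    printf("%-4s bad_string=%-5s newline=%-5s  %s\n",
        $ok ? "ok" : "FAIL",
        $got_bad ? "true" : "false",
        $got_nl  ? "true" : "false",
        json_encode($input));
}
exit($failures === 0 ? 0 : 1);
```

The last case shows why the substring list should not be relied on by itself: a perfectly ordinary enquiry containing "to:" is rejected, while the newline check alone is what prevents a second header line from being smuggled into the From: field. To exercise the live script rather than the functions, the same values can be submitted with a command-line HTTP client such as curl and the response checked for the "Suspected injection attempt" message; a normal browser form field will not let you type a newline, which is why the check is hard to test by hand.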