Secure mail form (avoiding spammers)

guarriman
Forum Commoner
Posts: 44
Joined: Thu Nov 03, 2005 4:11 am

Post by guarriman »

Hi.

I want to create a simple web form in order to allow visitors to send me their comments via
email. I created this code:

Code:

<?php
// Assumed (not shown in the post): the three visitor-supplied values come
// straight from the submitted form. With register_globals off they would
// be read from $_POST like this.
$email = $_POST['email'];
$name  = $_POST['name'];
$text  = $_POST['text'];

$to = "mybox@mydomain.com";
$subject = "Comments from the web";
$body = "Comments:\n";
$body = $body . "----------------------- \n";
$body = $body . $email . "\n";
$body = $body . "----------------------- \n";
$body = $body . $name . "\n";
$body = $body . "----------------------- \n";
$body = $body . $text . "\n";
// The visitor's address goes unchecked into a header line. A value that
// contains CR/LF can end the From: header and add headers of its own.
$headers = "From: $email";
mail($to,$subject,$body,$headers);

'$email' is the email address of the visitor, '$name' is their name, and '$text'
is the contents of the comments.

But I found out that some spammers used this form to send spam. I didn't do any
filtering of the contents, and it was suggested to me that they were using script
injection within the form.

Do you know any more-secure web form for sending emails? Thank you very much.
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Well, on a side note, you don't need to use $body = $body . "whatever"; each time. Just use $body .= "whatever";

Anyway, you would have to make some sort of cookie that gets created on the user's system when they send an email, put the current time in the cookie and look at it each time they send an email from your website; if something like 10 minutes hasn't gone by since the time in the cookie, don't let them send the email.

I've never bothered integrating spam protection into my email forms, but I reckon if I tried it I would probably do something like the above.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

With $email you're leaving a giant hole a spammer can exploit. I'd suggest using an email address validation regex (Roja has posted his standards-compliant one many times) at the very least to ensure that it hasn't been tampered with.

I'd also suggest, at least for a while, saving the emails the script will send into a database so you can review how your script is being used.
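The following is an added example, not code from the thread or from any of the posters. It shows the mail header injection the replies above are hinting at (a CRLF-separated payload in the "email" field turns "From: $email" into a From: header plus attacker-chosen Bcc: and Subject: headers) next to a hardened handler that rejects such input with filter_var (PHP 5.2 or later), keeps visitor data out of From:, and logs every attempt to a file so usage can be reviewed, as feyd suggests. The field names, the log file location and the spam payload are constructed for the example.

```php
<?php
// Added example: header injection against a mail() form, and a hardened handler.
// Names below ($_POST['email'] etc.) are assumptions, not the original poster's code.
declare(strict_types=1);

// Constructed attacker payload: the "email" field carries CRLF-separated extra
// header lines, so "From: $email" yields three headers instead of one.
$spamPayload = "victim@example.com\r\nBcc: a@example.org, b@example.org\r\nSubject: Buy now";

// True only for a single syntactically valid address with no line breaks or NUL.
function isHeaderSafeEmail(string $email): bool
{
    // CR, LF and NUL are what let an attacker terminate the From: header; reject
    // them before any other check so a "clever" regex cannot let them through.
    if (preg_match('/[\r\n\0]/', $email)) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Builds the mail() arguments, or returns null when the address is unsafe.
function buildMessage(string $email, string $name, string $text): ?array
{
    if (!isHeaderSafeEmail($email)) {
        return null;
    }
    // From: is a fixed server address; the validated visitor address only goes
    // into Reply-To. Free-text fields go into the body, never into headers.
    $headers = "From: webform@mydomain.com\r\n"
             . "Reply-To: " . $email . "\r\n";
    $body = "Comments from the web\n"
          . "Name: " . str_replace(["\r", "\n"], ' ', $name) . "\n"
          . "Email: " . $email . "\n"
          . "-----------------------\n"
          . $text . "\n";
    return ['to' => 'mybox@mydomain.com', 'subject' => 'Comments from the web',
            'body' => $body, 'headers' => $headers];
}

// Append one JSON line per submission so abuse can be reviewed later.
function logAttempt(string $logFile, string $email, bool $accepted): void
{
    $record = ['time' => date('c'), 'ip' => $_SERVER['REMOTE_ADDR'] ?? 'cli',
               'email' => $email, 'accepted' => $accepted];
    file_put_contents($logFile, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);
}

// What the original form would have handed to mail() for the payload: note the
// Bcc: and Subject: lines appearing as separate headers.
echo "Original form's header string for the payload:\n";
echo "From: " . $spamPayload . "\n\n";

$logFile = sys_get_temp_dir() . '/mailform-attempts.log';   // assumed location
foreach ([$spamPayload, 'visitor@example.com'] as $candidate) {
    $msg = buildMessage($candidate, 'Visitor', 'Nice site, thanks.');
    logAttempt($logFile, $candidate, $msg !== null);
    if ($msg === null) {
        echo "REJECTED: " . json_encode($candidate) . "\n";
        continue;
    }
    echo "ACCEPTED, headers sent:\n" . $msg['headers'] . "\n";
    // mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
}
```

Running this from the command line prints the injected Bcc:/Subject: lines for the payload, then REJECTED for it and ACCEPTED with a fixed From: and a Reply-To: for the legitimate address; the mail() call itself is left commented out so the example runs without a mail transport. The log file then contains one line per attempt, which is the kind of record feyd recommends keeping while the form is being abused.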