
Secure mail form (avoiding spammers)

Posted: Mon Nov 07, 2005 4:39 am
by guarriman
Hi.

I want to create a simple web form in order to allow visitors to send me their comments via
email. I created this code:

<?php
// $email, $name and $text are the visitor-supplied form fields (e.g. from $_POST).
$to = "mybox@mydomain.com";
$subject = "Comments from the web";
$body = "Comments:\n";
$body = $body . "----------------------- \n";
$body = $body . $email . "\n";
$body = $body . "----------------------- \n";
$body = $body . $name . "\n";
$body = $body . "----------------------- \n";
$body = $body . $text . "\n";
// The visitor's address is placed directly into a mail header.
$headers = "From: $email";
mail($to,$subject,$body,$headers);

'$email' is the email address of the visitor, '$name' is their name, and '$text'
is the contents of the comments.

But I found out that some spammers used this form to send spam. I didn't filter the
contents at all, and it was suggested to me that they were using script injection within
the form.

Do you know any more-secure web form for sending emails? Thank you very much.

Posted: Mon Nov 07, 2005 5:45 am
by jayshields
Well, on a side note, you don't need to use $body = $body . "whatever"; each time. Just use $body .= "whatever";

Anyway, you would have to make some sort of cookie that gets created on the user's system when they send an email, put the current time in the cookie and look at it each time they send an email from your website; if something like 10 minutes hasn't gone by since the time in the cookie, don't let them send the email.

I've never bothered integrating spam protection into my email forms, but I reckon if I tried it I would probably do something like the above.

Posted: Mon Nov 07, 2005 7:36 am
by feyd
With $email you're leaving a giant hole a spammer can exploit. I'd suggest using an email address validation regex (Roja has posted his standards-compliant one many times) at the very least to ensure that it hasn't been tampered with.

I'd also suggest, at least for a while, saving the emails the script will send into a database so you can review how your script is being used.
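The hardened handler the replies describe (validate $email, keep visitor input out of the From: header, and log every submission for review), written up here as an added PHP example; it is not code from the thread or from any of its posters. It assumes the HTML form posts fields named email, name and text, that noreply@mydomain.com is a placeholder sender address on your own domain, and that a flat file comment-log.txt stands in for the database table feyd suggested. The reason the original script was abusable is that mail() copies $headers into the message header block as-is, so a line break inside the submitted address turns the rest of the field into additional headers; the fix is to reject anything that is not a single valid address and to stop putting visitor data in From: at all.

```php
<?php
// Added example, not from the thread. Hardened version of the comment-form handler.
// Assumptions (not in the original post): the form posts "email", "name" and "text";
// noreply@mydomain.com is a placeholder sender on your domain; comment-log.txt
// stands in for the review database feyd proposed.

const MAIL_TO      = 'mybox@mydomain.com';
const MAIL_FROM    = 'Web comments <noreply@mydomain.com>';
const MAIL_SUBJECT = 'Comments from the web';
const LOG_FILE     = __DIR__ . '/comment-log.txt';

// mail() writes $headers into the message header block verbatim, so any CR, LF
// or NUL in a header-bound value lets the sender start a new header line.
function contains_line_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Pull the three expected fields out of the POST array as trimmed strings;
// anything missing or not a string becomes an empty string and fails validation.
function normalize_fields(array $post): array
{
    $fields = [];
    foreach (['email', 'name', 'text'] as $key) {
        $value = $post[$key] ?? '';
        $fields[$key] = is_string($value) ? trim($value) : '';
    }
    return $fields;
}

// Returns a list of problems; an empty list means the submission is acceptable.
function validate_fields(array $f): array
{
    $errors = [];
    // FILTER_VALIDATE_EMAIL is the standards-based check feyd asked for: it
    // accepts exactly one address and rejects whitespace and line breaks.
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }
    // The name only goes in the body here, but refuse line breaks anyway so it
    // can never be promoted into a header by a later edit.
    if ($f['name'] === '' || strlen($f['name']) > 100 || contains_line_break($f['name'])) {
        $errors[] = 'name is missing, too long or contains line breaks';
    }
    if ($f['text'] === '' || strlen($f['text']) > 5000) {
        $errors[] = 'comment is missing or too long';
    }
    return $errors;
}

// Build the message. From: is a constant the visitor cannot influence; their
// address goes in Reply-To so replying still reaches them.
function build_comment_mail(array $f): array
{
    $headers = 'From: ' . MAIL_FROM . "\r\n"
             . 'Reply-To: ' . $f['email'] . "\r\n"
             . 'X-Mailer: PHP/' . PHP_VERSION;

    $body = "Comments:\n"
          . "----------------------- \n"
          . $f['email'] . "\n"
          . "----------------------- \n"
          . $f['name'] . "\n"
          . "----------------------- \n"
          . $f['text'] . "\n";

    return ['to' => MAIL_TO, 'subject' => MAIL_SUBJECT, 'body' => $body, 'headers' => $headers];
}

// Handle one submission. Returns true only if the message was handed to mail().
function handle_comment_submission(array $post, string $remote_ip): bool
{
    $fields = normalize_fields($post);
    $errors = validate_fields($fields);

    // feyd's suggestion: keep a record of every submission, accepted or
    // rejected, so you can review how the form is actually being used.
    $record = [
        'time'   => date('c'),
        'ip'     => $remote_ip,
        'errors' => $errors,
        'email'  => $fields['email'],
        'name'   => $fields['name'],
        'text'   => substr($fields['text'], 0, 500),
    ];
    file_put_contents(LOG_FILE, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);

    if ($errors !== []) {
        return false;
    }
    $m = build_comment_mail($fields);
    return mail($m['to'], $m['subject'], $m['body'], $m['headers']);
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = handle_comment_submission($_POST, $_SERVER['REMOTE_ADDR'] ?? '');
    echo $ok ? 'Thank you for your comments.' : 'Your message could not be sent.';
}
```

Rejected submissions are logged with the reason but never sent, and the visitor only sees a generic failure message. The log is also where jayshields' rate-limiting idea would hook in on the server side: counting recent entries per IP in that file (or table) is more reliable than a cookie, which the sender controls.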