Some people in this forum were nice enough to fix my script. I have a contact form in Flash and I used a PHP script to send. The individuals who helped indicated that my script may be vulnerable to spam. I was hoping to validate in Flash also.
Can anyone help me prevent this script from being spammed?
Check this thread viewtopic.php?t=42190 about email injection. My personal conclusion was 1) validate all data the best you can 2) as a defense in depth measure use the ctype_print() function to check for any newlines.
It's really worth it to study/learn more about input validation in general and email injection specifically. Search for "input validation" on the security forum, check the regex tutorials in the regex forum, read some tutorials and articles about the subject (for example http://phpsec.org/projects/guide/, etc.). Here's my attempt to "secure" your contact form:
<?php
if (isset($_POST['submit'])) {
    $clean = array();

    // validate email with basic pattern
    // from PHP architect jan 2006
    $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
    if (isset($_POST['email']) && preg_match($email_pattern, $_POST['email']))
    {
        $clean['email'] = $_POST['email'];
    }

    // validate strings
    // from PHP architect september 2005
    $string_pattern = '/^[-A-Z0-9\.\'"_ ]*$/i';
    if (isset($_POST['name']) && preg_match($string_pattern, $_POST['name']))
    {
        $clean['name'] = $_POST['name'];
    }

    /*
    add validation for the other fields body and phone, like above ...
    you can also check for input length of the fields
    */

    // inspect the data specifically for newlines and carriage returns
    // maybe too much according to some but as a defense in depth cannot harm
    // http://forums.devnetwork.net/viewtopic.php?t=42190
    // both keys only exist if the field passed validation above, so check
    // that first to avoid an undefined index notice
    if (isset($clean['email'], $clean['name'])
        && ctype_print($clean['email']) && ctype_print($clean['name']))
    {
        /* The email seems valid and contains no newlines or carriage returns. */
        echo 'All data is clean!!';
        /* or to mail uncomment following (body and phone must be validated into $clean first)
        $sendTo = "mhaynes@blahblah.com";
        $subject = "Website Reply";
        $headers = "From: " . $clean['name'] ." <" . $clean['email'] .">\r\n";
        $headers .= "Reply-To: " . $clean['email'] . "\r\n";
        $headers .= "Return-path: " . $clean['email'] . "\r\n";
        $message = $clean['body'] . "\r\n Phone: " . $clean['phone'];
        mail($sendTo, $subject, $message, $headers);
        */
    }
    else
    {
        echo 'Bad data';
    }
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled</title>
</head>
<body>
<form action="contact.php" method="post">
Name: <input type="text" name="name" value="<?php echo (isset($_POST['name'])) ? htmlentities($_POST['name']) : ""; ?>"><BR>
Email: <input type="text" name="email" value="<?php echo (isset($_POST['email'])) ? htmlentities($_POST['email']) : ""; ?>"><BR>
Comments:<BR>
<textarea name="body"><?php echo (isset($_POST['body'])) ? htmlentities($_POST['body']) : ""; ?></textarea><BR>
<input type="submit" value="Submit" name="submit">
</form>
</body>
</html>
but please try to study the subject yourself. Nothing is as insecure as trusting some answer on some forum by someone who could have made a silly mistake ... (ahum, that's my disclaimer
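The same validate-then-check-for-newlines approach packaged as a reusable function, with constructed inputs showing an honest submission and one carrying an injected header. This is an added example, not the poster's script; the length limits and function names are assumptions, and filter_var() needs PHP 5.2 or later.

```php
<?php
// Added example, not the forum poster's script: validate each field positively,
// then apply a defence-in-depth CRLF check to anything that reaches a mail() header.
// Field names match the form above; length limits and function names are assumed.

// True if $value could start a new header line inside a mail() header:
// a raw carriage return, line feed or NUL byte.
function contains_header_injection($value)
{
    return !is_string($value) || preg_match('/[\r\n\0]/', $value) === 1;
}

// Validate the raw POST array. Returns a $clean array on success, or null as
// soon as any field fails, so nothing unvalidated is ever copied across.
function clean_contact_form(array $post)
{
    $email = isset($post['email']) ? $post['email'] : '';
    $name  = isset($post['name'])  ? $post['name']  : '';
    $body  = isset($post['body'])  ? $post['body']  : '';

    // Positive validation first: each field must match its expected shape.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (strlen($name) > 100 || !preg_match('/^[-A-Z0-9\.\'"_ ]+$/i', $name)) {
        return null;
    }
    if (strlen($body) > 4000 || trim($body) === '') {
        return null;
    }
    // Defence in depth: values that end up in headers (From, Reply-To) must be a
    // single printable line. Note that PCRE's "$" also matches before a trailing
    // newline, so the name regex alone would accept "Jane Doe\n"; ctype_print() does not.
    // The body is message text, not a header, so it may contain newlines.
    foreach (array($email, $name) as $header_value) {
        if (contains_header_injection($header_value) || !ctype_print($header_value)) {
            return null;
        }
    }
    return array('email' => $email, 'name' => $name, 'body' => $body);
}

// Constructed inputs: an honest submission, and a copy whose email field carries
// an embedded CRLF plus an extra header line (the email injection the thread discusses).
$honest   = array('name' => 'Jane Doe', 'email' => 'jane@example.com', 'body' => "Hello\nthere");
$injected = $honest;
$injected['email'] = "jane@example.com\r\nBcc: other@example.net";

var_dump(clean_contact_form($honest) !== null);
var_dump(clean_contact_form($injected) === null);
```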