
mail form validation (advice needed)

Posted: Sat Jun 23, 2007 2:22 am
by nita
Hi
I have a small recommendation form, which is expected to collect name, e-mail and message, then send an e-mail and also update a MySQL database.
What is done?
- when fields are empty - ok
- email validation - ok

What I want to do is make sure that no one can use
my form to spam, and also that I will not get spam either.

And to apply basic formatting of e-mail and MySQL input.

And the last, most important issue is my so-called captcha.
As you will see in the script, the form is called several times (if there is an error). So when my form is displayed again, the captcha image is not changing, it is not refreshing each time the form is called, but $thevalue is refreshing, and then $yourcode (re-typed) is not equal to $thevalue1.

I need some advice on this topic... please.

thanks a lot in advance

nita

My code so far:


<?php
// PHP_SELF safely! Only the script's own filename is placed in the form action.
$php_self = basename(htmlentities($_SERVER['PHP_SELF']));

// Image: draw a 5-character code and save it to inc/verify.jpeg.
$im = ImageCreate(60, 20);                       // create a 60x20 image
$white = ImageColorAllocate($im, 0, 0, 0);       // text colour (allocated as black despite the name)
$black = ImageColorAllocate($im, 120, 200, 68);  // background colour (allocated as green despite the name)
$md5 = md5(microtime(true) * mktime());          // pseudo-random source for the code
$string = substr($md5, 0, 5);
$verification = $string;
$thevalue = $string;                             // the code the visitor has to re-type
ImageFill($im, 0, 0, $black);
ImageString($im, 4, 10, 3, $thevalue, $white);
Imagejpeg($im, "inc/verify.jpeg");               // same filename on every request, so a browser may keep showing a cached copy
ImageDestroy($im);

// This is the recommendation form. The expected code is sent to the browser in the
// hidden field 'thevalue1', so it is visible to anyone who views the page source.
$form = "
    <table width='100%'  border='0' cellspacing='0' cellpadding='10'>
    <tr>
    <td>

    <form action='".$php_self."' method='post'>
    <table width='444' align='left' class='info4'>
    <tr>
    <td valign='top' align='right'><b>Name:</b></td>
    <td valign='top'>
    <input name='name' size='30'>
    </td>
    </tr>
    <tr>
    <td valign='top' align='right'><b>E-mail:</b></td>
    <td valign='top'>
    <input name='email' size='30'>
    </td>
    </tr>
    <tr>
    <td valign='top' align='right'><b>Recommendation:</b></td>
    <td valign='top'>
    <textarea name='message' rows='10' cols='30'></textarea>
    </td>
    </tr>
    <tr>
    <td>
    <img src='inc/verify.jpeg' border='0'>
    <input type='hidden' value='".$thevalue."' name='thevalue1'>
    </td>
    <td>
    <input type='text' name='yourcode' size='5' maxlength='5'>
    </td>
    </tr>
    <tr>
    <td valign='top' align='right'></td>
    <td valign='top' align='left'>
    <input class='button1' type='submit' value='Send' name='submitreco'>
    <input class='button1' type='reset' value='Reset' name='reset'>
    </td>
    </tr>
    </table>
    </form>
    </td>
    </tr>
    </table><br>";

// E-mail syntax check. Originally written with ereg(), which later PHP versions
// removed; the same patterns are used here with preg_match().
function check_email($email) {
    // check that there's one @ symbol, and that the lengths are right
    if (!preg_match("/^[^@]{1,64}@[^@]{1,255}$/", $email)) {
        return false;
    }

    // Split it into sections to make life easier
    $email_array = explode("@", $email);
    $local_array = explode(".", $email_array[0]);
    for ($i = 0; $i < sizeof($local_array); $i++) {
        if (!preg_match("/^(([A-Za-z0-9!#$%&'*+\/=?^_`{|}~-][A-Za-z0-9!#$%&'*+\/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$/", $local_array[$i])) {
            return false;
        }
    }

    if (!preg_match("/^\[?[0-9\.]+\]?$/", $email_array[1])) {
        // Check if domain is IP. If not, it should be a valid domain name
        $domain_array = explode(".", $email_array[1]);
        if (sizeof($domain_array) < 2) {
            return false; // Not enough parts to domain
        }
        for ($i = 0; $i < sizeof($domain_array); $i++) {
            if (!preg_match("/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/", $domain_array[$i])) {
                return false;
            }
        }
    }
    return true;
}

if (isset($_POST['submitreco'])) {
    $yourcode  = $_POST['yourcode'];
    $thevalue1 = $_POST['thevalue1'];   // expected code, read back from the hidden field
    $myemail   = "aaa@bbb.com";
    $name      = $_POST['name'];
    $email     = $_POST['email'];
    $message   = $_POST['message'];

    // check if any of the fields are empty
    if ($name == "" or $message == "" or $email == "") {
        echo "Please fill in all fields!";
        echo $form;
    } else {
        $messagehtml = str_replace("\r", '', $message);
        $thanks = "
        <span class='info2'>
        Thank you! Your recommendation has successfully been sent!<br>
        <br></span>";
        $subject = "New Movie Recommendation from '$name'";
        $headers = "From: kris@nita-on-line.com";

        $messagetoemail = "Hi Kris. You received a new movie recommendation.
        Name: $name
        E-mail: $email
        Recommendation: $messagehtml
        ";

        if (check_email($email)) {
            if ($yourcode == $thevalue1) {
                echo $thanks;
                mail($myemail, $subject, $messagetoemail, $headers);
            } else {
                echo "<span class='info2'>
                Your verification code is not right. Please go back and try again.
                </span>";
                echo $form;
            }
        } else {
            echo "Make sure that you fill in your e-mail correctly!";
            echo $form;
        }
    }
} else {
    echo $form;
}



Posted: Sat Jun 23, 2007 6:42 am
by superdezign
Captchas are usually handled by outside classes that deal with generating the value, storing it, displaying it, and making it usable for you to check against.

As for everything else, it's just a matter of checking. We check ALL user-inputted data because you can NEVER assume that they will always follow the rules. Form validation is as simple as a chain of conditions and regex matches. If any of the validation fails, don't accept the information and make them change it.
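The three-part split superdezign describes (generate and store the value, display it, check it), as an added example that is not code from the thread or from nita's script: the expected code is kept in the PHP session instead of in a hidden form field, the image is served by a separate script so a cache-busting query string fetches a fresh one on every display, and the form fields are validated as a chain of conditions. It assumes PHP 7.1 or later with the GD extension; the script name captcha.php and the field limits are assumptions.

```php
<?php
// Added example, not code from the thread: captcha split into generate/store,
// display and check, with the expected code held in the session.
// Assumes PHP 7.1+ with GD; the filename captcha.php is an assumption.
session_start();

// Generate a 5-character code and store it server-side.
function captcha_generate(): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';   // no 0/O or 1/I look-alikes
    $code = '';
    for ($i = 0; $i < 5; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha'] = $code;
    return $code;
}

// Display: emit the stored code as a PNG. Meant to be the whole of captcha.php,
// referenced from the form as <img src='captcha.php?r=...'> where r is a random
// number, so the browser requests a new image every time the form is shown.
function captcha_render(string $code): void
{
    header('Content-Type: image/png');
    header('Cache-Control: no-store');
    $im = imagecreate(80, 25);
    $bg = imagecolorallocate($im, 120, 200, 68);
    $fg = imagecolorallocate($im, 0, 0, 0);
    imagefill($im, 0, 0, $bg);
    imagestring($im, 4, 10, 5, $code, $fg);
    imagepng($im);
    imagedestroy($im);
}

// Check: compare the typed value with the stored one, then forget the stored one
// so a single solved captcha cannot be reused for many submissions.
function captcha_check(string $typed): bool
{
    if (empty($_SESSION['captcha'])) {
        return false;
    }
    $ok = hash_equals($_SESSION['captcha'], strtoupper(trim($typed)));
    unset($_SESSION['captcha']);
    return $ok;
}

// Validation as a chain of conditions: every field is checked and all problems
// are collected so the visitor can fix them in one go. Limits are assumptions.
function validate_form(array $post): array
{
    $errors  = [];
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $message = trim($post['message'] ?? '');

    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'Name is required (max 100 characters).';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'E-mail address is not valid.';
    }
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'Message is required (max 5000 characters).';
    }
    if (!captcha_check($post['yourcode'] ?? '')) {
        $errors[] = 'Verification code is wrong; a new one has been generated.';
    }
    return $errors;
}

// captcha.php: generate a fresh code and send its image.
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'captcha.php') {
    captcha_render(captcha_generate());
    exit;
}

// Form handler: on POST, run the chain; an empty error list means the
// submission may be mailed and stored.
if (isset($_POST['submitreco'])) {
    $errors = validate_form($_POST);
    if ($errors === []) {
        echo 'Thank you! Your recommendation has been sent.';
    } else {
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), '<br>';
        }
        // re-display the form here; its <img src='captcha.php?r=<random>'> loads a new code
    }
}
```

Because captcha_check() discards the stored code whether or not the comparison succeeded, every re-display of the form must load a new image, which the random query string on the img tag guarantees; the code never appears in the HTML, so reading the page source does not reveal it.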

Posted: Sat Jun 23, 2007 5:07 pm
by nita
Thanks superdezign
I did some searching on the net about captcha, know more now and am working on it.

I would like to get some advice on some good standard spamming protection,
so no one can use my form to spam or spam me.
- general protection
- no HTML input
- MySQL injections

And I'm sure there are lots of other issues to work on.

thanks a lot

nita

Posted: Sat Jun 23, 2007 5:16 pm
by superdezign
Yeah, you could ban HTML usage or you could leave it there (so the people who run the bots think you allow it) and whenever you get HTML tags, either write 'POSSIBLY SPAM' in the subject, or just don't send the mail.
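The points nita listed (nobody can use the form to spam, no HTML input, MySQL injection) together with superdezign's "POSSIBLY SPAM" subject line, as an added example that is not code from the thread: it refuses name or e-mail values that contain a line break (the only way a submitter could add extra headers to the message mail() builds), prefixes the subject when the message contains tags, and stores the submission with a prepared statement. The table and column names, the PDO connection, and the in-memory SQLite database standing in for MySQL in the worked run are assumptions; the sample submissions are constructed.

```php
<?php
// Added example, not code from the thread. Assumes PDO; the table
// recommendations(name, email, message) is hypothetical. The worked run uses
// an in-memory SQLite PDO, which accepts the same prepared-statement calls as MySQL.

// mail() builds the message from these strings; a CR or LF inside the From
// address or subject would end the header line early, so refuse any value
// that contains a line break instead of trying to clean it.
function has_line_break(string $s): bool
{
    return preg_match('/[\r\n]/', $s) === 1;
}

// Returns the subject to use, prefixed as superdezign suggests when the message
// contains HTML tags, or null when the submission should be rejected outright.
function build_subject(string $name, string $email, string $message): ?string
{
    if (has_line_break($name) || has_line_break($email)) {
        return null;
    }
    $subject = "New Movie Recommendation from '$name'";
    // strip_tags() removes anything tag-like, so a changed string means tags were present.
    if ($message !== strip_tags($message)) {
        $subject = 'POSSIBLY SPAM: ' . $subject;
    }
    return $subject;
}

// Store the submission with a prepared statement: the values travel separately
// from the SQL text, so quotes or comment markers in $message are stored literally.
function store_recommendation(PDO $db, string $name, string $email, string $message): void
{
    $stmt = $db->prepare(
        'INSERT INTO recommendations (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':message' => $message]);
}

// Escape before echoing anything back, so stored HTML is shown as text, not run.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Worked run on constructed submissions.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE recommendations (name TEXT, email TEXT, message TEXT)');

$samples = [
    ['Ann', 'ann@example.com', "Watch Solaris, it's great"],                      // plain text, apostrophe stored as-is
    ['Bob', 'bob@example.com', "<a href='http://spam.example'>cheap pills</a>"], // tags: flagged in the subject
    ["Eve\nX-Extra: injected", 'eve@example.com', 'hello'],                      // line break in a header field: rejected
];
foreach ($samples as [$name, $email, $message]) {
    $subject = build_subject($name, $email, $message);
    if ($subject === null) {
        echo "rejected: line break in a header field\n";
        continue;
    }
    store_recommendation($db, $name, $email, $message);
    echo "would send '" . h($subject) . "'\n";   // mail() would go here with a fixed From: header
}
echo $db->query('SELECT COUNT(*) FROM recommendations')->fetchColumn(), " rows stored\n";
```

Run from the command line the script stores two rows and rejects the third; the From: header stays a fixed address, as in nita's script, so the submitter never controls a header line.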