I'm creating a Tell-a-Friend script from a php contact form I've used in the past. An important element of the form is that it checks the validity of the sender's email domain to reduce SPAM. I've used this form with great success in the past as a simple contact form, but the alterations I've made to change it to a Tell-a-Friend form have somehow ceased the validation of the sender's domain. If I use the following code with a fake email, the form still sends the message.
Would anyone have any ideas as to why this isn't working and how I could alter the code to prevent the email from sending if the email's domain does not exist? Thank you for any assistance.
-Deanna
My form code:
Code:
<form name="tellafriend" action="http://www.mysite.com/tellafriend" method="post">
<table>
<tr>
<td>Your Name:</td>
<td><input size="30" name="name" type="text" maxlength="45"/></td>
</tr>
<tr>
<td>Your Email:</td>
<td><input size="30" name="email" type="text" maxlength="45"/></td>
</tr>
<tr>
<td>Friend's Email: </td>
<td><input size="30" name="friendemail" type="text" /></td>
</tr>
</table>
<p><input type="submit" name="Submit" value="Send Tour Link" /></p>
</form>
Code:
<?php
function myCheckDNSRR($hostName, $recType = '')
{
    if (!empty($hostName)) {
        if ($recType == '') $recType = "MX";
        // Quote both arguments so a crafted address cannot inject shell commands
        exec("nslookup -type=" . escapeshellarg($recType) . " " . escapeshellarg($hostName), $result);
        // check each line to find the one that starts with the host
        // name. If it exists then the function succeeded.
        foreach ($result as $line) {
            if (preg_match('/^' . preg_quote($hostName, '/') . '/i', $line)) {
                return true;
            }
        }
        // otherwise there was no mail handler for the domain
        return false;
    }
    return false;
}

/**
 * Check single-line inputs:
 * Returns false if text contains newline character
 */
function has_no_newlines($text)
{
    return preg_match("/(%0A|%0D|\\n+|\\r+)/i", $text) == 0;
}

/**
 * Check multi-line inputs:
 * Returns false if text contains newline followed by
 * email-header specific string
 */
function has_no_emailheaders($text)
{
    return preg_match("/(%0A|%0D|\\n+|\\r+)(content-type:|to:|cc:|bcc:)/i", $text) == 0;
}

//Required Fields:
if (!empty($_POST['name']) && !empty($_POST['email']) && !empty($_POST['friendemail'])) {
    //This mail.php is Email Injection Safe, and attacks Spam
    //$to = $_POST['to'];//
    $name = $_POST['name'];
    $email = $_POST['email'];
    $friendemail = $_POST['friendemail'];
    $agency = $_POST['agency'];
    $tourlink = $_POST['tourlink'];
    $returnlink = $_POST['returnlink'];
    //Intercept illegal usage of this mail.php
    //if (strcmp($to,$realTo) != 0) { die("Invalid To: Email Address"); }//
    //Intercept possible injections (CR, LF or ":" in the sender address)
    if (preg_match("/[\r\n:]/", $email)) { die("Invalid From: Email Address (possible injection)"); }
    if (!( has_no_newlines($email) && has_no_emailheaders($email) )) { die("Invalid From: Email Address (possible injection)"); }
    //The recipient address is passed to mail() as well, so apply the same header checks to it
    if (!( has_no_newlines($friendemail) && has_no_emailheaders($friendemail) )) { die("Invalid To: Email Address (possible injection)"); }
    //Block people using this Domain name as their email address
    if (stripos($email, "mysite.com") !== false) { die("Invalid From: Email Address (try using your own domain)"); }
    //Block message containing http
    if (stripos($name, 'http:') !== false) { die("Links are not allowed to reduce SPAM. Please remove any links from your message and try again."); }
    //We can check if the domain is REAL
    if (substr_count($email, "@") != 1) { die("Invalid From: Email Address"); }
    list($username, $maildomain) = explode("@", $email, 2);
    if (PHP_OS == "WINNT") {
        if (!myCheckDNSRR($maildomain)) { die("<h2>Error: $maildomain is not a valid email.</h2>"); }
    } else {
        if (!checkdnsrr($maildomain, "MX")) { die("<h2>Error: $maildomain is not a valid email.</h2>"); }
    }
    $headers = "From: " . $email . "\nReply-To: " . $email . "\nReturn-Path: " . $email;
    $subject = $name;
    $message = $name;
    $sent = mail($friendemail, $subject, $message, $headers);
    if ($sent) {
        header("Location: http://mysite.com");
        exit;
    } else {
        echo "<h2>Error: Your message was not sent.</h2>";
    }
} else {
    echo "<h2>Oops!</h2><p>You haven't filled out all of the required fields.</p>";
}
?>
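As an added example (not code from the post above), here is a stand-alone sender-address check that a script like this could call before building the headers for mail(). It assumes PHP 5.3 or newer, where checkdnsrr() also exists on Windows, and the function names sender_address_problem and sender_headers are my own.

```php
<?php
/**
 * Validate a sender address: header-injection characters, syntax, and a
 * domain that can receive mail (an MX record, falling back to an A record,
 * which is what SMTP senders do when no MX exists).
 * Returns null when the address is acceptable, otherwise a short reason.
 *
 * Note: a DNS check only proves the DOMAIN accepts mail. Any made-up local
 * part at a real domain (nobody@example.com) will still pass, which is one
 * reason a "fake" address can get through a domain-only check.
 */
function sender_address_problem($email)
{
    // Raw or URL-encoded CR/LF would let a sender append extra headers
    // (for example Bcc:) once the address is placed in the From: line.
    if (preg_match('/(%0A|%0D|\r|\n)/i', $email)) {
        return 'contains newline characters';
    }
    // filter_var enforces the address syntax and rejects a missing "@".
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'malformed address';
    }
    // Split on the LAST "@": a quoted local part may itself contain "@".
    $domain = strtolower(substr(strrchr($email, '@'), 1));
    if (!checkdnsrr($domain, 'MX') && !checkdnsrr($domain, 'A')) {
        return "domain $domain has no MX or A record";
    }
    return null;
}

/**
 * Build the sender headers only after validation has passed, using CRLF,
 * the line ending mail() expects between additional headers.
 */
function sender_headers($email)
{
    $problem = sender_address_problem($email);
    if ($problem !== null) {
        throw new InvalidArgumentException("Invalid sender: $problem");
    }
    return "From: $email\r\nReply-To: $email";
}

// How the Tell-a-Friend script would use it, just before calling mail():
// $headers = sender_headers($_POST['email']);
```

The recipient field (friendemail) deserves the same newline check, since it is handed to mail() as the To: address.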