If you have a simple contact form where you don't really want people sending you html or links then try these forceful methods of rejecting input. Filter your input variables through a function that checks for injection attempts so your mail doesn't get hijacked.
Code:
// eregi() was deprecated in PHP 5.3 and removed in PHP 7; stripos() gives the
// same case-insensitive substring test, so it is used here instead.
function InjectionAttempt($input) // this detects any injection characters in a single-line header field
{
    // $_POST values are already URL-decoded, so the raw CR/LF bytes are checked
    // as well as the literal "%0a"/"%0d" text
    if (stripos($input, "%0a") !== false ||
        stripos($input, "%0d") !== false ||
        strpos($input, "\r") !== false ||
        strpos($input, "\n") !== false ||
        stripos($input, "Content-Type:") !== false ||
        stripos($input, "bcc:") !== false ||
        stripos($input, "to:") !== false ||
        stripos($input, "cc:") !== false)
    {
        return 1; // bastards
    }
    else
    {
        return 0;
    }
}

function InjectionAttempt2($input) // use this for fields that contain return codes and line feeds
{
    // newlines are allowed here, only the header keywords are rejected
    if (stripos($input, "Content-Type:") !== false ||
        stripos($input, "bcc:") !== false ||
        stripos($input, "to:") !== false ||
        stripos($input, "cc:") !== false)
    {
        return 1; // bastards
    }
    else
    {
        return 0;
    }
}
Use InjectionAttempt2 for fields that contain return characters, like a message body. Use InjectionAttempt for anything going into your header fields, like email addresses, subject, etc. If either function returns 1, generate an error message and reload the contact form.
Here are some example calls to the InjectionAttempt functions. Excuse the old-school printf; you can change these to echo.
Code:
if (InjectionAttempt($_POST["Username"]))  { printf("Problem with Name Field<br>"); errormsg(); return; }
if (InjectionAttempt($_POST["UserEmail"])) { printf("Problem with your Email Field<br>"); errormsg(); return; }
if (InjectionAttempt2($_POST["Comments"])) { printf("Problem with Comments<br>"); errormsg(); return; }
if (InjectionAttempt($_POST["Subject"]))   { printf("Problem with the Subject field<br>"); errormsg(); return; }
The errormsg() routine just tells them what cannot be entered (non-alphanumeric characters, and to:, bcc:, cc:, etc.).
Next, for spam that is sent directly to you, just scan the message for links and reject the message.
Code:
if (stristr($comments, "http") !== false) // does http appear in the text?
{
    errormsg2(); // this is a spam attempt. Tell user no links allowed and reload form
    return;
}
errormsg2() just does what the comments say.
Make sure your error messages are verbose, explaining to the user exactly what they did wrong, in case it is a legitimate user who innocently entered to: in the subject or http://visit.my.page in the message body.
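As an added example (not code from the original post), here is a stricter version of the same checks that rejects the raw CR/LF bytes a header injection actually needs, lets PHP's own email validator handle the address field, and keeps the link scan for the body. The function names and the two sample submissions are constructed for this example.

```php
<?php
// Added example, not the original post's code: a stricter InjectionAttempt.
// A header field may never hold a raw CR/LF, which is what lets extra headers
// such as Bcc: be appended. Names and sample input here are constructed.
function headerFieldIsSafe(string $value): bool
{
    // $_POST is already URL-decoded, so test for the real control characters,
    // not only the "%0a"/"%0d" text of the encoded form.
    if (preg_match('/[\r\n\0]/', $value)) {
        return false;
    }
    // A header keyword inside a single-line field is still suspicious.
    return !preg_match('/\b(content-type|bcc|cc|to)\s*:/i', $value);
}
function bodyFieldIsSafe(string $value): bool
{
    // The body legitimately contains newlines; reject only a line that starts
    // with a header-like "Name:" token, or any link.
    if (preg_match('/^\s*(content-type|bcc|cc|to)\s*:/im', $value)) {
        return false;
    }
    return stripos($value, 'http') === false;
}
function validateContactForm(array $post): array
{
    $errors = [];
    foreach (['Username', 'Subject'] as $field) {
        if (!headerFieldIsSafe($post[$field] ?? '')) {
            $errors[] = "Problem with the $field field";
        }
    }
    // FILTER_VALIDATE_EMAIL rejects newlines and anything that is not exactly
    // one address, so it also blocks header injection via the email field.
    if (filter_var($post['UserEmail'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Problem with your Email field';
    }
    if (!bodyFieldIsSafe($post['Comments'] ?? '')) {
        $errors[] = 'Problem with Comments: no links or header lines allowed';
    }
    return $errors;
}
// Constructed sample input: one legitimate submission and one injection attempt.
$clean = ['Username' => 'Alice', 'UserEmail' => 'alice@example.com',
          'Subject' => 'Question', 'Comments' => "Hello,\nhow are you?"];
$bad = ['Username' => 'Bob', 'UserEmail' => "bob@example.com\r\nBcc: c@example.net",
        'Subject' => 'Hi', 'Comments' => 'see http://example.com'];
print_r(validateContactForm($clean));
print_r(validateContactForm($bad));
```

The first call returns no errors; the second flags both the email field and the comments, which is where the form would print the verbose message and reload.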