Is this mail script secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

m85476585
Forum Newbie
Posts: 1
Joined: Sun Nov 12, 2006 10:03 pm


Post by m85476585 »

I created a script to send me email from the contact forms on my site, but I'm not sure how secure it is. I want to make sure that no one can break it through the regular forms, and that no one can POST to it directly. I learned PHP as I was writing this, so I'm sure it's not perfect. The date comes from JavaScript on the first page and is checked on comment.php. The hidden field has CSS display:none, so users don't see it, but spammers do.


<html>
<head>
<title>Mail Sent</title>
</head>
<body>
<?php
// Reject requests whose Referer does not match today's expected form URL.
$ref1 = $_SERVER['HTTP_REFERER'];
$date1 = gmdate("j");
if (!($ref1 == ("http://www.example.com/contact/comment.php?spammer=".$date1))){
	echo "expected: " . "http://www.matt13.com/contact/problem.php?spammer=".$date1;
	//echo "actual: " . $_SERVER['HTTP_REFERER'];
	die("error 1"); //bad referrer
}
// Array keys must be quoted strings; bare words are treated as undefined constants.
$server_vars = array('referrer' => $ref1, 'time' => $_SERVER['REQUEST_TIME'], 'REMOTE_HOST' => $_SERVER['REMOTE_ADDR']);
// Hidden honeypot field: humans never see it, so its value must arrive unchanged.
if ($_POST['website'] != "website"){
	die("error 2"); //filled hidden field
}

$msg1="begin message\n" . "php-useragent=" . print_r(get_browser(null, true), TRUE) . print_r($_POST, TRUE) . print_r($server_vars, TRUE);
$subject1="Website Contact Email (php)";
$email1="mail@example.com";
// eregi() was removed in PHP 7; stripos() gives the same case-insensitive substring test.
if (stripos($msg1, "cc:") !== false || stripos($msg1, "bcc:") !== false || stripos($msg1, "to:") !== false || stripos($msg1, "Content-Type:") !== false){ //possible spam attempts
	die("error 3"); //spammer
}
mail($email1,$subject1,$msg1);
?>
Mail sent (hopefully).
</body>
</html>
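As an added example (not the poster's script), here is how the same handler looks when the three concerns in the post are addressed the way a reviewer would ask for: direct POSTs are blocked with a per-session CSRF token instead of a Referer comparison (browsers may strip Referer and a client can set it freely), the honeypot is required to be empty, and header injection is stopped by rejecting any CR/LF in fields that reach mail headers rather than by searching the body for "cc:" and similar keywords. Field names (name, email, message, website, csrf_token) and both addresses are assumptions for the example.

```php
<?php
// Added example, not the original poster's code. Assumed form fields:
// name, email, message, plus a CSS-hidden honeypot "website" that must stay
// empty and a hidden csrf_token issued with the form. Addresses are placeholders.
declare(strict_types=1);
session_start();

const RECIPIENT = 'mail@example.com';     // placeholder destination mailbox
const FROM_ADDR = 'noreply@example.com';  // fixed, site-controlled sender

// Fail closed without telling the client why; the reason goes to the server log.
function fail(string $reason): void
{
    error_log('contact form rejected: ' . $reason);
    http_response_code(400);
    exit('Your message could not be sent.');
}

// A value destined for a mail header must contain no line break or NUL:
// a newline is exactly what turns "email" into an extra Cc:/Bcc: header,
// so rejecting it closes every variant instead of a keyword list.
function header_safe(string $value, int $maxLen): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1 || strlen($value) > $maxLen) {
        fail('line break or oversize value in a header field');
    }
    return trim($value);
}

// Only accept a POST that carries the token stored in this session when the
// form page was served; a request made from elsewhere does not have it.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail('not a POST');
}
$token = (string)($_POST['csrf_token'] ?? '');
if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
    fail('missing or mismatched CSRF token');
}
unset($_SESSION['csrf_token']); // single use

// Honeypot: hidden by CSS, so any content means an automated submitter.
if (($_POST['website'] ?? '') !== '') {
    fail('honeypot filled');
}

$name    = header_safe((string)($_POST['name'] ?? ''), 100);
$email   = header_safe((string)($_POST['email'] ?? ''), 254);
$message = (string)($_POST['message'] ?? '');

if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    fail('invalid name or email');
}
if ($message === '' || strlen($message) > 5000) {
    fail('empty or oversize message');
}

// Free text goes into the body only; the subject is fixed and From is the
// site's own address. The visitor's address is used solely as Reply-To,
// after the validation above.
$headers = [
    'From: ' . FROM_ADDR,
    'Reply-To: ' . $email,
    'Content-Type: text/plain; charset=UTF-8',
];
$body = "Contact form submission\n"
      . "Name: {$name}\nEmail: {$email}\nIP: {$_SERVER['REMOTE_ADDR']}\n\n"
      . str_replace("\r\n", "\n", $message);

if (!mail(RECIPIENT, 'Website Contact Email (php)', $body, implode("\r\n", $headers))) {
    fail('mail() returned false');
}
echo 'Mail sent.';
```

The form page that precedes this handler is expected to run `session_start()`, store `$_SESSION['csrf_token'] = bin2hex(random_bytes(32))`, and emit that value in a hidden `csrf_token` input. Note also that nothing from the request is echoed back on failure: the original script prints the expected Referer string, which hands a bot the exact value it needs.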