
Is this mail script secure?

Posted: Sun Nov 12, 2006 10:19 pm
by m85476585
I created a script to send me email from the contact forms on my site, but I'm not sure how secure it is. I want to make sure that no one can break it through the regular forms, and that no one can POST to it directly. I learned PHP as I was writing this, so I'm sure it's not perfect. The date comes from JavaScript on the first page and is checked on comment.php. The hidden field has CSS display:none, so users don't see it, but spammers do.

Code:

<html>
<head>
<title>Mail Sent</title>
</head>
<body>
<?php
// Expected referrer: the form page with today's UTC day number appended
// by the JavaScript on the form page. Built once so the check and the
// debug message cannot disagree.
$date1 = gmdate("j");
$expected = "http://www.example.com/contact/comment.php?spammer=" . $date1;
$ref1 = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($ref1 !== $expected) {
	echo "expected: " . $expected;
	//echo "actual: " . $ref1;
	die("error 1"); //bad referrer
}
// Array keys must be quoted strings; bare words are undefined constants.
$server_vars = array('referrer' => $ref1, 'time' => $_SERVER['REQUEST_TIME'], 'REMOTE_HOST' => $_SERVER['REMOTE_ADDR']);
// Honeypot: the hidden field is pre-filled with "website"; a submission
// that overwrites it, or omits it, is rejected.
if (!isset($_POST['website']) || $_POST['website'] != "website"){
	die("error 2"); //filled hidden field
}

$msg1 = "begin message\n" . "php-useragent=" . print_r(get_browser(null, true), TRUE) . print_r($_POST, TRUE) . print_r($server_vars, TRUE);
$subject1 = "Website Contact Email (php)";
$email1 = "mail@example.com";
// eregi() was removed in PHP 7; preg_match with the i flag is the equivalent.
if (preg_match('/cc:|bcc:|to:|content-type:/i', $msg1)) {  //possible spam attempts
	die("error 3"); //spammer
}
mail($email1, $subject1, $msg1);
?>
Mail sent (hopefully).
</body>
</html>
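The script above keys everything on the Referer header plus a day number, and greps the mail body for header names. Neither does what the post wants. Referer is sent by the client, so anything that POSTs to the script directly simply sets it to the expected value, while many proxies and browser privacy settings omit it and lock out real users. And with fixed $to and $subject strings and no additional headers, the body check only rejects legitimate messages that happen to contain "to:": mail() header injection needs a CR/LF in the recipient, subject or additional-headers arguments, and the body cannot reach the headers at all. The following is an added example, not code from the original post, showing the same handler with an HMAC-signed form token in place of the Referer check, the honeypot kept, and single-line validation on the one user-supplied value that does go into a header (the sender's address in Reply-To). Hypothetical names and assumptions: FORM_SECRET (a random string kept outside the web root), TOKEN_TTL, a hidden input named token that the form page comment.php emits, and an empty-honeypot convention for the website field (the original pre-fills it with "website" instead).

```php
<?php
// Added example, not code from the original post. Hardened replacement for
// the contact-form handler. Hypothetical names: FORM_SECRET (random string
// kept outside the web root), comment.php (the form page), a hidden
// <input name="token">, and a hidden <input name="website"> that humans
// leave EMPTY (the original pre-fills it with "website").
declare(strict_types=1);

const FORM_SECRET = 'replace-with-at-least-32-random-bytes';
const RECIPIENT   = 'mail@example.com';
const TOKEN_TTL   = 3600;      // seconds a form token stays valid
const MAX_LEN     = 4000;      // longest message body accepted

// Token issued with the form page. It is an HMAC over an issue timestamp, so
// only a client that fetched the form recently can present a valid one; a
// Referer header, by contrast, is whatever the client chooses to send.
function issue_form_token(?int $now = null): string {
    $issued = $now ?? time();
    return $issued . '.' . hash_hmac('sha256', 'comment|' . $issued, FORM_SECRET);
}

// Verify the token: well-formed, not expired, MAC matches (constant-time).
function verify_form_token(string $token, ?int $now = null): bool {
    $now = $now ?? time();
    if (!preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', $token, $m)) {
        return false;
    }
    $issued = (int) $m[1];
    if ($issued > $now || $now - $issued > TOKEN_TTL) {
        return false;
    }
    $expect = hash_hmac('sha256', 'comment|' . $issued, FORM_SECRET);
    return hash_equals($expect, $m[2]);
}

// mail() header injection smuggles CR/LF followed by e.g. "Bcc: ..." through
// a value the script copies into a header. Reject any header-bound value
// that is not a single line instead of trying to sanitize it.
function is_single_line(string $s): bool {
    return strpbrk($s, "\r\n\0") === false;
}

// Validate a submission; returns ['ok' => bool, 'errors' => [...], 'mail' => [...]].
function validate_submission(array $post, ?int $now = null): array {
    $errors = [];
    if (($post['website'] ?? '') !== '') {
        $errors[] = 'honeypot filled';
    }
    if (!verify_form_token((string) ($post['token'] ?? ''), $now)) {
        $errors[] = 'bad or expired token';
    }
    $from = trim((string) ($post['email'] ?? ''));
    if (!is_single_line($from) || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid sender address';
    }
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || !is_single_line($name) || strlen($name) > 100) {
        $errors[] = 'invalid name';
    }
    $body = (string) ($post['message'] ?? '');
    if ($body === '' || strlen($body) > MAX_LEN) {
        $errors[] = 'empty or oversized message';
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors, 'mail' => null];
    }
    // To and Subject are fixed; the only user data that reaches a header is
    // the validated, single-line sender address in Reply-To.
    return ['ok' => true, 'errors' => [], 'mail' => [
        'to'      => RECIPIENT,
        'subject' => 'Website contact form',
        'body'    => "From: $name <$from>\nIP: " . ($_SERVER['REMOTE_ADDR'] ?? 'cli') . "\n\n" . $body,
        'headers' => "From: contact-form@example.com\r\nReply-To: $from",
    ]];
}

if (PHP_SAPI === 'cli') {
    // Offline self-check with constructed input; no mail is sent.
    $t = time();
    $good = ['token' => issue_form_token($t), 'website' => '',
             'email' => 'alice@example.org', 'name' => 'Alice', 'message' => 'Hello'];
    $inject = $good;
    $inject['email'] = "alice@example.org\r\nBcc: victim@example.net";   // header injection attempt
    $stale = $good;
    $stale['token'] = issue_form_token($t - TOKEN_TTL - 1);             // expired token
    foreach (['good' => $good, 'inject' => $inject, 'stale' => $stale] as $label => $post) {
        $r = validate_submission($post, $t);
        echo $label, ': ', $r['ok'] ? 'accepted' : 'rejected (' . implode(', ', $r['errors']) . ')', "\n";
    }
} else {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit('POST only');
    }
    $r = validate_submission($_POST);
    if (!$r['ok']) {
        http_response_code(400);
        exit('rejected');
    }
    $m = $r['mail'];
    echo mail($m['to'], $m['subject'], $m['body'], $m['headers']) ? 'Mail sent.' : 'Mail failed.';
}
```

The form page emits the token with something like `<input type="hidden" name="token" value="<?= htmlspecialchars(issue_form_token()) ?>">`. Run from the command line the script exercises itself with the constructed submissions: the clean one is accepted, the one carrying a CR/LF Bcc line in the address is rejected, and the expired token is rejected. One caveat on what the token buys: because it is not bound to a session or user, it stops blind POSTs and enforces freshness, but a bot that fetches the form first still obtains one. The honeypot, length limits and, if abuse continues, per-IP rate limiting are what cover that case.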