Hi, any help here appreciated! I'm no PHP expert (by any stretch of the imagination!); in fact all I've been able to do is to successfully modify an aFormMail PHP script file for many years on a number of websites I administer. The sole function I use it for is a "Contact Me" form page for each site. Recently the owner of one of these sites asked me to include a Guest Book form for visitors as well as the Contact Me page. On this site I now have 2 aFormMail PHP script files - one for each of these pages (the visitor gets a different automated response depending on the form submitted). The problem is the Guest Book form's security has a hole in it and the email account set up to receive the responses is being inundated with spam. None of the Contact Me forms on this or any of the other sites experiences this issue. I've removed the Guest Book form pending a solution.
As far as I can see the structure of both scripts is identical apart from the automated response text and the recipient email address.
Is it because I have 2 scripts in the same folder? Have I made some other obvious blunder that I cannot see?
Thanks
Spence
Spam arriving via Guest Book
SpenceBasics - Forum Newbie - Posts: 3 - Joined: Sat Apr 14, 2007 6:32 pm
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.
Sorry but I really don't know enough about this stuff to supply the code other than the whole PHP file, which is just a standard aFormMail script for CGI-Central, modified for my purposes. I did search the forum for something similar to my problem before I asked for help but didn't find anything - which isn't to say it isn't there!

[syntax="php"]
<?php
// email for send submitted forms //////////////////////////////////////////
// if empty, use value from form ('send_to' field)
$send_to = "Terra Boya Arts - Australia <test@terraboyaarts.com>";
// set $send_cc address if you need copy of mail to other addresses
// for example: $send_cc = array('friend1@ccc.cc', 'friend2@ccc.cc');
//
$send_cc = array();
// Subject. if empty, use value from form ('subject' field)
$subject = "Terra Boya Arts - Guest Book Return";
// Allowed Referrers. Should be empty or list of domains
$referrers = array();
// Attachments
$attachment_enabled = 0;
////// Database - write CSV file with data of submitted forms //////////////
$database_enabled = 0;
$database_file = '';
// Fields to collect
// $database_fields = '*' - mean all fields, as in form
// $database_fields = array('from', 'subject') - only 'from', 'subject' fields
$database_fields = '*';
////// Redirect user after submitting form
$redirect_url = 'http://www.terraboyaarts.com/Confirmation.htm';
////// Auto-Responder
////// You can substitute any of form fields in response by using
////// %field_name% in response text.
//////
$autoresponder_enabled = 1;
$autoresponder_from = $send_to;
$autoresponder_subject = "%subject% Terra Boya Arts - Guest Book Return";
$autoresponder_message = <<<MSG
Hello %Name%,
This is an automated response, please do not reply.
Thank you for filling in my Guest Book. If you asked me a question in the Message section I will respond to you shortly.
Regards,
Ivana
Terra Boya Arts - Australia
--
MSG;
/***************************************************************************/
function do_formmail(){
global $autoresponder_enabled, $database_enabled;
$form = get_form_data();
$errors = check_form($form);
if ($errors) {
display_errors($errors);
return;
}
send_mail($form);
if ($autoresponder_enabled)
auto_respond($form);
if ($database_enabled)
save_form($form);
redirect();
}
function redirect(){
global $redirect_url;
header("Location: $redirect_url");
exit();
}
function save_form($vars){
global $database_file, $database_fields;
$f = fopen($database_file, 'a');
if (!$f){
die("Cannot open db file for save");
}
foreach ($vars as $k=>$v) {
$vars[$k] = str_replace(array("|", "\r","\n"), array('_',' ',' '), $v);
}
if (is_array($database_fields)) {
$vars_orig = $vars;
$vars = array();
foreach ($database_fields as $k)
$vars[$k] = $vars_orig[$k];
}
$str = join('|', $vars);
fwrite($f, $str."\n");
fclose($f);
}
function auto_respond($vars){
global $autoresponder_from, $autoresponder_message, $autoresponder_subject;
/// replace all vars in message
$msg = $autoresponder_message;
preg_match_all('/%(.+?)%/', $msg, $out);
$s_vars = $out[1]; //field list to substitute
foreach ($s_vars as $k)
$msg = str_replace("%$k%", $vars[$k], $msg);
/// replace all vars in subject
$subj = $autoresponder_subject;
preg_match_all('/%(.+?)%/', $subj, $out);
$s_vars = $out[1]; //field list to substitute
foreach ($s_vars as $k)
$subj = str_replace("%$k%", $vars[$k], $subj);
//
$_send_to = "$vars[name_from] <".$vars['Email'].">";
$_send_from = $autoresponder_from;
mail($_send_to, $subj, $msg, "From: $_send_from");
}
function _build_fields($vars){
$skip_fields = array(
'name_from',
'Email',
'email_to',
'name_to',
'subject');
// order by numeric begin, if it exists
$is_ordered = 0;
foreach ($vars as $k=>$v)
if (in_array($k, $skip_fields)) unset($vars[$k]);
$new_vars = array();
foreach ($vars as $k=>$v){
// remove _num, _reqnum, _req from end of field names
$k = preg_replace('/_(req|num|reqnum)$/', '', $k);
// check if the fields is ordered
if (preg_match('/^\d+[ \:_-]/', $k)) $is_ordered++;
//remove number from begin of fields
$k = preg_replace('/^\d+[ \:_-]/', '', $k);
$new_vars[$k] = $v;
}
$vars = $new_vars;
$max_length = 10; // max length of key field
foreach ($vars as $k=>$v) {
$klen = strlen($k);
if (($klen > $max_length) && ($klen < 40))
$max_length = $klen;
}
if ($is_ordered)
ksort($vars);
// make output text
$out = "";
foreach ($vars as $k=>$v){
$k = str_replace('_', ' ', $k);
$k = ucfirst($k);
$len_diff = $max_length - strlen($k);
if ($len_diff > 0)
$fill = str_repeat('.', $len_diff);
else
$fill = '';
$out .= $k."$fill...: $v\n";
}
return $out;
}
function send_mail($vars){
global $send_to, $send_cc;
global $subject;
global $attachment_enabled;
// request data (replaces the register_globals-era $REMOTE_ADDR / $HTTP_POST_FILES)
$REMOTE_ADDR = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$HTTP_POST_FILES = $_FILES;
$files = array(); //files (field names) to attach in mail
if (count($HTTP_POST_FILES) && $attachment_enabled){
$files = array_keys($HTTP_POST_FILES);
}
// build mail
$date_time = date('Y-m-d H:i:s');
$mime_delimiter = md5(time());
$fields = _build_fields($vars);
$mail = <<<EOF
This is a MIME-encapsulated message
--$mime_delimiter
Content-type: text/plain
Content-Transfer-Encoding: 8bit
Terra Boya Arts form submitted:
$fields
--------------------
REMOTE IP : $REMOTE_ADDR
EOF;
if (count($files)){
foreach ($files as $file){
$file_name = $HTTP_POST_FILES[$file]['name'];
$file_type = $HTTP_POST_FILES[$file]['type'];
$file_tmp_name = $HTTP_POST_FILES[$file]['tmp_name'];
$file_cnt = "";
$f=@fopen($file_tmp_name, "rb");
if (!$f)
continue;
while($f && !feof($f))
$file_cnt .= fread($f, 4096);
fclose($f);
if (!strlen($file_type)) $file_type="application/octet-stream";
if ($file_type == 'application/x-msdownload')
$file_type = "application/octet-stream";
$mail .= "\n--$mime_delimiter\n";
$mail .= "Content-type: $file_type\n";
$mail .= "Content-Disposition: attachment; filename=\"$file_name\"\n";
$mail .= "Content-Transfer-Encoding: base64\n\n";
$mail .= chunk_split(base64_encode($file_cnt));
}
}
$mail .= "\n--$mime_delimiter--";
//send to
$_send_to = $send_to ? $send_to : "$vars[name_to] <".$vars['email_to'].">";
$_send_from = "$vars[name_from] <".$vars['Email'].">";
$_subject = $subject ? $subject : $vars['subject'];
mail($_send_to, $_subject, $mail,
"Mime-Version: 1.0\r\nFrom: $_send_from\r\nContent-Type: multipart/mixed;\n boundary=\"$mime_delimiter\"\r\nContent-Disposition: inline");
foreach ($send_cc as $v){
mail($v, $_subject, $mail,
"Mime-Version: 1.0\r\nFrom: $_send_from\r\nContent-Type: multipart/mixed;\n boundary=\"$mime_delimiter\"\r\nContent-Disposition: inline");
}
}
function get_form_data(){
// request data (replaces the register_globals-era $REQUEST_METHOD / $HTTP_*_VARS)
$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'POST';
$vars = ($method == 'GET') ? $_GET : $_POST;
//strip spaces from all fields
foreach ($vars as $k=>$v) $vars[$k] = trim($v);
return $vars;
}
function check_form($vars){
global $referrers;
global $send_to;
global $subject;
// request data (replaces the register_globals-era $HTTP_REFERER)
$HTTP_REFERER = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$errors = array();
// check from email set
if (!strlen($vars['Email'])){
$errors[] = "<b>From Email address</b> empty";
} else if (!check_email($vars['Email'])){
$errors[] = "<b>From Email address</b> incorrect";
}
if (!strlen($send_to) && !strlen($vars['email_to'])){
$errors[] = "<b>To Email</b> address empty (possible configuration error)";
} else if (!strlen($send_to) && !check_email($vars['email_to'])){
//if to email specified in form, check it and display error
$errors[] = "<b>To Email address</b> incorrect";
}
if (!strlen($vars['subject']) && !strlen($subject)){
$errors[] = "<b>Subject</b> empty (possible configuration error)";
}
foreach ($vars as $k=>$v){
// check for required fields (end with _req)
if (preg_match('/^(.+?)_req$/i', $k, $m) && !strlen($v)){
$field_name = ucfirst($m[1]);
$errors[] = "Required field <b>$field_name</b> empty";
}
// check for number fields (end with _num)
if (preg_match('/^(.+?)_num$/i', $k, $m) && strlen($v) && !is_numeric($v)){
$field_name = ucfirst($m[1]);
$errors[] = "Field <b>$field_name</b> must contain only digits or be empty";
}
// check for number & required fields (end with _reqnum)
if (preg_match('/^(.+?)_reqnum$/i', $k, $m) && !is_numeric($v)){
$field_name = ucfirst($m[1]);
$errors[] = "Field <b>$field_name</b> must contain digits and only digits";
}
}
//check referrer
if (is_array($referrers) && count($referrers)){
$ref = parse_url($HTTP_REFERER);
$host = $ref['host'];
$host_found = 0;
foreach ($referrers as $r){
if (strstr($host, $r))
$host_found++;
}
if (!$host_found){
$errors[] = "Unknown Referrer: <b>$host</b>";
}
}
return $errors;
}
function display_errors($errors){
$errors = '<li>' . join('<li>', $errors);
print <<<EOF
<html>
<head><title>aFormMail error</title></head>
<body bgcolor=white>
<h3 align=center><font color=red>An Error Occurred</font></h3>
<hr width=80%>
<table align=center><tr><td>
$errors
</td></tr></table>
<p align=center>
<a href="javascript: history.back(-1)">Return</a> and fix these errors
</p>
<hr width=80%>
<center>
<font size=4><b>Terra Boya Arts</b></font>
</center>
</body></html>
EOF;
}
/**
* Check email using regexes
* @param string email
* @return bool true if email valid, false if not
*/
function check_email($email) {
#characters allowed on name: 0-9a-Z-._ on host: 0-9a-Z-. on between: @
if (!preg_match('/^[0-9a-zA-Z\.\-\_]+\@[0-9a-zA-Z\.\-]+$/', $email))
return false;
#must start or end with alpha or num
if ( preg_match('/^[^0-9a-zA-Z]|[^0-9a-zA-Z]$/', $email))
return false;
#name must end with alpha or num
if (!preg_match('/([0-9a-zA-Z_]{1})\@./',$email) )
return false;
#host must start with alpha or num
if (!preg_match('/.\@([0-9a-zA-Z_]{1})/',$email) )
return false;
#pair .- or -. or -- or .. not allowed
if ( preg_match('/.\.\-.|.\-\..|.\.\..|.\-\-./',$email) )
return false;
#pair ._ or -_ or _. or _- or __ not allowed
if ( preg_match('/.\.\_.|.\-\_.|.\_\..|.\_\-.|.\_\_./',$email) )
return false;
#host must end with '.' plus 2-5 alpha for TopLevelDomain
if (!preg_match('/\.([a-zA-Z]{2,5})$/',$email) )
return false;
return true;
}
do_formmail();
?>
[/syntax]

I've had the same problem.

[quote]The problem is the Guest Book form's security has a hole in it and the email account set up to receive the responses is being inundated with spam.[/quote]

You create a form to send an email (such as a contact page), then out of nowhere that email address gets bombarded with spam. I still haven't found a way to keep this from happening. I've also searched but haven't found much on this at all.
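The posted script copies the submitted name_from, Email and subject fields straight into the To:, From: and Subject: headers it hands to mail(), and its auto-responder sends a message containing submitted content (the %Name% placeholder) to whatever address was typed into Email; with $referrers left empty, the referrer check in check_form() never runs. Those are the properties that make form mailers attractive to spammers, independent of how many copies of the script sit in one folder. The following is an added example of a validation layer in front of such a script; it is not part of aFormMail or of the poster's code. The field names Email, name_from, subject and Name are taken from the posted script; the honeypot field name website, the 60-character cap on echoed values and the 100-character header limit are assumptions chosen for the example.

```php
<?php
// Added example, not from the aFormMail script above: header-safety and
// auto-responder hardening for a form mailer. Field names Email, name_from,
// subject and Name come from the posted script; 'website' (honeypot) and the
// length limits are assumptions for this example.

// Fields whose values end up in a mail header (To:, From:, Subject:) or are
// echoed back by the auto-responder to the submitted, unverified address.
const HEADER_FIELDS = ['Email', 'name_from', 'subject', 'Name'];

// A value is header-safe when it cannot start a new header line (CR/LF/NUL)
// and cannot smuggle extra addresses into a "Name <addr>" construct (< > ,).
function is_header_safe(string $value, int $max_len = 100): bool
{
    if (strlen($value) > $max_len) {
        return false;
    }
    return preg_match('/[\r\n\x00<>,]/', $value) !== 1;
}

// Stricter replacement for the script's hand-rolled check_email().
function is_valid_email(string $email): bool
{
    return strlen($email) <= 254
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Validate a submitted form; returns a list of error strings (empty means OK).
function check_form_hardened(array $vars): array
{
    $errors = [];
    foreach (HEADER_FIELDS as $field) {
        $value = $vars[$field] ?? '';
        if (!is_header_safe($value)) {
            $errors[] = "Field $field contains characters not allowed in a mail header";
        }
    }
    $email = $vars['Email'] ?? '';
    if ($email === '' || !is_valid_email($email)) {
        $errors[] = 'From Email address missing or invalid';
    }
    // Honeypot: a field hidden from humans by CSS that bots tend to fill in.
    // The name 'website' is an assumption and must match the form's HTML.
    if (($vars['website'] ?? '') !== '') {
        $errors[] = 'Submission rejected';
    }
    return $errors;
}

// Render the auto-responder template without relaying arbitrary submitter
// content to a third party: only allow-listed placeholders are substituted,
// and each value is collapsed to one line and truncated.
function render_autoresponse(string $template, array $vars, array $allowed = ['Name']): string
{
    return preg_replace_callback('/%(.+?)%/', function (array $m) use ($vars, $allowed): string {
        if (!in_array($m[1], $allowed, true)) {
            return '';                                   // unknown placeholder: drop it
        }
        $value = preg_replace('/\s+/', ' ', $vars[$m[1]] ?? '');
        return (string) substr(trim($value), 0, 60);     // 60-char cap is an assumption
    }, $template);
}

// Demonstration on constructed input.
$template = "Hello %Name%,\nThank you for filling in my Guest Book.\n";

$good = ['Name' => 'Alice', 'Email' => 'alice@example.com', 'name_from' => 'Alice'];
$bad  = ['Name'  => "Alice\nBcc: victim@example.net",      // attempts a new header line
         'Email' => 'alice@example.com, bob@example.org']; // attempts a second recipient

var_dump(check_form_hardened($good) === []);      // bool(true): clean submission passes
var_dump(count(check_form_hardened($bad)) >= 2);  // bool(true): Name and Email both rejected
echo render_autoresponse($template, $good);       // "Hello Alice," ... (one line per field)
```

check_form_hardened() is meant to run before the script's own check_form(), so nothing with a rejected header field reaches mail() or the auto-responder. The referrer list in the posted script is not a substitute for this: a Referer header is supplied by the client and is absent in many legitimate browsers, so it can only ever be a weak filter. Two copies of the script in one folder is not itself the cause; each copy is an independent mailer with the same header and auto-responder handling, and any copy that is reachable from a public form needs the same validation.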