Need help with my script's security
Posted: Thu Aug 02, 2007 5:31 am
Some time ago I almost lost my hosting account for "sending spam". I had to remove my Contact Us page to ensure this doesn't happen again. But my site isn't so good without any support for people visiting it. So for a few days I've been reading some security articles and have coded a new version of my Contact Us page. Here it is:
Some information:
$url and $url2 are the same URL, one with www and one without, in case a user is browsing my site with the www prefix or without it.
The question is, is this script secure? Can I put it on my host without any risk of losing it? Also, does it change anything if a hacker gets the code? I'll be sharing my site script with other people who also want a site like mine, so I don't know if one of those people might hack into my site and make me lose my hosting.
Thanks
Code:
<?php
require("config.php");

// Both flags are tested below, so they must exist before the first request;
// otherwise PHP reports undefined variables on a plain GET.
$error = false;
$sent = false;

if (isset($_POST['action']) && $_POST['action'] == "send") {
    // Referer check: accept a submission only from this site's support page,
    // with or without the www prefix ($url and $url2 come from config.php).
    if (strtolower($_SERVER['HTTP_REFERER']) != strtolower("$url/support.php") && strtolower($_SERVER['HTTP_REFERER']) != strtolower("$url2/support.php")) {
        echo "Error: An unexpected error has occurred.<br>";
        $error = true;
    }
    if (strlen($_POST['name']) > 20) {
        echo "Error: Name is too long. 20 characters max.<br>";
        $error = true;
    }
    // Was "< 40", which rejected every normal address and let over-long ones through.
    if (strlen($_POST['email']) > 40) {
        echo "Error: E-mail address is too long. 40 characters max.<br>";
        $error = true;
    }
    $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
    if (!preg_match($email_pattern, $_POST['email'])) {
        echo "Error: E-mail address is not valid.<br>";
        $error = true;
    }
    if (!$error) {
        $name = htmlspecialchars(strip_tags($_POST['name']), ENT_QUOTES);
        $email = strip_tags($_POST['email']);
        $message = htmlspecialchars(strip_tags($_POST['message']), ENT_QUOTES);
        // Note: $name is prepared here but is not included in the mail that is sent.
        $mail = mail($e_mail, "$pname Support Request", $message, "FROM: $email");
        if ($mail) {
            echo "<font color='green'><b>Your message has been successfully sent. Thank You.</b></font><br><br>";
        }
        else {
            echo "<font color='red'><b>There has been an error. Please send your message to <a href='mailto:$e_mail'>$e_mail</a>. Thank You.</b></font><br><br>";
        }
        $sent = true;
    }
    echo "<br>";
}
if (!$sent) {
?>
<!-- This form posts to contact.php, but the Referer check above only accepts
     support.php; the two must name the same file for a submission to pass. -->
<form action="contact.php" method="post">
<input type="hidden" name="action" value="send" />
Name:<br>
<input type="text" name="name" maxlength="20"><br><br>
Your E-mail address:<br>
<input type="text" name="email" maxlength="40"><br><br>
Message:<br>
<textarea name="message" rows="6" cols="30"></textarea><br><br>
<input type="submit" name="submit" value="Send">
</form>
<?php } ?>
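An added example, not the poster's code: a hardened rewrite of the handler posted above. It assumes the same config.php variables ($e_mail, $pname, $url), that the script itself is saved as support.php, and PHP 7 or later (for random_bytes() and the ?? operator); the noreply@ sender mailbox, the field limits and the session key name are assumptions for illustration. It replaces the Referer test with a per-session form token, validates the address with filter_var() plus an explicit CR/LF check (strip_tags() leaves newlines in place, and the "$" in the original pattern matches before a trailing newline), puts the visitor's address in Reply-To instead of From, and caps the message length.

```php
<?php
// Added example, not the poster's code. Assumes config.php defines
// $e_mail (recipient), $pname (site name) and $url (site URL) as in
// the original post, and PHP 7+ for random_bytes() and the ?? operator.
session_start();
require("config.php");

// Assumed field limits; the original has no cap on the message at all.
const MAX_NAME = 20;
const MAX_EMAIL = 40;
const MAX_MESSAGE = 2000;

// A CR or LF in any header-bound field lets a visitor append headers
// (Bcc:, extra To:). strip_tags() does not remove them, and the "$" in the
// original regex matches before a trailing "\n", so check explicitly.
function has_crlf($s) {
    return preg_match('/[\r\n]/', $s) === 1;
}

function valid_email($email) {
    return is_string($email) && strlen($email) <= MAX_EMAIL
        && !has_crlf($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Per-session anti-forgery token; unlike the Referer header it is not
// chosen by the sender and is not stripped by privacy proxies.
function csrf_token() {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['csrf'];
}

function csrf_ok($token) {
    return isset($_SESSION['csrf']) && is_string($token)
        && hash_equals($_SESSION['csrf'], $token);
}

// Returns a list of error strings; an empty list means the post is acceptable.
function validate($post) {
    $errors = [];
    if (!csrf_ok($post['token'] ?? '')) {
        $errors[] = "Form token missing or invalid. Please reload the page and try again.";
    }
    $name = $post['name'] ?? '';
    if (trim($name) === '' || strlen($name) > MAX_NAME || has_crlf($name)) {
        $errors[] = "Name is required: one line, " . MAX_NAME . " characters max.";
    }
    if (!valid_email($post['email'] ?? '')) {
        $errors[] = "E-mail address is not valid.";
    }
    $msg = $post['message'] ?? '';
    if (trim($msg) === '' || strlen($msg) > MAX_MESSAGE) {
        $errors[] = "Message is required, " . MAX_MESSAGE . " characters max.";
    }
    return $errors;
}

$sent = false;
if (($_POST['action'] ?? '') === "send") {
    $errors = validate($_POST);
    foreach ($errors as $e) {
        echo "Error: " . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "<br>";
    }
    if (!$errors) {
        // From is a fixed address on our own host (assumed noreply@ mailbox);
        // the visitor's address goes only in Reply-To, so the form can no
        // longer be made to send mail "from" arbitrary third parties.
        $host = parse_url($url, PHP_URL_HOST);
        $headers = "From: $pname <noreply@$host>\r\n"
                 . "Reply-To: " . $_POST['email'];
        // Plain-text body, so no HTML escaping is needed; wrap long lines.
        $body = "Name: " . $_POST['name'] . "\n"
              . "E-mail: " . $_POST['email'] . "\n"
              . "IP: " . ($_SERVER['REMOTE_ADDR'] ?? 'unknown') . "\n\n"
              . wordwrap($_POST['message'], 70);
        $sent = mail($e_mail, "$pname Support Request", $body, $headers);
        echo $sent ? "<b>Your message has been sent. Thank you.</b><br>"
                   : "<b>There has been an error sending your message.</b><br>";
    }
}
if (!$sent) {
?>
<form action="support.php" method="post">
<input type="hidden" name="action" value="send" />
<input type="hidden" name="token" value="<?php echo htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8'); ?>" />
Name:<br>
<input type="text" name="name" maxlength="20"><br><br>
Your E-mail address:<br>
<input type="text" name="email" maxlength="40"><br><br>
Message:<br>
<textarea name="message" rows="6" cols="30" maxlength="2000"></textarea><br><br>
<input type="submit" name="submit" value="Send">
</form>
<?php } ?>
```

The two changes that matter most for the "sending spam" complaint are the fixed From address and the CR/LF rejection: a user-controlled From header is what turns a contact form into an open relay, and a newline in that field is how extra recipients get added. Sharing the code does not weaken any of this, because the only secret is the per-session token, which is generated at runtime rather than written in the script.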