Not sure if this is the right place to post but here goes!
After having my contact form hacked to send spam I have had a go and tried to write a PHP script using bits from different scripts etc. Just wondered if some of you more experienced with PHP (I've only been learning as I go) would take a look at it for me and tell me what you think please?
On the HTML form side I used JavaScript to make sure certain fields are filled in and a valid email address is entered before passing the info over to my PHP script. On the HTML form page I have a hidden field (using CSS display: none) and if a bot fills this field in then the PHP script is set to recognize it as spam and it will not be sent (will this work?)
Code:
<?php
// Honeypot: the hidden "info" field should stay empty; a bot that fills it in is rejected.
// (?? '' avoids an "undefined index" notice when the field is missing from the POST entirely.)
$spam = $_POST['info'] ?? '';
if ($spam !== '') {
    // if so print error message and exit
    echo "Suspected injection attempt - mail not being sent.";
    exit;
}

// Check that name, enquiry details and email contain something, in case JavaScript is off
if (empty($_POST['name']) || empty($_POST['enquiry_details']) || empty($_POST['email'])) {
    // they have not filled in their name, email or enquiry details: send them to the error page
    header("Location: error.htm");
    exit;
}

// Pick up the form data and assign it to variables BEFORE running the checks on them.
// (The original ran contains_bad_str($email) etc. before those variables were assigned,
// so every check except the ones on $title and $name was testing an empty value.)
$title           = $_POST['title'] ?? '';
$name            = $_POST['name'];
$email           = $_POST['email'];
$phone           = $_POST['phone'] ?? '';
$address         = $_POST['address'] ?? '';
$heard_from      = $_POST['heard_from'] ?? '';
$heard_other     = $_POST['heard_other'] ?? '';
$style           = $_POST['style'] ?? '';
$enquiry_details = $_POST['enquiry_details'];

// Check whether common mail-header injection terms appear in a field
function contains_bad_str($str_to_test) {
    $bad_strings = array(
        "content-type:",
        "mime-version:",
        "multipart/mixed",
        "content-transfer-encoding:",
        "bcc:",
        "cc:",
        "to:",
    );
    // if terms are present, print an error and exit
    // (eregi() was deprecated in PHP 5.3 and removed in PHP 7; a case-insensitive
    // substring search with stripos() does the same job without treating the term as a regex)
    foreach ($bad_strings as $bad_string) {
        if (stripos($str_to_test, $bad_string) !== false) {
            echo "Suspected injection attempt - mail not being sent.";
            exit;
        }
    }
}

// Check for newlines: raw CR/LF characters or their URL-encoded forms.
// A line break is what a header injection needs, so this is the check that matters most.
function contains_newlines($str_to_test) {
    if (preg_match('/(%0A|%0D|\r|\n)/i', $str_to_test)) {
        echo "Suspected injection attempt - mail not being sent.";
        exit;
    }
}

contains_bad_str($title);
contains_bad_str($name);
contains_bad_str($email);
contains_bad_str($phone);
contains_bad_str($address);
contains_bad_str($heard_from);
contains_bad_str($heard_other);
contains_bad_str($style);
contains_bad_str($enquiry_details);
// single-line fields only: address and enquiry details may legitimately contain line breaks
contains_newlines($title);
contains_newlines($name);
contains_newlines($email);
contains_newlines($phone);
contains_newlines($heard_from);
contains_newlines($heard_other);

/* If e-mail is not valid show error message */
// filter_var() is stricter than the original unanchored regex, which would also
// have accepted strings such as "junk a@b.c junk"
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    header("Location: error.htm");
    exit;
}

// Build the email (replace the address in the $to section with your own)
$to = 'me@example.com';
$subject = "Contact form enquiry";
$message = "Title: $title,
Name: $name,
Phone: $phone,
Address: $address,
Heard from: $heard_from,
Heard other: $heard_other,
Style: $style,
Enquiry details: $enquiry_details,";
$headers = "From: $email";

// Send the mail using PHP's mail() function; it returns true or false
$sent = mail($to, $subject, $message, $headers);

// Redirect
if ($sent) {
    header("Location: confirmation.htm");
    exit(); // redirect to confirmation page and end php
} else {
    // end php, with a message of failure
    exit("Sorry. Mail was not sent. Go Back, try again");
}
?>

I've tested it locally and online (a spare domain I have), and everything seems to work (not sure how I check to see if the code stopping new lines works, any ideas?) - is there anything I need to add to the script? (I am planning on adding a Captcha to my form, but I thought I would make a start on the script first)
Thanks
M
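One way to check that the newline and honeypot checks actually fire, as an added example that is not part of the original post: the checks from the script are rewritten as functions that return a verdict instead of echoing and exiting, and a small self-test feeds them constructed inputs (the function names, the test cases and the file name `test_checks.php` are all assumptions for this example). It runs from the command line with `php test_checks.php` and sends no mail.

```php
<?php
// Added example, not the poster's script: the validation logic as pure functions
// plus a self-test with constructed inputs. Exit status 1 if any case fails.

// Honeypot: the hidden "info" field must be empty (or absent).
function honeypot_triggered(array $post): bool {
    return isset($post['info']) && $post['info'] !== '';
}

// Header-injection indicators: raw or URL-encoded line breaks, or mail header names.
function looks_like_header_injection(string $value): bool {
    if (preg_match('/(%0A|%0D|\r|\n)/i', $value)) {
        return true;
    }
    $needles = ['content-type:', 'mime-version:', 'multipart/mixed',
                'content-transfer-encoding:', 'bcc:', 'cc:', 'to:'];
    foreach ($needles as $needle) {
        if (stripos($value, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Address validation with PHP's built-in filter (rejects embedded line breaks too).
function valid_email(string $value): bool {
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed test cases: [description, input, expected verdict]
$injection_cases = [
    ['plain name',               'Jane Smith',                              false],
    ['raw CRLF then header',     "jane@example.com\r\nBcc: other@example.com", true],
    ['URL-encoded newline',      'jane@example.com%0Abcc:other@example.com', true],
    ['bare LF inside a name',    "Jane\nSmith",                             true],
    ['header name, mixed case',  'Content-Type: text/html',                 true],
    // Caveat: the substring list also flags harmless text. "Photo:" contains "to:",
    // so a genuine enquiry mentioning photos is rejected. The newline check is the
    // one that blocks injection; the word list mostly adds false positives.
    ['false positive on "to:"',  'Photo: wedding album',                    true],
];

$honeypot_cases = [
    ['field absent',  [],                                  false],
    ['field empty',   ['info' => ''],                      false],
    ['bot filled it', ['info' => 'http://spam.example'],   true],
];

$email_cases = [
    ['normal address',     'jane@example.com',                          true],
    ['CRLF in address',    "jane@example.com\r\nBcc: other@example.com", false],
    ['not an address',     'jane at example dot com',                   false],
];

// Run every case, print PASS/FAIL, and count failures.
$failures = 0;
function check(string $group, string $desc, bool $got, bool $expected): void {
    global $failures;
    $ok = ($got === $expected);
    if (!$ok) {
        $failures++;
    }
    printf("%s  %-10s %s\n", $ok ? 'PASS' : 'FAIL', $group, $desc);
}

foreach ($injection_cases as [$desc, $input, $expected]) {
    check('injection', $desc, looks_like_header_injection($input), $expected);
}
foreach ($honeypot_cases as [$desc, $post, $expected]) {
    check('honeypot', $desc, honeypot_triggered($post), $expected);
}
foreach ($email_cases as [$desc, $input, $expected]) {
    check('email', $desc, valid_email($input), $expected);
}

printf("\n%d failure(s)\n", $failures);
exit($failures === 0 ? 0 : 1);
```

The reason this is hard to test from the browser is that a single-line `<input>` will not let you type a carriage return or line feed, so a test through the real form needs a script or a tool such as `curl --data-urlencode` to submit the field value; the self-test above sidesteps that by calling the checks directly. The "Photo:" case is included on purpose: it shows that the keyword list rejects legitimate enquiries, which is worth knowing before blaming the honeypot for lost messages.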