PHP mail script - Would you check a newbie please?

mogsy
Forum Newbie
Posts: 2
Joined: Sun Apr 27, 2008 4:40 am

Post by mogsy »

Hi,

Not sure if this is the right place to post but here goes!

After having my contact form hacked to send spam I have had a go and tried to write a PHP script using bits from different scripts etc. Just wondered if some of you more experienced with PHP (I've only been learning as I go) would take a look at it for me and tell me what you think please?

On the HTML form side I used Javascript to make sure certain fields are filled in and a valid email address is entered before passing the info over to my PHP script. On the HTML form page I have a hidden field (using CSS display: none) and if a bot fills this field in then the PHP script is set to recognize it as spam and it will not be sent (will this work?)

Code:

<?php

// Hidden field: real visitors never see it (CSS display: none), so anything
// in it is assumed to come from a bot. isset() avoids a notice when the
// field is missing from the POST altogether.
$spam = isset($_POST['info']) ? $_POST['info'] : '';

// Check whether hidden field has been filled
if ($spam != "") {
    // if so print error message and exit
    echo "Suspected injection attempt - mail not being sent.";
    exit;
}

// check to see whether name, enquiry details and email contain info in case javascript is off
if (empty($_POST['name']) || empty($_POST['enquiry_details']) || empty($_POST['email'])) {
    // here, they have not filled in either their name, email or enquiry details.  Set an error.
    header("Location: error.htm");
    exit;
}

// Pick up the form data and assign it to variables. All of them are assigned
// here, before the injection checks below run, otherwise those checks would
// be testing undefined (empty) variables and would never catch anything.
$title           = isset($_POST['title']) ? $_POST['title'] : '';
$name            = $_POST['name'];
$email           = $_POST['email'];
$phone           = isset($_POST['phone']) ? $_POST['phone'] : '';
$address         = isset($_POST['address']) ? $_POST['address'] : '';
$heard_from      = isset($_POST['heard_from']) ? $_POST['heard_from'] : '';
$heard_other     = isset($_POST['heard_other']) ? $_POST['heard_other'] : '';
$style           = isset($_POST['style']) ? $_POST['style'] : '';
$enquiry_details = $_POST['enquiry_details'];

// check to see whether common injection terms are entered into certain fields
function contains_bad_str($str_to_test) {
    $bad_strings = array(
        "content-type:",
        "mime-version:",
        "multipart/mixed",
        "content-transfer-encoding:",
        "bcc:",
        "cc:",
        "to:"
    );
    // if terms are present, set error and exit
    // (stripos() is a case-insensitive substring search; eregi() is deprecated)
    foreach ($bad_strings as $bad_string) {
        if (stripos($str_to_test, $bad_string) !== false) {
            echo "Suspected injection attempt - mail not being sent.";
            exit;
        }
    }
}

// check for newlines (raw or URL-encoded) in the single-line fields
function contains_newlines($str_to_test) {
    if (preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
        echo "Suspected injection attempt - mail not being sent.";
        exit;
    }
}

contains_bad_str($title);
contains_bad_str($name);
contains_bad_str($email);
contains_bad_str($phone);
contains_bad_str($address);
contains_bad_str($heard_from);
contains_bad_str($heard_other);
contains_bad_str($style);
contains_bad_str($enquiry_details);

contains_newlines($title);
contains_newlines($name);
contains_newlines($email);
contains_newlines($phone);
contains_newlines($heard_from);
contains_newlines($heard_other);

/* If e-mail is not valid show error message */
// anchored with ^ and $ so the whole field has to be an address,
// not merely contain one somewhere inside it
if (!preg_match('/^[\w\-.]+@[\w\-.]+\.[\w\-]+$/', $email)) {
    header("Location: error.htm");
    exit;
}

// Build the email (replace the address in the $to section with your own)
$to = 'me@example.com';
$subject = "Contact form enquiry";
$message = "Title: $title,

Name: $name,

Phone: $phone,

Address: $address,

Heard from: $heard_from,

Heard other: $heard_other,

Style: $style,

Enquiry details: $enquiry_details,";
$headers = "From: $email";

// Send the mail using PHP's mail() function
// $succe = true or false, the return value of mail()
$succe = mail($to, $subject, $message, $headers);

// Redirect
if ($succe) {
    header("Location: confirmation.htm");
    exit(); // redirect to confirmation page and end php
} else {
    // end php, with a message of failure
    exit("Sorry. Mail was not sent. Go Back, try again");
}
?>

The error page you get directed to just basically says click back on your browser and make sure you have entered your name, email and enquiry details (only using the error page in case people have Javascript switched off).

I've tested it locally and online (a spare domain I have), and everything seems to work (not sure how I check to see if the code stopping new lines works, any ideas?) - is there anything I need to add to the script? (I am planning on adding a Captcha to my form, but I thought I would make a start on the script first)

Thanks
M
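An added example, not code from mogsy's post: the same header-injection rules rewritten as functions that return true or false instead of printing and exiting, so they can be run from the command line over constructed sample inputs to see which values get rejected. It assumes nothing beyond a stock PHP install (filter_var and stripos are built in).

```php
<?php
// Added example, not code from the original post: the header-injection
// checks as functions that return true/false instead of echo + exit,
// so they can be exercised over sample inputs with `php thisfile.php`.

function has_header_injection($value)
{
    // PHP has already URL-decoded $_POST, so a raw \r or \n is what mail()
    // would pass on to the MTA; the %0A/%0D forms are kept for completeness.
    if (preg_match('/(%0A|%0D|\n|\r)/i', $value)) {
        return true;
    }
    // Header names a genuine visitor has no reason to type into a field.
    $bad_strings = array('content-type:', 'mime-version:', 'multipart/mixed',
                         'content-transfer-encoding:', 'bcc:', 'cc:', 'to:');
    foreach ($bad_strings as $bad) {
        if (stripos($value, $bad) !== false) {
            return true;
        }
    }
    return false;
}

function valid_from_address($email)
{
    // FILTER_VALIDATE_EMAIL rejects spaces, commas and line breaks, so a
    // second address or an extra header cannot ride along in the From: line.
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && !has_header_injection($email);
}

// Constructed sample inputs: one genuine address, then the kinds of values
// a spam bot submits to smuggle extra headers into mail().
$samples = array(
    'alice@example.com',
    "alice@example.com\r\nBcc: someone@example.org",
    'alice@example.com%0ACc: someone@example.org',
    'alice@example.com, bob@example.org',
    'Content-Type: multipart/mixed',
);

foreach ($samples as $s) {
    printf("%-60s %s\n", json_encode($s),
           valid_from_address($s) ? 'accepted' : 'rejected');
}
```

Only the first sample is accepted; each of the others is rejected by either the address validation or the injection check, which is the behaviour the single-line fields in the form script need.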