studentofstone

I'm using the following to clean up input from my contact form, but I got header injection attacked anyway. What am I doing wrong? $trail_section_mile = strip_tags(stripslashes($trail_section_mile)) //this is repeated for several other fields, then: $email_message .= "Trail Section Mile Markers: ".clean_string($trail_section_mile)."\n"; //this is repeated for several other fields, then: /* see isInjected function below */ function clean_string($string) { $bad = array("content-type","bcc:","to:","cc:","href","/n",""); return str_replace($bad,"",$string); } // send the mail

I would like to propose a toast to the crappiest post I have ever made. May there be none crappier.

this is the file the form data is posting to, this is the file that is giving me the error.

oh, I am an idiot. This is, the code I mis- posted is, maintainance.php

Warning: Cannot modify header information - headers already sent by (output started at /hermes/web04/b2179/moo.hankkaminsky/oht/oht/wp-content/plugins/maintainance.php:1) in /hermes/web04/b2179/moo.hankkaminsky/oht/oht/wp-content/plugins/maintainance.php on line 179

First apologies about not nesting. I typed instead of . Yes I read it but it doesn't make sense to me for my application of the header, or I am misunderstanding it. The code is sending the form data as an email. How would a meta tag work here to redirect? $headers = 'Subject : '.$about."/r/n" .'From: '.$email."\r\n" .'Reply-To: '.$email."\r\n" . 'X-Mailer: PHP/' . phpversion(); header("Location: oht/maintenance/maintenance-report/thank-you/"); //line 179 @mail($email_to, $email_subject, $email_message, $headers);

Cannot modify header information - headers already sent by (output started at ) on line 179 I labeled 179 its at the bottom. I understand this means its already generating the html but not how or where. A solution would of course be nice but if some one could tell me even how to figure it out it would be great. <?php if(isset($_POST['email'])) { // EDIT THE 2 LINES BELOW AS REQUIRED $email_to = "[email protected]"; $email_subject = "$mile"; function died($error) { // your error code can go here echo "We are very sorry, but there were error(s) found with the form you submitted. "; echo "These errors appear below.<br /><br />"; echo $error."<br /><br />"; echo "Please go back and fix these errors.<br /><br />"; die(); } /*"trail_section_mile", float dash "trail_section_name", #9()alphanumeric "name", "date"auto date "email",same "telephone" same "trail_condition" no validation just sanitize size limit "attention_area" no validation just sanitize size limit "under_20" no validation just sanitize size limit "_20_54" no validation just sanitize size limit "_55_over" no validation just sanitize size limit */ if(!isset($_POST['trail_section_mile']) ) { died('1'); } if(!isset($_POST['trail_section_name']) ) { died('2'); } if(!isset($_POST['name']) ) { died('3'); } if(!isset($_POST['email']) ) { died('4'); } if(!isset($_POST['telephone']) ) { died('5'); } if(!isset($_POST['trail_condition']) ) { died('6'); } if(!isset($_POST['attention_area']) ) { died('7'); } if(!isset($_POST['under_20']) ) { died('8'); } if(!isset($_POST['_20_54']) ) { died('9'); } if(!isset($_POST['_55_over']) ) { died('0'); } if(!isset($_POST['total_hours']) ) { died('011'); } //comments field is a honeypot require ('Validate.php'); $email = $_REQUEST['email']; $validate = new Validate(); if (!Validate::email($email, array('check_domain' => true, 'use_rfc822' =>true))) { echo "Invalid email"; } $trail_section_mile = $_POST['trail_section_mile']; // required $trail_section_name = $_POST['trail_section_name']; // required $name = $_POST['name']; // required $email = $_POST['email']; // required $telephone = $_POST['telephone']; // required $trail_condition = $_POST['trail_condition']; // required $attention_area = $_POST['attention_area']; // required $under_20 = $_POST['under_20']; $_20_54 = $_POST['_20_54']; $_55_over = $_POST['_55_over']; $_55_over = $_POST['total_hours']; // required if (preg_match('/[\d\D\b\B\s\S]/', $comments)) { echo "nope"; } if (!preg_match("/([\w\.\#\-\,]{1,30})+/", $trail_section_mile)) {echo "please enter the section mile markers again only numbers, decimals dashes and # are aloud"; } if (!preg_match("/[a-z'-]+/", $trail_section_name)) { echo "Try your last name again."; } if (!preg_match("/[a-z'-]+/", $name)) { echo "please re-type your address."; } if (!preg_match("/^\(?([0-9]{3})\)?[-. ]?([0-9]{3})[-. ]?([0-9]{4})$/i", $telephone)) { echo "Something is wrong with the phone number you intered. Please enter your area code first then ther rest of tyour number."; } if (( preg_match( "/[\r\n]/", $first_name ) || preg_match( "/[\r\n]/", $email ) || preg_match( "/[\r\n]/", $last_name) ) || preg_match( "/[\r\n]/", $state)) { echo "nope"; } $trail_section_mile = strip_tags($trail_section_mile); $trail_section_name = strip_tags($trail_section_name); $name =strip_tags($name); $email = strip_tags($email); $telephone = strip_tags($telephone); $trail_condition = strip_tags($trail_condition); $attention_area = strip_tags($attention_area); $under_20 = strip_tags($under_20); $_20_54 = strip_tags($_20_54); $_55_over = strip_tags($_55_over); $total_hours = strip_tags($total_hours); $trail_section_mile = htmlspecialchars($trail_section_mile); $trail_section_name = htmlspecialchars($trail_section_name); $name = htmlspecialchars($name); $email = htmlspecialchars($email); $telephone = htmlspecialchars($telephone); $trail_condition = htmlspecialchars($trail_condition); $attention_area = htmlspecialchars($attention_area); $under_20 = htmlspecialchars($under_20); $under_20 = htmlspecialchars($_20_54); $_55_over = htmlspecialchars($_55_over); $total_hours = htmlspecialchars($total_hours); $email_message = "Form details below.\n\n"; $email_message = date("m/d/Y") . "\n"; function clean_string($string) { $bad = array("content-type","bcc:","to:","cc:","href"); return str_replace($bad,"",$string); } $email_message .= "Trail Section Mile Markers: ".clean_string($trail_section_mile)."\n"; $email_message .= "Trail Section Name : ".clean_string($trail_section_name)."\n"; $email_message .= "Reported by: ".clean_string($name)."\n"; $email_message .= "Email Address: ".clean_string($email)."\n"; $email_message .= "Telephone Number: ".clean_string($telephone)."\n"; $email_message .= "General Trail Condition : ".clean_string($trail_condition)."\n"; $email_message .= "Mile #/Problem/Suggested Improvements: ".clean_string($attention_area)."\n"; $email_message .= "Volunteers Under Age 20 #Males/#Females/Ethnicity/Name: ".clean_string($under_20)."\n"; $email_message .= " Volunteers Ages 20 to 54 #Males/#Females/Ethnicity/Name: ".clean_string($_20_54)."\n"; $email_message .= "Volunteers Age 55+ #Males/#Females/Ethnicity/Name: ".clean_string($_55_over)."\n"; $email_message .= "Total Volunteer Hours: ".clean_string($total_hours)."\n"; $about ="Maintenance Report from" .$name. "/n"; // create email headers $headers = 'Subject : '.$about."/r/n" .'From: '.$email."\r\n" .'Reply-To: '.$email."\r\n" . 'X-Mailer: PHP/' . phpversion(); header("Location: oht/maintenance/maintenance-report/thank-you/"); //line 179 @mail($email_to, $email_subject, $email_message, $headers); ?> <?php } ?> MOD EDIT: . . . BBCode tags added.

I am trying to make sure the user input (which will be emailed after processing) is only being sent to the proper address by explicitly keeping out bcc: cc: etc. I already have a fair amount of validation, but I wanted to be sure people don't steal the data. Is there a better way? /slaps forehead/ of course.

I am trying to keep the user input clean with this script but can't figure out what is wrong with it. the error I am getting is Warning: preg_match() expects parameter 1 to be string, $bad_strings = array( "content-type:", "mime-version:", "multipart/mixed", "Content-Transfer-Encoding:", "bcc:", "cc:", "to:", ); if (preg_match($bad_strings, $first_name)) { die;

Thanks

Hi I'm trying to strip all punctuation and validate a phone number after entering a number I get. the other question I have is how to get the validation part to only respond if there is no match I tried if( !preg_match..... but it didn't work Compilation failed: range out of order in character class at offset 8 on this line $phone = preg_replace( "/[$punctuation]/", '', $_REQUEST[ 'number' ] ); here is the code around it. $punctuation = preg_quote( "().- "); $phone = preg_replace( "/[$punctuation]/", '', $_REQUEST[ 'number' ] ); $valid = "/[1?][2-9][0-9]{2}[2-9][0-9]{2}[0-9]{4}/"; if ( preg_match( $valid, $number ) == 1 ) { echo( "${_REQUEST[ 'number' ]} is valid<br />" ); }

nevermind got it.

I am trying to use PEAR VALIDATION for a registration form an am not able to get it to work. require 'Validate/US.php'; $email = $_REQUEST['email']; $validate = new Validate(); if (!$validate->email("$email")) { echo "Invalid email"; } is what I am using. and I $email is defined earlier in the code as the user input for email. here is the rest of the code. <?php if(isset($_POST['email'])) { // EDIT THE 2 LINES BELOW AS REQUIRED $email_to = "[email protected]"; $email_subject = "$first_name"; function died($error) { // your error code can go here echo "We are very sorry, but there were error(s) found with the form you submitted. "; echo "These errors appear below.<br /><br />"; echo $error."<br /><br />"; echo "Please go back and fix these errors.<br /><br />"; die(); } // validation expected data exists if(!isset($_POST['first_name']) || !isset($_POST['last_name']) || !isset($_POST['address']) || !isset($_POST['city']) || !isset($_POST['state']) || !isset($_POST['zip']) || !isset($_POST['email']) || !isset($_POST['telephone']) || !isset($_POST['comments'])) { died('We are sorry, but there appears to be a problem with the form you submitted.'); } $first_name = $_POST['first_name']; // required $last_name = $_POST['last_name']; // required $address = $_POST['address']; // required $city = $_POST['city']; // required $state = $_POST['state']; // required $state = $_POST['zip']; // required $email_from = $_POST['email']; // required $telephone = $_POST['telephone']; // not required $comments = $_POST['comments']; // required $error_message = ""; $email_exp = "^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$"; if(!eregi($email_exp,$email_from)) { $error_message .= 'The Email Address you entered does not appear to be valid.<br />'; } $string_exp = "^[a-z .'-]+$"; if(!eregi($string_exp,$first_name)) { $error_message .= 'The First Name you entered does not appear to be valid.<br />'; } $string_exp = "^[a-z .'-]+$"; if(!eregi($string_exp,$last_name)) { $error_message .= 'The Last Name you entered does not appear to be valid.<br />'; } require 'Validate/US.php'; $email = $_REQUEST['email']; $validate = new Validate(); if (!$validate->email("$email")) { echo "Invalid email"; } // $phoneNumber = '$telephone'; $result = Validate_US::phoneNumber($phoneNumber); echo 'Test ' . $phoneNumber .' : <br />'; var_export($result); echo '<br />'; if(strlen($comments) < 2) { $error_message .= 'The Comments you entered do not appear to be valid.<br />'; } if(strlen($error_message) > 0) { died($error_message); } header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" ); header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" ); header( "Cache-Control: no-cache, must-revalidate" ); header( "Pragma: no-cache" ); $email_message = "Form details below.\n\n"; $email_message = date("m/d/Y") . "\n"; function clean_string($string) { $bad = array("content-type","bcc:","to:","cc:","href"); return str_replace($bad,"",$string); } $email_message .= "First Name: ".clean_string($first_name)."\n"; $email_message .= "Last Name: ".clean_string($last_name)."\n"; $email_message .= "address: ".clean_string($address)."\n"; $email_message .= "city: ".clean_string($city)."\n"; $email_message .= "state: ".clean_string($state)."\n"; $email_message .= "zip: ".clean_string($zip)."\n"; $email_message .= "Email: ".clean_string($email_from)."\n"; $email_message .= "Telephone: ".clean_string($telephone)."\n"; $email_message .= "Comments: ".clean_string($comments)."\n"; // create email headers $headers = 'From: '.$email_from."\r\n". 'Reply-To: '.$email_from."\r\n" . 'X-Mailer: PHP/' . phpversion(); header("Location: https://www.paypal.com/"); @mail($email_to, $email_subject, $email_message, $headers); ?> <!-- include your own success html here --> Thank you for contacting us. We will be in touch with you very soon. <? } ?>

yes thank you btherl. Well done!

I am getting syntax error, unexpected T_CONSTANT_ENCAPSED_STRING on the date stamp line below but I can't see what is causing the problem. when I comment it out the problem goes away so I know I it is there. please help. $email_message = "Form details below.\n\n"; $email_message = date("m/d/Y")"\n";