
[SOLVED] HTML form to Email using PHP - Help a newbie pleasie!


mogsy


Hi,

 

After having my contact form hacked to send spam I have had a go and tried to write a PHP script using bits from different scripts etc. Just wondered if some of you more experienced with PHP (I've only been learning as I go) would take a look at it for me and tell me what you think please?

 

On the HTML form side I used JavaScript to make sure certain fields are filled and a valid email address is entered before passing the info over to my PHP script. On the HTML form page I have a hidden field (using CSS display: none) and if a bot fills this field in then the PHP script is set to recognise it as spam and it will not be sent (will this work?)

 

<?php

$spam = $_POST['info'];

// Check whether the hidden (honeypot) field has been filled
if ($spam != "") {
    // if so print error message and exit
    echo "Suspected injection attempt - mail not being sent."; exit;
}

// check to see whether name, enquiry details and email contain info in case javascript is off
if (empty($_POST['name']) || empty($_POST['enquiry_details']) || empty($_POST['email'])) {
    // here, they have not filled in either their name, email or enquiry details.  Set an error.
    header("Location: error.htm"); exit;
}

// Pick up the form data and assign it to variables.
// Every field is assigned here, BEFORE the injection checks below are run on it.
// (In the original ordering $email, $phone, $address etc. were still undefined
// when contains_bad_str() and contains_newlines() were called, so those checks
// were silently testing empty strings and the real values went through unchecked.)
$title = $_POST['title'];
$name = $_POST['name'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$address = $_POST['address'];
$heard_from = $_POST['heard_from'];
$heard_other = $_POST['heard_other'];
$style = $_POST['style'];
$enquiry_details = $_POST['enquiry_details'];

// check to see whether common mail-header injection terms are entered into certain fields
function contains_bad_str($str_to_test) {
  $bad_strings = array(
    "content-type:",
    "mime-version:",
    "multipart/mixed",
    "content-transfer-encoding:",
    "bcc:",
    "cc:",
    "to:"
  );
  // if terms are present, set error and exit
  // (stripos() is a case-insensitive substring search; the original used
  // eregi(), which was deprecated in PHP 5.3 and removed in PHP 7)
  foreach ($bad_strings as $bad_string) {
    if (stripos($str_to_test, $bad_string) !== false) {
      echo "Suspected injection attempt - mail not being sent.";
      exit;
    }
  }
}

// check for newlines (raw CR/LF or their URL-encoded forms), which are what
// an attacker needs to start a new header line such as Bcc:
function contains_newlines($str_to_test) {
   if (preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
     echo "Suspected injection attempt - mail not being sent.";
     exit;
   }
}

contains_bad_str($title);
contains_bad_str($name);
contains_bad_str($email);
contains_bad_str($phone);
contains_bad_str($address);
contains_bad_str($heard_from);
contains_bad_str($heard_other);
contains_bad_str($style);
contains_bad_str($enquiry_details);

contains_newlines($title);
contains_newlines($name);
contains_newlines($email);
contains_newlines($phone);
contains_newlines($heard_from);
contains_newlines($heard_other);

/* If e-mail is not valid show error message.
   The pattern is anchored (\A ... \z) so the whole value must be an address,
   not merely contain one somewhere inside it; dots are allowed in the local
   part and domain so that addresses like first.last@mail.example.co.uk pass. */
if (!preg_match("/\A[\w\-.]+@[\w\-.]+\.[\w\-]+\z/", $email))
{
    header("Location: error.htm");
    exit;
}

// Build the email (replace the address in the $to section with your own)
$to = '[email protected]';
$subject = "Contact form enquiry";
$message = "Title: $title,

Name: $name,

Phone: $phone,

Address: $address,

Heard from: $heard_from,

Heard other: $heard_other,

Style: $style,

Enquiry details: $enquiry_details,";
// $email has passed the newline check and the anchored pattern above, so it
// cannot carry a second header line into mail()
$headers = "From: $email";

// Send the mail using PHP's mail() function
// $succe = true or false, the return value of mail()
$succe = mail($to, $subject, $message, $headers);

// Redirect
if ($succe)
{
    header("Location: confirmation.htm");
    exit(); // redirect to confirmation page and end php
}
else
{
    // end php, with a message of failure
    exit("Sorry. Mail was not sent. Go back and try again.");
}
?>

 

The error page you get directed to just basically says click back on your browser and make sure you have entered your name, email and enquiry details (only using the error page in case people have JavaScript switched off).

 

I've tested it locally and online (a spare domain I have), and everything seems to work (not sure how I check to see if the code stopping new lines works, any ideas?) - is there anything I need to add to the script? (I am planning on adding a Captcha to my form, but I thought I would make a start on the script first)

 

Thanks

M

The steps you have taken should keep you spam safe for a while.

The hidden form field works ok for bots, and obviously removing the bcc/ etc from the input will help. You could use a regular expression to verify the email address, that way you can skip the cc:/bcc/etc part, since those will not pass through a good email regex.

 

You can send your script into the wild of the internet if your testing shows it's working.

 

Also - FYI - you don't need to test for bcc, cc, etc on your form fields in general - you just need to test that against your email field.

 

 

(Note: I didn't proof the code, just read the comments on what you did and briefly glanced through the code).
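The two points above (mogsy's honeypot-plus-newline-check approach, and the reply's advice to validate the email address properly and only worry about header injection on that one field) can be put together in one small validation routine. The code below is an added example, not mogsy's script and not the forum's; it assumes the same field names as the post ('info' for the hidden field, 'name', 'email', 'enquiry_details') and uses PHP's built-in FILTER_VALIDATE_EMAIL instead of a hand-written regex. The sample submissions at the bottom are constructed, and the one labelled 'inject' is exactly the kind of input mogsy asked how to test with: an address with a CRLF and a Bcc: line glued on.

```php
<?php
// Added example, not mogsy's script: one validation pass for a contact
// form. Field names match the post ('info' honeypot, 'name', 'email',
// 'enquiry_details'); everything else here is an assumption.

/**
 * Validate the submitted form data. Returns an array of error strings;
 * an empty array means the submission is acceptable to hand to mail().
 */
function validate_contact_form(array $post): array
{
    $errors = [];

    // 1. Honeypot: the CSS-hidden 'info' field must stay empty. A bot that
    //    fills every field it finds trips it; a human never sees it.
    if (isset($post['info']) && $post['info'] !== '') {
        $errors[] = 'honeypot filled';
    }

    // 2. Required fields, checked server side, because client-side
    //    JavaScript can be switched off or bypassed entirely.
    foreach (['name', 'email', 'enquiry_details'] as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "missing $field";
        }
    }

    // 3. The email is the only value that ends up in a mail header, so it
    //    is the only one that needs the header-injection test. A value
    //    containing CR, LF, spaces or a second "header" is not a valid
    //    address, so FILTER_VALIDATE_EMAIL rejects it, and with it any
    //    attempt to smuggle in a Bcc: line.
    $email = $post['email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }

    return $errors;
}

/**
 * Build the header block. The From: address is the site's own fixed
 * address and the visitor's address goes into Reply-To:, so no user
 * input is concatenated into From: at all.
 */
function build_headers(string $site_from, string $reply_to): string
{
    // $reply_to has already passed FILTER_VALIDATE_EMAIL, so it holds no
    // CR or LF; check again anyway as a last line of defence.
    if (preg_match('/[\r\n]/', $reply_to)) {
        throw new InvalidArgumentException('newline in reply-to address');
    }
    return "From: $site_from\r\nReply-To: $reply_to";
}

// Constructed sample submissions (not captured traffic).
$samples = [
    'legit'  => ['info' => '', 'name' => 'Ann', 'email' => 'ann@example.com',
                 'enquiry_details' => 'Hello'],
    'bot'    => ['info' => 'http://spam.example', 'name' => 'x',
                 'email' => 'x@example.com', 'enquiry_details' => 'y'],
    'inject' => ['info' => '', 'name' => 'Bob',
                 'email' => "bob@example.com\r\nBcc: victim@example.net",
                 'enquiry_details' => 'Hi'],
];

foreach ($samples as $label => $post) {
    $errors = validate_contact_form($post);
    if ($errors === []) {
        $headers = build_headers('webmaster@example.com', $post['email']);
        echo "$label: OK, headers would be: "
            . str_replace("\r\n", ' | ', $headers) . "\n";
        // mail($to, $subject, $message, $headers) would be called here.
    } else {
        echo "$label: rejected (" . implode(', ', $errors) . ")\n";
    }
}
```

Run from the command line (`php contact_check.php`) it prints 'legit' as OK with a From/Reply-To header pair, 'bot' rejected for the honeypot, and 'inject' rejected as an invalid email. That last case is the test mogsy was missing: rather than guessing whether the newline check fires, feed it an address with "\r\nBcc: ..." appended and confirm the submission is refused before mail() is ever reached. Keeping From: fixed and putting the visitor in Reply-To: also means the mail server sees a sender domain it is actually allowed to send for, which helps deliverability as well as safety.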

 

 

Thanks for the response! I was unsure about the cc:/bcc/etc part so thought I would put it in - I've used an email regex on the JavaScript side, didn't think to use it on the PHP side too! Will do a PHP regex.

 

Thanks again, it's nice to know I am going along the right lines!!

M
