Jump to content

What do these few php fields mean in my email form?


11Tami

Recommended Posts

Hi, I have a form that sends to my email and there are a couple values in the php form that are supposed to help with spam but they don't seem to be working. Because when I change them to just anything the form still sends to my email. I am hoping someone can tell me what these do so that I can fix them to actually work and protect my form. Here they are and I have no idea what they do. Thank you!!! Tami

$http_referrer = getenv( "HTTP_REFERER" );
if (!isset($_POST['email'])) { header( "Location: $formurl" ); exit ; }
This one is at the end of my mail() string and I am supposed to list in it the name of the page with the php in it. But when I change it to anything it doesn't seem to matter. It all still sends.
"X-Mailer: chemailphp.php 2.07"
Link to comment
Share on other sites

getenv() function gets an environment variable. in this case, it's getting HTTP_REFERER. from the manual:

[quote]
'HTTP_REFERER'

    The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
[/quote]

so your code block is first making a variable called $http_referrer that holds the HTTP_REFERER value.  Then it has a condition that checks to see if $_POST['email'] exists. $_POST is an array that holds data from your form. 'email' is one of your fields in your form.  If it does not exist, it is assumed that the user did not fill out the form, and the script then sends the user over to some page that is held in $formurl, wherever that is.

there isn't anything in those lines of codes that you have supplied that actually has anything to do with your mail() function, so I'm a little unsure as to what it is you are actually asking here...

well, i kinda know what your asking, but that code you just showed isn't really linked to your mail() function, wherever it is.  You're gonna have to show some more code.
Link to comment
Share on other sites

To ensure YOUR form really is the source of POST, you could generate a random string and include it in a hidden field in your form simultaniously as you insert the same random string into a mysql table.
When checking the POST'ed form, match the posted random string against the one stored in mysql --> Match = ok, if not - abort.
Regardless, clean up and delete the string from mysql.
Link to comment
Share on other sites

  • 2 weeks later...
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.