
Thread: Form Elements?

  1. #1
    Join Date
    Jan 2006
    Posts
    29
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Form Elements?

    Hey there, I currently have a "contact us" form on my website and quite often I get just spam emails from it containing HTML and links. The form itself does not render the HTML when it sends the email to me, so when I view it I just see a page of HTML and a bunch of links all over the place. What I am asking is: is there a way to disable the use of HTML code in the form?

    Thanks so much
    - Kevin Neberman.

  2. #2
    Join Date
    Jun 2005
    Location
    United Kingdom
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    Yes.

    However, you'll need to provide details about the form processor.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  3. #3
    Join Date
    Jan 2006
    Posts
    29
    Thanks
    1
    Thanked 0 Times in 0 Posts


    The form is located here: http://www.ayalapercussion.com/other/contact.php
    and the PHP send-mail code is this:
    Code:
    <?php

    $mailto = $_POST['sendto'] ;

    $subject = "Ayala Percussion Ensemble Email Message" ;

    $formurl = "contact.php" ;
    $errorurl = "error.php" ;
    $thankyouurl = "index.asp" ;

    $name = $_POST['name'] ;
    $email = $_POST['email'] ;
    $comments = $_POST['comments'] ;
    $http_referrer = getenv( "HTTP_REFERER" );

    if (!isset($_POST['email'])) {
    header( "Location: $formurl" );
    exit ;
    }
    if (empty($mailto) || empty($name) || empty($email) || empty($comments)) {
    header( "Location: $errorurl" );
    exit ;
    }
    if ($mailto == "Choose A Contact.") {
    header( "Location: $errorurl" );
    exit ;
    }
    if ($subject == "Choose A Subject.") {
    header( "Location: $errorurl" );
    exit ;
    }
    if (get_magic_quotes_gpc()) {
    $comments = stripslashes( $comments );
    }

    $messageproper =

    "This message was sent from: " . $name .
    "\n$http_referrer\n\n" .
    "________________________( COMMENTS )________________________\n\n" .
    "\nName: " . $name .
    "\nE-Mail: " . $email .
    "\n\nMessage: \n" . $comments .
    "\n____________________________________________________________\n" ;

    mail($mailto, $subject, $messageproper, "From: \"$name\" <$email>\nReply-To: \"$name\" <$email>\nX-Mailer: feedback2.php" );
    header( "Location: $thankyouurl" );
    exit ;

    ?>

  4. #4
    Join Date
    Jun 2005
    Location
    United Kingdom
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    Ouch! This script is a disaster area. A malicious user could use your server to send spam or other unpleasant emails.

    Firstly, don't send the recipient from the form. Hard-code it into the PHP script or store it somewhere else inaccessible to the user. The user can modify the contents of form elements (yes, even hidden ones) arbitrarily.

    Secondly, add two CRLF sequences before the beginning of the message or after the end of the headers. PHP may do this automatically, but inserting extra headers at the top of a message is historically a common way to abuse mailing scripts.

    Thirdly, validate all the input you receive before inserting it into a mail header. For example, a name should consist only of alphanumeric characters, a space, or a hyphen. Don't forget to check for non-English characters as well. $email may consist of many things, but should not contain greater-than or less-than symbols (< and >) or CR or LF characters ("\r" or "\n").

    Fourthly, all URLs sent as Location headers should be absolute, according to the HTTP specification. Most browsers will error-correct this, but you shouldn't rely upon it.

    Fifthly, the SMTP specification says that mail headers should be separated by a CRLF sequence ("\r\n") not a single LF ("\n").

    Sixthly, strip out all HTML tags by doing:
    Code:
    $comments = preg_replace('/<[^>]+>/', '', $comments);
    Last edited by Twey; 01-05-2007 at 10:57 PM.
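A version of the posted script that applies all six of Twey's points, as an added example (not code from the thread or from the site in question): the recipient map, the site URL, and the helper names redirect_to and post_field are assumptions, and a PCRE pattern has no /g modifier, so the strip-tags line is written without it.

```php
<?php
// Added example, not the thread's code. Addresses and site URL are placeholders.

// 1. Recipients live here, never in the form, which submits only a key.
$recipients = ['booking' => 'booking@example.com', 'general' => 'info@example.com'];
$base    = 'http://www.example.com/other/';  // 4. absolute Location URLs
$subject = 'Ayala Percussion Ensemble Email Message';

function redirect_to($url) {
    header('Location: ' . $url);
    exit;
}
function post_field($field) {  // always a trimmed string, never an array
    return isset($_POST[$field]) && is_string($_POST[$field]) ? trim($_POST[$field]) : '';
}

$key      = post_field('sendto');
$name     = post_field('name');
$email    = post_field('email');
$comments = post_field('comments');
if (!isset($recipients[$key]) || $name === '' || $email === '' || $comments === '') {
    redirect_to($base . 'error.php');
}
$mailto = $recipients[$key];

// 3. Validate everything that ends up in a header. Name: letters or digits in
//    any script, spaces, hyphens, apostrophes; \z rather than $ so a trailing
//    newline cannot slip through. Email: valid syntax and no < > CR LF.
if (!preg_match('/^[\p{L}\p{N} \'-]{1,80}\z/u', $name)
    || filter_var($email, FILTER_VALIDATE_EMAIL) === false
    || preg_match('/[<>\r\n]/', $email)) {
    redirect_to($base . 'error.php');
}

// 6. Strip HTML from the body. PCRE has no /g modifier: preg_replace already
//    replaces every match, and '/<[^>]+>/g' returns NULL with a warning.
$comments = preg_replace('/<[^>]+>/', '', $comments);

$body = "This message was sent from: $name\r\n\r\n"
      . "Name: $name\r\nE-Mail: $email\r\n\r\nMessage:\r\n$comments\r\n";

// 5. Headers separated by CRLF. 2. mail() itself adds the blank line that ends
//    the header block, and newer PHP rejects a headers string with a trailing or
//    doubled newline, so none is appended here.
$headers = "From: \"$name\" <$email>\r\n"
         . "Reply-To: \"$name\" <$email>\r\n"
         . 'X-Mailer: contact.php';

mail($mailto, $subject, $body, $headers);
redirect_to($base . 'index.asp');
```

The form's select element should then offer the keys (booking, general) as option values rather than addresses, so nothing the user submits is ever used as a recipient or header verbatim.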

  5. #5
    Join Date
    Jan 2006
    Posts
    29
    Thanks
    1
    Thanked 0 Times in 0 Posts


    Where exactly would I put the code you gave me?

    I tried putting it in the mail.php file, but no luck.

  6. #6
    Join Date
    Jul 2006
    Location
    Canada
    Posts
    2,581
    Thanks
    13
    Thanked 28 Times in 28 Posts


    If you just copied and pasted that code, simply inserting what Twey gave here won't work. You have to understand how PHP works, and for one thing: there can't be more than one variable with the same name, so logically you must replace your "comments" variable with Twey's here.
    - Mike

  7. #7
    Join Date
    Jan 2006
    Posts
    29
    Thanks
    1
    Thanked 0 Times in 0 Posts


    lol, I understand that and did replace the comments code, but it still didn't work. I'll play with it later today and see what happens.

  8. #8
    Join Date
    Jun 2005
    Location
    United Kingdom
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    Put it after this line:
    Code:
    $comments = $_POST['comments'] ;
