
Thread: *Secure* PHP form script?

  1. #1

    *Secure* PHP form script?

    Hi all,

    I am using the following simple script to send contact form leads to my email. The site I got it from, however, indicated that it was not entirely secure. After my site got mentioned on some popular blogs, I have started getting blank submissions, which I assume are from bots, so now I'm a bit worried about the security issue.

    Code:
    <?php
    
    // Collect the form fields. $_REQUEST also accepts GET and cookie values,
    // and a missing field defaults to an empty string instead of a notice.
    $name = isset($_REQUEST['name']) ? $_REQUEST['name'] : '';
    $email = isset($_REQUEST['email']) ? $_REQUEST['email'] : '';
    $message =  $name . "\n\n" . (isset($_REQUEST['message']) ? $_REQUEST['message'] : '');
    
    // Refuse values containing CR or LF: a line break in the From: address would
    // let extra mail headers (e.g. Bcc:) be injected. preg_match() replaces the
    // removed ereg() function.
    if ( preg_match( "/[\r\n]/", $name ) || preg_match( "/[\r\n]/", $email ) ) {
    	header( "Location: http://freshcutsd.com/thank-you/" );
    } else {
    	mail( "contact.php@freshcutsd.com", "Contact Form Submission",
    		$message, "From: $email" );
    	header( "Location: http://freshcutsd.com/thank-you/" );
    }
    exit; // stop after the redirect header so nothing else runs
    
    ?>
    Can someone point me to a form handling script that is totally secure? Can bots execute injection attacks or send spam from my domain with the script I am currently using?

    Thanks a bunch for any insight!

    Edit: Did a search (should have done it before, sorry), and found this:

    http://www.w3schools.com/php/php_secure_mail.asp

    Is the above script totally secure for my needs?
    Last edited by jlizarraga; 05-08-2009 at 01:59 AM. Reason: more info
    My site: FreshCut :)

  2. #2

    I briefly looked at the script from W3C that you posted, and it looks like it offers a little bit better security.

    Give this a shot though. It will significantly cut down on your spam mail, and will also reduce the possibility of others using your form to attack someone else.

    The arrays are checked against all the fields in the form in case someone is trying to slip something through.

    The form will submit to itself, so you can create a separate contact page or include it in another page (just remove the HTML tags).

    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    	<title>My Email Form</title>
    </head>
    <body>
    
    <?php
    // Strip HTML tags, magic-quote backslashes and surrounding whitespace.
    function clean($data) {
    	$data = trim(stripslashes(strip_tags($data)));
    	return $data;
    }
    
    // Blacklists, matched case-insensitively against every submitted field.
    $exploits = "/(content-type|bcc:|cc:|document.cookie|onclick|onload|javascript|alert)/i";
    $profanity = "/(beastial|bestial|blowjob|clit|cum|cunilingus|cunillingus|cunnilingus|****|ejaculate|fag|felatio|fellatio|****|fuk|fuks|gangbang|gangbanged|gangbangs|hotsex|jism|jiz|orgasim|orgasims|orgasm|orgasms|phonesex|phuk|phuq|****|pussies|pussy|spunk|xxx)/i";
    $spamwords = "/(viagra|phentermine|tramadol|adipex|advai|alprazolam|ambien|ambian|amoxicillin|antivert|blackjack|backgammon|texas|holdem|poker|carisoprodol|ciara|ciprofloxacin|debt|dating|****)/i";
    $bots = "/(Indy|Blaiz|Java|libwww-perl|Python|OutfoxBot|User-Agent|PycURL|AlphaServer)/i";
    
    // Server variables can be missing, so default them to an empty string.
    $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $server_software = isset($_SERVER['SERVER_SOFTWARE']) ? $_SERVER['SERVER_SOFTWARE'] : '';
    
    if (preg_match($bots, $user_agent)) {
    	exit("<p>Known spam bots are not allowed.</p>");
    }
    
    $c = array();
    foreach ($_POST as $key => $val) {
    	if (is_array($val)) {
    		exit("<p>Unexpected form data.</p>");
    	}
    	$c[$key] = clean($val);
    
    	// The raw value is matched, so nothing that clean() removes can slip through.
    	if (preg_match($exploits, $val)) {
    		exit("<p>Exploits/malicious scripting attributes aren't allowed.</p>");
    	} elseif (preg_match($profanity, $val) || preg_match($spamwords, $val)) {
    		exit("<p>That kind of language is not allowed through our form.</p>");
    	}
    }
    
    $show_form = true;
    $error_msg = NULL;
    
    if (isset($c['submit'])) {
    	// preg_match() replaces the removed ereg() function in the checks below.
    	if (empty($c['name']) || empty($c['email']) || empty($c['comments'])) {
    		$error_msg .= "Name, e-mail and comments are required fields. \n";
    	} elseif (strlen($c['name']) > 15) {
    		$error_msg .= "The name field is limited at 15 characters. Your first name or nickname will do! \n";
    	} elseif (!preg_match("/^[A-Za-z' -]*$/", $c['name'])) {
    		$error_msg .= "The name field must not contain special characters. \n";
    	} elseif (!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$/", strtolower($c['email']))) {
    		$error_msg .= "That is not a valid e-mail address. \n";
    	}
    
    	if ($error_msg == NULL) {
    		$show_form = false;
    
    		// Prefix a scheme if the visitor left it off the website field.
    		if (!empty($c['url']) && !preg_match("/^(http|https)/", $c['url'])) {
    			$c['url'] = "http://" . $c['url'];
    		}
    
    		$subject = "Automatic Form Email";
    
    		$message = "You received this e-mail message through your website: \n\n";
    		foreach ($c as $key => $val) {
    			$message .= ucwords($key) . ": $val \n";
    		}
    		$message .= "IP: " . (isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '') . " \n";
    		$message .= "Browser: " . $user_agent;
    
    		// From: is a fixed site address; the validated visitor address only goes in Reply-To.
    		if (strstr($server_software, "Win")) {
    			$headers   = "From: YOUR-EMAIL@MAIL.COM \n";
    			$headers  .= "Reply-To: {$c['email']}";
    		} else {
    			$headers   = "From: YOUR WEBSITE <YOUR-EMAIL@MAIL.COM> \n";
    			$headers  .= "Reply-To: {$c['email']}";
    		}
    
    		$recipient = "YOUR-EMAIL@MAIL.COM";
    
    		if (mail($recipient,$subject,$message,$headers)) {
    			echo "<p>Your mail was successfully sent.</p>";
    		} else {
    			echo "<p>Your mail could not be sent this time.</p>";
    		}
    	}
    }
    if (!isset($c['submit']) || $show_form == true) {
    	// Echo a submitted value back into the form, HTML-escaped so it cannot
    	// break out of the value="" attribute.
    	function get_data($var) {
    		global $c;
    		if (isset($c[$var])) {
    			echo htmlspecialchars($c[$var], ENT_QUOTES, 'UTF-8');
    		}
    	}
    
    	if ($error_msg != NULL) {
    		echo "<p><strong style='color: red;'>ERROR:</strong><br />";
    		echo nl2br($error_msg) . "</p>";
    	}
    ?>
    	<form action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8'); ?>" method="post"><p>
    		<label><input type="text" name="name" id="name" value="<?php get_data("name"); ?>" /> Name</label><br />
    		<label><input type="text" name="email" id="email" value="<?php get_data("email"); ?>" /> E-mail</label><br />
    		<label><input type="text" name="url" id="url" value="<?php get_data("url"); ?>" /> Website</label><br />
    		<label><input type="text" name="location" id="location" value="<?php get_data("location"); ?>" /> Location</label><br />
    		<label><textarea name="comments" id="comments"><?php get_data("comments"); ?></textarea> Comments</label><br />
    		<input type="submit" name="submit" id="submit" value="Send" />
    	</p></form>
    <?php
    }
    ?>
    
    </body>
    </html>
    Post if you have any questions. Hope this helps, good luck.

  3. #3

    For what you appear to need, the W3schools script offers a reasonable amount of security by sanitizing the input for you.

    When I started out I was also advised to include this code to limit PHP injection:

    $email = str_replace(array("\n","\r"),'',$email);
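The concern raised in post #1 (extra headers smuggled through `From: $email`, and the form being used to send spam from the site's domain) and the CR/LF fix suggested in post #3 come together in the following handler. It is an added example, not code from this thread or from W3Schools; the field names, the hidden "website" honeypot field and the example.com addresses are assumptions.

```php
<?php
// Added example, not code from the thread: a hardened rewrite of the handler
// in post #1. Assumes a POST form with fields name, email, message and a
// hidden "website" honeypot that real visitors leave empty. Addresses are placeholders.
declare(strict_types=1);

// Post #3 strips CR/LF with str_replace; here any CR, LF or NUL in a value that
// reaches a header is refused and logged, so injection attempts stay visible.
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

function handleContactForm(array $post, string $recipient, string $sender): string
{
    $name     = trim((string) ($post['name'] ?? ''));
    $email    = trim((string) ($post['email'] ?? ''));
    $message  = trim((string) ($post['message'] ?? ''));
    $honeypot = (string) ($post['website'] ?? '');

    // Blank submissions (the bot traffic the OP sees) and filled honeypots are
    // dropped without sending anything.
    if ($honeypot !== '' || $name === '' || $email === '' || $message === '') {
        return 'ignored';
    }
    if (hasHeaderInjection($name) || hasHeaderInjection($email)) {
        error_log('contact form: header injection attempt from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return 'rejected';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid-email';
    }

    // From: is always the site's own address, so the form cannot send mail
    // "from" an arbitrary domain; the visitor's address goes only in Reply-To.
    // Name and message are body text, never headers.
    $headers = implode("\r\n", [
        'From: ' . $sender,
        'Reply-To: ' . $email,
        'Content-Type: text/plain; charset=UTF-8',
    ]);
    $body = 'Name: ' . $name . "\n\n" . $message;
    return mail($recipient, 'Contact Form Submission', $body, $headers) ? 'sent' : 'error';
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    handleContactForm($_POST, 'contact@example.com', 'no-reply@example.com');
    header('Location: /thank-you/');   // same redirect for every outcome, as in the original
    exit;
}
```

Because every outcome redirects to the same page, a bot learns nothing from the response about which check it failed, while the error_log entries tell the site owner how often injection is being attempted.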

  4. #4

    Thanks guys, I will give it a shot once I have my site restored (got hacked) and let you know how it goes!
    My site: FreshCut :)
