*Secure* PHP form script?

**jlizarraga** · 05-08-2009, 01:55 AM

Hi all,

I am using the following simple script to send contact form leads to my email. The site I got it from, however, indicated that it was not entirely secure. After my site got mentioned on some popular blogs, I have started getting blank submissions, which I assume are from bots, so now I'm a bit worried about the security issue.

Code:

<?php

$name = $_REQUEST['name'];
$email = $_REQUEST['email'];
$message =  $name . "\n\n" . $_REQUEST['message'];

if ( ereg( "[\r\n]", $name ) || ereg( "[\r\n]", $email ) ) {
	header( "Location: http://freshcutsd.com/thank-you/" );
} else {
	mail( "contact.php@freshcutsd.com", "Contact Form Submission",
		$message, "From: $email" );
	header( "Location: http://freshcutsd.com/thank-you/" );
}

?>

Can someone point me to a form handling script that is totally secure? Can bots execute injection attacks or send spam from my domain with the script I am currently using?

Thanks a bunch for any insight!

Edit: Did a search (should have done it before, sorry), and found this:

http://www.w3schools.com/php/php_secure_mail.asp

Is the above script totally secure for my needs?

**?foru** · 05-11-2009, 02:30 AM

I briefly looked at the script from W3C that you posted, and it looks like it offers a little bit better security.

Give this a shot though. It will significantly cut down on your spam mail, and will also reduce the possibility of others using your form to attack someone else.

The arrays are checked against all the fields in the form incase someone is trying to slip something through.

The form will submit to itself so you can create a separate contact page or include it into another page (just remove the HTML tags)

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<title>My Email Form</title>
</head>
<body>

<?php
function clean($data) {
	$data = trim(stripslashes(strip_tags($data)));
	return $data;
}

$exploits = "/(content-type|bcc:|cc:|document.cookie|onclick|onload|javascript|alert)/i";
$profanity = "/(beastial|bestial|blowjob|clit|cum|cunilingus|cunillingus|cunnilingus|****|ejaculate|fag|felatio|fellatio|****|fuk|fuks|gangbang|gangbanged|gangbangs|hotsex|jism|jiz|orgasim|orgasims|orgasm|orgasms|phonesex|phuk|phuq|****|pussies|pussy|spunk|xxx)/i";
$spamwords = "/(viagra|phentermine|tramadol|adipex|advai|alprazolam|ambien|ambian|amoxicillin|antivert|blackjack|backgammon|texas|holdem|poker|carisoprodol|ciara|ciprofloxacin|debt|dating|****)/i";
$bots = "/(Indy|Blaiz|Java|libwww-perl|Python|OutfoxBot|User-Agent|PycURL|AlphaServer)/i";

if (preg_match($bots, $_SERVER['HTTP_USER_AGENT'])) {
	exit("<p>Known spam bots are not allowed.</p>");
}
foreach ($_POST as $key => $val) {
	$c[$key] = clean($val);

	if (preg_match($exploits, $val)) {
		exit("<p>Exploits/malicious scripting attributes aren't allowed.</p>");
	} elseif (preg_match($profanity, $val) || preg_match($spamwords, $val)) {
		exit("<p>That kind of language is not allowed through our form.</p>");
	}
}

$show_form = true;
$error_msg = NULL;

if (isset($c['submit'])) {
	if (empty($c['name']) || empty($c['email']) || empty($c['comments'])) {
		$error_msg .= "Name, e-mail and comments are required fields. \n";
	} elseif (strlen($c['name']) > 15) {
		$error_msg .= "The name field is limited at 15 characters. Your first name or nickname will do! \n";
	} elseif (!ereg("^[A-Za-z' -]*$", $c['name'])) {
		$error_msg .= "The name field must not contain special characters. \n";
	} elseif (!ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$",strtolower($c['email']))) {
		$error_msg .= "That is not a valid e-mail address. \n";
	}

	if ($error_msg == NULL) {
		$show_form = false;

		if (!empty($c['url']) && !ereg("^(http|https)", $c['url'])) {
			$c['url'] = "http://" . $c['url'];
		}

		$subject = "Automatic Form Email";

		$message = "You received this e-mail message through your website: \n\n";
		foreach ($c as $key => $val) {
			$message .= ucwords($key) . ": $val \n";
		}
		$message .= "IP: {$_SERVER['REMOTE_ADDR']} \n";
		$message .= "Browser: {$_SERVER['HTTP_USER_AGENT']}";

		if (strstr($_SERVER['SERVER_SOFTWARE'], "Win")) {
			$headers   = "From: YOUR-EMAIL@MAIL.COM \n";
			$headers  .= "Reply-To: {$c['email']}";
		} else {
			$headers   = "From: YOUR WEBSITE <YOUR-EMAIL@MAIL.COM> \n";
			$headers  .= "Reply-To: {$c['email']}";
		}

		$recipient = "YOUR-EMAIL@MAIL.COM";

		if (mail($recipient,$subject,$message,$headers)) {
			echo "<p>Your mail was successfully sent.</p>";
		} else {
			echo "<p>Your mail could not be sent this time.</p>";
		}
	}
}
if (!isset($c['submit']) || $show_form == true) {
	function get_data($var) {
		global $c;
		if (isset($c[$var])) {
			echo $c[$var];
		}
	}

	if ($error_msg != NULL) {
		echo "<p><strong style='color: red;'>ERROR:</strong><br />";
		echo nl2br($error_msg) . "</p>";
	}
?>
	<form action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="post"><p>
		<label><input type="text" name="name" id="name" value="<?php get_data("name"); ?>" /> Name</label><br />
		<label><input type="text" name="email" id="email" value="<?php get_data("email"); ?>" /> E-mail</label><br />
		<label><input type="text" name="url" id="url" value="<?php get_data("url"); ?>" /> Website</label><br />
		<label><input type="text" name="location" id="location" value="<?php get_data("location"); ?>" /> Location</label><br />
		<label><textarea name="comments" id="comments"><?php get_data("comments"); ?></textarea> Comments</label><br />
		<input type="submit" name="submit" id="submit" value="Send" />
	</p></form>
<?php
}
?>

</body>
</html>

Post if you have any questions. Hope this helps, good luck.

**forum_amnesiac** · 05-11-2009, 08:46 AM

For what you appear to need the W3schools script offers a reasonable amount of security by sanitizing the input for you.

When I started out I was also advised to include this code to limit PHP injection:-

$email = str_replace(array("\n","\r"),'',$email);