  1. #1
    SitePoint Guru

    Advice on a secure contact form please?

    Working on debugging this contact form. I grabbed the original off the net and customized it a bit. It was passed on and customized some more for security. Now it is no longer working. The server is thought to be the issue. Could I have advice on how to best troubleshoot this please?
    Or what would be a better way to secure it?
    Thank you

    PHP Code:
    <?php
    // If the form is submitted
    if (isset($_POST['submitted'])) {

        // Values used in the mail bodies below; initialised so the error-report
        // mail does not read undefined variables when a check fails
        $name = $email = $comments = '';

        // Check to see if the honeypot captcha field was filled in
        if (trim($_POST['checking']) !== '') {
            $hasError = true;
        } else {

            // Check to make sure that the name field is not empty
            if (trim($_POST['contactFName']) === '') {
                $nameFError = 'You forgot to enter your First name.';
                if (trim($_POST['contactLName']) === '') {
                    $nameLError = 'You forgot to enter your Last name.';
                }
                $hasError = true;
            } else if (trim($_POST['contactLName']) === '') {
                $nameLError = 'You forgot to enter your Last name.';
                $hasError = true;
            } else {
                $name = trim($_POST['contactFName']) . " " . trim($_POST['contactLName']);

                // filtering on spambot text - SCB
                if (strpos($name, '../') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '..\\') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '.htm') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '.html') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '.ini') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '.php') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '.htaccess') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '.bat') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '.reg') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '.sct') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '.vb') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '.ws') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '.php') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '.aspx') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '/etc') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, '/passwd') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, 'Response.Write') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, 'injected_value') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                if (strpos($name, 'C:\\') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
            }

            // Check to make sure that a valid email address is submitted
            if (trim($_POST['email']) === '') {
                $emailError = 'You forgot to enter your email address.';
                $hasError = true;
            } else if (!eregi("^[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}$", trim($_POST['email']))) {
                // eregi() is deprecated as of PHP 5.3
                $emailError = 'You entered an invalid email address.';
                $hasError = true;
            } else {
                $email = trim($_POST['email']);
            }

            // Check to make sure comments were entered
            if (trim($_POST['comments']) === '') {
                $commentError = 'You forgot to enter your comments.';
                $hasError = true;
            } else {
                if (function_exists('stripslashes')) {
                    $comments = stripslashes(trim($_POST['comments']));
                } else {
                    $comments = trim($_POST['comments']);
                }

                // filtering on spambot text - SCB
                if (strpos($_POST['comments'], '../') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '..\\') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '.htm') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '.html') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '.ini') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '.php') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '.htaccess') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '.bat') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '.reg') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '.sct') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '.vb') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '.ws') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '.php') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '.aspx') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '/etc') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], '/passwd') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], 'C:\\') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], 'Response.Write') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                if (strpos($_POST['comments'], 'injected_value') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
            }

            // SCB - record IP
            $ip = $_SERVER['REMOTE_ADDR'];

            // If there is no error, send the email
            if (!isset($hasError)) {
                $emailTo = 'xyz.xyz@email.com';
                $emailTo2 = 'xyz.xyz@email.com'; // testing only - remove on launch
                $subject = 'FORM - Contact Form Submission from ' . $name;
                $sendCopy = isset($_POST['sendCopy']) ? trim($_POST['sendCopy']) : '';
                $body = "Name: $name \n\nEmail: $email \n\nComments: $comments \n\nIP: $ip";
                $bodyNoIp = "Name: $name \n\nEmail: $email \n\nComments: $comments";
                $headers = 'From: us to you <' . $emailTo . '>' . "\r\n" . 'Reply-To: ' . $email;

                mail($emailTo, $subject, $body, $headers);
                mail($emailTo2, $subject, $body, $headers);

                if ($sendCopy == true) {
                    $subject = 'Thank you for your interest in us';
                    $headers = "From: $name <$email>";
                    mail($email, $subject, $bodyNoIp, $headers);
                }

                $emailSent = true;
            }

            // If there is an error, send the email to SCB for testing
            if (isset($hasError)) {
                $emailTo = 'xyz.xyz@email.com';
                $subject = 'ERROR - Contact Form Submission from ' . $name;
                $sendCopy = isset($_POST['sendCopy']) ? trim($_POST['sendCopy']) : '';
                $body = "Name: $name \n\nEmail: $email \n\nComments: $comments \n\nIP: $ip";
                $headers = 'From: us to you<' . $emailTo . '>' . "\r\n" . 'Reply-To: ' . $email;
                mail($emailTo, $subject, $body, $headers);
                //$emailSent = true;
            }
        }
    }
    ?>

  2. #2
    cpradio (Hosting Team Leader)
    What version of PHP are you running? The first thing I spotted was the use of eregi, which is deprecated as of 5.3:
    http://php.net/manual/en/function.eregi.php

    Secondly, seriously WTF is with ALL of those IF statements. There has to be a better way of validating those fields.

  3. #3
    SitePoint Guru
    Will have to check; I did not do that part.
    & yes, I totally agree on the if statements; even to me they look a bit too repetitive.
    Am looking for a better solution.
    If you have a YouTube tutorial off the top of your head (or a SitePoint one), please head me that way.
    Thank you
    D

  4. #4
    SitePoint Guru
    Actually, I think I found it. Will post results later and hope for some feedback.

  5. #5
    SitePoint Guru
    So I started back from scratch. It should be working, but I can't confirm I received an email yet,
    and I still need to put in any safety features.

    PHP Code:
    <?php

    if (isset($_POST['contactName'], $_POST['contactEmail'], $_POST['contactText'])) {
        $contactName  = trim($_POST['contactName']);
        $contactEmail = trim($_POST['contactEmail']);
        $contactText  = trim($_POST['contactText']);

        if (!empty($contactName) && !empty($contactEmail) && !empty($contactText)) {
            if (strlen($contactName) > 25 || strlen($contactEmail) > 50 || strlen($contactText) > 1000) {
                echo 'max length exceeded';
            } else {
                $emailTo = 'yourEmail@gmail.com';
                $subject = 'Contact form submission';
                $body    = $contactName . "\n" . $contactText;
                // Concatenate: inside single quotes '$contactEmail' would be sent literally
                $headers = 'From: ' . $contactEmail;

                if (mail($emailTo, $subject, $body, $headers)) {
                    echo 'Thank you for contacting us. We will be in touch shortly';
                } else {
                    echo 'Sorry, unable to send/receive this message. Please try again later.';
                }
            }
        } else {
            echo 'All fields are required';
        }
    }

    ?>



    <form action="" method="POST">

    Name: <br> <input type="text" name="contactName" maxlength="25"><br>
    Email Address: <br> <input type="text" name="contactEmail" maxlength="50"><br>
    Message<br>
    <textarea name="contactText" rows="6" cols="50" maxlength="1000"></textarea>
    <input type="submit" value="send">

    </form>
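    Taking cpradio's two points from post #2 (eregi is deprecated, and the run of if statements) together with the safety features post #5 still lacks, here is an added validator for that form. It is example code written for this thread, not code from any of the posts; it assumes PHP 7.1 or later, and the email addresses in the usage part are placeholders. The one check the minimal form most needs is that nothing containing a line break reaches a mail header, since mail() passes the headers string through as-is.

```php
<?php
// Constructed example, not code from this thread. Field names and limits are those
// of the post #5 form; SPAM_MARKERS is a shortened copy of the original spam filter.
const MAX_LEN      = ['contactName' => 25, 'contactEmail' => 50, 'contactText' => 1000];
const SPAM_MARKERS = ['../', '..\\', '.htm', '.php', '.aspx', '/etc', '/passwd',
                      'Response.Write', 'injected_value', 'C:\\'];

/** One loop replaces the original run of per-marker if statements. */
function containsMarker(string $value): bool
{
    foreach (SPAM_MARKERS as $marker) {
        if (stripos($value, $marker) !== false) { return true; }
    }
    return false;
}

/** Returns [$errors, $clean]; $clean holds only fields that passed every check. */
function validateContact(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (MAX_LEN as $field => $max) {
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[$field] = 'This field is required.';
        } elseif (strlen($value) > $max) {
            $errors[$field] = "Maximum length is $max characters.";
        } elseif ($field !== 'contactText' && preg_match('/[\r\n]/', $value)) {
            // Header-bound fields must stay on one line, or the submission could
            // append its own headers or recipients to the outgoing mail.
            $errors[$field] = 'Line breaks are not allowed here.';
        } elseif ($field === 'contactEmail' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            // filter_var() replaces the deprecated eregi() pattern.
            $errors[$field] = 'Please enter a valid email address.';
        } elseif ($field !== 'contactEmail' && containsMarker($value)) {
            $errors[$field] = 'This field contains invalid characters.';
        } else {
            $clean[$field] = $value;
        }
    }
    return [$errors, $clean];
}

// Usage: send only when nothing failed, with a fixed From: and a validated Reply-To:.
[$errors, $clean] = validateContact($_POST);
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && $errors === []) {
    $headers = "From: Contact form <no-reply@example.com>\r\nReply-To: {$clean['contactEmail']}";
    $body    = "Name: {$clean['contactName']}\n\n{$clean['contactText']}\n\nIP: " . ($_SERVER['REMOTE_ADDR'] ?? 'unknown');
    mail('you@example.com', 'Contact form submission', $body, $headers);
}
```

    On failure, $errors is keyed by field name, so the form can show each message next to its input instead of the single echo in post #5.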

  6. #6
    SitePoint Guru
    OK, I was having some problems with my form. So I found out the issue might have been that localhost was not set up to support that.
    I followed these instructions from Stack Overflow.
    HTML Code:
    You can send mail from localhost with the sendmail package; the sendmail package is built into XAMPP. So if you are using XAMPP then you can easily send mail from localhost.

    For example you can configure C:\xampp\php\php.ini and c:\xampp\sendmail\sendmail.ini for gmail to send mail.

    In C:\xampp\php\php.ini find extension=php_openssl.dll and remove the semicolon from the beginning of that line to make SSL work for gmail on localhost.

    In the php.ini file find [mail function] and change

    SMTP=smtp.gmail.com
    smtp_port=587
    sendmail_from = my-gmail-id@gmail.com
    sendmail_path = "\"C:\xampp\sendmail\sendmail.exe\" -t"
    Now open C:\xampp\sendmail\sendmail.ini. Replace all the existing code in sendmail.ini with the following code

    [sendmail]

    smtp_server=smtp.gmail.com
    smtp_port=587
    error_logfile=error.log
    debug_logfile=debug.log
    auth_username=my-gmail-id@gmail.com
    auth_password=my-gmail-password
    force_sender=my-gmail-id@gmail.com
    Now you are done!! Create a php file with the mail function and send mail from localhost.

    PS: don't forget to replace my-gmail-id and my-gmail-password in the above code.
    But it still doesn't seem to be working. I did change the default port 25 to 587 and also went back to the XAMPP control panel, opened up the config/port settings, and in the Mercury tab also changed the port from 25 to 587.

