
  1. #1 SitePoint Member, Sweden, joined Mar 2004

    Spam-Free Coded PHP Email Form

    Hi,

    I've been reading a lot about form spamming and have even been a victim myself, so I removed the old PHP form script I had and am looking for a new one now. So I was wondering if anyone knows a good spam-free (coded so spamming through the form is disabled, or something like that) PHP e-mail form script. I don't want to risk another unsafe form; I've been having problems with someone sending spam mails to my competitors.

    Hope someone can help, thanks in advance.

    (Sorry, posted in the wrong forum, please move it)
    Thanks,

  2. #2 SitePoint Member, Queensland, joined Nov 2005
    I assume you have been using a PHP form handler that emulates CGI form handlers. Is there a reason you don't just use the PHP mail() function?

    I just put a PHP script at the top of the form page that formats the form variables and then sends the email. I prefer this because I can also make the script format the email in HTML.

    The only way spammers can use the script is if they pass the exact same form variables through to the form page, and then they can't control where it is sent because the recipient details are hard-coded into the PHP script rather than being passed through hidden form variables (which can be found in the HTML). I haven't bothered protecting the scripts any further, but you could also tie the script to a session variable to ensure that the form was sent from the correct server and page.

  3. #3 SitePoint Member, joined Jul 2005
    I have some code at home about protecting your email address with Javascript (even though I do it via a split up table)

    I really don't know if it will work with a PHP Form though. Worth having a look on Google about Javascript Protection

  4. #4 Mike Empuria (Matthew's Daddy), Box, Wiltshire, joined Oct 2004
    Here you go. It's PHP code for an email form that I got from somewhere and added code to stop email injection attacks and make it validate. It posts to itself so you don't need thank-you pages, all fields are required, it validates XHTML Strict and is tableless. Just put it into your page, change the $email_address value, add the CSS and you should be good to go.

    PHP Code:
    <?php //Start of the contact form
    $email_address = "who@yourbusiness.com";
    // @ suppresses the "undefined index" notice on the first (GET) visit
    $sender_name  = @$_POST['sender_name'];
    $sender_email = @$_POST['sender_email'];
    $subject      = @$_POST['subject'];
    $message      = @$_POST['message'];
    $op           = @$_POST['op'];
    // HTML-escape anything echoed back into the form so a quote in the input
    // cannot break the markup or reflect script; the raw values are still
    // used for the e-mail itself
    $h_name    = htmlspecialchars($sender_name, ENT_QUOTES);
    $h_email   = htmlspecialchars($sender_email, ENT_QUOTES);
    $h_subject = htmlspecialchars($subject, ENT_QUOTES);
    $h_message = htmlspecialchars($message, ENT_QUOTES);
    $self      = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
    $form_block = "
    <form method=\"post\" action=\"$self\">
    <fieldset>
    <legend>All fields are required</legend>
        <label for=\"sender_name\">Name:</label>
        <input id=\"sender_name\" type=\"text\" name=\"sender_name\" value=\"$h_name\" size=\"30\" /><br />

        <label for=\"sender_email\">Your E-Mail:</label>
        <input id=\"sender_email\" type=\"text\" name=\"sender_email\" value=\"$h_email\" size=\"30\" /><br />

        <label for=\"subject\">Subject</label>
        <input id=\"subject\" type=\"text\" name=\"subject\" value=\"$h_subject\" size=\"30\" /><br />

        <label for=\"message\">Message</label>
        <textarea id=\"message\" name=\"message\" cols=\"30\" rows=\"5\">$h_message</textarea><br />

        <input class=\"hidden\" type=\"hidden\" name=\"op\" value=\"ds\" /><br />
        <input class=\"submitbutton\" type=\"submit\" name=\"submit\" value=\"Send E-Mail\" />
    </fieldset>
    </form>";
    if ($op != "ds") {
        // they need to see the form
        echo $form_block;
    } else if ($op == "ds") {
        //This is the line of code stopping the email injection attack
        // (eregi() was removed in PHP 7, so preg_match with the /i flag is used;
        // note that it only looks for one header name, "MIME-Version:")
        if (preg_match("/MIME-Version: /i", $_POST['sender_name'].$_POST['sender_email'].$_POST['subject'].$_POST['message'])) {
            die('Connection problem, try later.');
        }
        //end of code

        // start from "ok to send" and let each failed check flip it
        $send = "yes";
        $name_err = $email_err = $subject_err = $message_err = "";
        if ($sender_name == "") {
            // check value of $_POST[sender_name]
            $name_err = "<p class=\"error\"> Please enter your name!</p>";
            $send = "no";
        }
        if ($sender_email == "") {
            // check value of $_POST[sender_email]
            $email_err = "<p class=\"error\">Please enter your e-mail address!</p>";
            $send = "no";
        }
        if ($subject == "") {
            // check value of $_POST[subject]
            $subject_err = "<p class=\"error\">Please enter a subject!</p>";
            $send = "no";
        }
        if ($message == "") {
            // check value of $_POST[message]
            $message_err = "<p class=\"error\">Please enter a message!</p>";
            $send = "no";
        }

        if ($send != "no") {
            // it's ok to send so build the mail
            $to = $email_address;
            $mailheaders  = "From: Your Business <$to>\n";
            $mailheaders .= "Reply-To: $sender_email\n";
            $msg  = "E-MAIL SENT FROM THE PAGE\n";
            $msg .= "Sender's Name:    $sender_name\n";
            $msg .= "Sender's E-Mail:  $sender_email\n";
            $msg .= "Message:          $message\n";
            mail($to, $subject, $msg, $mailheaders);
            echo "<p>Thank you, $h_name, your message has been sent. I will contact you as soon as possible.</p>";
        } else if ($send == "no") {
            echo $name_err;
            echo $email_err;
            echo $subject_err;
            echo $message_err;
            echo $form_block;
        }
    }
    ?>
    Here is the CSS to match it:

    Code:
    /* Form style inspired by Nadia P's http://www.dreamweaverresources.com/tutorials/styled_form.htm*/
    form { width: 95%;
    	margin: 0 0 0 10px; }
    	
    label {
    	display: block;
    	width: 150px;
    	float: left;
    	margin-bottom: 10px;
    	text-align: right;
    	padding-right: 20px;
    	color:#003;
    }
    br {
    	clear: left;
    }
    fieldset{ 
    	padding:10px;
    	border:1px solid #036;
    	margin-bottom:15px; 
    }
    input, textarea{
    	color: #000;
    	border: 1px solid #069;
    	background: url(images/formbg.jpg);
    	margin-top: 2px;
    	margin-bottom: 2px;
    }
    legend{
    	padding:10px; 
    	color:#069;
    	font-size: 95%;
    	font-weight: bold;
    }
    .submitbutton {
    	border: 1px solid #036; 
    	background:#CCF;
    }
    .hidden {
    	border:none;
    }

  5. #5 SitePoint Wizard, joined Jun 2005

    Hi Mike, your post is very much appreciated. One thing, using that code which you kindly suggested above, where exactly would you put this code please:

    elseif (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $from)) {
    echo "Sorry you have entered an invalid email address, please check and try again";
    }

    Does this code just about cover the problems of someone inputting the wrong email address? Also, is there a way of checking that the domain name exists?

    Any help appreciated.

    Dez.

  6. #6 Mike Empuria (Matthew's Daddy), Box, Wiltshire, joined Oct 2004
    Quote Originally Posted by Dez
    ...where exactly would you put this code please:

    elseif (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $from)) {
    echo "Sorry you have entered an invalid email address, please check and try again";
    }
    I'm not a PHP expert but if instead of the line
    PHP Code:
    if ($sender_email == "") {
        // check value of $_POST[sender_email]
        $email_err = "<p class=\"error\">Please enter your e-mail address!</p>";
        $send = "no";
    }
    You use
    PHP Code:
    if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $sender_email)) {
        // check that the value of $_POST[sender_email] looks like an e-mail address
        $email_err = "<p class=\"error\">Sorry you have entered an invalid email address, please check and try again</p>";
        $send = "no";
    }
    It seems to work fine.

    As far as I know the code is checking that a valid e-mail address pattern, i.e. something @ somewhere dot domain, is being submitted. It is NOT checking that the email address exists.

    I don't know if you can check to see if a domain exists with PHP code; you'd best ask in the PHP Forum.

    Hope this helps.
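    As an added example (the editor's code, not Mike's or Dez's), here is a stricter form of the two checks discussed in posts #4 and #6: the "MIME-Version:" test only catches one header name, so this rejects any CR/LF or injected header name in a field before it reaches a mail header, and it replaces the hand-written address regex with PHP's built-in validator, with an optional MX lookup that answers the domain-existence question. The field names and the "Your Business" From: address are taken from post #4; `is_header_safe`, `is_valid_email` and `h` are names chosen here.

```php
<?php
// Added example (editor's code, not the forum poster's): stricter versions of
// the "MIME-Version:" check from post #4 and the e-mail regex from post #6.
// Reject any value that could break out of a mail header: a bare CR or LF,
// or an injected header name (spammers add Bcc:/To: lines this way).
function is_header_safe($value)
{
    if (preg_match('/[\r\n]/', $value)) {
        return false;
    }
    return !preg_match('/^\s*(bcc|cc|to|content-type|mime-version)\s*:/im', $value);
}

// Syntactic check with PHP's built-in validator instead of a hand-written regex.
// With $check_mx = true the domain must also publish an MX record (needs DNS);
// that shows the domain accepts mail, not that the mailbox exists.
function is_valid_email($email, $check_mx = false)
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if ($check_mx) {
        $domain = substr(strrchr($email, '@'), 1);
        return checkdnsrr($domain, 'MX');
    }
    return true;
}

// Escape a value before echoing it back into the form's value="..." attribute.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Handler logic: validate everything before any header string is built.
$sender_email = isset($_POST['sender_email']) ? $_POST['sender_email'] : '';
$subject      = isset($_POST['subject']) ? $_POST['subject'] : '';
$errors = array();
if (!is_header_safe($sender_email) || !is_header_safe($subject)) {
    $errors[] = 'Invalid characters in e-mail address or subject.';
}
if (!is_valid_email($sender_email)) {
    $errors[] = 'Please enter a valid e-mail address.';
}
if (!$errors) {
    // Only now is $sender_email safe to place in a Reply-To: header.
    $mailheaders = "From: Your Business <who@yourbusiness.com>\r\n"
                 . "Reply-To: $sender_email\r\n";
    // build $msg as in post #4, then: mail('who@yourbusiness.com', $subject, $msg, $mailheaders);
}
```

    On failure, echo each entry of `$errors` and re-display the form with `h()` applied to every reflected value, as post #4 does with its `$..._err` strings.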

  7. #7 SitePoint Wizard, joined Jun 2005

    Hi Mike,

    Many thanks for your kind help, I've just adjusted the code a little to bear your comments in mind, but I've now tried the code and receive this error message:

    Email address is valid
    Warning: Cannot modify header information - headers already sent by (output started at /home/practice/public_html/030106/index.php:2) in /home/practice/public_html/030106/index.php on line 121

    The form is on here:
    http://1url.org/go/1ttu0n

    The complete code, including the php, is on here:
    http://1url.org/go/1qefa4

    Please feel free to send as many tests via the form as you need.

    Any help you can give is very much appreciated.

    Dez.

  8. #8 Mike Empuria (Matthew's Daddy), Box, Wiltshire, joined Oct 2004
    Dez
    If I were you I'd go to the PHP Forum with this.

    Mike

  9. #9 SitePoint Wizard, joined Jun 2005

    Ok, Mike, just hopping over to there now.

  10. #10 Corey Bryant (Texan at Heart), Castle Rock, CO, joined Sep 2003
    I had a client with a similar problem and he checked out "How do I stop spammers using header injection with my PHP Scripts?" - that seemed to work well for him.

