| SitePoint Sponsor |
Hi,
I've been reading a lot about form spaming and even been a victim myself, so I removed the old php form script I had and looking for a new one now. So I was wondering if anyone knows a good spam-free (coded so spaming through the form is disabled or something like that) php-emailform script. Don't want to risk another un-safe form, been having problem with someone sending spam-mails to my competitors
Hope someone can help, thank in advance
(Sorry, posted in the wrong forum, please move it)
Thanks,
*Averaging $2 a day and growing.
I assume you have been using a PHP form handler that emulates CGI form handlers. Is there a reason you don't just use the PHP mail() function?
I just put a PHP script at the top of the form page that formats the form variables and then sends the email. I prefer this because I can also make the script format the email in HTML.
The only way spammers can use the script is if they pass the exact same form variables through to the form page, and then they can't control where it is sent because the recipient details are hard-coded into the PHP script rather than being passed through hidden form variables (which can be found in the HTML). I haven't bothered protecting the scripts any further, but you could also tie the script to a session variable to ensure that the form was sent from the correct server and page.
I have some code at home about protecting your email address with Javascript (even though I do it via a split up table)
I really don't know if it will work with a PHP Form though. Worth having a look on Google about Javascript Protection
Here you go. It's PHP code for an email form that I got from somewhere and added code to stop email injection attack and make it validate. It posts to itself so you don't need thank you pages, all fields are required, it validates XHTML Strict and is tableless. Just put it into your page, change the $email_address value, add the CSS and you should be good to go.
Here is the CSS to match it:PHP Code:<?php //Start of the contact form
$email_address = "who@yourbusiness.com";
$sender_name = @$_POST[sender_name];
$sender_email = @$_POST[sender_email];
$subject = @$_POST[subject];
$message = @$_POST[message];
$op = @$_POST[op];
$form_block = "
<form method=\"post\" action=\"$_SERVER[PHP_SELF]\">
<fieldset>
<legend>All fields are required</legend>
<label for=\"sender_name\">Name:</label>
<input id=\"sender_name\" type=\"text\" name=\"sender_name\" value=\"$sender_name\" size=\"30\" /><br />
<label for=\"sender_email\">Your E-Mail:</label>
<input id=\"sender_email\" type=\"text\" name=\"sender_email\" value=\"$sender_email\" size=\"30\" /><br />
<label for=\"subject\">Subject</label>
<input id=\"subject\" type=\"text\" name=\"subject\" value=\"$subject\" size=\"30\" /><br />
<label for=\"message\">Message</label>
<textarea id=\"message\" name=\"message\" cols=\"30\" rows=\"5\">$message</textarea><br />
<input class=\"hidden\" type=\"hidden\" name=\"op\" value=\"ds\" /><br />
<input class=\"submitbutton\" type=\"submit\" name=\"submit\" value=\"Send E-Mail\" />
</fieldset>
</form>";
if ($op != "ds") {
// they need to see the form
echo "$form_block";
} else if ($op == "ds") {
//This is the line of code stopping the email injection attack
if(eregi("MIME-Version: ",$_POST['sender_name'].$_POST['sender_email'].$_POST['subject'].$_POST['message'])){die('Connection problem, try later.');
//end of code
}
if ($sender_name == "") {
// check value of $_POST[sender_name]
$name_err = "<p class=\"error\"> Please enter your name!</p>";
$send = "no";
}
if ($sender_email == "") {
// check value of $_POST[sender_email]
$email_err = "<p class=\"error\">Please enter your e-mail address!</p>";
$send = "no";
}
if ($subject == "") {
// check value of $_POST[sender_email]
$subject_err = "<p class=\"error\">Please enter a subject!</p>";
$send = "no";
}
if ($message == "") {
// check value of $_POST[message]
$message_err = "<p class=\"error\">Please enter a message!</p>";
$send = "no";
}
if (@$send != "no") {
// it's ok to send so build the mail
$to = "$email_address";
$subject = "$subject";
$mailheaders = "From: Your Business <$to> \n";
$mailheaders .= "Reply-To: $sender_email\n";
$msg = "E-MAIL SENT FROM THE PAGE\n";
$msg .= "Sender's Name: $sender_name\n";
$msg .= "Sender's E-Mail: $sender_email\n";
$msg .= "Message: $message\n";
mail($to, $subject, $msg, $mailheaders);
echo "<p>Thank you, $sender_name, your message has been sent. I will contact you as soon as possible.</p>";
} else if ($send == "no") {
echo "$name_err";
echo "$email_err";
echo "$subject_err";
echo "$message_err";
echo "$form_block";
}
}
?>
Code:/* Form style inspired by Nadia P's http://www.dreamweaverresources.com/tutorials/styled_form.htm*/ form { width: 95%; margin: 0 0 0 10px; } label { display: block; width: 150px; float: left; margin-bottom: 10px; text-align: right; padding-right: 20px; color:#003; } br { clear: left; } fieldset{ padding:10px; border:1px solid #036; margin-bottom:15px; } input, textarea{ color: #000; border: 1px solid #069; background: url(images/formbg.jpg); margin-top: 2px; margin-bottom: 2px; } legend{ padding:10px; color:#069; font-size: 95%; font-weight: bold; } .submitbutton { border: 1px solid #036; background:#CCF; } .hidden { border:none; }
Hi Mike, your post is very much appreciated.One thing, using that code which you kindly suggested above, where exactly would you put this code please:
elseif (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $from)) {
echo "Sorry you have entered an invalid email address, please check and try again";
}
Does this code just about cover the problems of someone inputting the wrong email address? Also, is there a way of checking that the domain name exists?
Any help appreciated.
Dez.
I'm not a PHP expert but if instead of the lineOriginally Posted by Dez
You usePHP Code:if ($sender_email == "") {
// check value of $_POST[sender_email]
$email_err = "<p class=\"error\">Please enter your e-mail address!</p>";
$send = "no";
}
It seems to work fine.PHP Code:if ((!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $sender_email))) {
// check value of $_POST[sender_email] is valid email address
$email_err = "<p class=\"error\">Sorry you have entered an invalid email address, please check and try again</p>";
$send = "no";
}
As far as I know the code is checking that a valid e_mail address pattern i.e something @ somewhere dot domain is being submitted. It is NOT checking that the email address exists.
I don't know if you can check to see if a domain exists with php code you'd best ask in the PHP Forum.
Hope this helps.
Hi Mike,
Many thanks for your kind help, I've just adjusted the code a little to bear your comments in mind, but I've now tried the code and receive this error message:
Email address is valid
Warning: Cannot modify header information - headers already sent by (output started at /home/practice/public_html/030106/index.php:2) in /home/practice/public_html/030106/index.php on line 121
The form is on here:
http://1url.org/go/1ttu0n
The complete code, including the php, is on here:
http://1url.org/go/1qefa4
Please feel free to send as many tests via the form as you need.
Any help you can give is very much appreciated.
Dez.
Dez
If I were you I'd go to the PHP Forum with this.
Mike
Ok, Mike, just hopping over to there now.
I had a client with a similar problem and he checked out How do I stop spammers using header injection with my PHP Scripts? - that seemed to work well with him
Posting Permissions
Bookmarks