  1. #1
    SitePoint Evangelist Redivider

    Contact form security

    Recently I have been getting a lot of weird messages through the contact form on one of my websites. Sometimes they are blank, sometimes there's just some garbage characters and sometimes there's a spam-type email with a bunch of links to porn sites and stuff.

    Aside from just being annoyed by it, should I be worried that someone is using my form for something other than what I intended? In other words, is it possible for someone to find a vulnerability in a PHP contact form and use it to send spam or something like that?

    I can handle the junk emails that come through; I just want to make sure the form isn't being used for anything else without me knowing about it.

    Here's the code I'm using (with some names and emails changed):

    PHP Code:
    if(isset($_POST['submit'])) {

        $name_error_msg = $email_error_msg = $subject_error_msg = $message_error_msg = NULL;

        if(strlen($_POST['realname']) > 0){
            $name_flag = true;
        } else {
            $name_flag = false;
            $name_error_msg = '<font color="red">Please enter your name.</font>';
        }

        $regex =
            '^'.
            '[_a-z0-9-]+'.        /* One or more underscore, alphanumeric,
                                     or hyphen characters. */
            '(\.[_a-z0-9-]+)*'.   /* Followed by zero or more sets consisting
                                     of a period and one or more underscore,
                                     alphanumeric, or hyphen characters. */
            '@'.                  /* Followed by an "at" character. */
            '[a-z0-9-]+'.         /* Followed by one or more alphanumeric
                                     or hyphen characters. */
            '(\.[a-z0-9-]{2,})+'. /* Followed by one or more sets consisting
                                     of a period and two or more alphanumeric
                                     or hyphen characters. */
            '$';

        // eregi() is case-insensitive POSIX matching (deprecated in PHP 5.3, removed in PHP 7)
        if(eregi($regex, $_POST['email']) > 0){
            $email_flag = true;
        } else {
            $email_flag = false;
            $email_error_msg = '<font color="red">Please enter a valid email address.</font>';
        }

        if(strlen($_POST['subject']) > 0){
            $subject_flag = true;
        } else {
            $subject_flag = false;
            $subject_error_msg = '<font color="red">Please enter a subject line.</font>';
        }

        if(strlen($_POST['message']) > 0){
            $message_flag = true;
        } else {
            $message_flag = false;
            $message_error_msg = '<font color="red">Please enter a message.</font>';
        }

        if($name_flag && $email_flag && $subject_flag && $message_flag){

            // only $email is checked against the regex above; $subject and $name
            // are passed to mail() unchanged
            $subject = $_POST['subject'];
            $email   = $_POST['email'];
            $name    = $_POST['realname'];
            $message = $_POST['message'];

            $hour_est   = (int)date("g") + 3;
            $email_date = date("D F j, Y \a\\t $hour_est:ia E\S\T");

            $headers    = "From: {$email}\r\n";
            $sendthisto = "recipient@email.com";

            $body  = "A message from the contact form:\r\n";
            $body .= "-------------------------------------------------------------------------------\n";
            $body .= "From: {$name} ({$email})\r\n";
            $body .= "Date: {$email_date}\r\n\r\n";
            $body .= "$message";

            $body    = stripslashes($body);
            $subject = stripslashes($subject);

            if(mail($sendthisto, $subject, $body, $headers)) {
                header('Location: thanks.php');
                exit();
            } else {
                $error_msg = '<p class="error"><font color="red">There was a problem sending your message. Please try again.</font></p>';
            }
        }
    }


  2. #2
    SitePoint Wizard
    Yes, bad code can be exploited. Bad contact form code can frequently be used to send spam from your domain.

    Search for
    contact form spam
    or
    captcha

    It's discussed often, with many methods to fight it.
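A hardened way to build the mail() arguments from the form in post #1, as an added example that is not part of the thread: it rejects line breaks in the header-bound fields, validates the address with PHP's filter_var() instead of the hand-written regex, and pins From: to a site-owned address. The addresses, `$recipient` and `$from` are placeholders, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not the poster's code: a hardened way to build what the
// form above hands to mail(). The original passes the subject and "From:"
// address straight from $_POST; a line break embedded in such a value adds
// extra header lines, which is how a contact form becomes a spam relay.
// $recipient and $from are placeholder addresses.

// Header values must be a single line; reject anything carrying CR or LF.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Use PHP's built-in validator instead of the hand-written regex.
function valid_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns [to, subject, body, headers] for mail(), or null if any field is
// unsafe. From: is pinned to an address on the site's own domain; the
// visitor's address goes only into Reply-To.
function build_mail(array $post, string $recipient, string $from): ?array
{
    foreach (['realname', 'email', 'subject', 'message'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;                         // missing or non-scalar field
        }
        if ($field !== 'message' && has_header_injection($post[$field])) {
            return null;                         // would split into extra headers
        }
    }
    if (!valid_email($post['email'])) {
        return null;
    }
    $subject = substr(trim($post['subject']), 0, 200);  // cap header length
    $name    = substr(trim($post['realname']), 0, 100);
    $headers = "From: {$from}\r\n" . "Reply-To: {$post['email']}\r\n";
    $body    = "A message from the contact form:\r\n"
             . "From: {$name} ({$post['email']})\r\n\r\n"
             . $post['message'];
    return [$recipient, $subject, $body, $headers];
}

// Constructed sample: a subject carrying a second header line is rejected.
$bad = ['realname' => 'A', 'email' => 'a@example.com', 'message' => 'x',
        'subject' => "Hi\r\nBcc: someone@example.net"];
var_dump(build_mail($bad, 'recipient@example.com', 'form@example.com'));
```

The required-field checks from the original form still belong in front of this; build_mail() only covers the header-safety and address-validation part.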
