  1. #1 SitePoint Enthusiast (joined Oct 2007, 33 posts)

    Help Required Please for Beginner - include() and email security

    Hi,
    I was reading and noticed that it was advised that you should not put email addresses in the variable $to??
    It was recommended to put up 2 php files, one for the contact form and one for include()?? My query is I can manage $to="include('mail.php')";
    but how do you write the include file exactly?

    I have a $to and also a $header underneath which show email addresses of the client, and I became worried when they forwarded back an email received when testing and I noticed another email address added to theirs on their email, i.e., me@mycompany.com@carrierzone.com. It wasn't on the MD's email, thank god, but on the employees'. HELP! I have given them two php files, one for each different form they have, and both redirect to a thank you page. It works on one and not on the other (redirecting); both are identical in script but obviously pointing to their relevant page - any ideas?
    Most grateful for your help.

    Thanks
    H

  2. #2 Jake Arkinstall, Theoretical Physics Student (joined May 2006, Lancaster University, UK, 7,062 posts)
    Hi H, welcome to the forums.

    include isn't set to a variable - it's just there, e.g.
    PHP Code:
    include('mail.php'); 
    Can I see the code?
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  3. #3 SitePoint Enthusiast (joined Oct 2007, 33 posts)

    include() and email security

    arkinstall,

    Thanks very much for the reply. I'm not sure how to write the other php script that points towards this include()?? Is it true, do you know, what I've heard about spamming bots etc., that if you use $to = me@myaddress.com
    it is not secure, and instead you should use include() and call this other php file from your script file? It was news to me, but now I'm worried. Also this script works completely fine, apart from that forwarded email I mentioned before. I've made another one, more or less similar, to work with another html file, and although it's the same (ish) (used with the same website), it won't show the redirect to the Thank You page? The one below does redirect though. Your thoughts welcomed.

    Herewith code: I've removed email/web addresses.


    PHP Code:
    <?php

    // Only accept submissions that arrive from the booking form page.
    // ereg() was removed in PHP 7, so the same check is done with preg_match().
    $page = "http://www.mysite.com/bookingform.html";
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if (!preg_match('~' . preg_quote($page, '~') . '~', $referer)) {
        echo "Invalid referer";
        die;
    }

    // True only for a single plain address. The original pattern had a ')' where
    // ']' was meant and a letter 'O' instead of the digit '0'; both are fixed here,
    // and eregi() is replaced by a case-insensitive preg_match() for the reason above.
    function validate_email($email)
    {
        $myregex = '/^[a-zA-Z0-9._-]+@([a-zA-Z0-9._-]+\.)+[a-zA-Z]{2,3}$/i';
        return preg_match($myregex, $email) === 1;
    }

    // Read one posted field (trimmed, slashes stripped), or '' if the form did not send it.
    function field($fieldname)
    {
        return isset($_POST[$fieldname]) ? trim(stripslashes($_POST[$fieldname])) : '';
    }

    $to      = "transport@mysite.com";
    $subject = "Book Transport Submitted";

    // get posted data into local variables: form field name => label used in the mail.
    // 'half', 'halfweight' and 'halfosdescription' appeared in the original message
    // but were never read from the form; they are assumed to be field names of the same pattern.
    $labels = array(
        'date'               => 'Date',
        'name'               => 'Name',
        'email'              => 'Email',
        'company'            => 'Company',
        'address'            => 'Address',
        'telno'              => 'Telephone No',
        'invoiceto'          => 'Invoice To',
        'accountno'          => 'Account No',
        'consignment'        => 'Consignment',
        'collection'         => 'Collection',
        'delivery'           => 'Delivery',
        'collectionpcode'    => 'Collection Postcode',
        'deliverypcode'      => 'Delivery Postcode',
        'prioritydate'       => 'Priority Date',
        'prioritytime'       => 'Priority Time',
        'servicelevel'       => 'Service Level',
        'quarterdescription' => 'Quarter Description',
        'quarter'            => 'Quarter',
        'quarterweight'      => 'Quarter Weight',
        'halfdescription'    => 'Half Description',
        'half'               => 'Half',
        'halfweight'         => 'Half Weight',
        'halfosdescription'  => 'Half OS Description',
        'halfoversize'       => 'Half Oversize',
        'halfosweight'       => 'Half Oversize Weight',
        'fulldescription'    => 'Full Description',
        'full'               => 'Full',
        'fullweight'         => 'Full Weight',
        'fullosdescription'  => 'Full OS Description',
        'fulloversize'       => 'Full Oversize',
        'fullosweight'       => 'Full OS Weight',
        'totalpallets'       => 'Total Pallets',
        'totalweight'        => 'Total Weight',
        'specialinstructions' => 'Special Instructions',
    );
    $fields = array();
    foreach ($labels as $fieldname => $label) {
        $fields[$fieldname] = field($fieldname);
    }
    $name  = $fields['name'];
    $email = $fields['email'];

    // required fields, checked in this order; the first one missing wins
    $required = array(
        'date'            => 'Please enter a date',
        'email'           => 'Please enter your email address',
        'name'            => 'Please enter your name',
        'company'         => 'Please enter your company name',
        'address'         => 'Please enter your address',
        'telno'           => 'Please enter your telephone no',
        'invoiceto'       => 'Please enter invoice details',
        'consignment'     => 'Please enter consignment number',
        'collection'      => 'Please enter collection details',
        'delivery'        => 'Please enter delivery details',
        'collectionpcode' => 'Please enter a postcode',
        'deliverypcode'   => 'Please enter a postcode',
        'prioritydate'    => 'Please enter a date',
        'prioritytime'    => 'Please enter a time',
        'servicelevel'    => 'Please enter a service level',
        'totalpallets'    => 'Please enter a total',
        'totalweight'     => 'Please enter total weight',
    );
    $errmsg = '';
    foreach ($required as $fieldname => $msg) {
        if ($fields[$fieldname] == '') {
            $errmsg = $msg;
            break;
        }
        // The original tested !trim($email), which is never true for a non-empty
        // string; the intended call was validate_email().
        if ($fieldname == 'email' && !validate_email($email)) {
            $errmsg = 'Your email address is not valid';
            break;
        }
    }

    // The original "if($errmsg == '')" had no braces, so the mail was sent even
    // when a field was missing. Stop here instead.
    if ($errmsg != '') {
        echo $errmsg;
        die;
    }
    // (The get_magic_quotes_gpc() block is gone: every field already went through
    // stripslashes() above, and that function no longer exists in PHP 8.)

    // no errors, build message
    // prepare email body text
    $message = "\r\n";
    foreach ($labels as $fieldname => $label) {
        $message .= $label . ": " . $fields[$fieldname] . "\r\n";
    }

    ini_set("sendmail_from", "me@mysite.com");

    // The original passed "From: me@mysite.com" as the fifth mail() argument, which is
    // for extra sendmail command-line options, not headers. From belongs with Bcc in $header.
    $header = "From: me@mysite.com\r\nBcc: him@mysite.com";
    mail($to, $subject, $message, $header);
    header("Location: http://www.mysite.com/ThankYou.html");

    // confirmation copy to the address typed into the form
    $mime_boundary = "==Multipart_Boundary_x" . md5(mt_rand()) . "x";
    $to = $email;
    $subject = "Your Book Transport Submission";
    $headers  = "From: Me<transport@mysite.com>\r\n";   // no space before the colon
    $headers .= "Reply-To: <transport@mysite.com>\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: multipart/alternative;boundary=\"{$mime_boundary}\"\r\n";
    $message  = "--{$mime_boundary}\r\n";
    $message .= "Content-Type: text/plain; charset=\"iso-8859-1\"\r\n";
    $message .= "Content-Transfer-Encoding: 7bit\r\n";
    $message .= "\r\n";   // blank line separates the part headers from the part body
    $message .= "$name:\r\n";
    $message .= "We have received your Book Transport Form. We will contact you shortly.\r\n";
    $message .= "Thank you. \r\n";
    $message .= "--{$mime_boundary}\r\n";
    $message .= "Content-Type: text/html; charset=\"iso-8859-1\"\r\n";
    $message .= "Content-Transfer-Encoding: 7bit\r\n";
    $message .= "\r\n";
    $message .= "<html>\r\n";
    $message .= "<body style=\"font-family:Verdana, Geneva, sans-serif; font-size:14px; color:#666666;\">\r\n";
    $message .= "$name<br>\r\n";   // was "$namebr>", a missing '<'
    $message .= "<br>\r\n";
    $message .= "We have received your Book Transport Form. We will contact you shortly.<br>\r\n";
    $message .= "<br>\r\n";
    $message .= "Thank You.<br>\r\n";
    $message .= "my company\r\n";
    $message .= "</body>\r\n";
    $message .= "</html>\r\n";
    $message .= "--$mime_boundary--\r\n";

    $mail_sent = @mail($to, $subject, $message, $headers);
    echo $mail_sent ? "Thank you for your submission, we will contact you shortly." : "Mail failed. Please use your browser back button and try again.";

    ?>

  4. #4 Hammer65, SitePoint Wizard (joined Nov 2004, Lincoln Nebraska, 1,161 posts)
    Either you heard wrong or the person that told you that is misinformed. Spam bots can't change the value of a variable in your code that is set from a string literal. Everything dealing with your submission can easily be on a single page.

    There are two things that you have to protect yourself from, in relation to spammers.

    The first is mail header injection. MIME headers are separated by the character sequence "\r\n". If you use a form field or other outside input to set the value of a mail header, such as "To", "From" or "Subject", an attacker can alter the resulting mail message by "injecting" those characters along with their own mail headers.

    They can add alternate subjects and recipients, and even add attachments and alternate messages. It works in a similar fashion to SQL injection, but the language it is using is the syntax for MIME email instead of SQL statements for a database (or Javascript/HTML in the case of an XSS attack).

    The main protection for this is to detect the use of "\r\n" in values destined to be inserted into headers, ensure that you only have a single email address in input values destined for the To or From headers, and that the body of the message does not contain the strings "boundary" or "content-type" (case-insensitive matches). Reject all submissions without sending mail if any of this is detected.

    The second concern is the content of the mail itself, which is one of the things that spam filter software is designed to deal with. You can emulate some of what those filters do for form submissions.

    One of the things spammers like to do is post links. To prevent that, find a regular expression that matches URLs and use it to filter out links in the content of the post as one long string. If the length of the altered content differs by a certain percentage from the unaltered posted content, then reject the submission. That percentage can be adjusted so that legit users can still post one or two URLs without a problem; more than that would trigger a rejection.

    It would be best to use proven mail code such as PHPMailer, PEAR::mail or Zend mail (there are others). Sending mail reliably with PHP is somewhat of a dark art. The spammers unfortunately get you coming and going. They will hit your form and try to use your system as a spam relay, and their activities cause server admins to lock down spam filters to the point where sending automated mail becomes a challenge.

    There are a number of other steps that one can take to avoid automated submissions, such as captcha systems, session tokens, randomized field names and so on. Many of these have been discussed here before.
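The checks Hammer65 lists in this post, written out as an added example in PHP (this is not code from the thread or from any of the libraries it names). The field names `email`, `name`, `subject` and `message`, and the 30% link threshold, are assumptions for the example; the sample submissions at the bottom are constructed.

```php
<?php
// Added example, not code from the thread: the checks Hammer65 describes,
// written as small functions that run before mail() is ever called.
// Field names and the 30% link threshold are assumptions for the example.

// A line break in a header value is the injection vector; the URL-encoded
// forms are checked too in case the input was not decoded upstream.
function has_header_injection($value)
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// To/From/Reply-To values must be exactly one plain address: no list
// separators, no whitespace, one '@', and a shape filter_var() accepts.
function is_single_address($value)
{
    if (has_header_injection($value) || preg_match('/[,;\s]/', $value)) {
        return false;
    }
    if (substr_count($value, '@') !== 1) {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// The body must not carry MIME structure keywords (case-insensitive match).
function body_looks_like_mime($body)
{
    return stripos($body, 'boundary') !== false
        || stripos($body, 'content-type') !== false;
}

// Strip URLs and compare lengths: if links made up more than $maxPercent of
// the text, treat it as spam. A legitimate user with one or two links passes.
function too_many_links($body, $maxPercent = 30.0)
{
    $len = strlen($body);
    if ($len === 0) {
        return false;
    }
    $stripped = preg_replace('~\bhttps?://\S+~i', '', $body);
    $dropPercent = ($len - strlen($stripped)) * 100.0 / $len;
    return $dropPercent > $maxPercent;
}

// Returns the reasons to reject a submission; an empty array means "send".
function rejection_reasons(array $post)
{
    $reasons = array();
    foreach (array('email', 'name', 'subject') as $f) {
        if (isset($post[$f]) && has_header_injection($post[$f])) {
            $reasons[] = "line break in $f";
        }
    }
    if (!isset($post['email']) || !is_single_address($post['email'])) {
        $reasons[] = 'email is not a single valid address';
    }
    $body = isset($post['message']) ? $post['message'] : '';
    if (body_looks_like_mime($body)) {
        $reasons[] = 'MIME keywords in body';
    }
    if (too_many_links($body)) {
        $reasons[] = 'too many links in body';
    }
    return $reasons;
}

// Constructed sample submissions for the demonstration (not real data).
$samples = array(
    'clean' => array(
        'email' => 'alice@example.com', 'name' => 'Alice', 'subject' => 'Booking',
        'message' => 'We need three pallets collected from the warehouse on Monday morning '
                   . 'and delivered by Wednesday; the booking reference is on '
                   . 'http://example.com/ref/42 if you need it.',
    ),
    'injected' => array(
        'email' => "alice@example.com\r\nBcc: other@example.net", 'name' => 'Alice',
        'subject' => 'Booking', 'message' => 'hello',
    ),
    'linkspam' => array(
        'email' => 'bob@example.com', 'name' => 'Bob', 'subject' => 'hi',
        'message' => 'http://example.com/a http://example.com/b http://example.com/c',
    ),
);
foreach ($samples as $label => $post) {
    $reasons = rejection_reasons($post);
    echo $label, ': ', $reasons ? 'REJECT (' . implode('; ', $reasons) . ')' : 'send', "\n";
}
```

Run this and only the first sample comes back as "send"; the other two are refused before any mail is built, which is the order Hammer65 insists on (reject first, send never). The link ratio is crude on purpose: it is a length comparison, so the threshold has to be tuned against the kind of text the form normally receives.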

  5. #5 SitePoint Enthusiast (joined Oct 2007, 33 posts)
    Hammer,

    Thanks for the reply. Wow, for a beginner that's quite a lot to digest; I'll have to reread it to take it all on board. You talk about MIME headers separated by "\r\n", which in my script above I have put in, but are you saying I should be careful of using $headers, e.g.
    $headers = "From : Me<transport@mysite.com>\r\n";
    $headers .="Reply-To: <transport@mysite.com>\r\n";
    which are above in the script?

    I've heard of PHPMailer, but what exactly is this? Is this already written, or code I should follow, learn and use?
    Many thanks
    H

  6. #6 Hammer65, SitePoint Wizard (joined Nov 2004, Lincoln Nebraska, 1,161 posts)
    If you Google for "PHP mail injection" you will get a lot of examples of how it works. What you put in your code isn't the problem; it's what you use for header values that come from a form.

    For instance, if you want the user to receive a confirmation email of a registration, you will have to ask for their email address somewhere on the registration form. A spammer knows this and can put additional header content in that field. They simply enter an email for the "enter your email here" field, followed by "\r\n" and additional headers and "\r\n" sequences, to essentially "inject" other content into your message. This allows them to alter your email and even send to a long list of other addresses without your knowledge. They usually do this with a bot, after they have analyzed your form and crafted the bot to submit the same information as your form does, to your submission page.

    PHPMailer is a PHP-based class that takes care of many of the details of putting together a message. It is proven pre-written code. It also makes it much easier to do HTML formatted messages and attachments. There are several of these classes out there, but PHPMailer is used by a lot of PHP-based open source projects for mail features.

  7. #7 SitePoint Enthusiast (joined Oct 2007, 33 posts)
    Thanks for the reply and explanation. I shall have a look at this PHPMailer; I think I understand what you are saying. Is this how perhaps, as per my original posting, the email the client received via the form, which was then forwarded back to me for checking, had mailto:them@theirsite.com@carrierzone.com included on it? Do I take it that this has already been spammed? Thanks once again for your help.

  8. #8 Jake Arkinstall, Theoretical Physics Student (joined May 2006, Lancaster University, UK, 7,062 posts)
    Chances are, if you've been spammed once, you're in a database full of "victims".
    I had this problem once, and had to delete my old MSN account - it was getting literally hundreds of emails a day from spammers.

  9. #9 Hammer65, SitePoint Wizard (joined Nov 2004, Lincoln Nebraska, 1,161 posts)
    As you may know, you can put multiple addresses in the To header. Each email address can be separated by a comma (and I believe a semicolon, although I don't remember for sure). If you supply a form field for a To address and only want to ensure that a single address ends up in that header, you will need to either validate on that or allow it (some legit users might try to put in multiples), but only take the first address.
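The "allow it, but only take the first address" option from this post, as an added PHP example (not code from the thread). It goes one step beyond the post by also accepting the `Display Name <user@host>` form and unwrapping it; the inputs at the bottom are constructed.

```php
<?php
// Added example, not code from the thread: keep only the first address from
// a To field that may hold several, as Hammer65 suggests, and validate it.
// Accepting the "Name <addr>" form is an extension the post does not mention.

function first_address($field)
{
    // A line break means this is not an address list at all; refuse it outright
    // rather than trying to salvage anything from it.
    if (preg_match('/[\r\n]/', $field)) {
        return null;
    }
    // Comma is the standard separator; semicolon is tolerated as well.
    $parts = preg_split('/[,;]/', $field);
    $first = trim($parts[0]);
    // "Display Name <user@host>": keep only the address inside the angle brackets.
    if (preg_match('/<([^>]*)>/', $first, $m)) {
        $first = trim($m[1]);
    }
    // Whatever survives must still be one well-formed address, or we use nothing.
    return filter_var($first, FILTER_VALIDATE_EMAIL) !== false ? $first : null;
}

// Constructed inputs (not real data): a single address, a comma list, a
// semicolon list with a display name, an injected line break, and junk.
$inputs = array(
    'alice@example.com',
    'alice@example.com, bob@example.com',
    'Alice <alice@example.com>; bob@example.com',
    "alice@example.com\r\nBcc: bob@example.com",
    'not an address',
);
foreach ($inputs as $in) {
    $out = first_address($in);
    echo var_export($in, true), ' => ', $out === null ? 'refused' : $out, "\n";
}
```

The first three inputs each yield `alice@example.com`; the last two are refused. Whatever `first_address()` returns is the only string that should reach the To header, and a `null` should stop the submission rather than fall back to an empty header.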

