Advs on a secure contact form please?

PHP
1

working on debugging this contact form. I grabbed the original off the net, customized it a bit. It was passed on and customized some more for security. Now it is no longer working. The server is thought to be the issue. Could I have advice on how to best trouble shoot this please?
or what would be a better way to secure it?
thank you

<?php
//If the form is submitted
if(isset($_POST['submitted'])) {

	//Check to see if the honeypot captcha field was filled in
	if(trim($_POST['checking']) !== '') {
		$hasError = true;
	} else {
	
		//Check to make sure that the name field is not empty
		if(trim($_POST['contactFName']) === '') {
			$nameFError = 'You forgot to enter your First name.';
                        if(trim($_POST['contactLName']) === '') {
				$nameLError = 'You forgot to enter your Last name.';
			}
			$hasError = true;
		} else if(trim($_POST['contactLName']) === '') {
			$nameLError = 'You forgot to enter your Last name.';
			$hasError = true;
		}
           else {
			$name = trim($_POST['contactFName'])." ".trim($_POST['contactLName']);
			// filtering on spambot text - SCB
			if(strpos($name,'../') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
                        if(strpos($name,'..\\\\') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'.htm') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'.html') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'.ini') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'.php') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'.htaccess') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'.bat') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'.reg') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'.sct') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'.vb') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'.ws') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'.php') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'.aspx') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'/etc') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'/passwd') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'Response.Write') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'injected_value') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
			if(strpos($name,'C:\\\\') !== false) { $hasError = true; $commentError = 'Your name contains invalid characters. Please revise.'; }
		}
		
		//Check to make sure sure that a valid email address is submitted
		if(trim($_POST['email']) === '')  {
			$emailError = 'You forgot to enter your email address.';
			$hasError = true;
		} else if (!eregi("^[A-Z0-9._%-]+@[A-Z0-9._%-]+\\.[A-Z]{2,4}$", trim($_POST['email']))) {
			$emailError = 'You entered an invalid email address.';
			$hasError = true;
		} else {
			$email = trim($_POST['email']);
		}
			
		//Check to make sure comments were entered	
		if(trim($_POST['comments']) === '') {
			$commentError = 'You forgot to enter your comments.';
			$hasError = true;
		} else {
			if(function_exists('stripslashes')) {
				$comments = stripslashes(trim($_POST['comments']));
			} else {
				$comments = trim($_POST['comments']);
			}
                        // filtering on spambot text - SCB
			if(strpos($_POST['comments'],'../') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
                        if(strpos($_POST['comments'],'..\\\\') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'.htm') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'.html') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'.ini') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'.php') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'.htaccess') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'.bat') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'.reg') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'.sct') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'.vb') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'.ws') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'.php') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'.aspx') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'/etc') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'/passwd') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'C:\\\\') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'Response.Write') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
			if(strpos($_POST['comments'],'injected_value') !== false) { $hasError = true; $commentError = 'Your comment contains invalid characters. Please revise.'; }
		}
                // SCB - record IP
                $ip = $_SERVER['REMOTE_ADDR'];

		//If there is no error, send the email
		if(!isset($hasError)) {

			$emailTo = 'xyz.xyz@email.com';
                        $emailTo2 = 'xyz.xyz@email.com'; //testing only - remove on launch
			$subject = 'FORM - Contact Form Submission from '.$name;
			$sendCopy = trim($_POST['sendCopy']);
			$body = "Name: $name \
\
Email: $email \
\
Comments: $comments \
\
IP: $ip";
			$bodyNoIp = "Name: $name \
\
Email: $email \
\
Comments: $comments";
			$headers = 'From: us to you <'.$emailTo.'>' . "\\r\
" . 'Reply-To: ' . $email;
			
			mail($emailTo, $subject, $body, $headers);
                        mail($emailTo2, $subject, $body, $headers);

			if($sendCopy == true) {
				$subject = 'Thank you for your interest in us';
				$headers = "From: $name <$email>";
				mail($email, $subject, $bodyNoIp, $headers);
			}

			$emailSent = true;

		}
                //If there is an error, send the email to SCB for testing
                if(isset($hasError)) {
                        $emailTo = 'xyz.xyz@email.com';
			$subject = 'ERROR - Contact Form Submission from '.$name;
			$sendCopy = trim($_POST['sendCopy']);
			$body = "Name: $name \
\
Email: $email \
\
Comments: $comments \
\
IP: $ip";
			$headers = 'From: us to you<'.$emailTo.'>' . "\\r\
" . 'Reply-To: ' . $email;
			mail($emailTo, $subject, $body, $headers);
			//$emailSent = true;
		}
	}
} ?>
2

What version of PHP are you running as the first thing I spotted was the use of eregi which is deprecated as of 5.3
http://php.net/manual/en/function.eregi.php

Secondly, seriously WTF is with ALL of those IF statements. There has to be a better way of validating those fields.

3

will have to check, did not do that part.
&yes I totally agree on the if statements, even to me they look a bit too repetitive.
Am looking for a better solution.
If you have a youtube tutorial off the top of your head (or a site point one)please head me that way.
Thank you
D

4

actually think i found it.will post results later & hope for some feedback.

5

so started back from scratch. It should be working but can’t confirm I received an email yet.
and still need to put in any safety features.

<?php

if (isset($_POST['contactName']) && ($_POST['contactEmail']) && ($_POST['contactText'])){
	$contactName = $_POST['contactName'];
	$contactEmail = $_POST['contactEmail'];
	$contactText = $_POST['contactText'];
	
	if (!empty($contactName) && !empty($contactEmail) && !empty($contactText)){
		if(strlen($contactName)>25 || strlen ($contactEmail)>50 || strlen ($contactText)>1000){
			echo 'max length exceeded';
		}else{
			$emailTo='yourEmail@gmail.com';
			$subject='Contact form sumbission';
			$body= $contactName."\
".$contactText;
			$headers='From: .$contactEmail';
			
			
				if (mail($emailTo, $subject, $body, $headers )) {
					echo 'Thank you for contacting us. We will be in touch shortly';
				}else{
					echo 'Sorry, unable to send/receive this message. Please try again later.';
				}
			}
		}else{
		echo 'All fields are requried';
		}
}






?>



<form action="" method="POST">

Name: <br> <input type="text" name="contactName" maxlength="25"><br>
Email Address: <br> <input type="text" name="contactEmail" maxlength="50"><br>
Message<br>
<textarea name="contactText" rows="6" cols="50" maxlength="1000"> </textarea>
<input type="submit" value="send" >


</form>
6

k was having some probs w/my form. so found out the issue might have been that local host was not set up to support that.
I followed this instructions from stackoverflow.

	
You can send mail from localhost with sendmail package , sendmail package is inbuild in XAMPP. So if you are using XAMPP then you can easily send mail from localhost.

for example you can configure C:\\xampp\\php\\php.ini and c:\\xampp\\sendmail\\sendmail.ini for gmail to send mail.

in C:\\xampp\\php\\php.ini find extension=php_openssl.dll and remove the semicolon from the beginning of that line to make SSL working for gmail for localhost.

in php.ini file find [mail function] and change

SMTP=smtp.gmail.com
smtp_port=587
sendmail_from = my-gmail-id@gmail.com
sendmail_path = "\\"C:\\xampp\\sendmail\\sendmail.exe\\" -t"
Now Open C:\\xampp\\sendmail\\sendmail.ini. Replace all the existing code in sendmail.ini with following code

[sendmail]

smtp_server=smtp.gmail.com
smtp_port=587
error_logfile=error.log
debug_logfile=debug.log
auth_username=my-gmail-id@gmail.com
auth_password=my-gmail-password
force_sender=my-gmail-id@gmail.com
Now you have done!! create php file with mail function and send mail from localhost.

PS: don't forgot to replace my-gmail-id and my-gmail-password in above code.

But is still doesn’t seem to be working. & did change the deafult port 25 to 587 and also went back to the xampp control panel. opened up the config/port settings and in the mercury tab also change the port from 25 to 587.