I don’t want a website blacklisted for sending out spam but someone is doing that and I get this kind of junk. 4 at the same time 6:11pm
example:
purpose: quote
state: CA
age: 9
first_name: behappy
last_name: byYWAmIwbRgoMskOcT
email: razer22 at yahoo.com ( it was “@” and live link so I just took it out for the thread)
cellphone: 21400857234
wkphone: 34093459776
HTML
<form id="form" method="post" action="http://wwwsite.com/send/app.php">
<ul id="Form" class="container">
<li id="lo"><a href='#' class="link"> </a>
<div>
<fieldset> <br />
<label for="What is the Quote For?">What is the Quote For?</label>
<select name="Purpose" id="Purpose" data-type="purpose" class="inputclass pageRequired" title="Your Purpose?">
<option value="" selected="selected">Select One</option>
<option value="Liability">Liability</option>
<option value="Comp-Collision">Comp/Collision</option>
</select>
......
<input name="Submit" type="submit" id="submit" value="All Done »" class="button done" />
<input type="hidden" name="config" value="0"/>
<input type="hidden" name="time" value="<?php echo time(); ?>" />
<input type="text" name="nospam" value="" style="display:none;"/>
app.php
<?php
////////////////////////////////////////////////////////////////////////////
// dB Masters' PHP FormM@iler,
// http://www.dbmasters.net/
////////////////////////////////////////////////////////////////////////////
// General Variables
$check_referrer="no";
$referring_domains="http://domain.com/,http://www.domain.com/,http://subdomain.domain.com/";
// options to use if hidden field "config" has a value of 0
// recipient info
$charset[0]="iso-8859-1";
$tomail[0]="";
$bcc_tomail[0]="";
if($_POST['State']=="Arizona" OR $_POST['State']=="Georgia" OR $_POST['State']=="North Carolina"){
$group = $_POST['Age'];
$ar_group = array("$", ",");
$group_checked = str_replace($ar_group, "", $group);
if(ctype_digit($group_checked) && $group_checked > 17)
$cc_tomail[0]="";
}
// Mail contents config
$subject[0]="App";
$reply_to_field[0]="Email";
$reply_to_name[0]="FirstName";
$required_fields[0]="Purpose,State,Age,FirstName,LastName,Email,Phone";
$required_email_fields[0]="";
$attachment_fields[0]="";
$return_ip[0]="yes";
$mail_intro[0]="Please call as soon as possible";
$mail_fields[0]="Purpose,State,Age,FirstName,LastName,Email,Phone";
$mail_type[0]="text";
$mail_priority[0]="1";
// Send back to sender config
$send_copy[0]="no";
$send_copy_format[0]="vert_table";
$send_copy_fields[0]="Purpose,State,Age,FirstName,LastName,Email,Phone";
$send_copy_attachment_fields[0]="";
$copy_subject[0]="Registration";
$copy_intro[0]="Thanks for your inquiry, the following message has been delivered.";
$copy_from[0]="noreply@";
$copy_tomail_field[0]="Email";
// Result options
$header[0]="";
$footer[0]="";
$error_page[0]="";
$thanks_page[0]="";
// options to use if hidden field "config" has a value of 1
// recipient info
$charset[1]="";
$tomail[1]="";
$cc_tomail[1]="";
$bcc_tomail[1]="";
// Mail contents config
$subject[1]="";
$reply_to_field[1]="";
$reply_to_name[1]="";
$required_fields[1]="";
$required_email_fields[1]="";
$attachment_fields[1]="";
$return_ip[1]="";
$mail_intro[1]="";
$mail_fields[1]="Purpose,State,Age,FirstName,LastName,Email,Phone";
$mail_type[1]="";
$mail_priority[1]="";
// Send back to sender config
$send_copy[1]="";
$send_copy_format[1]="";
$send_copy_fields[1]="";
$send_copy_attachment_fields[1]="";
$copy_subject[1]="";
$copy_intro[1]="";
$copy_from[1]="";
$copy_tomail_field[1]="";
// Result options
$header[1]="";
$footer[1]="";
$error_page[1]="";
$thanks_page[1]="";
/////////////////////////////////////////////////////////////////////////
// Don't muck around past this line unless you know what you are doing //
/////////////////////////////////////////////////////////////////////////
ob_start();
$config=$_POST["config"];
$debug=0;
$debug_text="";
// fix for Windows email server security
ini_set("sendmail_from",$tomail[$config]);
// email validation regular expression
//Old ereg expression
//$regex = "^[-a-z0-9!#$%&\\'*+/=?^_`{|}~]+(\\.[-a-z0-9!#$%&\\'*+/=?^_`{|}~]+)*@(([a-z0-9]([-a-z0-9]*[a-z0-9]+)?){1,63}\\.)+([a-z]([-a-z0-9]*[a-z0-9]+)?){2,63}$";
//New preg expression
$regex = "/^[-a-z0-9!#$%&\\'*+\\/=?^_`{|}~]+(\\.[-a-z0-9!#$%&\\'*+\\/=?^_`{|}~]+)*@(([a-z0-9]([-a-z0-9]*[a-z0-9]+)?){1,63}\\.)+([a-z]([-a-z0-9]*[a-z0-9]+)?){2,63}$/i";
//old ereg expression
//$header_injection_regex = "(\\r|\
)";
//new preg expression
$header_injection_regex = "/(\\r|\
)/";
if($header[$config]!="")
include($header[$config]);
if($_POST["submit"] || $_POST["Submit"] || $_POST["submit_x"] || $_POST["Submit_x"])
{
////////////////////////////
// begin global functions //
////////////////////////////
// get visitor IP
function getIP()
{
if(getenv(HTTP_X_FORWARDED_FOR))
$user_ip=getenv("HTTP_X_FORWARDED_FOR");
else
$user_ip=getenv("REMOTE_ADDR");
return $user_ip;
}
// get value of given key
function parseArray($key)
{
$array_value=$_POST[$key];
$count=1;
extract($array_value);
foreach($array_value as $part_value)
{
if($count > 1){$value.=", ";}
$value.=$part_value;
$count=$count+1;
}
return $value;
}
// stripslashes and autolink url's
function parseValue($value)
{
$value=preg_replace("/(http:\\/\\/+.[^\\s]+)/i",'<a href="\\\\1">\\\\1</a>', $value);
return $value;
}
// html header if used
function htmlHeader()
{
$htmlHeader="<!DOCTYPE HTML PUBLIC \\"-//W3C//DTD HTML 4.01//EN\\">\
<html>\
<head><meta http-equiv=\\"Content-Type\\" content=\\"text/html; charset=".$charset[$config]."\\"></head>\
<body>\
<table cellpadding=\\"2\\" cellspacing=\\"0\\" border=\\"0\\" width=\\"600\\">\
";
return $htmlHeader;
}
// html footer if used
function htmlFooter()
{
$htmlFooter="</table>\
</body>\
</html>\
";
return $htmlFooter;
}
// build verticle table format
function buildVertTable($fields, $intro, $to, $send_ip)
{
$message=htmlHeader();
if($intro != "")
$message.="<tr>\
<td align=\\"left\\" valign=\\"top\\" colspan=\\"2\\">".$intro."</td>\
</tr>\
";
$fields_check=preg_split('/,/',$fields);
$run=sizeof($fields_check);
for($i=0;$i<$run;$i++)
{
$cur_key=$fields_check[$i];
$cur_value=$_POST[$cur_key];
if(is_array($cur_value))
{
$cur_value=parseArray($cur_key);
}
$cur_value=parseValue($cur_value);
if($allow_html[$config]=="no")
$cur_value=htmlspecialchars(nl2br($cur_value));
else
$cur_value=nl2br($cur_value);
$message.="<tr>\
<td align=\\"left\\" valign=\\"top\\" style=\\"white-space:nowrap;\\"><b>".$cur_key."</b></td>\
<td align=\\"left\\" valign=\\"top\\" width=\\"100%\\">".$cur_value."</td>\
</tr>\
";
}
if($send_ip=="yes" && $to=="recipient")
{
$user_ip=getIP();
$message.="<tr>\
<td align=\\"left\\" valign=\\"top\\" style=\\"white-space:nowrap;\\"><b>Sender IP</b></td>\
<td align=\\"left\\" valign=\\"top\\" width=\\"100%\\">".$user_ip."</td>\
</tr>\
";
}
$message.=htmlFooter();
return $message;
}
// build horizontal table format
function buildHorzTable($fields, $intro, $to, $send_ip)
{
$message=htmlHeader();
$fields_check=preg_split('/,/',$fields);
$run=sizeof($fields_check);
if($intro != "")
$message.="<tr>\
<td align=\\"left\\" valign=\\"top\\" colspan=\\"".$run."\\">".$intro."</td>\
</tr>\
";
$message.="<tr>\
";
for($i=0;$i<$run;$i++)
{
$cur_key=$fields_check[$i];
$message.="<td align=\\"left\\" valign=\\"top\\" style=\\"white-space:nowrap;\\"><b>".$cur_key."</b></td>\
";
}
if($send_ip=="yes" && $to=="recipient")
$message.="<td align=\\"left\\" valign=\\"top\\" style=\\"white-space:nowrap;\\"><b>Sender IP</b></td>\
";
$message.="</tr>\
";
$message.="<tr>\
";
for($i=0;$i<$run;$i++)
{
$cur_key=$fields_check[$i];
$cur_value=$_POST[$cur_key];
if(is_array($cur_value))
{
$cur_value=parseArray($cur_key);
}
$cur_value=parseValue($cur_value);
if($allow_html[$config]=="no")
$cur_value=htmlspecialchars(nl2br($cur_value));
else
$cur_value=nl2br($cur_value);
$message.="<td align=\\"left\\" valign=\\"top\\">".$cur_value."</td>\
";
}
$message.="</tr>\
";
$message.="<tr>\
";
if($send_ip=="yes" && $to=="recipient")
{
$user_ip=getIP();
$message.="<td align=\\"left\\" valign=\\"top\\">".$user_ip."</td>\
";
}
$message.="</tr>\
";
$message.=htmlFooter();
return $message;
}
// build plain text format
function buildTextTable($fields, $intro, $to, $send_ip)
{
$message="";
if($intro != "")
$message.=$intro."\
\
";
$fields_check=preg_split('/,/',$fields);
$run=sizeof($fields_check);
for($i=0;$i<$run;$i++)
{
$cur_key=$fields_check[$i];
$cur_value=$_POST[$cur_key];
if(is_array($cur_value))
{
$cur_value=parseArray($cur_key);
}
$cur_value=parseValue($cur_value);
if($allow_html[$config]=="no")
$cur_value=htmlspecialchars($cur_value);
else
$cur_value=$cur_value;
$message.="".$cur_key.": ".$cur_value."\
";
}
if($send_ip=="yes" && $to=="recipient")
{
$user_ip=getIP();
$message.="Sender IP: ".$user_ip."\
";
}
return $message;
}
// get the proper build fonction
function buildTable($format, $fields, $intro, $to, $send_ip)
{
if($format=="vert_table")
$message=buildVertTable($fields, $intro, $to, $send_ip);
else if($format=="horz_table")
$message=buildHorzTable($fields, $intro, $to, $send_ip);
else
$message=buildTextTable($fields, $intro, $to, $send_ip);
return $message;
}
// referrer checking security option
function checkReferer()
{
if($check_referrer=="yes")
{
$ref_check=preg_split('/,/',$referring_domains);
$ref_run=sizeof($ref_check);
$referer=$_SERVER['HTTP_REFERER'];
$domain_chk="no";
for($i=0;$i<$ref_run;$i++)
{
$cur_domain=$ref_check[$i];
if(stristr($referer,$cur_domain)){$domain_chk="yes";}
}
}
else
{
$domain_chk="yes";
}
return $domain_chk;
}
// checking required fields and email fields
function checkFields($text_fields, $email_fields, $regex)
{
$error_message="";
if($debug==1)
$error_message.="<li>text_fields: ".$text_fields."<br />email_fields: ".$email_fields."<br />reply_to_field: ".$reply_to_field."<br />reply_to_name: ".reply_to_name."</li>";
if($text_fields != "")
{
$req_check=preg_split('/,/',$text_fields);
$req_run=sizeof($req_check);
for($i=0;$i<$req_run;$i++)
{
$cur_field_name=$req_check[$i];
$cur_field=$_POST[$cur_field_name];
if($cur_field=="")
{
$error_message.="<li>You are missing the <b>".$req_check[$i]."</b> field</li>\
";
}
}
}
if($email_fields != "")
{
$email_check=preg_split('/,/',$email_fields);
$email_run=sizeof($email_check);
for($i=0;$i<$email_run;$i++)
{
$cur_email_name=$email_check[$i];
$cur_email=$_POST[$cur_email_name];
//if($cur_email=="" || !eregi($regex, $cur_email))
if($cur_email=="" || !preg_match($regex, $cur_email))
{
$error_message.="<li>You are missing the <b>".$email_check[$i]."</b> field or it is not a valid email address.</li>\
";
}
}
}
return $error_message;
}
// attachment function
function getAttachments($attachment_fields, $message, $content_type, $border)
{
$att_message="This is a multi-part message in MIME format.\\r\
";
$att_message.="--{$border}\\r\
";
$att_message.=$content_type."\\r\
";
$att_message.="Content-Transfer-Encoding: 7bit\\r\
\\r\
";
$att_message.=$message."\\r\
\\r\
";
$att_check=preg_split('/,/',$attachment_fields);
$att_run=sizeof($att_check);
for($i=0;$i<$att_run;$i++)
{
$fileatt=$_FILES[$att_check[$i]]['tmp_name'];
$fileatt_name=$_FILES[$att_check[$i]]['name'];
$fileatt_type=$_FILES[$att_check[$i]]['type'];
if (is_uploaded_file($fileatt))
{
$file=fopen($fileatt,'rb');
$data=fread($file,filesize($fileatt));
fclose($file);
$data=chunk_split(base64_encode($data));
$att_message.="--{$border}\
";
$att_message.="Content-Type: {$fileatt_type}; name=\\"{$fileatt_name}\\"\\r\
";
$att_message.="Content-Disposition: attachment; filename=\\"{$fileatt_name}\\"\\r\
";
$att_message.="Content-Transfer-Encoding: base64\\r\
\\r\
".$data."\\r\
\\r\
";
}
}
$att_message.="--{$border}--\
";
return $att_message;
}
// function to set content type
function contentType($charset, $format)
{
if($format=="vert_table")
$content_type="Content-type: text/html; charset=".$charset."\\r\
";
else if($format=="horz_table")
$content_type="Content-type: text/html; charset=".$charset."\\r\
";
else
$content_type="Content-type: text/plain; charset=".$charset."\\r\
";
return $content_type;
}
//////////////////////////
// end global functions //
//////////////////////////
////////////////////////////////
// begin procedural scripting //
////////////////////////////////
// anti-spam empty field check
if($_POST[$empty_field[$config]] != "")
{
$empty_message = "<li>This submission failed and was flagged as spam.</li>\
";
}
// anti-spam character scan check
if(strlen($character_scan[$config]) > 0)
{
$spam_message="";
$field_check=preg_split('/,/',$character_scan[$config]);
$field_run=sizeof($field_check);
for($i=0;$i<$field_run;$i++)
{
$cur_field_name=$field_check[$i];
$cur_field=$_POST[$cur_field_name];
if(preg_match("/<(.|\
)+?>/", $cur_field) || preg_match("/\\[(.|\
)+?\\]/", $cur_field))
$spam_message.="<li>This message contains disallowed characters.</li>\
";
}
}
// anti-spam time delay check
if((strlen($time_delay[$config]) > 0 && strlen($_POST["time"]) > 0) || (strlen($time_delay[$config]) > 0 && (strlen($_POST["time"]) == 0 || !$_POST["time"])))
{
if((time() - $_POST["time"]) < $time_delay[$config])
$time_message = "<li>This has been stopped by the timer, and is likely spam.</li>\
";
}
// anti-spam CAPTCHA check
if(strlen($captcha_codes[$config]) > 0)
{
$captcha_check=preg_split('/,/',$captcha_codes[$config]);
if(strtolower($_POST["captcha_entry"]) != strtolower($captcha_check[$_POST["captcha_code"]]))
$captcha_message = "<li>CAPTCHA test did not match.</li>\
";
}
// anti-spam max URL check
if(strlen($max_url_fields[$config]) > 0)
{
$max_url_message="";
$field_check=preg_split('/,/',$max_url_fields[$config]);
$field_run=sizeof($field_check);
for($i=0;$i<$field_run;$i++)
{
$cur_field_name=$field_check[$i];
$cur_field=$_POST[$cur_field_name];
preg_match_all("/http:/", $cur_field, $matches);
if(count($matches[0]) > $max_urls[$config])
$max_url_message.="<li>This message contains too many URL's.</li>\
";
}
}
// set anti-spam flagging option
if(strlen($empty_message.$spam_message.$time_message.$captcha_message.$max_url_message) > 0 && strlen($flag_spam[$config]) == 0)
$set_flag = 2;
else if(strlen($empty_message.$spam_message.$time_message.$captcha_message.$max_url_message) > 0 && strlen($flag_spam[$config]) > 0)
$set_flag = 1;
else
$set_flag = 0;
// header injection check
$security_filter="";
if(strlen($_POST[$reply_to_field[$config]]) > 0)
{
//if(eregi($header_injection_regex,$_POST[$reply_to_field[$config]]))
if(preg_match($header_injection_regex,$_POST[$reply_to_field[$config]]))
$security_filter.="<li>Header injection attempt detected, mail aborted.</li>\
";
else
$reply_to_field_checked=$_POST[$reply_to_field[$config]];
}
if(strlen($_POST[$reply_to_name[$config]]) > 0)
{
//if(eregi($header_injection_regex,$_POST[$reply_to_name[$config]]))
if(preg_match($header_injection_regex,$_POST[$reply_to_name[$config]]))
$security_filter.="<li>Header injection attempt detected, mail aborted.</li>\
";
else
$reply_to_name_checked=$_POST[$reply_to_name[$config]];
}
// check domain referrer and continue
$domain_chk=checkReferer();
if($domain_chk=="yes")
{
$error_message=checkFields($required_fields[$config], $required_email_fields[$config], $regex);
if(strlen($error_message) < 1 && strlen($security_filter) < 1 && $set_flag < 2)
{
// build appropriate message format for recipient
$content_type=contentType($charset[$config], $mail_type[$config]);
$message=buildTable($mail_type[$config], $mail_fields[$config], $mail_intro[$config], "recipient", $return_ip[$config]);
// build header data for recipient message
//$extra="From: ".$_POST[$reply_to_field[$config]]."\\r\
";
$extra="From: ".$reply_to_name_checked." <".$reply_to_field_checked.">\\r\
";
if($cc_tomail[$config]!="")
$extra.="Cc: ".$cc_tomail[$config]."\\r\
";
if($bcc_tomail[$config]!="")
$extra.="Bcc: ".$bcc_tomail[$config]."\\r\
";
if($mail_priority[$config]!="")
$extra.="X-Priority: ".$mail_priority[$config]."\\r\
";
// get attachments if necessary
if($attachment_fields[$config]!="")
{
$semi_rand=md5(time());
$border="==Multipart_Boundary_x{$semi_rand}x";
$extra.="MIME-Version: 1.0\\r\
";
$extra.="Content-Type: multipart/mixed; boundary=\\"{$border}\\"";
$message=getAttachments($attachment_fields[$config], $message, $content_type, $border);
}
else
{
$extra.="MIME-Version: 1.0\\r\
".$content_type;
}
// send recipient email
if($debug==1)
{
if($set_flag == 1)
$debug_text.="<p><b>Mail would have sent flagged for spam if not in debug mode.</b></p>";
else
$debug_text.="<p><b>Mail would have sent if not in debug mode.</b></p>";
}
else if($debug==0)
{
if($set_flag == 1)
$subject = $flag_spam[$config]." ".$subject[$config];
else
$subject = $subject[$config];
mail("".$tomail[$config]."", "".stripslashes($subject)."", "".stripslashes($message)."", "".$extra."");
}
// autoresponse email if necessary
if($send_copy[$config]=="yes")
{
// build appropriate message format for autoresponse
$content_type=contentType($charset[$config], $copy_format[$config]);
$message=buildTable($copy_format[$config], $copy_fields[$config], $copy_intro[$config], "autoresponder", $return_ip[$config]);
// build header data for autoresponse
$copy_tomail=$_POST[$copy_tomail_field[$config]];
$copy_extra="From: ".$copy_from[$config]."\\r\
";
// get autoresponse attachments if necessary
if($copy_attachment_fields[$config]!="")
{
$semi_rand=md5(time());
$border="==Multipart_Boundary_x{$semi_rand}x";
$copy_extra.="MIME-Version: 1.0\\r\
";
$copy_extra.="Content-Type: multipart/mixed; boundary=\\"{$border}\\"";
$message=getAttachments($copy_attachment_fields[$config], $message, $content_type, $border);
}
else
{
$copy_extra.="MIME-Version: 1.0\\r\
".$content_type;
}
// send autoresponse email
if($debug==1)
{
if($set_flag == 1)
$debug_text.="<p><b>Autoresponder would have sent flagged for spam if not in debug mode.</b></p>";
else
$debug_text.="<p><b>Autoresponder would have sent if not in debug mode.</b></p>";
}
else if($debug==0)
{
$send_copy = 1;
//if($copy_tomail=="" || !eregi($regex,$copy_tomail))
if($copy_tomail=="" || !preg_match($regex,$copy_tomail))
$send_copy = 0;
if($send_copy == 1)
{
if($set_flag == 1)
$copy_subject = $flag_spam[$config]." ".$copy_subject[$config];
else
$copy_subject = $copy_subject[$config];
mail("$copy_tomail", "".$copy_subject."", "$message", "$copy_extra");
}
}
}
// showing thanks pages from a successful submission
if($thanks_page[$config]=="")
{
echo "<h3>".$thanks_page_title[$config]."</h3>\
";
echo "<p>".$thanks_page_text[$config]."</p>\
";
if(strlen($debug_text) > 0)
echo "<p><b><i>".$debug_text."</i></b></p>\
";
}
else
{
header("Location: ".$thanks_page[$config]);
}
}
else
{
// entering error page options from missing required fields
if($error_page[$config]=="")
{
echo "<h3>".$error_page_title[$config]."</h3>\
";
echo "<ul>\
";
echo $security_filter.$empty_message.$error_message.$spam_message.$time_message.$captcha_message.$max_url_message;
echo "</ul>\
";
echo "<p>".$error_page_text[$config]."</p>\
";
}
else
{
header("Location: ".$error_page[$config]);
}
}
}
else
{
echo "<h3>".$error_page_title[$config]."</h3>\
";
// message if unauthorized domain trigger from referer checking option
echo "<p>Sorry, mailing request came from an unauthorized domain.</p>\
";
}
//////////////////////////////
// end procedural scripting //
//////////////////////////////
}
else
{
echo "<h3>Error</h3>";
echo "<p>No form data has been sent to the script</p>\
";
}
if($footer[$config]!="")
include($footer[$config]);
ob_end_flush();
?>
I am not a php programmer so that is part of the reason it gets spammed.
How would you an expert, handle this if you wanted to make sure the data being input is sanitized, filtered, it secure from injection headers and illegal sending, email and phone are validated (without javascript) , and NO captchas whatsoever? ( I already know there are captcha solvers out there anyway and I just don’t want it.)
The form is 7 years old and I have seen tectite but I get too confused with it configuring it. So, for an eternal php newbie, iIs there a way to make this php code stronger and more secure? Please share your solutions. getting spam is like getting the finger every day you drive.
Thanks