scotttyz Posted March 10, 2004

If any phpers want to take a minute and try to poke some holes in my php script for mailing form submissions. This script works BTW. I am trying to ensure the script is as secure as possible by taking out any unwanted @'s that a spammer may try to send to my mail sending script. I have not used any pre-made scripts as we send email to various emails depending on form submissions, and this script is used with some other php classes to update a .htaccess style user list. Well here it is, let me know if you can find any holes!!

```php
<?php
// set up our variables
$redirect  = "thanks.html";                  // thank-you URL
$subject   = "Website Information Request";  // subject for email
$maildate  = date("D F dS, Y");              // let's add a date
$headers   = "";                             // clear variable
$mailingto = "";                             // clear variable
$message   = "";                             // clear variable

// read from $_POST so we are getting form data, not values sent through the URL
$SecureEmail    = isset($_POST["email"]) ? $_POST["email"] : "";
$SecureSalesrep = isset($_POST["salesrep"]) ? $_POST["salesrep"] : "";
// $CustName used to come from register_globals; read the CustName field explicitly
$CustName       = isset($_POST["CustName"]) ? $_POST["CustName"] : "";
$SecureCustname = str_replace('@', " at ", $CustName); // remove any @'s from variable

// check to see if there is more than one @ in email; if so, blank it out
$atCount = substr_count($SecureEmail, '@');
if ($atCount > 1) {
    $SecureEmail = "webserver@****";
}

// if the required field on the form is selected, use USERNAME@ and send the email to that user
if ($SecureSalesrep == "") {
    $mailingto = "me@****";
} else {
    $mailingto = "$SecureSalesrep@****";
}

// set up headers
// if the user entered an email we will send this email FROM them
if ($SecureEmail == "") {
    $headers .= "From: webserver@****\r\n";
    $headers .= "Reply-to: webserver@****\r\n";
} else {
    $headers .= "From: $SecureEmail\r\n";
    $headers .= "Reply-to: $SecureEmail\r\n";
}
$headers .= "X-Mailer: PHP/" . phpversion();

// parse the form posts ($_POST replaces the old $HTTP_POST_VARS)
foreach ($_POST as $key => $value) {
    $message .= $key . " : " . $value . "\n";
}

// remove every @ in the post variables to ensure no one tries to pass a cc: user@domain.com etc
$securemessage = str_replace('@', " at ", $message);

// build the message. We have ensured $SecureEmail has only 1 @, $securemessage has no @'s, $SecureCustname has no @'s
$tmessage = "Information was requested by $SecureCustname from our website on $maildate\n\n"
          . "$securemessage\n------------------- end of email --------------------\n"
          . "Mail generated by AAP mail: PHP Webserver form script\n"
          . "-----------------------------------------------------";

// send this thing. We should be totally spammer secure
$ret = mail($mailingto, $subject, $tmessage, $headers);

// and let's go to another page
if ($ret) {
    header("Location: $redirect");
    exit; // stop output after the redirect header
} else {
    echo('<p>We are sorry, our server is temporarily unable to send mail.<br>'
       . 'Please call us at OUR NUMBER so we may better serve you.<br>'
       . 'Thank You, All About Play<br> Or you may return to our '
       . '<a href="http://www.****">home</a> page.</p>');
}
?>
```

BTW, any TCH'ers feel free to hack, copy, use, modify this code as you wish. Any non-TCH'ers must pay $1 to me for each use (j/k)

Quote
Alan Posted March 11, 2004

Looks good to me, I just use filters, and spammers get discarded. I also use a script that Don sent me, which has worked so far.

Quote