Need Some Input From Some Tch Phpers

liunx

Guest
If any phpers want to take a minute and try to poke some holes in my PHP script for mailing form submissions. This script works BTW. I am trying to ensure the script is as secure as possible by taking out any unwanted @'s that a spammer may try to send to my mail sending script. I have not used any pre-made scripts as we send email to various addresses depending on form submissions, and this script is used with some other PHP classes to update a .htaccess style user list.

Well here it is, let me know if you can find any holes!!

```php
<?php
// set up our variables
$redirect = "thanks.html"; // thank URL
$subject  = "Website Information Request"; // Subject for email
$maildate = date("D F dS, Y"); // Lets add a date
$headers = ""; // Clear variable
$mailingto = ""; // Clear variable
$message = ""; // Clear variable
$SecureEmail = $_POST["email"]; // ensure we are getting form data not sent thru URL
$SecureSalesrep = $_POST["salesrep"]; // ensure we are getting form data not sent thru URL
// the posted version read $CustName here, which is only set when register_globals is on;
// "custname" is an assumed form field name
$SecureCustname = str_replace('@', " at ", $_POST["custname"]); // remove any @'s from variable

// check to see if there is more than one @ in email, if so blank it out
$atCount = substr_count($SecureEmail, '@');
if ($atCount > 1) {
    $SecureEmail = "webserver@****";
}

// if the required field on form is selected use the USERNAME@ and send the email to that user
if ($SecureSalesrep == "") {
    $mailingto = "me@****";
} else {
    $mailingto = "$SecureSalesrep@****";
}

// Set up headers
// if the user entered an email we will send this email FROM them
if ($SecureEmail == "") {
    $headers .= "From: webserver@****\r\n";
    $headers .= "Reply-to: webserver@****\r\n";
} else {
    $headers .= "From: $SecureEmail\r\n";
    $headers .= "Reply-to: $SecureEmail\r\n";
}
$headers .= "X-Mailer: PHP/" . phpversion();

// parse the form posts ($HTTP_POST_VARS in the posted version is the old name for $_POST)
foreach ($_POST as $key => $value) {
    $message .= $key . " : " . $value . "\n";
}
// Lets remove every @ in the post variables to ensure no one tries to pass a cc: [email protected] etc
$securemessage = str_replace('@', " at ", $message);

// Build the message. We have ensured the $email has only 1 @, $securemessage has no @'s, $custName has no @'s
$tmessage = "Information was requested by $SecureCustname from our website on $maildate\n\n$securemessage\n------------------- end of email --------------------\nMail generated by AAP mail: PHP Webserver form script\n-----------------------------------------------------";

// Send this thing. We should be totaly spammer secure
$ret = mail($mailingto, $subject, $tmessage, $headers);

// And lets go to another page
if ($ret) {
    header("Location: $redirect");
} else {
    echo('<p>We are sorry, our server is temporarily unable to send mail.<br>Please call us at OUR NUMBER so we may better serve you.<br>Thank You, All About Play<br> Or you may return to our <a href="http://www.****">home</a> page.</p>');
}
?>
```

BTW, any TCH'ers feel free to hack, copy, use, modify this code as you wish.

Any non-TCH'ers must pay $1 to me for each use (j/k)
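The checks above count @ signs but never look for line breaks, and a CR/LF inside the email or salesrep field is what lets a submission append its own headers (Bcc:, a second To:) to what mail() sends; the salesrep value is also interpolated straight into the recipient. The following is an added example of a hardened version of the same handler, not the original poster's script; MAIL_DOMAIN, ALLOWED_REPS and the field names stand in for the ****'d values and are assumptions.

```php
<?php
// Hardened variant of the mailer above (added example, not the original poster's script).
// MAIL_DOMAIN and ALLOWED_REPS are placeholders for the ****'d domain and the real rep list.
const MAIL_DOMAIN  = 'example.com';
const ALLOWED_REPS = ['alice', 'bob'];

// A CR, LF or NUL in a header value lets the sender append headers of their own (Bcc:, To:).
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Use the visitor's address only if it is one syntactically valid address with no line breaks.
function safe_reply_address($email, string $fallback): string
{
    if (!is_string($email) || has_header_injection($email)) {
        return $fallback;
    }
    $valid = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $valid === false ? $fallback : $valid;
}

// Look the salesrep up in a fixed list rather than building the To: address from the POST value.
function resolve_recipient($rep, string $default): string
{
    if (!is_string($rep) || !in_array($rep, ALLOWED_REPS, true)) {
        return $default;
    }
    return $rep . '@' . MAIL_DOMAIN;
}

// Dump the posted fields into the body with line breaks and @ neutralised, as the original does.
function build_body(array $post, string $date): string
{
    $lines = [];
    foreach ($post as $key => $value) {
        $flat  = is_array($value) ? implode(', ', $value) : (string) $value;
        $clean = str_replace(["\r", "\n", '@'], [' ', ' ', ' at '], $flat);
        $lines[] = $key . ' : ' . $clean;
    }
    return "Information was requested from our website on $date\n\n" . implode("\n", $lines) . "\n";
}

// From: stays the server's own address so SPF/DMARC checks on the receiving side are not tripped;
// the visitor's address goes in Reply-To: instead.
$fallback = 'webserver@' . MAIL_DOMAIN;
$replyTo  = safe_reply_address($_POST['email'] ?? null, $fallback);
$to       = resolve_recipient($_POST['salesrep'] ?? null, 'me@' . MAIL_DOMAIN);
$headers  = "From: $fallback\r\nReply-To: $replyTo\r\nX-Mailer: PHP/" . PHP_VERSION;
$ret = mail($to, 'Website Information Request', build_body($_POST, date('D F dS, Y')), $headers);
```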
Looks good to me, I just use filters, and spammers get discarded. :P

I also use a script that Don sent me, which has worked so far. :)
 