SkillShare - A place to discuss Web Standards and Web Design topics

kmg, Oct 28th 2006 (edited):

    Looking for a good PHP form script/tutorial that can refer a friend to your site and is spam proof.
droppyale, Oct 28th 2006 (edited):
    The best one I've found:

    Secure and Accessible PHP Contact Form
    http://green-beast.com/blog/?page_id=71
kmg, Oct 28th 2006:
    thx droppyale
droppyale, Oct 28th 2006 (edited):
    Just realized this isn't what you are looking for... apologies for suggesting the wrong script. Take a look at hotscripts, you might find what you are looking for there.
ManPig, Oct 30th 2006:

    Here is the best way to sanitize your website forms with PHP; at least this is what I put on clients' sites.

    <?php

    function sanitize($content)
    {
        $parsed = $content;
        $parsed = htmlentities($parsed);
        // strip_tags() runs after htmlentities() has already encoded every '<',
        // so by this point there are no tags left for it to find
        $parsed = strip_tags($parsed, '<br>');
        $parsed = stripslashes($parsed);
        // removes both types of line endings, plus quotes, ampersands and semicolons
        $parsed = str_replace(array("\r", "\n", "'", "&", ";"), '', $parsed);
        $parsed = trim($parsed);
        return $parsed;
    }

    // Form fields. The original used bare $name, $phone, ... which only works
    // with register_globals on; read them from the POSTed form instead.
    $name    = isset($_POST['name'])    ? $_POST['name']    : '';
    $phone   = isset($_POST['phone'])   ? $_POST['phone']   : '';
    $email   = isset($_POST['email'])   ? $_POST['email']   : '';
    $comment = isset($_POST['comment']) ? $_POST['comment'] : '';

    // Checks that the form was posted from this server's own pages and that
    // it was submitted using the POST method
    $referer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';
    if (strpos($referer, "yourname.com") === false || $_SERVER["REQUEST_METHOD"] != "POST")
    {
        echo "We're Sorry, we could not send the form as we have detected contents which could be SPAM. ";
        $message = ('Spam was blocked at dakno.com ');
        // NB: $headers has not been assigned yet at this point
        mail("websitename.com", "Contact Information", $message, $headers, "From:info@yourname.com");
        exit();
    }
    else {

        $submitted_email = "info@yourname.com";

        $message = '

    Name: '.$name.' <BR>
    Phone: '.$phone.' <Br>
    E-Mail: '.$email.' <BR>
    Comments: '.$comment.' <BR>

    ';

        // make comments lower case for string comparison
        $lowercase = strtolower($message);

        // count number of times the word mime occurs, and a few other spam markers
        $mimetimes = substr_count($lowercase, 'mime');
        $spam1 = substr_count($lowercase, 'http');
        $spam2 = substr_count($lowercase, 'Ó');
        $spam3 = substr_count($lowercase, 'Ã');
        $spam4 = substr_count($lowercase, 'content-type');

        // make comments box remove HTML functionality to prevent spam
        $finished = sanitize($message);

        /* To send HTML mail, you can set the Content-type header. */
        $headers = "MIME-Version: 1.0\n";

        /* additional headers */
        $headers .= "From: Your Name. <yourname@info.com>\n";
        $headers .= "X-Mailer: PHP4\n";

        $search = array ('@<script[^>]*?>.*?</script>@si', // Strip out javascript
        '@<[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
        '@([\r\n])[\s]+@', // Strip out white space
        '@&(quot|#34);@i', // Replace HTML entities
        '@&(amp|#38);@i',
        '@&(lt|#60);@i',
        '@&(gt|#62);@i',
        '@&(nbsp|#160);@i',
        '@&(iexcl|#161);@i',
        '@&(cent|#162);@i',
        '@&(pound|#163);@i',
        '@&(copy|#169);@i',
        // the /e modifier evaluates the replacement as PHP code
        // (deprecated since PHP 5.5 and removed in PHP 7.0)
        '@&#(\d+);@e');

        $replace = array ('',
        '',
        '\1',
        '"',
        '&',
        '<',
        '>',
        ' ',
        chr(161),
        chr(162),
        chr(163),
        chr(169),
        'chr(\1)');

        $safeMsg = preg_replace($search, $replace, $message);
        $safeHeader = preg_replace($search, $replace, $headers);
        // if mime does not occur in the message then send email
        if($mimetimes < 1 && $spam1 <1 && $spam2 <1 && $spam3 <1 && $spam4 <1){

            echo 'Thank you for your request. We will be in contact with you soon.';
            //ini_set(sendmail_from, $submitted_email);
            // Mail function: mail() takes (to, subject, message, headers)
            //mail("brad@dakno.com", "MiniContact on Dakno", $safeMsg, $safeHeader);
            mail("info@yourname.com", "Contact Information", $safeMsg, $safeHeader);

            // Version 0.1
        }
        else{
            echo "We're Sorry, we could not send the form as we have detected contents which could be SPAM.";
        }
    }
    ?>
dhayes, Oct 31st 2006:

    I don't know that I would call that script the "best way". That sanitize function will munge up the message if there's any HTML, and it's really not effective in removing HTML at all. Try posting a URL-encoded message. Another problem with the above is that you're doing a preg_replace on hardcoded text ($headers), and in the first set of validation you're passing an undefined variable ($headers) to the mail function.

    I hate to use the word, but the "Secure and Accessible PHP Contact Form" is also amateurish in code and functionality. They're both noble efforts for the "good fight", but neither appears effective in preventing header injection.
easement, Oct 31st 2006:

    dhayes nailed it: the above code doesn't really address the header injection attack. It does, but in a roundabout way.

    See the solution part on this page for more information and protection code.
    http://www.nyphp.org/phundamentals/email_header_injection.php
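The header injection that dhayes and easement refer to above happens when a form field that ends up in a mail header (From:, Reply-To:, Subject:) contains a line break: mail() hands the header block to the MTA as-is, and everything after the CR/LF is read as further headers, so an attacker can add Bcc: recipients or even a second message body. The script below is an added example written for this edit, not code from the thread or from the nyphp page it links to. It assumes PHP 7 or later; the address victim@example.com, the spamtarget addresses and the attacker string are constructed for the demonstration. The unsafe builder splices the field straight in; the safe one refuses any value containing CR, LF or NUL and then requires the value to pass FILTER_VALIDATE_EMAIL. One caveat on the script above: a Referer check is not a defence on its own, since the Referer header is sent by the client and a bot can set it to whatever value the check expects.

```php
<?php
// Added example (not from the thread): e-mail header injection and a check
// that blocks it. Assumes PHP 7+; the addresses and the attacker string below
// are constructed for the demonstration.

// VULNERABLE: the user-supplied address goes into the header block as-is.
// mail() passes this string straight to the MTA, which treats every CRLF as
// the start of a new header line.
function buildHeadersUnsafe(string $userEmail): string
{
    return "From: " . $userEmail . "\r\n"
         . "MIME-Version: 1.0\r\n";
}

// True only if $value can be used as a single header value: no CR or LF
// anywhere (a bare \n is enough for most MTAs) and no NUL byte.
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// HARDENED: reject line breaks first, then require a syntactically valid
// single address. Returns null instead of a header block when the input is
// unsafe, so the caller must not call mail() at all in that case.
function buildHeadersSafe(string $userEmail): ?string
{
    if (!isSafeHeaderValue($userEmail)) {
        return null;
    }
    if (filter_var($userEmail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return "From: " . $userEmail . "\r\n"
         . "MIME-Version: 1.0\r\n";
}

// Constructed attacker input: a plausible address followed by an injected
// Bcc: header. In a real attack this arrives URL-encoded (%0d%0a); PHP has
// already decoded it by the time it sits in $_POST.
$injected = "victim@example.com\r\nBcc: spamtarget1@example.org, spamtarget2@example.org";

echo "--- unsafe builder ---\n";
echo buildHeadersUnsafe($injected);

echo "--- safe builder, injected input ---\n";
var_dump(buildHeadersSafe($injected));

echo "--- safe builder, clean input ---\n";
var_dump(buildHeadersSafe("victim@example.com"));
```

Run it from the command line with php. The unsafe builder prints the injected Bcc: line as a header of its own, while the safe builder rejects the same input and only produces a header block for the clean address. The same isSafeHeaderValue() check belongs on every field that reaches a header, including the subject, because mail() sends the subject as a header too; checking the message body for "http" or "mime" strings, as the script above does, says nothing about what is going into the headers.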