Secure contact form with phpmailer

Is it possible to make a secure contact form that uses PHPMailer? How do I secure it in case I get spam or dangerous exe files as attachments in my mailbox?

Here is my send page code:

<?php
error_reporting(E_ALL ^ E_NOTICE);
$message .= "<b>Error ID:</b> {$_POST['error_id']}<br /><br />";
$message .= "<b>Day:</b> {$_POST['day']}<br /><br />";
$subject = "New error-message";

require("class.phpmailer.php");
$mail = new PHPMailer();

$mail->From = "no-reply@mail.be";
$mail->FromName = "Errormessage";
$mail->AddAddress("matti@mail.be");


$mail->AddAttachment($_FILES['tiedosto1']['tmp_name'], basename($_FILES['tiedosto1']['name']));
$mail->AddAttachment($_FILES['tiedosto2']['tmp_name'], basename($_FILES['tiedosto2']['name']));
$mail->AddAttachment($_FILES['tiedosto3']['tmp_name'], basename($_FILES['tiedosto3']['name']));
$mail->AddAttachment($_FILES['tiedosto4']['tmp_name'], basename($_FILES['tiedosto4']['name']));
$mail->AddAttachment($_FILES['tiedosto5']['tmp_name'], basename($_FILES['tiedosto5']['name']));
$mail->IsHTML(True);                              

$mail->Subject  =  $subject; //
$mail->Body     =  $message;
if(!$mail->Send())
{
   echo "Error<p>";
   echo "Mailer Error: " . $mail->ErrorInfo;
   exit;
} else {
}
?>
mattimeikalainen Asked:
 
Ray Paseur Commented:
Add a CAPTCHA test to your form that is used to upload the files.  It will not help you avoid evil attachments from evil people, but it will go a long way toward ensuring that you will not get evil files from evil 'bots.  Here is a simple example.  The first script shows how to call the captcha_image.php script.
<?php // RAY_captcha_in_action.php
error_reporting(E_ALL);

// IF ANYTHING WAS POSTED
if (!empty($_POST))
{
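    // TEST THE STRINGS - BOTH FIELDS MUST BE PRESENT, AND THE COMPARISON IS STRICT
    // (A LOOSE != CAN TREAT TWO DIFFERENT "0e..." HASH STRINGS AS EQUAL NUMBERS)
    if (!isset($_POST["_newMd5"], $_POST["_newCode"])
        || !is_string($_POST["_newCode"])
        || $_POST["_newMd5"] !== md5($_POST["_newCode"]))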
    {
        // MIGHT WANT TO MAKE THIS USER-FRIENDLY
        echo 'SECURITY CODE NUMBER DID NOT MATCH';
    }
    else
    {
        echo "SUCCESS!";
    }
}
// END OF PHP - PUT UP THE FORM
?>
<form method="post">
<!-- STYLE THIS TO SUIT YOUR PAGE STYLE -->
Type <img style="display:inline;" src="RAY_captcha_image.php?dt=<?php $x = mt_rand(1000,10000); echo base64_encode($x); ?>" /> here:
<input name="_newCode" type="text"   maxlength="64" size="6" autocomplete="off" />
<input name="_newMd5"  type="hidden" value="<?php echo md5($x); ?>" />
<input type="submit" />
</form>

0
 
Dave Baldwin (Fixer of Problems) Commented:
It would be difficult to write a malware scanner in PHP so you need to make sure your anti-virus on your computer that receives the email is working and protecting you.  You can scan the message text for unwanted content with PHP.
0
 
Loganathan Natarajan (LAMP Developer) Commented:
You can also validate those extensions on the client side or server side before you start the mail attachment process.
0
 
gizmola Commented:
The $_FILES['somefile']['type'] for any files will provide you a mimetype sent by the client.  This can be tampered with, but it makes a good barrier, if you don't want to accept .exe's or other types of files based on their extensions.

Combined with a whitelist based on this list http://www.w3schools.com/media/media_mimeref.asp you could simply not attach any files where the type column isn't in your list of acceptable attachment types.
0
 
mattimeikalainen (Author) Commented:
Can you write me code examples? I don't know how to do it.
0
 
Loganathan Natarajan (LAMP Developer) Commented:
0
 
pius_babbun Commented:
You can check the file extension from $_FILES before you attach the files in the mailer, and restrict the exe files in this case.
0
 
Ray Paseur Commented:
... And this second script is the captcha_image.php script that the first one calls.

You can use reCaptcha if you want to, but I find the images quite difficult to read and a little too much of a nuisance.

HTH, ~Ray
<?php // RAY_captcha_image.php

// GENERATES A PICTURE OF A NUMBER INTO THE BROWSER OUTPUT
error_reporting(E_ALL ^ E_NOTICE);

// DECODE THE INCOMING STRING
$data = base64_decode($_GET['dt']);

// CREATE AN IMAGE RESOURCE - CHOOSE THE SIZE THAT BEST MATCHES YOUR PAGE STYLE
$im = imagecreate(46,13);

// WHITE BACKGROUND
$bg = imagecolorallocate($im, 255,255,255);

// GRAY STRIPES
$gray = imagecolorallocate($im, 188,188,188);

// FIREBRICK TEXT
$text = imagecolorallocate($im, 178,34,34);

// ADD THE NUMBER TO THE IMAGE
imagestring($im,5,4,0,$data,$text);

// WRITE A GRAY STRIPE (OR MORE IF YOU CHOOSE)
imageline($im,4,12,38,0,$gray);

// SEND THE IMAGE INTO THE BROWSER OUTPUT STREAM
header('Content-type: image/png');
imagepng($im);
imagedestroy($im);

0
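Added example, not part of Ray Paseur's posts: a variant of the two CAPTCHA scripts above in which the expected code stays in the PHP session instead of travelling to the browser in the hidden `_newMd5` field and the `dt` image parameter. The single-file layout, the `img` query parameter and the function name `captcha_passed` are assumptions made for this sketch (PHP 7+ with the GD extension).

```php
<?php // captcha_session.php (hypothetical file name; added example)
session_start();

// Image request: draw the code stored in the session, never a value taken from the URL.
if (isset($_GET['img'])) {
    $code = $_SESSION['captcha_code'] ?? '';
    $im   = imagecreate(46, 13);
    imagecolorallocate($im, 255, 255, 255);      // first allocated colour is the background
    $text = imagecolorallocate($im, 178, 34, 34);
    imagestring($im, 5, 4, 0, $code, $text);
    header('Content-Type: image/png');
    header('Cache-Control: no-store');           // keep an old code image out of caches
    imagepng($im);
    exit;
}

// True only when the posted answer matches the server-side code.
function captcha_passed(array $post): bool
{
    $expected = $_SESSION['captcha_code'] ?? null;
    unset($_SESSION['captcha_code']);            // each code can be answered once
    $answer = $post['_newCode'] ?? null;
    return is_string($expected) && is_string($answer)
        && hash_equals($expected, trim($answer));
}

$status = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $status = captcha_passed($_POST) ? 'SUCCESS!' : 'SECURITY CODE NUMBER DID NOT MATCH';
}

// Fresh code for the form rendered below; random_int() draws from the system CSPRNG.
$_SESSION['captcha_code'] = (string) random_int(1000, 9999);
?>
<p><?php echo htmlspecialchars($status); ?></p>
<form method="post">
Type <img style="display:inline;" src="?img=1" alt="security code" /> here:
<input name="_newCode" type="text" maxlength="4" size="6" autocomplete="off" />
<input type="submit" />
</form>
```

The mail-sending script would call `captcha_passed($_POST)` before building the message and stop when it returns false.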
 
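gizmola Commented:
function checkFileType($fileType) {
  // Allowed MIME types ('image/jpeg' is the registered type for JPEG files; 'image/jpg' is not)
  $fileTypes = array('image/png',
                     'image/jpeg',
                     'image/gif',
                     );
  // Strict comparison so only an exact string match passes
  return isset($fileType) && in_array($fileType, $fileTypes, true);
}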

You would use this like so:

if checkFileType($_FILES['tiedosto1']['type'])
	$mail->AddAttachment($_FILES['tiedosto1']['tmp_name'], basename($_FILES['tiedosto1']['name']));

if (checkFileType($_FILES['tiedosto1']['type']))
	$mail->AddAttachment($_FILES['tiedosto1']['tmp_name'], basename($_FILES['tiedosto1']['name']));

0
 
gizmola Commented:
In the example above, use the 2nd if (checkfileType... example.  I accidentally pasted in that first example by mistake.
0
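Added example, not code from the thread: the same allowlist idea applied to all five upload fields, with the type detected from the file's bytes by `finfo` rather than read from the client-supplied `$_FILES[...]['type']`, plus the upload error, size and extension checks. The function names, the 2 MB limit and the generated attachment names are assumptions; it expects PHP 7.1+ with the fileinfo extension and the `$mail` object from the question's script.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+, the fileinfo extension,
// and that $mail is the PHPMailer object from the question's script.

const MAX_ATTACHMENT_BYTES = 2097152; // assumed limit: 2 MB per file

// Returns a generated attachment name, or null when the upload must be rejected.
function vetUpload(?array $file, finfo $finfo): ?string
{
    // MIME type detected from the file's bytes => extensions accepted for it.
    static $allowed = [
        'image/png'  => ['png'],
        'image/jpeg' => ['jpg', 'jpeg'],
        'image/gif'  => ['gif'],
    ];
    if ($file === null || !is_int($file['error'] ?? null) || $file['error'] !== UPLOAD_ERR_OK) {
        return null; // field missing, slot left empty, or PHP reported an upload error
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_ATTACHMENT_BYTES) {
        return null; // not a genuine HTTP upload, or larger than the limit
    }
    $detected = (string) $finfo->file($tmp); // sniffed from content; $file['type'] is ignored
    $ext      = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed[$detected] ?? [], true)) {
        return null; // detected type and extension must both be on the allowlist
    }
    // Only the vetted extension of the client's filename reaches the e-mail.
    return 'attachment-' . bin2hex(random_bytes(4)) . '.' . $ext;
}

// Attaches every upload that passes vetUpload() and returns how many were attached.
function attachVettedUploads($mail, array $files): int
{
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $attached = 0;
    foreach (['tiedosto1', 'tiedosto2', 'tiedosto3', 'tiedosto4', 'tiedosto5'] as $field) {
        $name = vetUpload($files[$field] ?? null, $finfo);
        if ($name !== null) {
            $mail->AddAttachment($files[$field]['tmp_name'], $name);
            $attached++;
        }
    }
    return $attached;
}

// In the send script, in place of the five AddAttachment() calls:
// attachVettedUploads($mail, $_FILES);
```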
Question has a verified solution.
