[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

php mail

Posted on 2013-01-08
3
Medium Priority
?
294 Views
Last Modified: 2013-01-12
could you please check my script for security resons?
do you think I have an open space for the spammers to use my code to send spam emails from my web site?
I use also spry form validation with Dreamweaver.
<?php

$ipi = getenv("REMOTE_ADDR");

$httprefi = getenv ("HTTP_REFERER");

$httpagenti = getenv ("HTTP_USER_AGENT");

$httpref = $_POST['httpref'];

if(isset($_POST['email'])) {
     
    // EDIT THE 2 LINES BELOW AS REQUIRED
    $email_to = "my mail address";
    $email_subject = "contact form";
     
    function died($error) {
        // your error code can go here
        echo "there are some errors  ";
        echo "error<br /><br />";
        echo $error."<br /><br />";
        echo "Please go back and fix these errors.<br /><br />";
        die();
    }
     
    // validation expected data exists
    if(!isset($_POST['first_name']) ||
        !isset($_POST['last_name']) ||
        !isset($_POST['email']) ||
        !isset($_POST['telephone'])) {
        died('We are sorry, but there appears to be a problem with the form you submitted.');      
    }
     
    $first_name = $_POST['first_name']; // required
    $last_name = $_POST['last_name']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required
         
    $error_message = "";
    $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
  if(!preg_match($email_exp,$email_from)) {
    $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
  }
  
  if(strlen($error_message) > 0) {
    died($error_message);
  }
    $email_message = "Web site contact form\n\n";
     
    function clean_string($string) {
      $bad = array("content-type","bcc:","to:","cc:","href");
      return str_replace($bad,"",$string);
    }
     
    $email_message .= "<br><br>" . "Ad-Soyad: ".clean_string($first_name)."\n"."<br>";
	$email_message .= "Email: ".clean_string($email_from)."\n"."<br>";
	$email_message .= "Cep Tel: ".clean_string($telephone)."\n"."<br>";
    $email_message .= "Sehir: ".clean_string($last_name)."\n"."<br>";
    $email_message .= "IP: ".clean_string($ipi)."\n"."<br>";
	$email_message .= "Refferal: ".clean_string($httprefi)."\n"."<br>";
	$email_message .= "Browser: ".clean_string($httpagenti)."\n"."<br>";
 
$headers .= 'Content-type: text/html; charset=utf-8' ."\n";
$headers .= "Reply-To: myotheremail@domain.com" ."\n";
$headers .= 'Cc: myotheremail@domain.com'  ."\n";
$headers .= 'Bcc: myotheremail@domain.com' ."\n";


// create email headers
//$headers .= "From: info@livcon.com.tr" . "\r\n";
//$headers .= "Reply-To: info@livcon.com.tr" . "\r\n"; 
//$headers .= "Organization: LIVCON\r\n"; 
//$headers .= "X-Priority: 3\r\n";
//$headers .= "X-MSMail-Priority: Normal" ."\r\n";
'X-Mailer: PHP/' . phpversion();
@mail($email_to, $email_subject, $email_message, $headers); 

echo "thank you";
}
?>

Open in new window

0
Comment
Question by:Braveheartli
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 35

Accepted Solution

by:
gr8gonzo earned 1560 total points
ID: 38755175
It does not look like the code is vulnerable. You are controlling the To, CC, and BCC, and the headers, although I would make sure that your first $headers assignment is not appending:

From:
$headers .= 'Content-type: text/html; charset=utf-8' ."\n";

To:
$headers = 'Content-type: text/html; charset=utf-8' ."\n";
0
 
LVL 53

Assisted Solution

by:COBOLdinosaur
COBOLdinosaur earned 440 total points
ID: 38755362
The only thing I would change is the validation of the email address.

if (!filter_var($email_from, FILTER_VALIDATE_EMAIL))

Will catch any invalid email address without the regex

Cd&
0
 
LVL 13

Expert Comment

by:darren-w-
ID: 38756164
Use htmlentities on the message : $email_message
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

JavaScript has plenty of pieces of code people often just copy/paste from somewhere but never quite fully understand. Self-Executing functions are just one good example that I'll try to demystify here.
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question