Solved

php mail

Posted on 2013-01-08 | 267 Views | Last Modified: 2013-01-12
Could you please check my script for security reasons?
Do you think I have left an open space for spammers to use my code to send spam emails from my web site?
I also use Spry form validation with Dreamweaver.
<?php

// Request metadata; only ever placed in the message body, never in headers
$ipi = getenv("REMOTE_ADDR");
$httprefi = getenv("HTTP_REFERER");
$httpagenti = getenv("HTTP_USER_AGENT");
$httpref = isset($_POST['httpref']) ? $_POST['httpref'] : ''; // currently unused

if(isset($_POST['email'])) {

    // EDIT THE 2 LINES BELOW AS REQUIRED
    $email_to = "my mail address";
    $email_subject = "contact form";

    function died($error) {
        // your error code can go here
        echo "there are some errors  ";
        echo "error<br /><br />";
        echo $error."<br /><br />";
        echo "Please go back and fix these errors.<br /><br />";
        die();
    }

    // validation: expected data exists
    if(!isset($_POST['first_name']) ||
        !isset($_POST['last_name']) ||
        !isset($_POST['email']) ||
        !isset($_POST['telephone'])) {
        died('We are sorry, but there appears to be a problem with the form you submitted.');
    }

    $first_name = $_POST['first_name']; // required
    $last_name = $_POST['last_name']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required

    $error_message = "";
    $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
    if(!preg_match($email_exp,$email_from)) {
        $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
    }

    if(strlen($error_message) > 0) {
        died($error_message);
    }
    $email_message = "Web site contact form\n\n";

    // strips header-like tokens from values that go into the message body
    function clean_string($string) {
        $bad = array("content-type","bcc:","to:","cc:","href");
        return str_replace($bad,"",$string);
    }

    // field labels are Turkish: Ad-Soyad = name/surname, Cep Tel = mobile phone, Sehir = city
    $email_message .= "<br><br>" . "Ad-Soyad: ".clean_string($first_name)."\n"."<br>";
    $email_message .= "Email: ".clean_string($email_from)."\n"."<br>";
    $email_message .= "Cep Tel: ".clean_string($telephone)."\n"."<br>";
    $email_message .= "Sehir: ".clean_string($last_name)."\n"."<br>";
    $email_message .= "IP: ".clean_string($ipi)."\n"."<br>";
    $email_message .= "Refferal: ".clean_string($httprefi)."\n"."<br>";
    $email_message .= "Browser: ".clean_string($httpagenti)."\n"."<br>";

    // create email headers (all fixed values; nothing from the form is used here)
    $headers .= 'Content-type: text/html; charset=utf-8' ."\n";
    $headers .= "Reply-To: myotheremail@domain.com" ."\n";
    $headers .= 'Cc: myotheremail@domain.com'  ."\n";
    $headers .= 'Bcc: myotheremail@domain.com' ."\n";

    //$headers .= "From: info@livcon.com.tr" . "\r\n";
    //$headers .= "Reply-To: info@livcon.com.tr" . "\r\n";
    //$headers .= "Organization: LIVCON\r\n";
    //$headers .= "X-Priority: 3\r\n";
    //$headers .= "X-MSMail-Priority: Normal" ."\r\n";
    $headers .= 'X-Mailer: PHP/' . phpversion();
    @mail($email_to, $email_subject, $email_message, $headers);

    echo "thank you";
}
?>

Question by: Braveheartli
3 Comments
 
LVL 34

Accepted Solution

by:
gr8gonzo earned 390 total points
ID: 38755175
It does not look like the code is vulnerable. You are controlling the To, CC, and BCC, and the headers, although I would make sure that your first $headers assignment is not appending:

From:
$headers .= 'Content-type: text/html; charset=utf-8' ."\n";

To:
$headers = 'Content-type: text/html; charset=utf-8' ."\n";
 
LVL 53

Assisted Solution

by:COBOLdinosaur
COBOLdinosaur earned 110 total points
ID: 38755362
The only thing I would change is the validation of the email address.

if (!filter_var($email_from, FILTER_VALIDATE_EMAIL))

Will catch any invalid email address without the regex

Cd&
 
LVL 13

Expert Comment

by:darren-w-
ID: 38756164
Use htmlentities on the message : $email_message
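As an added example, not code from the question or any of the three answers, here is the handler rewritten to apply all three suggestions together: $headers assigned with "=" rather than ".=" (gr8gonzo), the address checked with FILTER_VALIDATE_EMAIL (COBOLdinosaur), and htmlentities on every value placed in the HTML body (darren-w-). It also assumes a variant where Reply-To is set to the visitor's address, which is the one place a form value reaches a header, so that value is additionally refused if it contains a line break; the recipient and reply addresses are placeholders.

```php
<?php
// Added example (not from the question or any answer): a hardened version of
// the contact-form handler. Field names are the author's, addresses are
// placeholders. It applies the thread's three suggestions and keeps every
// request-derived value out of the header block except a validated Reply-To.

function html_field(string $value): string {
    return htmlentities($value, ENT_QUOTES, 'UTF-8'); // no markup/links in body
}

function header_safe(string $value): string {
    // A CR or LF inside a header value starts a new header line (e.g. an
    // extra Bcc:), which is the injection the question asks about. Refuse it.
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return $value;
}

function build_contact_mail(array $post, string $ip, string $agent): ?array {
    foreach (['first_name', 'last_name', 'email', 'telephone'] as $f) {
        if (!isset($post[$f])) {
            return null;                      // form is missing a field
        }
    }
    $email_from = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
    if ($email_from === false) {
        return null;                          // not a valid single address
    }
    $body  = "Web site contact form<br><br>";
    $body .= "Ad-Soyad: " . html_field($post['first_name']) . "<br>";
    $body .= "Email: "    . html_field($email_from)          . "<br>";
    $body .= "Cep Tel: "  . html_field($post['telephone'])   . "<br>";
    $body .= "Sehir: "    . html_field($post['last_name'])   . "<br>";
    $body .= "IP: "       . html_field($ip)                  . "<br>";
    $body .= "Browser: "  . html_field($agent)               . "<br>";

    // "=" on the first line: $headers never inherits an earlier value.
    $headers  = "Content-type: text/html; charset=utf-8\r\n";
    $headers .= "Reply-To: " . header_safe($email_from) . "\r\n";
    $headers .= "X-Mailer: PHP/" . phpversion();
    return ['to' => 'contact@example.com', 'subject' => 'contact form',
            'body' => $body, 'headers' => $headers];
}

$m = build_contact_mail($_POST, (string) getenv('REMOTE_ADDR'),
                        (string) getenv('HTTP_USER_AGENT'));
if ($m === null) { die('Please go back and fix these errors.'); }
mail($m['to'], $m['subject'], $m['body'], $m['headers']);
```

Because FILTER_VALIDATE_EMAIL already rejects addresses containing CR or LF, header_safe() is a second, independent check on the only value that crosses into the header block.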
