Solved

php mail

Posted on 2013-01-08
Last Modified: 2013-01-12
Could you please check my script for security reasons?
Do you think I have left an opening for spammers to use my code to send spam emails from my web site?
I also use Spry form validation with Dreamweaver.
<?php

// Request metadata that is included in the message body
$ipi        = getenv("REMOTE_ADDR");
$httprefi   = getenv("HTTP_REFERER");
$httpagenti = getenv("HTTP_USER_AGENT");
$httpref    = isset($_POST['httpref']) ? $_POST['httpref'] : '';

if (isset($_POST['email'])) {

    // EDIT THE 2 LINES BELOW AS REQUIRED
    $email_to      = "my mail address";
    $email_subject = "contact form";

    function died($error) {
        // your error code can go here
        echo "there are some errors  ";
        echo "error<br /><br />";
        echo $error . "<br /><br />";
        echo "Please go back and fix these errors.<br /><br />";
        die();
    }

    // validation expected data exists
    if (!isset($_POST['first_name']) ||
        !isset($_POST['last_name']) ||
        !isset($_POST['email']) ||
        !isset($_POST['telephone'])) {
        died('We are sorry, but there appears to be a problem with the form you submitted.');
    }

    $first_name = $_POST['first_name']; // required
    $last_name  = $_POST['last_name'];  // required
    $email_from = $_POST['email'];      // required
    $telephone  = $_POST['telephone'];  // not required

    $error_message = "";
    $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
    if (!preg_match($email_exp, $email_from)) {
        $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
    }

    if (strlen($error_message) > 0) {
        died($error_message);
    }
    $email_message = "Web site contact form\n\n";

    // strip a few header keywords from user-supplied values
    function clean_string($string) {
        $bad = array("content-type", "bcc:", "to:", "cc:", "href");
        return str_replace($bad, "", $string);
    }

    // Labels are Turkish: Ad-Soyad = Name-Surname, Cep Tel = Mobile, Sehir = City
    $email_message .= "<br><br>" . "Ad-Soyad: " . clean_string($first_name) . "\n" . "<br>";
    $email_message .= "Email: " . clean_string($email_from) . "\n" . "<br>";
    $email_message .= "Cep Tel: " . clean_string($telephone) . "\n" . "<br>";
    $email_message .= "Sehir: " . clean_string($last_name) . "\n" . "<br>";
    $email_message .= "IP: " . clean_string($ipi) . "\n" . "<br>";
    $email_message .= "Referral: " . clean_string($httprefi) . "\n" . "<br>";
    $email_message .= "Browser: " . clean_string($httpagenti) . "\n" . "<br>";

    // create email headers
    $headers .= 'Content-type: text/html; charset=utf-8' . "\n";
    $headers .= "Reply-To: myotheremail@domain.com" . "\n";
    $headers .= 'Cc: myotheremail@domain.com' . "\n";
    $headers .= 'Bcc: myotheremail@domain.com' . "\n";
    //$headers .= "From: info@livcon.com.tr" . "\r\n";
    //$headers .= "Reply-To: info@livcon.com.tr" . "\r\n";
    //$headers .= "Organization: LIVCON\r\n";
    //$headers .= "X-Priority: 3\r\n";
    //$headers .= "X-MSMail-Priority: Normal" . "\r\n";
    $headers .= 'X-Mailer: PHP/' . phpversion();
    @mail($email_to, $email_subject, $email_message, $headers);

    echo "thank you";
}
?>


Question by: Braveheartli
3 Comments
 
LVL 35

Accepted Solution

by:
gr8gonzo earned 390 total points
ID: 38755175
It does not look like the code is vulnerable. You are controlling the To, CC, and BCC, and the headers, although I would make sure that your first $headers assignment is not appending:

From:
$headers .= 'Content-type: text/html; charset=utf-8' ."\n";

To:
$headers = 'Content-type: text/html; charset=utf-8' ."\n";
 
LVL 53

Assisted Solution

by:COBOLdinosaur
COBOLdinosaur earned 110 total points
ID: 38755362
The only thing I would change is the validation of the email address.

if (!filter_var($email_from, FILTER_VALIDATE_EMAIL))

Will catch any invalid email address without the regex

Cd&
 
LVL 13

Expert Comment

by:darren-w-
ID: 38756164
Use htmlentities on the message: $email_message
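The three suggestions in the thread (assign the first $headers line with "=" rather than ".=", validate the address with filter_var(), and HTML-escape the message body) combined into one hardened handler, as an added example that is not code from the original question or from any of the answers. It targets PHP 7.1 or later; the addresses, the helper names and build_contact_mail() are assumptions. It also adds the one check the thread leaves implicit: a value that is going to land in a mail header is refused if it contains a CR or LF, because that character pair is what a spammer needs to append extra "Bcc:" lines to the headers that mail() sends.

```php
<?php
// Added example, not part of the original question or answers.
// Hardened contact-form handler. Addresses below are placeholders (assumption).

const CONTACT_TO   = 'you@example.com';     // assumption: your own inbox
const CONTACT_FROM = 'noreply@example.com';  // assumption: fixed sender on your domain

// Reject a value that could break out of a header line. Returns null when
// unsafe: CR, LF or NUL would let "Bcc: victim@..." be appended to a header.
// Refusing is safer than stripping, which the original clean_string() tried.
function header_safe(string $value): ?string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return trim($value);
}

// Validate a submitted address. filter_var() replaces the hand-written regex
// and already rejects whitespace and control characters inside the address.
function valid_email(string $email): ?string
{
    $email = header_safe($email);
    if ($email === null) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) ?: null;
}

// Escape a value for an HTML-formatted body (the original sends text/html),
// so a submitted <script> or <a href> is shown literally in the mail client.
function body_safe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build subject, body and headers from the POSTed fields, or return an
// 'error' entry. No side effects, so it can be exercised without an MTA.
function build_contact_mail(array $post, array $server): array
{
    foreach (['first_name', 'last_name', 'email', 'telephone'] as $field) {
        // is_string() guards against email[]=... turning the value into an array
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return ['error' => 'There appears to be a problem with the form you submitted.'];
        }
    }

    $email_from = valid_email($post['email']);
    if ($email_from === null) {
        return ['error' => 'The Email Address you entered does not appear to be valid.'];
    }

    // Only the validated address reaches a header (Reply-To); every other
    // user-controlled value goes into the escaped body. Field mapping follows
    // the original form (first_name = name, last_name = city).
    $body  = "<p>Web site contact form</p>\n";
    $body .= '<p>Name: '     . body_safe($post['first_name'])               . "<br>\n";
    $body .= 'City: '        . body_safe($post['last_name'])                . "<br>\n";
    $body .= 'Email: '       . body_safe($email_from)                       . "<br>\n";
    $body .= 'Phone: '       . body_safe($post['telephone'])                . "<br>\n";
    $body .= 'IP: '          . body_safe($server['REMOTE_ADDR'] ?? '')      . "<br>\n";
    $body .= 'Referrer: '    . body_safe($server['HTTP_REFERER'] ?? '')     . "<br>\n";
    $body .= 'Browser: '     . body_safe($server['HTTP_USER_AGENT'] ?? '')  . "</p>\n";

    // Assign with "=" so nothing left over in $headers is carried along.
    $headers  = "From: " . CONTACT_FROM . "\r\n";
    $headers .= "Reply-To: " . $email_from . "\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/html; charset=utf-8\r\n";
    $headers .= "X-Mailer: PHP/" . PHP_VERSION;

    return ['subject' => 'contact form', 'body' => $body, 'headers' => $headers];
}

// Request handling: only this part touches mail(), and its return value is
// checked instead of being silenced with "@".
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $mail = build_contact_mail($_POST, $_SERVER);
    if (isset($mail['error'])) {
        http_response_code(400);
        echo body_safe($mail['error']);
        exit;
    }
    if (!mail(CONTACT_TO, $mail['subject'], $mail['body'], $mail['headers'])) {
        http_response_code(500);
        echo 'Sorry, the message could not be sent.';
        exit;
    }
    echo 'thank you';
}
```

A constructed email value such as "a@example.com\r\nBcc: victim@example.net" makes build_contact_mail() return the 'error' entry before any header is assembled. The original script is not open to this particular trick because $email_from is only ever written into the body; the moment you copy it into Reply-To, as contact forms usually want to, the CR/LF refusal is what keeps the form from becoming a relay. The PHP manual asks for headers separated by CRLF, but also notes that some Unix MTAs (qmail in particular) mangle CRLF, so if mail stops arriving after this change, switch the separator to "\n" and retest.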
