Solved

php mail

Posted on 2013-01-08
3
271 Views
Last Modified: 2013-01-12
Could you please check my script for security reasons?
Do you think I have left an opening for spammers to use my code to send spam emails from my web site?
I also use Spry form validation with Dreamweaver.
<?php

// Request metadata recorded in the message body (not taken from the form)
$ipi = getenv("REMOTE_ADDR");
$httprefi = getenv("HTTP_REFERER");
$httpagenti = getenv("HTTP_USER_AGENT");
$httpref = isset($_POST['httpref']) ? $_POST['httpref'] : '';

if(isset($_POST['email'])) {

    // EDIT THE 2 LINES BELOW AS REQUIRED
    $email_to = "my mail address";
    $email_subject = "contact form";

    function died($error) {
        // your error code can go here
        echo "there are some errors  ";
        echo "error<br /><br />";
        echo $error."<br /><br />";
        echo "Please go back and fix these errors.<br /><br />";
        die();
    }

    // validation: expected data exists
    if(!isset($_POST['first_name']) ||
        !isset($_POST['last_name']) ||
        !isset($_POST['email']) ||
        !isset($_POST['telephone'])) {
        died('We are sorry, but there appears to be a problem with the form you submitted.');
    }

    $first_name = $_POST['first_name']; // required
    $last_name = $_POST['last_name']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required

    $error_message = "";
    $email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
    if(!preg_match($email_exp,$email_from)) {
        $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
    }

    if(strlen($error_message) > 0) {
        died($error_message);
    }
    $email_message = "Web site contact form\n\n";

    // strip header keywords from user-supplied text before it goes into the body
    function clean_string($string) {
        $bad = array("content-type","bcc:","to:","cc:","href");
        return str_replace($bad,"",$string);
    }

    $email_message .= "<br><br>" . "Ad-Soyad: ".clean_string($first_name)."\n"."<br>";
    $email_message .= "Email: ".clean_string($email_from)."\n"."<br>";
    $email_message .= "Cep Tel: ".clean_string($telephone)."\n"."<br>";
    $email_message .= "Sehir: ".clean_string($last_name)."\n"."<br>";
    $email_message .= "IP: ".clean_string($ipi)."\n"."<br>";
    $email_message .= "Referrer: ".clean_string($httprefi)."\n"."<br>";
    $email_message .= "Browser: ".clean_string($httpagenti)."\n"."<br>";

    // create email headers (recipients and Reply-To are fixed, not taken from the form)
    $headers .= 'Content-type: text/html; charset=utf-8' ."\n";
    $headers .= "Reply-To: myotheremail@domain.com" ."\n";
    $headers .= 'Cc: myotheremail@domain.com'  ."\n";
    $headers .= 'Bcc: myotheremail@domain.com' ."\n";

    //$headers .= "From: info@livcon.com.tr" . "\r\n";
    //$headers .= "Reply-To: info@livcon.com.tr" . "\r\n";
    //$headers .= "Organization: LIVCON\r\n";
    //$headers .= "X-Priority: 3\r\n";
    //$headers .= "X-MSMail-Priority: Normal" ."\r\n";
    $headers .= 'X-Mailer: PHP/' . phpversion();
    @mail($email_to, $email_subject, $email_message, $headers);

    echo "thank you";
}
?>

Question by:Braveheartli
3 Comments
 
LVL 34

Accepted Solution

by:
gr8gonzo earned 390 total points
ID: 38755175
It does not look like the code is vulnerable. You are controlling the To, CC, and BCC, and the headers, although I would make sure that your first $headers assignment is not appending:

From:
$headers .= 'Content-type: text/html; charset=utf-8' ."\n";

To:
$headers = 'Content-type: text/html; charset=utf-8' ."\n";
 
LVL 53

Assisted Solution

by:COBOLdinosaur
COBOLdinosaur earned 110 total points
ID: 38755362
The only thing I would change is the validation of the email address.

if (!filter_var($email_from, FILTER_VALIDATE_EMAIL))

will catch any invalid email address without the regex.

Cd&
 
LVL 13

Expert Comment

by:darren-w-
ID: 38756164
Use htmlentities on the message: $email_message
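The three suggestions above (initialise $headers with "=", validate with filter_var(), escape the body with htmlentities()) combined into one hardened version of the question's validation and header assembly. This is an added example, not code from the asker or any of the commenters; the function names, the Reply-To parameter and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the question or the answers): a hardened form of the
// handler's validation and header assembly. Names and samples are constructed.

// Answer 2: filter_var() instead of the hand-written regex. It also rejects a
// trailing newline, which the regex's "$" (without the D modifier) tolerates.
function valid_email($addr) {
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Anything placed in a mail header must not contain CR or LF: a line break in
// a header value is what lets extra headers be appended to the message.
function header_safe($value) {
    return preg_match('/[\r\n]/', $value) === 0;
}

// Answer 1: the first assignment uses "=" so $headers never builds on an
// undefined (or previously set) value; the addresses come from config, not the form.
function build_headers($reply_to) {
    if (!header_safe($reply_to) || !valid_email($reply_to)) {
        throw new InvalidArgumentException('unsafe Reply-To address');
    }
    $headers  = "Content-type: text/html; charset=utf-8\r\n";
    $headers .= "Reply-To: " . $reply_to . "\r\n";
    $headers .= "X-Mailer: PHP/" . phpversion();
    return $headers;
}

// Answer 3: escape user-supplied text before it goes into an HTML body.
function body_line($label, $value) {
    return $label . ": " . htmlentities($value, ENT_QUOTES, 'UTF-8') . "<br>\n";
}

// Constructed inputs: the regex from the question compared with filter_var().
$regex = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
$samples = array("user@example.com", "user@example.com\n", "user@example.com\r\nX: y");
foreach ($samples as $s) {
    printf("%-32s regex=%d filter_var=%d header_safe=%d\n",
        json_encode($s), preg_match($regex, $s),
        valid_email($s) ? 1 : 0, header_safe($s) ? 1 : 0);
}

echo build_headers("myotheremail@domain.com"), "\n";
echo body_line("Email", "<b>name</b>@example.com");
```

Run from the command line: the regex accepts the second sample because an unanchored "$" matches before one trailing newline, while filter_var() and header_safe() both reject it.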
