PHP contact form with basic anti-header-injection checks and simple URL spam filtering
<?php
/*
// LOOK AT THE FORM AT THE END AND MAKE CHANGES TO THE FIELDS
// REFLECT THOSE CHANGES IN THE FIELDS LISTED BELOW TOO!
//
// THIS SCRIPT IS RELEASED AS IS FOR YOUR OWN USE AND TESTING
// YOU MAY MODIFY IT BUT YOUR MODIFICATIONS MUST ALSO BE RELEASED
// UNDER THE SAME LICENCE/CONDITIONS
//
// The latest version will be available via
// http://www.liamdelahunty.com/tips/contact_form.php
// Please consider a donation if this script is useful to you
// Please retain this notice in your script, and in all subsequent versions.
//
// You may remove the link to my page in the form
//
*/
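// UPDATE THESE FIELDS
// Recipient of every submission. SERVER_NAME can follow the client's Host header
// on some Apache setups (UseCanonicalName Off), in which case a forged Host
// header redirects the mail - hard-code your real address here instead.
$email_to = "contact.form@" . (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : ""); // UPDATE TO YOUR EMAIL
// SCRIPT_URI is an Apache variable that is not always present; read it from
// $_SERVER rather than relying on register_globals (removed in PHP 5.4).
$email_subject = (isset($_SERVER["SCRIPT_URI"]) ? $_SERVER["SCRIPT_URI"] : "") . " Contact Form"; // UPDATE SUBJECT
// Send the $_SERVER vars in the mail - 0=no, 1=yes. NOTE: that includes cookies,
// any PHP_AUTH_* values and file-system paths, so only enable it for a trusted mailbox.
$send_server_data = 1;
// list of required fields make sure the name is same in form.
$required = array("email", "comments");
// Fields that must never contain CR/LF - every form field except the free-text
// comments box. A line break in one of these is the mail header-injection vector.
// Keep this list in step with the form at the end of the script.
$single_line_fields = array("name", "email", "hear_about_us", "newsletter", "submit");
$crlftest = "";
foreach ($single_line_fields as $field) {
    // isset/is_string: missing fields and name[]=... arrays are skipped instead of raising notices
    if (isset($_POST[$field]) && is_string($_POST[$field])) {
        $crlftest .= $_POST[$field];
    }
}
// PHP has already URL-decoded $_POST; decoding again only makes the later
// CR/LF test stricter (a literal "%0A" in a field counts as a newline). Kept on purpose.
$crlftest = urldecode($crlftest);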
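// Open a table row for form field $fieldname, marking the first cell with
// class "err" when $err_array holds a message for that field. Prints either
// "<tr><td class=err>" or "<tr><td>"; the caller finishes and closes the row.
// $err_array may be null/unset on the first render, hence the guard (indexing
// an undefined variable used to raise a notice on every row).
function table_errs($err_array, $fieldname){
    $has_error = is_array($err_array) && !empty($err_array[$fieldname]);
    print ("<tr>");
    print ($has_error ? "<td class=err>" : "<td>");
}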
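// Record an error in the global $err_array when $fieldname is listed in
// $required and the posted value is missing, not a string, or blank after
// trimming. Returns the (global) error array so callers can inspect it.
// $fieldname may be an attacker-chosen POST key, so it is HTML-escaped before
// it is placed in the message that the page later prints.
function check_required($required,$fieldname){
    global $err_array;
    if (!is_array($err_array)) {
        $err_array = array();
    }
    // strict in_array: numeric POST keys arrive as ints and must not loosely match
    if (in_array((string) $fieldname, $required, true)){
        $value = isset($_POST[$fieldname]) ? $_POST[$fieldname] : "";
        if (!is_string($value) || trim($value) === ""){
            $safe_name = htmlspecialchars((string) $fieldname, ENT_QUOTES);
            $err_array[$fieldname] = "<b>Sorry</b> $safe_name is required.<br>";
        }
    }
    return $err_array;
}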
// Polyfill for PHP releases that predate the builtin stripos(): a
// case-insensitive strpos(), returning the byte offset of the first match
// (from $offset onwards) or FALSE.
if (!function_exists("stripos")) {
    function stripos($str,$needle,$offset=0)
    {
        $haystack_lc = strtolower($str);
        $needle_lc = strtolower($needle);
        return strpos($haystack_lc, $needle_lc, $offset);
    }
}
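// Escape a value for HTML text or a double-quoted attribute. Guarded so the
// file can be included more than once without a redeclaration error.
if (!function_exists("cf_esc")) {
    function cf_esc($value){
        return htmlspecialchars((string) $value, ENT_QUOTES);
    }
}

// Form state is read explicitly from $_POST. The earlier version relied on
// register_globals and additionally did `$$key = $value` for every POST key,
// which let a visitor overwrite $email_to, $required, $nasties, $crlftest ...
// from the form itself (e.g. post email_to=<address> to relay mail anywhere).
// None of that is needed: the handful of named form fields are the only values
// this page uses.
$err_array = array();
$err_count = 0;
$submit = isset($_POST["submit"]);
$name = (isset($_POST["name"]) && is_string($_POST["name"])) ? $_POST["name"] : "";
$email = (isset($_POST["email"]) && is_string($_POST["email"])) ? trim($_POST["email"]) : "";
$comments = (isset($_POST["comments"]) && is_string($_POST["comments"])) ? $_POST["comments"] : "";
$hear_about_us = (isset($_POST["hear_about_us"]) && is_string($_POST["hear_about_us"])) ? $_POST["hear_about_us"] : "";

if ($submit){
    // Anchored pattern (the D modifier stops "$" matching before a trailing
    // newline) so the whole value has to be a single address: a CR/LF or a
    // second address can then never reach the From: header below.
    if ($email != ""){
        if (!preg_match('/^[_a-zA-Z0-9.\-]+@[_a-zA-Z0-9\-]+(\.[_a-zA-Z0-9\-]+)+$/D', $email)){
            $err_array["email"] = "<b>Sorry</b> your email address (" . cf_esc($email) . ") doesn't appear to be valid<br>";
        }
    }
    // Header names that have no business in a form field. Defence in depth only:
    // the CR/LF test further down is what actually blocks header injection.
    $nasties = array("Content-Type:", "To:", "Cc:", "Bcc:");
    foreach ($_POST as $key => $value){
        // POST keys are chosen by the client; escape them before echoing.
        $label = cf_esc($key);
        if (!is_string($value)){
            // name[]=... produces an array; nothing below expects one.
            $err_array[$key] = "<b>Error</b> Unexpected value in $label.";
            continue;
        }
        // Annoying URL spams in comments any field
        $http = substr_count($value, "http");
        $href = substr_count($value, "href");
        $url = substr_count($value, "[url");
        if ($http > 1 OR $href > 1 OR $url > 1){
            $err_array[$key] = "<b>Sorry</b> That looks a bit spammy. Rewrite it please.<br> $label - $http $href $url";
        }
        foreach ($nasties as $nasty){
            if (stripos($value, $nasty) !== FALSE){
                $err_array[$key] = "<b>Error</b> No need for " . cf_esc($nasty) . " in $label.";
            }
        }
    }
    // Check every required field, including ones missing from the POST entirely
    // (the old loop only ever saw keys that were actually submitted).
    foreach ($required as $field){
        check_required($required, $field);
    }
    // $crlftest (built near the top of the script from the single-line fields)
    // must not contain a line break: that is the header-injection vector for mail().
    if (preg_match('/[\r\n]/', (string) $crlftest)){
        $err_array[] = "<b>Error</b> One of more fields has a suspect content.";
    }
    // The Referer is trivially forged and often stripped by proxies/privacy tools,
    // so this is a bot speed-bump, not CSRF protection; a per-session token would be.
    $referer = isset($_SERVER["HTTP_REFERER"]) ? preg_replace('/\?.*/', "", $_SERVER["HTTP_REFERER"]) : "";
    $script_uri = isset($_SERVER["SCRIPT_URI"]) ? $_SERVER["SCRIPT_URI"] : "";
    if ($referer !== $script_uri){
        $err_array[] = "<b>Error</b> Referer is not from this page. Your form can not be sent. Please contact via the email link below.";
    }
    $err_count = count($err_array);
    if ($err_count != 0){
        print ("<p class=err>Please correct the $err_count error(s):<br>");
        foreach ($err_array as $value){
            print ("$value<br>");
        }
        print ("</p>");
    }else{
        // No errors: build and send the message.
        $message = "";
        foreach ($_POST as $key => $value){
            $message .= "$key:\n$value\n\n";
        }
        if ($send_server_data){
            // NOTE: this copies every $_SERVER entry into the mail - cookies, any
            // PHP_AUTH_* / Authorization values, file-system paths. Leave it on
            // only if the mailbox is as trusted as the server itself.
            $message .= "\n\nSERVER:\n";
            foreach ($_SERVER as $key => $value){
                if (is_scalar($value)){
                    $message .= "$key:\n$value\n\n";
                }
            }
        }
        // The subject is built from request data as well and must not carry a line break.
        $subject = str_replace(array("\r", "\n"), " ", (string) $email_subject);
        // NOTE: using the visitor's address as From: fails SPF/DMARC checks at many
        // receivers today; a server-owned From: plus "Reply-To: $email" is the usual fix.
        $email_headers = "From: $email\n";
        // A mail() warning would leak server detail into the page, so it is
        // suppressed and the return value is checked instead of being ignored.
        if (@mail($email_to, $subject, $message, $email_headers)){
            print ("<p><b>Thank you " . cf_esc($name) . ".</b></p>");
        }else{
            $err_count = 1; // re-show the submit button below
            print ("<p class=err>Sorry, your message could not be sent. Please contact via the email link below.</p>");
        }
    }
}
if (!$submit OR $err_count != 0){
    print ("<p>Please use the form to send us a message.</p>");
}
// PHP_SELF can include path info taken from the request URL, so it is escaped
// like any other untrusted value. Every echoed field value is escaped too.
$action = isset($_SERVER["PHP_SELF"]) ? cf_esc($_SERVER["PHP_SELF"]) : "";
print ("<form action=\"$action\" method=\"POST\">");
print ("<table>\n");
table_errs($err_array, "name");
print ("Your name: </td><td><input type=\"text\" size=35 name=\"name\" value=\"" . cf_esc($name) . "\"></td></tr>\n");
table_errs($err_array, "email");
print ("Your email (required): </td><td><input type=\"Text\" size=35 name=\"email\" value=\"" . cf_esc($email) . "\"></td></tr>\n");
table_errs($err_array, "comments");
print ("Your comments</td><td><textarea name=\"comments\" cols=\"29\" rows=\"4\">" . cf_esc($comments) . "</textarea></td></tr>\n");
table_errs($err_array, "hear_about_us");
print ("How did hear about us?</td><td><input type=\"Text\" size=35 name=\"hear_about_us\" value=\"" . cf_esc($hear_about_us) . "\"></td></tr>\n");
print ("<tr><td>Would you like to receive our occasional newsletter?</td><td><input type=\"Checkbox\" name=\"newsletter\" checked></td></tr>\n");
if (!$submit OR $err_count != 0){
    print ("<tr><td> </td><td><input name=\"submit\" type=\"Submit\" value=\"Send\"></td></tr>\n");
}else{
    print ("<tr><td> </td><td><b>Request Submited</b></td></tr>\n");
    print ("<tr><td colspan=\"2\" align=\"center\">Contact form from <a href=\"http://www.liamdelahunty.com/tips/\">Liam Delahunty's Hints and Tips</a></td></tr>\n");
}
print ("</table>");
print ("</form>");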
?>
<?php
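// Encode every byte of $str as a decimal HTML character reference ("&#NN;"),
// a light obfuscation of the mailto: address against address harvesters.
// Returns the encoded string and, for the existing callers that read it,
// also stores it in the global $encoded (the original returned nothing).
function ascii_encode($str){
    global $encoded;
    $encoded = "";
    $len = strlen($str);
    for ($i = 0; $i < $len; $i++){
        // byte-wise on purpose: ord() of each byte, not of a whole character
        $encoded .= '&#' . ord($str[$i]) . ';';
    }
    return $encoded;
}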
// Print the obfuscated mailto: link for the recipient address. ascii_encode()
// fills the global $encoded with "&#NN;" references only, so the value is safe
// both inside the href attribute and as the link text.
ascii_encode($email_to);
$mailto_html = "<p><a href=\"mailto:$encoded\">$encoded</a></p>";
print ($mailto_html);
?>