How hard is it to make your own contact form? I can get a free form made really easily online, but I'm wondering how it goes making your own. Anyone have any experience?
I would have sent you one working contact form by email seconds ago, but you have either no email or email contact disabled. PM is too inefficient. A contact form is very simple and you may find one at hotscripts.com.
To make things easy, here below is the code. It gives you 1. the form you insert into an HTML page, 2. the PHP file that processes the form and sends it to your email address.

This form below: insert it into an HTML page.

<form name="contactme" action="contactme.php" method="post">
<div align="center">
<table>
<tr>
<td align="right">Your Name:</td>
<td width="15"> </td>
<td><input size="45" maxlength="45" type="text" name="name" style="font-family: Courier New; font-size: 10pt"></td>
</tr>
<tr>
<td align="right">Your Email Address:</td>
<td> </td>
<td><input size="45" maxlength="45" type="text" name="from" style="font-family: Courier New; font-size: 10pt"></td>
</tr>
<tr>
<td align="right">eMail Subject:</td>
<td> </td>
<td><input size="45" maxlength="90" type="text" name="subject" style="font-family: Courier New; font-size: 10pt"></td>
</tr>
<tr>
<td valign="top" align="right">Contents:</td>
<td> </td>
<td><textarea name="body" rows="12" cols="60" style="font-family: Courier New; font-size: 10pt"></textarea></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td><input type="submit" value=" Submit " name="submit" style="font-size: 10pt; font-family: Tahoma"></td>
</tr>
</table>
</div>
</form>

Below, the PHP code: save the code below in the same folder to a file called, in our example, contactme.php. The name MUST be identical to the one in the form itself!!!! If you save it into ANOTHER folder, then adapt the path of "action=contactme.php" above.

<?php
// read the four form fields (register_globals is off in any current PHP)
$name    = $_POST['name'];
$from    = $_POST['from'];
$subject = $_POST['subject'];
$body    = " $name ($from) sent you an online message:

Comments:
========
" . $_POST['body'];
// mail($to, $subject, $message, $additional_headers): the sender goes into the From header
// nothing is validated here: a line break in $from or $subject ends up in the mail headers
$success = mail("YOUR recipient email @ your_site dot com", $subject, $body, "From: $from");
?>
<html>
<head>
</head>
<body>
. . . Thank you for your message . . .
</body>
</html>
Don't use that PHP! There's no error checking or validation, and it's wide open to being used as a platform for huge spam farms.
Listen to Adam. If you don't want to take him at his word, read email injection—SecurePHP. cheers, gary
Giving a full, detailed, working example of a better PHP contact form might be helpful if you know any better. Welcome to share your expertise.
I'm sorry to say my ken of RFCs 822, 2822 and 2821 is too poor to fully understand all the security issues. For that reason, I wouldn't be able to recommend a script, but I can sure as hell spot one that has done nothing to secure against email injection exploits. cheers, gary
I wrote one a couple of years ago; it has been deployed on hundreds of sites and, to my knowledge, it has never been exploited by spammers (and my logs indicate that they have tried). The example above is very bad and could be exploited in so many ways. Do not use it ever! It would take about 30 seconds to set up an XSS exploit that would be capable of spewing out spam by the bucketload. An example this bad is far worse than no example at all, because of its serious flaws.
The problem is that you can simply add "fakesender@yahoo.com \r\n bcc:sendmespam@yahoo.com" into your sender field and your form will fire 2 emails out. "\r\n" adds another line to the email header and bcc:sendmespam@yahoo.com is your spam target. To fix that, you should check the string for a valid email at least:

function isMail($emailaddress) {
    // one address only: no whitespace, a domain with at least one dot, a 2-3 letter TLD
    // (preg_match replaces the removed eregi; the dot before the TLD must be escaped)
    return preg_match('/^[^@\s]+@([[:alnum:]-]+\.)+[[:alnum:]]{2,3}$/i', $emailaddress) === 1;
}

// usage
if (!isMail($sender)) {
    echo "invalid mail address!";
}

Returns true for valid addresses or false if the email is invalid (or if there is more than just an email address in the string). Also check the subject line for any line breaks; you can add this bcc header there as well.
Is there a particular reason why you don't want to share your contact form with us HERE in the DP forum?? Maybe your form is exactly what we all are waiting for: a better working, more secure form. BTW, I have used the one posted for more than a year, and a few other sites as well; it has never been exploited so far. The risk of getting killed by a car out in the streets or poisoned by bad food was a far greater concern to me than email spam that might eventually one day come, or never occur. My site has been abused by hackers and I have learned to act on intrusion; my host cares as well.
RRWH, thanks for sharing your download link. BTW, I have tried the methods described above to add \r\n bcc:sendmespam-@-yahoo.com to a test sender's address and see that, just by the definition of the field size in the simple form, there is insufficient space defined to add even one more email address, unless of course both sender and spam recipient were very short. Hence, for the time being, I prefer to keep simple things simple and focus on quality instead. A host also has tools to prevent outgoing spam, since everything goes through the host's local mail system. I enjoy the world's largest host and have been quite happy for 2 years. The hackers I had once, a while ago, used other, far more professional, methods to do their jobs. That was serious security stuff and I spent some 2 weeks full time to study and solve the security issue. Since then my host has installed a 2nd security monitoring system just for my site (and maybe others as well) to monitor live all attempts of site intrusion. Successful teamwork so far.

falcondriver, I haven't figured out how to add the lines you posted. It seems they are NOT for the form and PHP posted on this page and need further changes of variables. I am, like so many, NO coder at all, just a user of the web for successful web publishing. The regex looks good and may make sense; maybe you could further explain HOW exactly to use the lines with the form code posted HERE in this thread to make a simple contact form secure.
Noooo, you got it all wrong! It's only your browser that limits the input field. There are plenty of programs out there that read the available fields from a webpage and let the spammer fill in every value they want, without a limit (unless you verify the input in your sender script via PHP). And you don't insert "\r\n" into this value, this is just how you write breaks in PHP (like "line 1\r\nline2"). If you want to insert multiple lines into a plain input field, just write the lines separated with a "return key" in an editor like Notepad, press Ctrl+A and Ctrl+C and paste it into the input field via Ctrl+V, that's all! Like I said, this was just an easy function to check for a correct email address. What you need is at http://www.php.net/manual/en/function.mail.php (scroll down to the user comment "rsjaffe at gmail dot com 23-May-2006 08:23 Here's my way of detecting an attempt to hijack my mail form."). And you SHOULD always secure your mail fields. Some people tried to use my form for spam maybe 20x in the last 12 months, and I only know it because I get an extra email with the used mail header every time someone uses my form. How would you know that your form is being abused with your plain mail($myemail, $senderfield, $subject, $text) function?
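A hardened handler for the form posted earlier in this thread, written here as an added example (it is not code from any poster): it applies the two checks falcondriver describes, a single well-formed sender address and no line breaks in any header-bound field, and logs every rejected submission so abuse attempts stay visible, which is the "how would you know" point above. Field names match the posted form; RECIPIENT and LOG_FILE are placeholders, and it assumes PHP 5.4 or later.

```php
<?php
// Added example, not code posted in this thread: a hardened contactme.php for
// the posted form (fields name, from, subject, body). RECIPIENT, LOG_FILE: placeholders.
declare(strict_types=1);
const RECIPIENT = 'you@example.com';                 // placeholder
const LOG_FILE  = __DIR__ . '/contact-rejects.log';  // placeholder

// Anything that ends up in a mail header must be a single line: a CR or LF
// is exactly what the "\r\n bcc:" trick needs to smuggle an extra header.
function isSingleLine(string $value): bool {
    return preg_match('/[\r\n]/', $value) !== 1;
}
// Accept the sender only as one well-formed address with nothing appended.
function isValidSender(string $address): bool {
    return isSingleLine($address) && strlen($address) <= 254
        && filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}
// Returns [] when all fields pass, else the reasons (also appended to LOG_FILE).
function validateContact(array $f): array {
    $errors = [];
    foreach (['name', 'subject'] as $key) {
        if (!isset($f[$key]) || !isSingleLine((string) $f[$key])) {
            $errors[] = "$key missing or contains a line break";
        }
    }
    if (!isset($f['from']) || !isValidSender((string) $f['from'])) {
        $errors[] = 'from is not a single valid e-mail address';
    }
    if (!isset($f['body']) || trim((string) $f['body']) === '') {
        $errors[] = 'body is empty';
    }
    if ($errors !== []) {
        error_log(date('c') . ' rejected (' . implode('; ', $errors) . ') from='
            . json_encode($f['from'] ?? '') . PHP_EOL, 3, LOG_FILE);
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (validateContact($_POST) !== []) {
        http_response_code(400);
        exit('Your message could not be sent.');
    }
    // From stays a fixed local address; the visitor's address goes in Reply-To.
    $headers = 'From: ' . RECIPIENT . "\r\nReply-To: " . $_POST['from'] . "\r\n";
    $message = $_POST['name'] . ' (' . $_POST['from'] . ") sent you an online message:\n\n"
        . $_POST['body'];
    mail(RECIPIENT, $_POST['subject'], $message, $headers);
    echo 'Thank you for your message';
}
```

A pasted value such as "fakesender@yahoo.com \r\n bcc:..." fails both isSingleLine and isValidSender, so the mail is never sent and the attempt lands in the reject log.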
Thanks, I am looking into it. Since my host supports PHP 4 only and not PHP 5, which the sample you referred to needs, I have to stick to common scripts for 4 only.
or even easier, make the form using the wizard that can be found in most of cpanel. after it's done, copy the form link, insert the link into an inline frame of the page you intend to put the form in, and wallaaa, there you have it. That's what I did anyway.