I made a contact form in PHP with antispam protection, but when I execute the cURL script below the email is still sent to my email address, which is whovisitedme@gmail.com. And in that cURL I don't even bother to fill in all the inputs. I fill in only the first two.

curl_send.php

```php
<?php
$ch = curl_init("http://accesinterzis.ro/myportofolio/contactform.php");
curl_setopt($ch, CURLOPT_POST, true);
// only name, phone_number and send are posted; email, message and security_code are absent
curl_setopt($ch, CURLOPT_POSTFIELDS, "name=AAAAAAAAAAAAA&phone_number=314&send=send");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3");
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
echo curl_exec($ch);
curl_close($ch);
?>
```

contactform.php

```php
<?php
session_start();

if (isset($_POST['send'])) {
    $errors = array();

    // validation runs over the keys that arrived in $_POST
    foreach ($_POST as $k => $v) {
        $v = trim($v);
        $$k = htmlentities(stripslashes($v)); // variable variables: $name, $phone_number, $email, ...
        if (!isset($v)) {
            $errors[$k] = true;
        } else {
            if ($k != "message") {
                if (strlen($v) > 30) {
                    $errors[$k] = true;
                } else {
                    if ($k == 'name' && !preg_match('/^[a-z0-9_. ]*$/i', $v)) { $errors[$k] = true; }
                    if ($k == 'phone_number' && !preg_match('/^[0-9.+ ]*$/', $v)) { $errors[$k] = true; }
                    if ($k == 'email' && !preg_match('/^[a-z0-9_.]+@[a-z0-9-.]+\.[a-z]{2,4}$/i', $v)) { $errors[$k] = true; }
                    if ($k == 'security_code' && $_SESSION['security_code'] != $v) { $errors[$k] = true; }
                }
            }
        }
    }

    if (count($errors) == 0) {
        $to = 'whovisitedme@gmail.com';
        $subject = substr($message, 0, 20).'...';
        $body = 'This message is received from http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'<br /><br />
            <strong>Name</strong>: '.$name.'<br />
            <strong>Phone number</strong>: '.$phone_number.'<br />
            <strong>Email address</strong>: '.$email.'<br />
            <strong>Message</strong>: '.$message.'<br /><br />
            <strong style="color:#c00;">Infos about sender:</strong><br />
            <strong>IP address</strong>: '.$_SERVER['REMOTE_ADDR'].'<br />
            <strong>browser and operating system</strong>: '.$_SERVER['HTTP_USER_AGENT'].'<br />
            <strong>dispatch hour</strong>: '.date("l, F j, Y, H:i:s");
        $headers  = "From: ".$email."\r\n";
        $headers .= 'MIME-Version: 1.0'."\r\n";
        $headers .= 'Content-type: text/html; charset=utf-8'."\r\n";
        if (mail($to, $subject, $body, $headers)) {
            $confirmation = 'Your message was successfully sent. We will get in touch with you as soon as possible.';
        } else {
            $confirmation = 'Something is wrong with the server. Your message wasn\'t sent.';
        }
    } else {
        $confirmation = 'We got '.count($errors).' error(s). Check out the highlighted field(s).';
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <title>How do I make a contact form?</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta name="description" content="How do I make a contact form?" />
    <meta name="keywords" content="contact,form,php,script,send,email" />
    <meta name="abstract" content="How do I make a contact form?" />
    <meta name="author" content="AccesInterzis" />
    <meta name="copyright" content="AccesInterzis" />
    <meta name="robots" content="index,follow" />
    <meta name="revisit-after" content="7 days" />
    <link href="http://www.accesinterzis.ro/myportofolio/css/reset.css" type="text/css" rel="stylesheet" media="all" />
    <style type="text/css">
        /* the css which creates the form skin */
    </style>
</head>
<body>
<form action="<?php echo htmlentities(strip_tags('http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']), ENT_QUOTES, 'utf-8'); ?>" method="post" id="contact_form">
    <h1><label> </label> Contact us</h1>
    <?php if ($confirmation) echo '<p id="confirmation">'.$confirmation.'</p>'; ?>
    <div <?php if ($errors['name']) echo 'id="name_field"'; ?>>
        <label for="name">Name<span>*</span>:</label>
        <input name="name" type="text" id="name" value="<?php if ($name) echo $name; ?>" />
    </div>
    <div <?php if ($errors['phone_number']) echo 'id="phone_number_field"'; ?>>
        <label for="phone_number">Phone number<span>*</span>:</label>
        <input name="phone_number" type="text" id="phone_number" value="<?php if ($phone_number) echo $phone_number; ?>" />
    </div>
    <div <?php if ($errors['email']) echo 'id="email_field"'; ?>>
        <label for="email">Email<span>*</span>:</label>
        <input name="email" type="text" id="email" value="<?php if ($email) echo $email; ?>" />
    </div>
    <div <?php if ($errors['message']) echo 'id="message_field"'; ?>>
        <label for="message">Your message<span>*</span>:</label>
        <textarea name="message" rows="1" cols="1" id="message"><?php if ($message) echo $message; ?></textarea>
    </div>
    <div style="padding-left:115px;">
        <img src="includes/captchaimage.inc.php?width=120&height=40&characters=5" />
    </div>
    <div <?php if ($errors['security_code']) echo 'id="security_code_field"'; ?>>
        <label for="security_code">Are you human?<span>*</span></label>
        <input id="security_code" name="security_code" type="text" />
    </div>
    <div>
        <label> </label>
        <input name="send" type="submit" id="send" value="send" />
    </div>
</form>
</body>
</html>
```

Where is the bug? Why can someone send an email using a bot or cURL, as long as I have implemented a captcha in my contact form?
OK. I got it. Now I understand where the bug is. The first solution to fix it that popped into my mind was to replace

```php
if (isset($_POST['send'])) {
```

with

```php
if (isset($_POST['name']) && isset($_POST['phone_number']) && isset($_POST['email']) && isset($_POST['security_code']) && isset($_POST['message']) && isset($_POST['send'])) {
```

In this way I ensure that all my inputs are required. Do you have a better solution?
You can simply do:

```php
if (!empty($_POST)) {
```

and @javaongsan: cURL doesn't execute JavaScript, since it's being parsed and the process is not viewed via the browser. Furthermore, JavaScript can easily be disabled. Therefore use PHP to validate, and the JS is optional.
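A server-side validation routine that closes the gap discussed in this thread, added here as an example and not code from any of the posters: instead of looping over whatever keys the client chose to send, it loops over a fixed list of required fields, so a request that omits security_code (as the cURL test in the first post does) is rejected rather than silently skipped. The function name, the `$clean` array and the session key usage are assumptions about how it would be wired into contactform.php.

```php
<?php
// Added example (not the original poster's code): validate against an explicit
// list of required fields rather than against the keys present in $_POST.
function validate_contact(array $post, $session_code)
{
    $required = array('name', 'phone_number', 'email', 'message', 'security_code');
    $errors   = array();
    $clean    = array();

    foreach ($required as $field) {
        // A missing or empty field is an error; the original loop never saw missing fields.
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[$field] = true;
            continue;
        }
        $v = trim((string) $post[$field]);
        if ($field !== 'message' && strlen($v) > 30) {
            $errors[$field] = true;
            continue;
        }
        switch ($field) {
            case 'name':
                if (!preg_match('/^[a-z0-9_. ]*$/i', $v)) { $errors[$field] = true; }
                break;
            case 'phone_number':
                if (!preg_match('/^[0-9.+ ]*$/', $v)) { $errors[$field] = true; }
                break;
            case 'email':
                // filter_var rejects CR/LF, so the value is safe to place in the From: header
                if (filter_var($v, FILTER_VALIDATE_EMAIL) === false) { $errors[$field] = true; }
                break;
            case 'security_code':
                // No code in the session (CAPTCHA never rendered) is a failure, not a match
                if ($session_code === null || !hash_equals((string) $session_code, $v)) { $errors[$field] = true; }
                break;
        }
        $clean[$field] = htmlentities($v, ENT_QUOTES, 'UTF-8');
    }
    return array('errors' => $errors, 'clean' => $clean);
}

// Assumed wiring in contactform.php:
//   session_start();
//   if (isset($_POST['send'])) {
//       $code   = isset($_SESSION['security_code']) ? $_SESSION['security_code'] : null;
//       $result = validate_contact($_POST, $code);
//       unset($_SESSION['security_code']);   // one-time code: a solved CAPTCHA is not reusable
//       if (count($result['errors']) == 0) { /* build $body from $result['clean'] and call mail() */ }
//   }

// Constructed input mirroring the cURL test from the thread (no email, message or security_code):
$demo = validate_contact(array('name' => 'AAAAAAAAAAAAA', 'phone_number' => '314', 'send' => 'send'), 'k7x2q');
print_r($demo['errors']); // lists the fields that failed, so no mail() call happens
```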