Contact Script!

rochow Notable Member

Messages:: 3,991

Likes Received:: 245

Best Answers:: 0

Trophy Points:: 240

#1

Below is an email script I spent the good part of today working on.

What are some improvements I can make? My server got hacked recently, and the only script was a mail one, so there must have been some vunerability they used to get in (or they got the root p/w but it doesn't look likely)

Feel free to use this on your own sites. I'm going to add in the option of using captcha soon

<?php
// PHP Mail Form
// Copyright 2007 Classic Media
// Last Updated: 5th November 2007
// www.classicmedia.com.au

// Email address to recieve emails
$recipient = "email@you.com";

// Subject of emails sent
$subject = "Website Contact Form";

// Show senders IP in email (answer either 'yes' or 'no')
$ip = 'no';

// Show browsers user agent in email (answer either 'yes' or 'no')
$agent = 'no';

// DO NOT CUSTOMIZE BELOW THIS POINT!
if (!isset($_POST['submit']) || $_SERVER['REQUEST_METHOD'] != "POST") {
exit("<p>You did not press the submit button; this page should not be accessed directly.</p>");
} else {
$exploits = "/(content-type|bcc:|cc:|document.cookie|onclick|onload|javascript|alert)/i";
$bots = "/(Indy|Blaiz|Java|libwww-perl|Python|OutfoxBot|User-Agent|PycURL|AlphaServer)/i";

if (preg_match($bots, $_SERVER['HTTP_USER_AGENT'])) {
exit("<p>Known spam bots are not allowed.</p>");
}
foreach ($_POST as $key => $value) {
$value = trim($value);

if (empty($value)) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
exit;
} elseif (preg_match($exploits, $value)) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
exit;
}

$_POST[$key] = stripslashes(strip_tags($value));
}

if (!ereg("^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+(.[a-z0-9-]+)*(.[a-z]{2,6})$",strtolower($_POST['email']))) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
}
function bad_str($str_to_test) {
$bad_strings = array(
"content-type:"
,"mime-version:"
,"multipart/mixed"
,"Content-Transfer-Encoding:"
,"bcc:"
,"cc:"
,"to:"
);

foreach($bad_strings as $bad_string) {
if(eregi($bad_string, strtolower($str_to_test))) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
exit;
}
if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
exit;
}
}
}

bad_str($_POST['name']);
bad_str($_POST['email']);
bad_str($_POST['phone']);
bad_str($_POST['request']);

$message = "You've received an e-mail through your website mail form: \n";
$message .= "Name: {$_POST['name']} \n";
$message .= "E-mail: {$_POST['email']} \n";
$message .= "Phone Number: {$_POST['phone']} \n";
$message .= "Details: {$_POST['message']} \n";
$message .= "Request: {$_POST['request']} \n";
if ($ip == 'yes') {
$message .= "IP: {$_SERVER['REMOTE_ADDR']} \n";
}
if ($agent == 'yes') {
$message .= "Browser: {$_SERVER['HTTP_USER_AGENT']} \n";
}

$headers = "From: <$recipient> \n";
$headers .= "Reply-To: <{$_POST['email']}>";

if (mail($recipient,$subject,$message,$headers)) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=ok.php\">";
} else {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
}
}
?>
Click to expand...

rochow, Nov 4, 2007 IP

ForumJoiner Active Member

Messages:: 762

Likes Received:: 32

Best Answers:: 0

Trophy Points:: 83

#2

How about this, to be sure that you can't be hacked?

After the user clicks "Submit", you write the exact e-mail in a text (.txt) file on the server. You send yourself a plain, safe, eMail with a link to that text file. In this way, you see exactly what tricks are played on you. You recorded the IP of the sender. Even if you can't find that person who sends spam, you can block that IP.

ForumJoiner, Dec 11, 2007 IP

wootwoot Peon

Messages:: 118

Likes Received:: 2

Best Answers:: 0

Trophy Points:: 0

#3

you might wanna add a captcha for better security

wootwoot, Dec 11, 2007 IP

rochow Notable Member

Messages:: 3,991

Likes Received:: 245

Best Answers:: 0

Trophy Points:: 240

#4

wootwoot said: ↑

you might wanna add a captcha for better security
Click to expand...

I haven't got any spam so far, so I haven't felt the need to add it in yet (the site isnt a top 100,000 alexa ranking or anything)

rochow, Dec 12, 2007 IP

Barti1987 Well-Known Member

Messages:: 2,703

Likes Received:: 115

Best Answers:: 0

Trophy Points:: 185

#5

Use this script instead:

http://www.free-php-scripts.net/P/Contact_Form

Peace,

Barti1987, Dec 12, 2007 IP

Log in or Sign up

Contact Script!

rochow Notable Member

ForumJoiner Active Member

wootwoot Peon

rochow Notable Member

Barti1987 Well-Known Member

Useful Searches