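<?php
// formmail.php: receives the contact-form POST, validates the fields and hands the
// message to mail(). Hidden form values (to/success/failure) are client-supplied,
// so they are constrained below instead of being trusted.
$domain = "mydomain.com";              // domain name of this site
$to_email = "webmaster@mydomain.com";  // default destination email (override with hidden value 'to')
$subj_prefix = "[Form Mail]";          // optional subject prefix to show where the mail is from

// validate email address function
// Accepts "local@domain": the local part is checked label by label (atom or quoted
// string), the domain part either as a dotted IP literal or as hostname labels.
// Returns true when every part passes. preg_match replaces the ereg family,
// which was removed in PHP 7.
function validemail($email)
{
    // Check that there is only one @ symbol and that the lengths are right
    if (!preg_match('/^[^@]{1,64}@[^@]{1,255}$/', $email)) {
        return false;
    }
    list($local_part, $domain_part) = explode("@", $email);

    // printable atom characters (the RFC 5322 atext set); "-" is appended last in
    // each class so it is not read as a range, "/" is escaped for the delimiter
    $atext = "A-Za-z0-9!#$%&'*+\\/=?^_`{|}~";
    $label_pattern = "/^(([{$atext}-][{$atext}.-]{0,63})|(\"[^(\\\\|\")]{0,62}\"))$/";
    foreach (explode(".", $local_part) as $label) {
        if (!preg_match($label_pattern, $label)) {
            return false;
        }
    }

    // Check if domain is IP or valid domain name
    if (!preg_match('/^\[?[0-9.]+\]?$/', $domain_part)) {
        $labels = explode(".", $domain_part);
        if (count($labels) < 2) {
            return false; // Not enough parts to domain
        }
        foreach ($labels as $label) {
            // letters and digits, hyphens only inside the label, at most 63 chars
            if (!preg_match('/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/', $label)) {
                return false;
            }
        }
    }
    return true;
}

// header injection check function
// Aborts the request when a value that ends up in a mail header carries a line
// break or tab, raw or URL-encoded; a line break would let the text after it
// be read as additional headers.
function hicheck($field)
{
    if (preg_match('/[\r\n\t]|%0[89ad]/i', $field)) {
        die("Access denied (0x0004)");
    }
}

// read one POST field as a string ("" when absent or not a scalar string)
// magic_quotes_gpc is undone only on PHP < 5.4 where it can actually be on;
// unconditional stripslashes would eat backslashes the user typed
function post_field($name, $trim = true)
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return "";
    }
    $value = $_POST[$name];
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $trim ? trim($value) : $value;
}

// true when $host is $domain itself or a host below it (e.g. www.$domain)
function host_in_domain($host, $domain)
{
    $host = strtolower($host);
    $domain = strtolower($domain);
    $suffix = "." . $domain;
    return $host === $domain || substr($host, -strlen($suffix)) === $suffix;
}

// true for a redirect target that stays on this site: a relative path such as
// "email_ok.html", or an absolute URL whose host is in $domain. Anything else
// (other hosts, "//host" forms, line breaks) is refused so the hidden
// success/failure fields cannot send the visitor elsewhere.
function is_safe_target($target, $domain)
{
    if ($target === "" || preg_match('/[\r\n]/', $target)) {
        return false;
    }
    if (preg_match('/^(?!\/\/)[^:]+$/', $target)) {
        return true; // no scheme, no authority: resolved relative to this site
    }
    $host = parse_url($target, PHP_URL_HOST);
    return is_string($host) && host_in_domain($host, $domain);
}

// ensure script is only used with action="POST"
// (the original "!$x == 'POST'" negated $x before comparing and never fired)
if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== "POST") {
    die("Access denied (0x0001)");
}

// ensure script is only called from this domain
// The Referer is a browser-supplied header: treat this as a convenience check,
// not as authentication. The host is compared, not a substring of the URL.
$referer_host = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) : null;
if (!is_string($referer_host) || !host_in_domain($referer_host, $domain)) {
    die("Access denied (0x0002)");
}

// load the form fields
$from_name = post_field("from-name");
$from_email = post_field("from-email");
$to = post_field("to");
$subject = post_field("subject");
$message = post_field("message");
$verification = post_field("verification", false);
$success = post_field("success");
$failure = post_field("failure");

// hicheck all fields that will go into the email headers
hicheck($from_name);
hicheck($from_email);
hicheck($subject);
if ($to !== "") {
    hicheck($to);
    // only a bare mailbox name is accepted: the address is always built inside
    // $domain, so the hidden field cannot name a mailbox elsewhere
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $to)) {
        die("Access denied (0x0004)");
    }
    $to_email = $to . "@" . $domain;
}

// validate form fields
$response = "";
if (!validemail($from_email)) {
    $response = "Email address is invalid. ";
}
if ($subject === "") {
    $response .= "Subject line is blank. ";
}
if ($message === "") {
    $response .= "Message is blank. ";
}
// the typed code is compared by its md5 with the tpverify cookie; === replaces the
// loose != so two hex strings are compared as text, not as numbers
// NOTE(review): the cookie holds a hash of the answer, so the check is only as
// strong as that hash and the code length - confirm against captcha.php
$expected_hash = isset($_COOKIE['tpverify']) && is_string($_COOKIE['tpverify']) ? $_COOKIE['tpverify'] : "";
if ($expected_hash === "" || md5($verification) !== $expected_hash) {
    $response .= "Verification code is incorrect. ";
}

// if no errors, send the message
if ($response === "") {
    // quotes and backslashes in the display name are escaped so the quoted
    // From header stays well formed
    if ($from_name === "") {
        $from = $from_email;
    } else {
        $from = '"' . addcslashes($from_name, '"\\') . '" <' . $from_email . '>';
    }
    if (mail($to_email, trim($subj_prefix . " " . $subject), $message, "From: " . $from)) {
        setcookie('tpverify', ''); // delete the cookie so the same code is not reused
        if (is_safe_target($success, $domain)) {
            header("Location: " . $success);
        } else {
            echo "Message sent.";
        }
        exit;
    }
    // mail() returned false (no MTA, rejected address, ...): report it instead of
    // silently landing on the success page
    $response = "Message could not be sent. ";
}

$response .= "<br/>Click the Back button, correct your error and try again.";
// the error text travels only in the "err" query parameter; the failure page has
// to read and display it, a static HTML page will show nothing
if (is_safe_target($failure, $domain)) {
    header("Location: " . $failure . "?err=" . urlencode($response));
} else {
    echo $response;
}
?>
Code (markup): This is the index.html
<form action="formmail.php" method="POST">
<input type="hidden" name="success" value="email_ok.html">
<input type="hidden" name="failure" value="email_err.html">
<input type="hidden" name="to" value="sales">
<table border="0" cellpadding="2">
<tr> <td>From (name):</td> <td><input type="text" size="32" name="from-name"></td> </tr>
<tr> <td>Email address:</td> <td><input type="text" size="32" name="from-email"></td> </tr>
<tr> <td>Subject:</td> <td><input type="text" size="62" name="subject"></td> </tr>
<tr> <td valign="top">Message:</td> <td valign="top"><textarea name="message" rows="15" cols="48"></textarea></td> </tr>
<tr> <td>Verification code:</td> <td> <input type="text" size="8" name="verification"> <img src="captcha.php" alt="Verification code, please enter it" width="50" height="24" align="absbottom" /> </td> </tr>
</table>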
<p><input type="submit" value="Send"></p> </form> Code (markup): Problems: - It doesn't display anything when the subject or any of the other fields are blank, as the code says it should. It just takes me to "emailerr.html" (I renamed it from email_err.html to emailerr.html). - It doesn't send the mail when everything is filled in correctly. It just takes me to "emailok.html" (I renamed it from email_ok.html to emailok.html). HTF?????? (AND YES, I changed the to_email and domain to the correct addresses.)