
Thread: PHP email script, how to secure or validate?

  1. #1
    Join Date
    Jul 2008
    Location
    Scotland
    Posts
    10

    PHP email script, how to secure or validate?

    Hi,

    Not been here for a while.

    I am kind of new to PHP so don't know everything.

    I got a script for email, that when someone fills in a form, that form (when submitted) gets processed by a PHP script and sends out an email.

    So far it works wonders, until I found that some robots/spiders must be using the link, so sometimes I get a blank email.

    Is there anything I can add to the script to make it check that it has valid fields? Or to the form? I know I can get a JavaScript check, but not everyone lets JavaScript work on their machine.

    What is the best way?

    here is the code for my form:
    Code:
    <form method="post" action="contact.php">
        <table width="600px" class="form">
            <tr><td width="60px" valign="top">Name:&nbsp;*</td><td><input type="text" name="name"></td></tr>
            <tr><td width="60px" valign="top">Tel:</td><td><input type="text" name="tel"></td></tr>
            <tr><td width="60px" valign="top">E-mail:&nbsp;*</td><td><input type="text" name="email"></td></tr>
            <tr><td width="60px" valign="top">Your Enquiry:&nbsp;*</td><td><textarea name="message" cols="50" rows="4"></textarea></td></tr>
            <tr><td width="60px" valign="top"></td>
                <td><input type="submit" name="submit" value="Submit Form">&nbsp;&nbsp;&nbsp;<input type="reset" name="reset" value="Reset Form"></td>
            </tr>
        </table>
    </form>
    here is the PHP script:
    PHP Code:
    <?php

    ini_set("sendmail_from", "my_email_not_showing_here");

    // get posted data into local variables
    $EmailTo = "my_email_not_showing_here";
    $Subject = "The Subject";
    $name    = $_REQUEST['name'];
    $tel     = $_REQUEST['tel'];
    $email   = $_REQUEST['email'];
    $message = $_REQUEST['message'];

    // validation (currently no checks are made, so every submission passes)
    $validationOK = true;
    if (!$validationOK) {
        print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.abc.com/error.html\">";
        exit;
    }

    // prepare email body text
    $Body  = "";
    $Body .= "Name: ";
    $Body .= $name;
    $Body .= "\n";
    $Body .= "Tel: ";
    $Body .= $tel;
    $Body .= "\n";
    $Body .= "Details: ";
    $Body .= $message;
    $Body .= "\n";

    // send email (the submitted address is placed straight into the From: header)
    $success = mail($EmailTo, $Subject, $Body, "From: <$email>", "-fmy_email_not_showing_here");

    // redirect to success page
    if ($success) {
        // sending mail to the person who filled in the form if they filled in the email
        mail($email, $Subject, "$name\n\nThank you for contacting this site.\nWe will contact you as soon as possible regarding your query.", "From: <$EmailTo>", "-fmy_email_not_showing_here");
        print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.abc.com/thanks.html\">";
    }
    else {
        print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.abc.com/error.html\">";
    }
    ?>
    Let me guess, you picked out yet another colorful box with a crank that I'm expected to turn and turn until OOP! big shock, a jack pops out and you laugh and the kids laugh and the dog laughs and I die a little inside.
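The script above sets `$validationOK = true` and never checks anything, which is why blank submissions from crawlers go straight to mail(). The following is an added example, not the poster's code, of the server-side checks that could replace that stub: required fields, a syntactic e-mail check with PHP's built-in `filter_var()`, length limits, and a refusal of line breaks in any value that reaches a mail header (the submitted address is used in `From:`; a CR or LF there would let a submitter append headers of their own). Field names match the form on the page; `$_POST` is used rather than `$_REQUEST` because the form posts. Error messages and limits are assumptions.

```php
<?php
// Added example (not the poster's code): server-side validation for the
// contact form. Returns a list of error messages; an empty list means the
// submission may be mailed.
function validate_contact(array $post): array
{
    $errors = [];

    // trim() so whitespace-only values count as empty; a crawler posting
    // blank fields is then rejected instead of producing an empty e-mail.
    $name    = trim((string) ($post['name'] ?? ''));
    $email   = trim((string) ($post['email'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));

    if ($name === '') {
        $errors[] = 'Name is required.';
    } elseif (strlen($name) > 100) {          // byte length; assumed limit
        $errors[] = 'Name is too long.';
    }

    if ($email === '') {
        $errors[] = 'E-mail is required.';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'E-mail address is not valid.';
    }

    if ($message === '') {
        $errors[] = 'Your enquiry is required.';
    } elseif (strlen($message) > 5000) {      // assumed limit
        $errors[] = 'Your enquiry is too long.';
    }

    // Values that end up in mail headers must not contain line breaks.
    // filter_var() already rejects them in the address; the explicit check
    // documents the rule and covers the name if it is ever added to a header.
    foreach (['Name' => $name, 'E-mail' => $email] as $label => $value) {
        if (preg_match('/[\r\n]/', $value) === 1) {
            $errors[] = $label . ' contains an invalid character.';
        }
    }

    return $errors;
}

// Usage in contact.php, in place of the "// validation" block:
// only fall through to mail() when there are no errors.
$errors = validate_contact($_POST);
if ($errors !== []) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Please correct the following:\n- " . implode("\n- ", $errors) . "\n";
    exit;
}
```

With this in place the JavaScript check becomes a convenience for the user rather than the only line of defence; a client that disables scripts still gets the same rules applied on the server.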

  2. #2
    Join Date
    Jul 2008
    Posts
    37

    Validate email

    I use the simple technique of putting a 2nd HIDDEN email field on the form. I then test to see if that hidden field has data; if it does, the form was completed by a robot, since humans can't see a hidden field.

    I then just don't process the email and redirect the robot to some random site like Google, Microsoft, Yahoo etc.

    This technique is not quite as robust as some others, but it's simple and easy to implement.
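An added example of the honeypot field described in this reply, not wspeeckaert's own code. The extra input is hidden with CSS rather than `type="hidden"`, so to a script it still looks like an ordinary text box to fill in. The field name `website`, the log line and the choice to answer with the normal thank-you redirect (rather than sending the bot elsewhere) are assumptions.

```php
<?php
// Added example (not the replier's code): honeypot check for the contact form.
//
// Extra markup in the form (hidden by CSS so people never see or fill it):
//   <div style="display:none" aria-hidden="true">
//     <label for="website">Leave this field empty</label>
//     <input type="text" id="website" name="website" tabindex="-1" autocomplete="off">
//   </div>

const HONEYPOT_FIELD = 'website';   // assumed name; any innocuous name will do

// True when the submission should be treated as automated.
function is_honeypot_triggered(array $post): bool
{
    // Field absent altogether: the request did not come from our form.
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return true;
    }
    // Field present but filled in: a human could not have typed into it.
    return trim((string) $post[HONEYPOT_FIELD]) !== '';
}

// Usage in contact.php before any mail() call. Respond exactly as for a
// genuine submission, send nothing, and leave a log line for the operator.
if (is_honeypot_triggered($_POST)) {
    error_log(sprintf('contact form: honeypot triggered from %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    header('Location: http://www.abc.com/thanks.html');   // URL from the thread's script
    exit;
}
```

Answering with the same redirect a real visitor gets keeps the response indistinguishable, and the log line gives you a count of how much of the blank-email traffic the trap is catching. Honeypots only stop submitters that fill every field, so the required-field checks are still needed for the rest.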

  3. #3
    Join Date
    Jul 2008
    Location
    Scotland
    Posts
    10
    Quote Originally Posted by wspeeckaert View Post
    I use the simple technique of putting a 2nd HIDDEN email field on the form. I then test to see if that hidden field has data; if it does, the form was completed by a robot, since humans can't see a hidden field.

    I then just don't process the email and redirect the robot to some random site like Google, Microsoft, Yahoo etc.

    This technique is not quite as robust as some others, but it's simple and easy to implement.
    Sounds fine in principle, but I was hoping to make sure that anyone filling in the form filled it in correctly. After all, it's not a long form, 4 fields max, and it would be good to have full info instead of partial.

    I found a JavaScript that has helped; it has taken me all day to implement it for a client who basically needs this validation.

    Although I would prefer it not to be JavaScript, I can understand the reason why it would have to be JavaScript.

  4. #4
    Join Date
    Mar 2004
    Posts
    3,056
    There are two things you can do to fix this problem. The first one is very simple: add the address of any page you don't want a spider to visit to a "Disallow" instruction in a robots.txt file. The second part of the solution would be to use PHP's Perl Compatible Regular Expressions (PCRE) functions such as preg_match.

    Regular expressions can be a bit daunting if you've never come across them before, but they're not so bad once you get the swing of them. If you get stuck with them or there's just something you're a bit unsure about, then post back with details about what you're trying to do and what's happening.
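An added example of the two measures in this reply, not code from the replier or the original poster: preg_match() patterns for the name and telephone fields of the form above, with the robots.txt rule shown as a comment. The patterns, limits and sample submissions are assumptions made for illustration; the telephone pattern is deliberately loose, and the robots.txt line only keeps well-behaved crawlers away (spam bots ignore it), so it complements the checks rather than replacing them.

```php
<?php
// Added example (not from the thread): PCRE checks for the contact form.

// Name: starts with a letter in any script, then letters, spaces, apostrophes,
// dots or hyphens; 2 to 80 characters in total. Assumed rule.
const NAME_PATTERN = '/^\p{L}[\p{L} \'.\-]{1,79}$/u';

// Telephone: optional leading +, then digits with spaces, dashes or brackets;
// 6 to 20 characters. Empty is allowed because "Tel:" is not a required field.
const TEL_PATTERN = '/^\+?[0-9][0-9 ()\-]{5,19}$/';

function valid_name(string $name): bool
{
    return preg_match(NAME_PATTERN, $name) === 1;
}

function valid_tel(string $tel): bool
{
    return $tel === '' || preg_match(TEL_PATTERN, $tel) === 1;
}

// Returns the names of the fields that failed; an empty array means all passed.
function failed_fields(array $post): array
{
    $failed = [];
    if (!valid_name(trim((string) ($post['name'] ?? '')))) {
        $failed[] = 'name';
    }
    if (!valid_tel(trim((string) ($post['tel'] ?? '')))) {
        $failed[] = 'tel';
    }
    return $failed;
}

// robots.txt at the site root, so compliant crawlers never request the handler:
//   User-agent: *
//   Disallow: /contact.php

// Constructed sample submissions (the numbers are fictional) to show the checks.
$samples = [
    ['name' => 'Ailsa McLeod', 'tel' => '+44 131 496 0000'],  // both pass
    ['name' => '',             'tel' => '0131 496 0000'],     // name fails
    ['name' => 'Bob',          'tel' => 'call me'],           // tel fails
];
foreach ($samples as $s) {
    $failed = failed_fields($s);
    printf("%-14s %-18s -> %s\n", $s['name'], $s['tel'],
        $failed === [] ? 'ok' : 'invalid: ' . implode(', ', $failed));
}
```

Run from the command line this prints `ok` for the first sample and `invalid: name` and `invalid: tel` for the other two. Anchoring both patterns with `^` and `$` is what makes them useful as a gate: without the anchors preg_match() would accept any string that merely contains a valid-looking fragment.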

  5. #5
    Join Date
    Mar 2006
    Location
    California
    Posts
    306
    Might want to check this function out. It protects against email injection and validates it too:
    http://shaunwagner.com/user_files/php/as_mail.txt
    JS > PHP > Everything
