PHP email script, how to secure or validate?

**ikthius** · 12-14-2008 05:38 AM

Hi,

Not been here for a while.

I am kind of new to PHP so don't know everything.

I got a script for email, that when someone fills in a form, that form (when submitted) gets processed by a PHP script and sends out an email.

So far it works wonders, untill I found that some robots/spiders must be using the link, so sometimes I get a blank email.

is there anything I can add to the script to make it check that it has valid fields? or to the Form? I know I can get a javascript check but not everyone lets javascript work on their machine.

what is the best way?

here is the code for my form:

Code:

<form method="post" action="contact.php"> 
                            <table width="600px" class="form">
                            <tr><td width="60px" valign="top">Name:&nbsp;*</td><td><input type="text" name="name"></td></tr>
                            <tr><td width="60px" valign="top">Tel:</td><td><input type="text" name="tel"></td></tr>
                            <tr><td width="60px" valign="top">E-mail:&nbsp;*</td><td><input type="text" name="email"></td></tr>
                            <tr><td width="60px" valign="top">Your Enquiry:&nbsp;*</td><td><textarea name="message" cols="50" rows="4"></textarea></td></tr>
                            <tr><td width="60px" valign="top"></td>
                                <td><input type="submit" name="submit" value="Submit Form">&nbsp;&nbsp;&nbsp;<input type="reset" name="reset" value="Reset Form"></td>
                            </tr>
                        </table>
                        </form>

here is the PHP script:

PHP Code:


<?php

ini_set("sendmail_from", "my_email_not_showing_here");

// get posted data into local variables
$EmailTo = "my_email_not_showing_here";
$Subject = "The Subject";
$name = $_REQUEST['name']; 
$tel = $_REQUEST['tel']; 
$email = $_REQUEST['email']; 
$message = $_REQUEST['message']; 

// validation
$validationOK=true;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.abc.com/error.html\">";
  exit;
}

// prepare email body text
$Body = "";
$Body .= "Name: ";
$Body .= $name;
$Body .= "\n";
$Body .= "Tel: ";
$Body .= $tel;
$Body .= "\n";
$Body .= "Details: ";
$Body .= $message;
$Body .= "\n";

// send email 
$success = mail($EmailTo, $Subject, $Body, "From: <$email>", "-fmy_email_not_showing_here");

// redirect to success page 
if ($success){
  //sending mail to the person who filled in the form if they filled in the email
  mail($email, $Subject, "$name\n\nThank you for contacting this site.\nWe will contact you as soon as possible regarding your query.", "From: <$EmailTo>", "-fmy_email_not_showing_here");
  print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.abc.com/thanks.html\">";
}
else{
  print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.abc.com/error.html\">";
}
?>

**wspeeckaert** · 12-14-2008 09:20 AM

I use the simple technique of putting a 2nd HIDDEN email field on the form. I then test to see if that hidden field has data- if it does, the form was completed by a robot since human's can't see a hidden field.

I then just don't process the email and redirect the robot to some random site like google, microsoft, yahoo etc.

This technique is not quite as robust as some others, but it's simple and easy to implement.

**ikthius** · 12-14-2008 10:23 AM

Originally Posted by wspeeckaert

I use the simple technique of putting a 2nd HIDDEN email field on the form. I then test to see if that hidden field has data- if it does, the form was completed by a robot since human's can't see a hidden field.

I then just don't process the email and redirect the robot to some random site like google, microsoft, yahoo etc.

This technique is not quite as robust as some others, but it's simple and easy to implement.

sounds fine in principle, but I was hoping to make sure that anyone filling in the form filled it in correctly. after all its not a long form, 4 fields max, and it would be good to have full info instead of partial.

I found a javascript that has helped, it has taken me all day to implement it to a client who basically needs this validation.

although i would prefer it not to be javascript, but I can understand the reason why it would have to be javascript.

**Stephen Philbin** · 12-14-2008 03:04 PM

There's two things you can do to fix this problem. The first one is very simple. Simply add the address of any page you don't want a spider to visit to a "disallow" instruction in a robots.txt file. The second part of the solution would be to use PHP's Perl Compatible Regular Expressions (PCRE) functions such as preg_match.

Regular expressions can be a bit daunting if you've never come accross them before, but they're not so bad once you get the swing of them. If you get stuck with them or there's just something you're a bit unsure about, then post back with details about what you're trying to do and what's happening.

**hyperlisk** · 12-14-2008 04:31 PM

Might want to check this function out. It protects against email injection and validates it too:
http://shaunwagner.com/user_files/php/as_mail.txt

Thread: PHP email script, how to secure or validate?

Thread Tools

Display

PHP email script, how to secure or validate?

Validate email

Thread Information

Users Browsing this Thread

Bookmarks

Bookmarks

Posting Permissions