Hi all,
I have a PHP form that I use on websites for their contact forms.
It uses basic PHP mail send.
I have just received a couple of emails that were sent using the form, but I feel they didn't get sent via the website, i.e. I think that they created a form which referenced my form and used it remotely.

Below is the code in the PHP form. Is there any way to only allow access to the form from the server it is held on?

Please note that I have removed our information, i.e. our domain name etc.
Also, the form works fine, we just need to lock it down.

<?php

// Only accept form submissions; a plain GET of this script is refused
if ($_SERVER['REQUEST_METHOD'] != 'POST') {
    exit('No direct Access is allowed');
}

// Read a POST field without notices when it is absent
function field($name) {
    return isset($_POST[$name]) ? (string) $_POST[$name] : '';
}

// $from is placed into the From: and Reply-To: headers, so it must be a
// single valid address: a value containing "\r\n" would otherwise let the
// sender append headers of their own (extra recipients, for example)
$from = filter_var(field('email'), FILTER_VALIDATE_EMAIL);
if ($from === false) {
    exit('Invalid email address');
}
// Line breaks are removed from the subject for the same reason; the body
// is sent as HTML, so user text is escaped before it is dropped in
$subject2    = str_replace(array("\r", "\n"), ' ', field('subject'));
$subjectHtml = htmlspecialchars($subject2);
$message     = nl2br(htmlspecialchars(field('message')));

$to = 'info@domain.com';
$subject = 'WEBSITE CONTACT FORM RE: - ' . $subject2;
$content = "
This Email was generated from the domain.com website in regards to:<br>
$subjectHtml<br><br>
Please contact me about the following: <br>
$message";
$header  = "MIME-Version: 1.0" . "\r\n";
$header .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
$header .= "From: $from" . "\r\n";
$header .= "Reply-To: $from" . "\r\n";
/*$header .="X-Mailer: PHP/" . phpversion();*/

/* ----------------- BELOW IS THE AUTO REPLY EMAIL SENT TO THE CONTACT  ----------- */

$ccto = $from;
$ccfrom = "NOREPLY@domain.com";
$ccsubject = "Autoreply from the domain.com website";
$cccontent = "
Please DO NOT respond to this email. the address it goes to does NOT get checked <br><br>
Please note that your email has been received and <br>
we will contact you as soon as possible about your enquiry.<br><br>
The following has been sent to us from the webform:<br><br>
------------------------------------------------------------- <br>
This Email was generated from the domain.com website in regards to:<br>
$subjectHtml<br><br>
Please contact me about the following: <br>
$message <br><br>
------------------------------------------------------------- <br> <br>
Regards<br>
me";
$ccheader  = "MIME-Version: 1.0" . "\r\n";
$ccheader .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
$ccheader .= "From: $ccfrom" . "\r\n";
$ccheader .= "Reply-To: $ccto" . "\r\n";

if (mail($to, $subject, $content, $header)) {
    if (mail($ccto, $ccsubject, $cccontent, $ccheader)) {
        echo '<font color="#000099" size="6">Email Sent</font>'
           . '<font color="#000000" size="4"><br>Please click below to return to the c4i</font>'
           . '<font color="#000099" size="4"><br><a href="http://www.domain.com/contactus.html">Return</a></font>';
    } else {
        echo "Error, mail not sent. Please click the back button and try again.";
    }
} else {
    echo "Error, mail not sent. Please click the back button and try again.";
}

?>

thanks in advance

Jason

Sometimes I resort to the referrer for something like that. It's not always reliable but works when it is. Look up HTTP_REFERER on php.net. There are probably other ways to accomplish this but I know this way could work.
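An added example of the referrer check described above (my code, not kkeith29's). It compares the host part of the Referer header against the site's own host name, which is assumed here to be www.domain.com as in the thread. The header is sent by the client and may be stripped or altered, so a mismatch is a hint that the POST did not come from the website, not proof; the example logs it so you can see how often legitimate users trip it before deciding to block.

```php
<?php
// Added example: accept the POST only when the Referer header names this
// server. The header is optional and client-supplied, so treat the result
// as a weak signal rather than a guarantee.

function refererMatchesHost($referer, $ownHost) {
    if ($referer === null || $referer === '') {
        return false;                       // browser or proxy stripped it
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if ($host === false || $host === null) {
        return false;                       // malformed Referer value
    }
    // Compare host names only; scheme, port and path can differ legitimately
    return strcasecmp($host, $ownHost) === 0;
}

$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null;
$ownHost = 'www.domain.com';  // assumed site name from the thread; set to yours

if (!refererMatchesHost($referer, $ownHost)) {
    // Decide how strict to be: exit() also blocks users whose browser drops
    // the header; logging first shows how common that is on your site
    error_log('contact form: unexpected referer ' . var_export($referer, true));
    exit('Form submissions are only accepted from the website.');
}
// ... build and send the mail as before ...
```

Using a hard-coded host rather than $_SERVER['HTTP_HOST'] matters: the Host header is client-supplied as well, so comparing one client value against another proves nothing.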

Thanks for the quick reply kkeith29,

I cannot actually find HTTP_REFERER on php.net.
There are other HTTP functions but not that one.

After googling it I got a broad cross section that refer to it, but they either warn against it as some browsers and servers do not pass info to it, or say it is out of date.... others say that some string values come back as null a lot of the time..... and the list goes on...

What are your thoughts and experience on this?

Jason

Oh.... do you have an example on how to use it?

Will keep the post alive and see if anyone else has any ideas as well.

You can do a session check. For example, in the contact form, set a session variable, say, $_SESSION['valid'] = "true"; In the script which does the processing, check if $_SESSION is set and it's true. If yes, then process the form.

<?php
session_start();
if(isset($_SESSION['valid']) && $_SESSION['valid']=="true") {
 //process
} else {
 echo "You are in the wrong place!";
}

Or, you can also do it this way.
In the contact form, assign the value of session_id() to a hidden textbox. Then in the script, check if $_POST value is equal to session_id().
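An added example of the session approach above, extended with a random per-page-load token (this is my code, not the poster's). Two files are shown in one block, contactus.php and sendmail.php, with assumed names. The session flag shows the form page was visited in this browser session; the hidden token ties this particular POST to that page load and is cleared after use, so a copied form on another site has nothing to submit. A random token is used instead of session_id() so the session identifier itself never appears in the page source. It assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example, not the poster's code. Assumed file names:
// contactus.php renders the form, sendmail.php processes it.
// Assumes PHP 7+ (random_bytes, hash_equals).

// ---------- contactus.php ----------
session_start();
$_SESSION['valid'] = "true";                          // the flag from the post
$_SESSION['form_token'] = bin2hex(random_bytes(16));  // fresh per page load
?>
<form method="post" action="sendmail.php">
  <input type="hidden" name="form_token"
         value="<?php echo htmlspecialchars($_SESSION['form_token']); ?>">
  <input type="email" name="email">
  <input type="text" name="subject">
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>

<?php
// ---------- sendmail.php ----------
session_start();

function submissionIsValid(array $session, array $post) {
    if (!isset($session['valid']) || $session['valid'] !== "true") {
        return false;   // form page never visited in this session
    }
    if (!isset($session['form_token'], $post['form_token'])) {
        return false;   // token missing on either side
    }
    // Constant-time comparison of the hidden field against the stored token
    return hash_equals($session['form_token'], (string) $post['form_token']);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !submissionIsValid($_SESSION, $_POST)) {
    exit('You are in the wrong place!');
}
// The token is single use: clear it so a replayed POST is refused
unset($_SESSION['form_token']);
// ... validate the fields and call mail() here ...
```

Note that this only proves the submitter loaded your form page first; it does not stop someone who loads the page and then submits whatever they like, so the email and subject fields still need validating before they go into mail headers.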
