0

Dear programming cracks!
I set up a website and thought an email form would be nice, but I thought it would be easier to get it right!

I got it quite ok with the easy example below which I found at:
http://www.freewebmasterhelp.com/tutorials/php/6

<?
function checkOK($field)
{
if (eregi("\r",$field) || eregi("\n",$field)){
die("Invalid Input!");
}
}

$name=$_POST['name'];
checkOK($name);
$email=$_POST['email'];
checkOK($email);
$comments=$_POST['comments'];
checkOK($comments);
$to="php@gowansnet.com";
$message="$name just filled in your comments form. They said:\n$comments\n\nTheir e-mail address was: $email";
if(mail($to,"Comments From Your Site",$message,"From: $email\n")) {
echo "Thanks for your comments.";
} else {
echo "There was a problem sending the mail. Please check that you filled in the form correctly.";
}
?>

I adapted it slightly with fields and a check for needed input fields.
I copied and adapted these lines from another script:

if (empty($email) || (empty($name)) || (empty($comments))) {
echo "There was an error! Please go back and check that you filled in the required fields.";
	exit ;

So far it works quite well.
Except for -
It occured quite a few times that I got to the error page "Invalid Input!" because of those very first lines when I typed text in the comments field.
It seems to filter out too much and I don't understant what those first lines exactly do. On the site I copied thise from it said it was there to prevent spammers to use my php and mail function...

On one hand I want my script to be rather safe against spamming of course, on the other you should be able to type normally your message without resulting in an error message.

If you could help, I'd be very glad! :)
I wanted to concentrate on my page and content, now I'm spending days with that form mail! *sigh*

Cheers,
Dominique

4
Contributors
5
Replies
6
Views
7 Years
Discussion Span
Last Post by dominique7
1

Dear programming cracks!
I set up a website and thought an email form would be nice, but I thought it would be easier to get it right!

I got it quite ok with the easy example below which I found at:
http://www.freewebmasterhelp.com/tutorials/php/6

<?
function checkOK($field)
{
if (eregi("\r",$field) || eregi("\n",$field)){
die("Invalid Input!");
}
}

$name=$_POST['name'];
checkOK($name);
$email=$_POST['email'];
checkOK($email);
$comments=$_POST['comments'];
checkOK($comments);
$to="php@gowansnet.com";
$message="$name just filled in your comments form. They said:\n$comments\n\nTheir e-mail address was: $email";
if(mail($to,"Comments From Your Site",$message,"From: $email\n")) {
echo "Thanks for your comments.";
} else {
echo "There was a problem sending the mail. Please check that you filled in the form correctly.";
}
?>

I adapted it slightly with fields and a check for needed input fields.
I copied and adapted these lines from another script:

if (empty($email) || (empty($name)) || (empty($comments))) {
echo "There was an error! Please go back and check that you filled in the required fields.";
	exit ;

So far it works quite well.
Except for -
It occured quite a few times that I got to the error page "Invalid Input!" because of those very first lines when I typed text in the comments field.
It seems to filter out too much and I don't understant what those first lines exactly do. On the site I copied thise from it said it was there to prevent spammers to use my php and mail function...

On one hand I want my script to be rather safe against spamming of course, on the other you should be able to type normally your message without resulting in an error message.

If you could help, I'd be very glad! :)
I wanted to concentrate on my page and content, now I'm spending days with that form mail! *sigh*

Cheers,
Dominique

I am not the greatest ereg guy but what it looks to me is that if someone submits a form input with a carriage return, that this is going to fail. Which doesn't really make much sense to me unless you really want to keep carriage returns out of the submission.

Also, ereg and eregi are deprecated and completely eliminated from php6.

0

thanks for the reply!
Yes, to not allow carriage return in a textarea would be bad.

The guy who posted the tutorial and sample script (see link above) stated that it would prevent spammers from using your site/script to send spam through it.
I wasn't really aware that such a form and script could be hacked!
Is there a (simple) way to add a few ines to my script and possibly make it more secure?

Cheers,
Dominique

1

I'd suggest you get rid of the checkOK for starters, see how things go without it. If you start getting spam from your website, lookinto a better checkOK type function. Dying because of a linebreak is a wee bit simplistic. There are far better scripts to look for signs of spam. Capcha image verification on the form page is good for preventing spambots submitting your form for example.

1

I think you can remove checkOK() for $name and $comments. Having a check for 'To' and the 'Headers' field of the mail() function may be sufficient enough.

0

Ah, finally I'm understanding the script better.
I erased the check for the 3 fields, where I think that people would write a few lines, and now it works fine.

Now I remember someone called the manipulation which sometimes happens with such php form mail scripts "code injection".
Does anyone have an opinion if my script would be prone to that?

Also I could still add a captcha check, but it's not urgent yet.

Thanks a lot for your replies!
Cheers,
Dominique

Edited by dominique7: n/a

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.