I have a tell a friend page done in PHP adnd I'd like to have it so that they can't edit/change the message only add their email & friend email...and not be able to add spam to it.

and I'm pretty new at PHP so Thanks in advance for any help!

here's the code I'm using for the Tell a Friend

<?php 
 
$FriendName = $_POST['FriendName']; 
$FriendEmail = $_POST['FriendEmail']; 
$Name = $_POST['Name']; 
$Email = $_POST['Email']; 
$emailtext = $_POST['emailtext']; 
$string = "http://www.americanconsumerinstitute.org"; 
 
?> 
<html><head> 
<script language="JavaScript" type="text/JavaScript"> 
<!-- 
function MM_findObj(n, d) { //v4.01 
var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) { 
d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);} 
if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n]; 
for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document); 
if(!x && d.getElementById) x=d.getElementById(n); return x; 
} 
 
function MM_validateForm() { //v4.0 
var i,p,q,nm,test,num,min,max,errors='',args=MM_validateForm.arguments; 
for (i=0; i<(args.length-2); i+=3) { test=args[i+2]; val=MM_findObj(args[i]); 
if (val) { nm=val.name; if ((val=val.value)!="") { 
if (test.indexOf('isEmail')!=-1) { p=val.indexOf('@'); 
if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an e-mail address.\n'; 
} else if (test!='R') { num = parseFloat(val); 
if (isNaN(val)) errors+='- '+nm+' must contain a number.\n'; 
if (test.indexOf('inRange') != -1) { p=test.indexOf(':'); 
min=test.substring(8,p); max=test.substring(p+1); 
if (num<min || max<num) errors+='- '+nm+' must contain a number between '+min+' and '+max+'.\n'; 
} } } else if (test.charAt(0) == 'R') errors += '- '+nm+' is required.\n'; } 
} if (errors) alert('The following error(s) occurred:\n'+errors); 
document.MM_returnValue = (errors == ''); 
} 
//--> 
</script> 
</head> 
<body> 
<?php 
if (!$FriendEmail) { 
?> 
<br> 
<form name="form1" onSubmit="MM_validateForm('Name','','R','Email','','RisEmail','FriendName','','R','FriendEmail','','RisEmail');return document.MM_returnValue" action="" method="POST"> 
<div align="center"> 
<table width="427" border="0" cellspacing="0" cellpadding="3"> 
<tr> 
<td width="69" align="right" valign="top">&nbsp;</td> 
<td width="5"><font face="Verdana" size="2">&nbsp;</font></td> 
<td width="113"><font face="Verdana" size="2">Name: </font> </td> 
<td width="216"> <font face="Verdana" size="2">E-mail:</font></td> 
</tr> 
<tr> 
<td align="right" valign="top"><font face="Verdana" size="2"><b>You:</b></font></td> 
<td>&nbsp;</td> 
<td> 
<font face="Verdana"> 
<input type="text" name="Name" size="15"><font size="2"> </font></font> 
</td> 
<td> 
<font face="Verdana"> 
<input type="text" name="Email" size="20"><font size="2"> </font></font> 
</td> 
</tr> 
<tr> 
<td align="right" valign="top"><font face="Verdana" size="2"><b>Friend:</b></font></td> 
<td>&nbsp;</td> 
<td> 
<font face="Verdana"> 
<input type="text" name="FriendName" size="15"><font size="2"> </font> 
</font> 
</td> 
<td> 
<font face="Verdana"> 
<input type="text" name="FriendEmail" size="20"><font size="2"> </font> 
</font> 
</td> 
</tr> 
<tr> 
<td align="right" valign="top"><font face="Verdana" size="2"><b>Message:</b></font></td> 
<td>&nbsp;</td> 
<td colspan="2"> 
<font face="Verdana"> 
<textarea name="emailtext" cols="38" rows="6" style="font-family: Trebuchet MS; font-size: 10pt"> 
I found this great website and I believe you would be interested in it. 
Here is the link to that page: <?php echo $string ?> 
</textarea><font size="2"> </font></font> 
</td> 
</tr> 
<tr> 
<td align="right">&nbsp;</td> 
<td><font face="Verdana" size="2">&nbsp; </font> </td> 
<td> 
<font face="Verdana"> 
<input type="submit" value="Send" name="Submit"><font size="2"> </font> 
</font> 
</td> 
<td>&nbsp;</td> 
</tr> 
</table> 
</div> 
</form> 
<?php 
} 
else { 
if ($FriendEmail) { mail( $FriendEmail, "Message from $Name", "$FriendName, \n\n".$emailtext ."\n\n$Name", "From: $Email"); 
 
} 
 
 
echo "<center><br><br><font face=Verdana size=2>Thank you <font color=red>$Name</font>. The email has been sent to <font color=red>$FriendName</font>. <br><br><a href='javascript:window.close();'>Close this window</a></font><p> 
<font face=Verdana size=2>powered by: <a href=http://www.americanconsumerinstitute.org/ target=new>Tell A Friend</a></font></p>"; 
} 
?> 
<p>&nbsp;</p> 
</body> 
</html>

You will need to filter all your variables. Start with add_slashes() and strip _tags()

Also there is a big problem with PHP sending spam by users injecting the bcc field and sending spam to multiple users. I suspect most times its bots. To combat this I use the eregi() function

if (eregi('bcc', $email)) {
   // Email field contains bcc header. Kill 
   // The script, this is probably an attack
die();
 }

I usually don't let the user know, I just let them go on thinking they sent out their spam.

You can also filter out the URLs the same way, which can be from a normal user so you would need to let the user know in this case, then after the check you can append the url of the page to the end of the $message var

$message .= "The URL is http://www.site.com";

You can also use str_replace to replace obscene words and such in the message

StatiX

This article has been dead for over six months. Start a new discussion instead.