Bytes | Software Development & Data Engineering Community

FormMail security

Hi PHP gurus,

I've been working on creating a PHP formmail script. I have a working
version, but I'd like to get feedback on what security holes I may have
opened, and what I could do better. Here's the code:

<?php
// $to - set this to where form contents should be sent
$to = 's******@somewhere.com';

// $subject - the subject of the message to send to $to
$subject = 'Yay FormMail!';

// $from - who the email should appear to be from
$from = 'f*******@example.com';

// $thanks_page - URL of page to redirect to when the mail is sent successfully
$thanks_page = 'http://www.example.com/thanks.html';

// $error_page - URL of page to redirect to when there is an error
$error_page = 'http://www.example.com/error.html';

// $allowed_referers - comma separated list of hostnames where form contents can originate.
// POST's or GET's coming from anywhere else will be rejected.
$allowed_referers = 'example.com,www.example.com';

/*//////////////////////////
// DONT EDIT BELOW HERE!!!//
//////////////////////////*/

// Check that the referer is valid: pull the hostname out of the Referer URL
// (the key must be quoted, otherwise PHP treats HTTP_REFERER as an undefined constant)
$referers = explode(',', $allowed_referers);
$referer = '';
if (isset($_SERVER['HTTP_REFERER'])
    && preg_match('#^https?://([^/]+)#', $_SERVER['HTTP_REFERER'], $matches)) {
    $referer = $matches[1];
}
// if not, redirect to $error_page and stop; without exit() the script would carry on
// after sending the Location header. in_array() is used rather than array_search(),
// whose return value of 0 for the first allowed host would be treated as "not found".
if (!in_array($referer, $referers, true)) {
    header("Location: $error_page");
    exit();
}

// Check which method was used to send data, and sanitise it
$form = array();
if (count($_POST) > 0 || count($_GET) > 0) {
    if (count($_POST) > 0) {
        foreach ($_POST as $k => $v) {
            $form[strval($k)] = strip_tags(strval($v));
        }
    } else {
        foreach ($_GET as $k => $v) {
            $form[strval($k)] = strip_tags(strval($v));
        }
    }
} else {
    header("Location: $error_page");
    exit();
}

$message = "Form submitted from $_SERVER[HTTP_REFERER] at " . date('h:ia D jS F Y') . "\n\n";

// Convert the form data from an array into a string, ready for sending
foreach ($form as $k => $v) {
    $message .= "$k\t==>\t$v\n";
}

if (mail($to, $subject, $message, "From: $from")) {
    header("Location: $thanks_page");
    exit();
} else {
    header("Location: $error_page");
    exit();
}

?>

What do you think? Thanks in advance...

Regards,

Aidan
Dec 2 '05 #1
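The script above forwards every field the client sends and trusts the Referer header, which the client controls. As an added example (this is not Aidan's code and not something from the original thread), here is the same formmail pattern with the usual hardening applied: a field whitelist with length limits, strict host matching via parse_url(), exit() after every redirect, and, going one step beyond the original, an optional Reply-To taken from the form that is validated and checked for CR/LF before it is allowed anywhere near a mail header. It assumes PHP 5.2 or later (for filter_var()); the addresses, the $allowed_fields list and the helper function names are this example's own choices.

```php
<?php
// Added example, not the original poster's script. Placeholder addresses and
// helper names (referer_allowed, sanitize_fields, ...) are constructed here.

$to            = 'recipient@example.com';   // constructed placeholder
$subject       = 'Yay FormMail!';
$from          = 'formmail@example.com';    // constructed placeholder
$thanks_page   = 'http://www.example.com/thanks.html';
$error_page    = 'http://www.example.com/error.html';
$allowed_hosts = array('example.com', 'www.example.com');

// Only these field names are accepted, each with a maximum length.
// Anything else the client sends is dropped instead of being forwarded.
$allowed_fields = array('name' => 100, 'email' => 254, 'message' => 4000);

// True when the Referer host is exactly one of the allowed hosts.
// Referer is supplied by the client, so this only deters casual abuse;
// it is not an authentication mechanism.
function referer_allowed($referer, array $allowed_hosts)
{
    $host = parse_url($referer, PHP_URL_HOST);
    if ($host === null || $host === false) {
        return false;
    }
    // strict in_array() avoids the array_search() pitfall where index 0
    // (the first allowed host) is treated as "not found"
    return in_array(strtolower($host), $allowed_hosts, true);
}

// Keeps only whitelisted fields, enforces length limits, strips tags and
// control characters so the mail body cannot be padded or corrupted.
function sanitize_fields(array $input, array $allowed_fields)
{
    $clean = array();
    foreach ($allowed_fields as $name => $max_len) {
        if (!isset($input[$name]) || !is_string($input[$name])) {
            continue;
        }
        $value = strip_tags($input[$name]);
        // drop C0 control characters other than tab, LF and CR
        $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
        $clean[$name] = substr($value, 0, $max_len);
    }
    return $clean;
}

// A value destined for a mail header must be a single line: a CR or LF
// would let the sender append extra headers such as more recipients.
function header_safe($value)
{
    return strpos($value, "\r") === false && strpos($value, "\n") === false;
}

// Builds a Reply-To header only if the submitted address is well formed
// and header-safe; otherwise no Reply-To is added at all.
function reply_to_header($email)
{
    if ($email === '' || !header_safe($email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return '';
    }
    return "Reply-To: $email\r\n";
}

// Redirect and stop; without exit() the script keeps running after the header.
function redirect($url)
{
    header('Location: ' . $url);
    exit();
}

// --- request handling ---------------------------------------------------
$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
if ($method !== 'POST') {
    redirect($error_page);             // GET submissions are not accepted
}
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (!referer_allowed($referer, $allowed_hosts)) {
    redirect($error_page);
}

$form = sanitize_fields($_POST, $allowed_fields);
if (empty($form)) {
    redirect($error_page);
}

$message = "Form submitted at " . date('h:ia D jS F Y') . "\n\n";
foreach ($form as $k => $v) {
    $message .= "$k\t==>\t$v\n";
}

$reply_to = isset($form['email']) ? $form['email'] : '';
$headers  = "From: $from\r\n" . reply_to_header($reply_to);

if (mail($to, $subject, $message, $headers)) {
    redirect($thanks_page);
}
redirect($error_page);
```

The design choice worth noting is that nothing from the form ever reaches a header unless it passes both header_safe() and FILTER_VALIDATE_EMAIL; the recipient stays hard-coded, which is what keeps a formmail script from being turned into an open relay.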