
FormMail security

Hi PHP gurus,

I've been working on creating a PHP formmail script. I have a working
version, but I'd like to get feedback on what security holes I may have
opened, and what I could do better. Here's the code:

<?php
// $to - set this to where form contents should be sent
$to = 's******@somewhere.com';

// $subject - the subject of the message to send to $to
$subject = 'Yay FormMail!';

// $from - who the email should appear to be from
$from = 'f*******@example.com';

// $thanks_page - URL of page to redirect to when the mail is sent successfully
$thanks_page = 'http://www.example.com/thanks.html';

// $error_page - URL of page to redirect to when there is an error
$error_page = 'http://www.example.com/error.html';

// $allowed_referers - comma separated list of hostnames where form contents can originate.
// POST's or GET's coming from anywhere else will be rejected.
$allowed_referers = 'example.com,www.example.com';

/*//////////////////////////
// DON'T EDIT BELOW HERE!!!//
//////////////////////////*/

// Check that the referer is valid
$referers = explode(',', $allowed_referers);
// Capture the hostname between the scheme and the first slash (or the end of the string)
$referer = '';
if (isset($_SERVER['HTTP_REFERER'])
    && preg_match('/^https?:\/\/([^\/]+)/', $_SERVER['HTTP_REFERER'], $matches)) {
    $referer = $matches[1];
}
// if not, redirect to $error_page and stop. in_array() is used rather than
// array_search(), which returns 0 (falsy) for a match at the first position
if (!in_array($referer, $referers, true)) {
    header("Location: $error_page");
    exit();
}

// Check which method was used to send data, and sanitise it
$form = array();
if (count($_POST) > 0 || count($_GET) > 0) {
    if (count($_POST) > 0) {
        foreach ($_POST as $k => $v) {
            $form[strval($k)] = strip_tags(strval($v));
        }
    } else {
        foreach ($_GET as $k => $v) {
            $form[strval($k)] = strip_tags(strval($v));
        }
    }
} else {
    header("Location: $error_page");
    exit();
}

$message = "Form submitted from {$_SERVER['HTTP_REFERER']} at " . date('h:ia D jS F Y') . "\n\n";

// Convert the form data from an array into a string, ready for sending
foreach ($form as $k => $v) {
    $message .= "$k\t==>\t$v\n";
}

if (mail($to, $subject, $message, "From: $from")) {
    header("Location: $thanks_page");
} else {
    header("Location: $error_page");
}
exit();

?>

What do you think? Thanks in advance...

Regards,

Aidan
Dec 2 '05 #1
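The following is an added example, not Aidan's script, showing the three points a reviewer would raise about the code above written as a hardened version: the referer check as a strict allow-list (so a match at index 0 is not treated as "not found", and a missing or malformed header is rejected cleanly), CR/LF removal on every value that could later be placed in a mail header (strip_tags() does not do this), and a single decision function so that a redirect can never be followed by the mail still being sent. The hostnames, field names and sample requests are assumptions made for the demonstration.

```php
<?php
// Added example, not the original script. Hostnames, field names and the
// sample requests in the CLI block below are constructed for illustration.

// Extract a lowercase hostname from a Referer header value, or null if the
// header is absent or is not a plain http/https URL.
function referer_host(?string $referer): ?string
{
    if ($referer === null || $referer === '') {
        return null;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return strtolower($parts['host']);
}

// Strict allow-list test. in_array(..., true) is used instead of
// array_search(): a match at index 0 is returned as 0, which !array_search()
// treats as "not found". The Referer header is client-supplied, so this is a
// nuisance filter against casual misuse, not an authentication check.
function referer_is_allowed(?string $referer, array $allowed_hosts): bool
{
    $host = referer_host($referer);
    if ($host === null) {
        return false;
    }
    return in_array($host, array_map('strtolower', $allowed_hosts), true);
}

// strip_tags() removes markup but leaves CR/LF intact. Anything that may end
// up in a mail header (Subject:, From:, Reply-To:) must have line breaks
// removed, otherwise a submitted value can terminate the header it sits in.
function clean_header_value(string $value): string
{
    return trim(preg_replace('/[\r\n]+/', ' ', strip_tags($value)));
}

// Decide what the script should do for one request. Returning one decision
// (rather than calling header() and carrying on) makes it impossible to
// redirect to the error page and still send the mail, which is what happens
// when header("Location: ...") is not followed by exit().
function decide(array $server, array $post, array $allowed_hosts, array $expected_fields): array
{
    $referer = $server['HTTP_REFERER'] ?? null;
    if (!referer_is_allowed($referer, $allowed_hosts)) {
        return ['action' => 'error', 'reason' => 'bad referer'];
    }
    if (count($post) === 0) {
        return ['action' => 'error', 'reason' => 'no data'];
    }
    // Only the fields the form is known to have are copied; array-valued
    // inputs (field[]=...) are treated as empty rather than passed to strval().
    $fields = [];
    foreach ($expected_fields as $name) {
        $raw = $post[$name] ?? '';
        $fields[$name] = clean_header_value(is_string($raw) ? $raw : '');
    }
    $body = "Form submitted from " . clean_header_value($referer) . "\n\n";
    foreach ($fields as $k => $v) {
        $body .= "$k\t==>\t$v\n";
    }
    return ['action' => 'send', 'body' => $body, 'fields' => $fields];
}

if (PHP_SAPI === 'cli') {
    $allowed  = ['example.com', 'www.example.com'];
    $expected = ['name', 'email', 'comment'];

    // Constructed request: allowed referer, but a CR/LF inside the email field.
    $good = decide(
        ['HTTP_REFERER' => 'http://example.com/contact.html'],
        ['name' => 'Alice', 'email' => "alice@example.com\r\nX-Extra: value", 'comment' => '<b>hi</b>'],
        $allowed,
        $expected
    );
    var_dump($good['action'] === 'send');
    var_dump(strpos($good['fields']['email'], "\n") === false);

    // Constructed request: referer matches the FIRST allow-list entry. The
    // original !array_search() test rejects exactly this case.
    var_dump(referer_is_allowed('http://example.com/', $allowed));

    // Constructed request: a referer from elsewhere, or no referer at all.
    var_dump(decide(['HTTP_REFERER' => 'http://other.example.org/'], ['name' => 'x'], $allowed, $expected)['action'] === 'error');
    var_dump(decide([], ['name' => 'x'], $allowed, $expected)['action'] === 'error');
}
```

Run it with `php formmail_check.php` (any file name) to see the five checks; in a web context the caller would act on `decide()`'s result once, calling `mail()` for `send` and issuing exactly one `header('Location: ...')` followed by `exit()` for `error`.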