PHP Contact form with some Anti header injection and simple URL spam filtering

<?php
/*
//   LOOK AT THE FORM AT THE END AND MAKE CHANGES TO THE FIELDS
//   REFLECT THOSE CHANGES IN THE FIELDS LISTED BELOW TOO!
//
//   THIS SCRIPT IS RELEASED AS IS FOR YOUR OWN USE AND TESTING
//   YOU MAY MODIFY IT BUT YOUR MODIFICATIONS MUST ALSO BE RELEASED
//   UNDER THE SAME LICENCE/CONDITIONS
//
//   The latest version will be available via
//   http://www.liamdelahunty.com/tips/contact_form.php
//   Please consider a donation if this script is useful to you
//   Please retain this notice in your script, and in all subsequent versions.
//   
//   You may remove the link to my page in the form
//   
*/

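//   UPDATE THESE FIELDS
// SERVER_NAME can follow the request's Host header unless the web server
// canonicalises it, which would let a client steer where this form delivers;
// replace it with a fixed address before deploying.
$server_name = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';
$email_to = "contact.form@$server_name"; // UPDATE TO YOUR EMAIL
// $SCRIPT_URI was a register_globals alias of $_SERVER['SCRIPT_URI'], which only
// some servers populate. CR/LF are replaced because this string becomes the
// Subject: header passed to mail().
$script_uri = isset($_SERVER['SCRIPT_URI']) ? $_SERVER['SCRIPT_URI'] : '';
$email_subject = str_replace(array("\r", "\n"), ' ', "$script_uri Contact Form"); // UPDATE SUBJECT
$send_server_data = 1; // send the server vars - 0=no, 1=yes
//   list of required fields make sure the name is same in form.
$required = array("email", "comments");
//    List of all the fields that SHOULDN'T have CR/LF in them;
//    Unposted fields are skipped: the original indexed $_POST directly and
//    raised an "undefined index" notice for each of them on first view.
$crlf_fields = array("name", "email", "hear_about_us", "newsletter", "submit");
$crlftest = "";
foreach ($crlf_fields as $field) {
   if (isset($_POST[$field]) && is_scalar($_POST[$field])) {
      $crlftest .= $_POST[$field];
   }
}
$crlftest = urldecode($crlftest);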

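/**
 * Open a table row for one form field, giving the first cell the "err" class
 * when that field has a validation message.
 *
 * @param array|null $err_array  field name => error message, as built by check_required()
 * @param string     $fieldname  form field being rendered
 */
function table_errs($err_array, $fieldname)
{
   // Guarded lookup: before the first submission $err_array is not an array at
   // all, and most fields have no entry, so the original bare index raised an
   // "undefined index" notice on nearly every row.
   $has_error = is_array($err_array) && !empty($err_array[$fieldname]);
   print ("<tr>");
   print ($has_error ? "<td class=err>" : "<td>");
}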

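/**
 * Record an error in the global $err_array when a required field was posted empty.
 *
 * @param array  $required   names of the mandatory form fields
 * @param string $fieldname  the field to check (a $_POST key)
 * @return array the error map, which is also left in the global for callers that read it there
 */
function check_required($required, $fieldname)
{
   global $err_array;
   if (!is_array($err_array)) {
      $err_array = array();
   }
   // strict: a numeric field name arrives as an int key, and the loose
   // in_array() treated 0 as equal to "email" on PHP before 8.0.
   if (in_array($fieldname, $required, true)) {
      // An absent key counts as empty; indexing $_POST directly raised a notice
      // for fields that were not posted at all.
      $posted = isset($_POST[$fieldname]) ? $_POST[$fieldname] : '';
      if ($posted === '') {
         // The field name is a client-chosen $_POST key and this message is
         // printed as HTML, so it is escaped.
         $safe_name = htmlspecialchars($fieldname, ENT_QUOTES);
         $err_array[$fieldname] = "<b>Sorry</b> $safe_name is required.<br>";
      }
   }
   return $err_array;
}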

   if (!function_exists("stripos")) {
      function stripos($str,$needle,$offset=0)
      {
         return strpos(strtolower($str),strtolower($needle),$offset);
      }
   }

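// The submit button is read from $_POST: the original tested a bare $submit,
// which only existed under register_globals (removed in PHP 5.4).
$submit = !empty($_POST['submit']);
if (!isset($err_array) || !is_array($err_array)) {
   $err_array = array();
}
$err_count = 0;
$message = '';

// Copy only the known form fields into the plain variables the form below
// reads ($name, $email, ...). The original ran `$$key = $value` over the whole
// of $_POST, so a client could overwrite $email_to, $required, $nasties or
// $err_array simply by posting a field of that name - including redirecting
// the mail to an address of their choosing.
$form_fields = array('name', 'email', 'comments', 'hear_about_us', 'newsletter');
foreach ($form_fields as $field) {
   $$field = (isset($_POST[$field]) && is_scalar($_POST[$field])) ? (string) $_POST[$field] : '';
}

if ($submit) {
   // Header keywords that have no business inside a contact-form field.
   $nasties = array("Content-Type:", "To:", "Cc:", "Bcc:");

   if ($email != "") {
      $email = trim($email);
      // preg_match() replaces the ereg() call removed in PHP 7. The pattern is
      // anchored: $email becomes the From: header below, and the unanchored
      // original accepted any string that merely contained an address.
      if (!preg_match('/^[_a-zA-Z0-9\-\.]+@[_a-zA-Z0-9\-]+(\.[_a-zA-Z0-9\-]+)+$/', $email)) {
         $safe_email = htmlspecialchars($email, ENT_QUOTES);
         // quoted key: the bare `email` constant is a fatal error on PHP 8
         $err_array['email'] = "<b>Sorry</b> your email address ($safe_email) doesn't appear to be valid<br>";
      }
   }

   // lets check all the fields
   foreach ($_POST as $key => $value) {
      // Field names are client-chosen and are echoed back inside the messages.
      $safe_key = htmlspecialchars($key, ENT_QUOTES);

      if (!is_scalar($value)) {
         // e.g. a field posted as name="x[]": substr_count() cannot take an array.
         $err_array[$key] = "<b>Error</b> Unexpected value in $safe_key.";
         continue;
      }
      $value = (string) $value;

      // Annoying URL spams in comments any field
      $http = substr_count($value, "http");
      $href = substr_count($value, "href");
      $url = substr_count($value, "[url");
      if ($http > 1 || $href > 1 || $url > 1) {
         $err_array[$key] = "<b>Sorry</b> That looks a bit spammy. Rewrite it please.<br> $safe_key - $http $href $url";
      }

      foreach ($nasties as $nasty) {
         if (stripos($value, $nasty) !== false) {
            $err_array[$key] = "<b>Error</b> No need for $nasty in $safe_key.";
         }
      }

      // Check if the field is required (the result lands in the global $err_array)
      check_required($required, $key);
   }
   // A required field that was left out of the POST entirely never enters the
   // loop above, so those are checked explicitly.
   foreach ($required as $field) {
      if (!isset($_POST[$field])) {
         check_required($required, $field);
      }
   }

   // CR/LF in the single-line fields collected into $crlftest at the top of the
   // file (the eregi() calls were removed in PHP 7).
   if (strpos($crlftest, "\r") !== false || strpos($crlftest, "\n") !== false) {
      $err_array[] = "<b>Error</b> One of more fields has a suspect content.";
   }

   // Referer check. Privacy tools strip it, translation proxies rewrite it, and
   // a client can set it to anything, so it is a nuisance filter rather than
   // authentication. SCRIPT_URI is only populated by some servers; where it is
   // missing this comparison fails on every submission - confirm on your host.
   $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
   $script_uri = isset($_SERVER['SCRIPT_URI']) ? $_SERVER['SCRIPT_URI'] : '';
   if (preg_replace('/\?.*/', '', $referer) !== $script_uri) {
      $err_array[] = "<b>Error</b> Referer is not from this page. Your form can not be sent. Please contact via the email link below.";
   }

   if (count($err_array) == 0) { // no errors send message
      foreach ($_POST as $key => $value) {
         $message .= "$key:\n$value\n\n";
      }

      if ($send_server_data) {
         // This mails every $_SERVER entry, which can include the client's
         // cookies and whatever the environment exposes to the script.
         $message .= "\n\nSERVER:\n";
         foreach ($_SERVER as $key => $value) {
            $message .= "$key:\n$value\n\n";
         }
      }

      // $email matched the anchored pattern above, so it cannot carry extra header lines.
      $email_headers = "From: $email\n";
      // No @-suppression: a failed send is reported instead of a false "Thank you".
      if (mail($email_to, $email_subject, $message, $email_headers)) {
         $safe_name = htmlspecialchars($name, ENT_QUOTES);
         print ("<p><b>Thank you $safe_name.</b></p>");
      } else {
         $err_array[] = "<b>Error</b> Your message could not be sent. Please contact via the email link below.";
      }
   }

   $err_count = count($err_array);
   if ($err_count != 0) {
      print ("<p class=err>Please correct the $err_count error(s):<br>");
      // foreach replaces the each() loop, which PHP 8 removed
      foreach ($err_array as $value) {
         print ("$value<br>");
      }
      print ("</p>");
   }
}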

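// Render the form. Values are re-read from $_POST (register_globals is gone)
// and escaped, because they are echoed straight into attribute values and
// element content of the page.
$submitted = !empty($_POST['submit']);
$show_form = !$submitted || !empty($err_count);
if (!isset($err_array) || !is_array($err_array)) {
   $err_array = array();
}
$form = array();
foreach (array('name', 'email', 'comments', 'hear_about_us') as $field) {
   $raw = (isset($_POST[$field]) && is_scalar($_POST[$field])) ? (string) $_POST[$field] : '';
   $form[$field] = htmlspecialchars($raw, ENT_QUOTES);
}
// PHP_SELF carries the path the client requested, so it is escaped as well.
$action = isset($_SERVER['PHP_SELF']) ? htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) : '';

if ($show_form) {
   print ("<p>Please use the form to send us a message.</p>");
}
print ("<form action=\"$action\" method=\"POST\">");
print ("<table>\n");

table_errs($err_array, "name");
print ("Your name: </td><td><input type=\"text\" size=35 name=\"name\" value=\"{$form['name']}\"></td></tr>\n");

table_errs($err_array, "email");
print ("Your email (required): </td><td><input type=\"Text\" size=35 name=\"email\" value=\"{$form['email']}\"></td></tr>\n");

table_errs($err_array, "comments");
print ("Your comments</td><td><textarea name=\"comments\" cols=\"29\" rows=\"4\">{$form['comments']}</textarea></td></tr>\n");

table_errs($err_array, "hear_about_us");
print ("How did hear about us?</td><td><input type=\"Text\" size=35 name=\"hear_about_us\" value=\"{$form['hear_about_us']}\"></td></tr>\n");

print ("<tr><td>Would you like to receive our occasional newsletter?</td><td><input type=\"Checkbox\" name=\"newsletter\" checked></td></tr>\n");
if ($show_form) {
   print ("<tr><td>&nbsp;</td><td><input name=\"submit\" type=\"Submit\" value=\"Send\"></td></tr>\n");
} else {
   print ("<tr><td>&nbsp;</td><td><b>Request Submited</b></td></tr>\n");
   print ("<tr><td colspan=\"2\" align=\"center\">Contact form from <a href=\"http://www.liamdelahunty.com/tips/\">Liam Delahunty's Hints and Tips</a></td></tr>\n");
}
print ("</table>");
print ("</form>");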
?>

<?php
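/**
 * Encode every byte of $str as a decimal HTML entity (&#NN;), used below to
 * obscure the mailto: address.
 *
 * The original wrote its result only into the global $encoded and returned
 * nothing; the global is still set for that caller, and the string is now
 * returned as well.
 *
 * @param string $str
 * @return string
 */
function ascii_encode($str)
{
   global $encoded;
   $encoded = "";
   $len = strlen($str);
   for ($i = 0; $i < $len; $i++) {
      // One byte at a time. The original passed substr($str, $i) - the whole
      // remainder of the string - which ord() then reduced to its first byte.
      $encoded .= '&#' . ord($str[$i]) . ';';
   }
   return $encoded;
}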

// Print the recipient address as an entity-encoded mailto: link;
// ascii_encode() leaves its result in the global $encoded.
ascii_encode($email_to);
print ('<p><a href="mailto:' . $encoded . '">' . $encoded . '</a></p>');

?>
