if (preg_match("|\r\n|", $_POST['email'])){
die("Spammer.");
}
if (preg_match("|\r\n|", $_POST['subject'])){
die("Spammer.");
}
//and so on for anything you put into headers.
//body can contain newlines, of course.
On Sat, June 9, 2007 8:22 pm, Austin C wrote:
> how can I tell them not to include new lines?
>
> On 6/9/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
>>
>> The return value of http://php.net/mail only says whether or not PHP
>> managed to queue up the email to go out.
>>
>> It does *NOT* imply that the email actually went anywhere.
>>
>> If your server isn't running through the queues and sending the
>> emails, they don't go out.
>>
>> If your server is rejecting the emails as it runs through the queue,
>> they don't go out.
>>
>> If your mail reader is marking them as spam and trashing them before
>> you see them, they went out, but you never got them.
>>
>> *ALSO*, and this is aboslutely crucial, if you DO get email to go
>> out,
>> you've just built an OPEN RELAY that will cheerfully send out
>> MILLIONS
>> of spam mail! DON'T DO THAT!!!
>>
>> The problem is that a Bad Guy can put something like this in
>> POST['contact']:
>>
>> "example@xxxxxxxxxxx>
>> victim1@xxxxxxxxxxx
>> victim2@xxxxxxxxxxx
>> victim3@xxxxxxxxxxx
>> .
>> .
>> .
>> victim999@xxxxxxxxxxx
>> <example@xxxxxxxxxxx"
>>
>> YOUR email script will then spew the same message to 1000 users!
>>
>> You need to sanitize user input -- Emails and names, for example,
>> should NOT contain newlines.
>>
>> On Fri, June 8, 2007 8:48 pm, Austin C wrote:
>> > Hello, I just finished making a PHP contact form for my webite,
>> and I
>> > can
>> > run through the whole thing, and get no errors, but it doesnt
>> email me
>> > the
>> > form contents.
>> >
>> > *Here is th actual form page:*
>> > <?php include("../header.php"); ?>
>> > <td bgcolor="#BFC4CB"><b><font color="#333333">Contact
>> > Me</font></b></td>
>> > </tr>
>> > </table>
>> > </td>
>> > </tr>
>> > <tr>
>> > <td bgcolor="#BFC4CB">
>> > <p>
>> > <font color="#333333">
>> > Please use this form to contact me:
>> > <p>
>> > <br><center><form action="processcontactform.php" method="post">
>> > Name: <input type="text" name="name" size="20">
>> > <br>Email Address/Method of Contact: <input type="text"
>> name="contact"
>> > size="30">
>> > <br>Reason for Contact: <select name="reasonforcontact">
>> > <option value="question">Question</option>
>> > <option value="suggestion">Suggestion</option>
>> > <option value="gcomment">General Comment</option>
>> > <option value="fanmail">Fan Mail</option>
>> > <option value="other">Other</option>
>> > </select>
>> > <br>Message: <br><textarea name="message1" rows="10"
>> > cols="30"></textarea>
>> > <br><input type="submit" value="send">
>> > </form></center>
>> > <?php include("../footer.php"); ?>
>> >
>> > *Here is the form page processor:*
>> > <?php include("../header.php"); ?>
>> > <td bgcolor="#BFC4CB">
>> > <b>
>> > <font color="#333333">Processing your information . .
>> > .</font></b></td>
>> > </tr>
>> > </table>
>> > </td>
>> > </tr>
>> > <tr>
>> > <td
>> bgcolor="#BFC4CB">
>> > <p>
>> > <font
>> color="#333333">
>> > <?php
>> > $name = $_POST['name'];
>> > $email = $_POST['contact'];
>> > $reason = $_POST['reasonforcontact'];
>> > $message = $_POST['message1'];
>> >
>> > $to = "webmaster@xxxxxxxxxxxxxxxxxxxxxx";
>> >
>> > $subject = "Contact Form Submitted at GWD-Dev";
>> >
>> > $body = "Hello Austin,
>> >
>> > ".$name." has sent in a contact form at GWD-Dev. The reason
>> he/she
>> > contacted you was for ".$reason.". Here is the message they
>> submitted
>> > with
>> > their form:
>> >
>> >
>> >
>> > ".$message."
>> >
>> > The contact field of the form contained the following
>> information:
>> > ".$email."
>> > Please remember to get back to them ASAP!!";
>> >
>> > $headers = "From: ".$name." <".$email.">\n";
>> >
>> >
>> >
>> > echo "Collecting information . . . . . . . . . . DONE!<p>";
>> >
>> > $mail_sent = @mail($to, $subject, $body, $headers);
>> >
>> > echo $mail_sent ? "<br>Sending contact form to webmaster . . . .
>> . .
>> > . .
>> > DONE!<p>" : "<script>alert('The mail did not go
>> through')</script>";
>> >
>> >
>> > echo "<br>. . . . . . . . . . . . . . . . . . . . . . . . . . . .
>> . .
>> > . . .
>> > . . . .<p>";
>> >
>> > echo "<br>Thank you for contacting us, please expect a reply in
>> > anywhere
>> > from 1 to 24 hours. Make sure that our email address,
>> > galacticneo@xxxxxxxxx&
>> > webmaster@xxxxxxxxxxxxxxxxxxxxxx, are not sent to your spam
>> folder.";
>> >
>> >
>> > include("../footer.php"); ?>
>> >
>> > --
>> > Thanks, the webmaster of Galacticneo
>> >
>>
>>
>> --
>> Some people have a "gift" link here.
>> Know what I want?
>> I want you to buy a CD from some indie artist.
>> http://cdbaby.com/browse/from/lynch
>> Yeah, I get a buck. So?
>>
>>
>
>
> --
> Thanks, the webmaster of Galacticneo
>
--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
