2 Replies Latest reply on May 15, 2006 5:10 AM by Newsgroup_User

    PHP Spam

    roonaldo_efc
      I put a PHP contact form on my site and for a while it worked fine. Lately I've been getting spammed to death. Is there any way to set up the PHP page so it doesn't contain my email address? I assume that's what's causing the problem. Here's the code for my form and from the PHP response page:

      <form action="process.php" method="post" onSubmit="MM_validateForm('subject','','R','from','','RisEmail');return document.MM_returnValue">
      <input type="hidden">
      <p><input type="text" name="subject"></p>
      <p><input type="text" name="from"></p>
      <p><textarea name="message" rows="3" cols="40"></textarea>

      </p>
      <input type="submit" value="Send the info">
      <input type="reset" value="Clear the form">
      </form>


      The PHP element:

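      <?php
      // Form fields exactly as submitted; nothing is validated on the server.
      $from = $_POST['from'];
      $subject = $_POST['subject'];
      $message = $_POST['message'];

      $to = "simon@xxx.com";

      // The submitted "from" value is copied straight into three headers.
      $headers = "From: " . $from . "\r\n";
      $headers .= "Reply-To: " . $from . "\r\n";
      $headers .= "Return-Path: " . $from . "\r\n";

      if ( mail($to,$subject,$message,$headers) ) {
      echo "Thank you for contacting Cornfield Designs. We will be in touch with you directly. Please feel free to continue to browse our site.";
      } else {
      echo "The email has failed, please contact us by phone on ";
      }
      ?>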

      Thanks in advance

      Simon
        • 1. Re: PHP Spam
          You're using PHP, so why are you still validating with JavaScript?

          Bad, bad, bad!

          Validate with PHP.

          --
          Shane H
          shane@NOSPAMavenuedesigners.com
          http://www.avenuedesigners.com


          • 2. Re: PHP Spam
            You may want to look into Header Injection Attacks:
            http://www.securephpwiki.com/index.php/Email_Injection?seenIEPage=1

            Since you let the user type in anything they want in the "from" field, your
            form is susceptible to this attack.
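
Added example (not code from any poster in this thread): a server-side version of process.php that applies both replies above, validating in PHP rather than JavaScript and rejecting CR/LF in the "from" and "subject" values before they reach mail(). The two example.com addresses and the 150-character subject limit are assumptions.

```php
<?php
// Added example, not from the thread. Field names match the posted form;
// the two example.com addresses and the length limit are placeholders.

function field(array $post, string $name): string
{
    // Treat missing or non-string input (e.g. from[]=x) as empty.
    $value = $post[$name] ?? '';
    return is_string($value) ? trim($value) : '';
}

function validate_submission(array $post): ?array
{
    $from    = field($post, 'from');
    $subject = field($post, 'subject');
    $message = field($post, 'message');

    // CR, LF or NUL in a header value would let the sender end that header
    // and append their own (Bcc:, Cc:, ...), so such input is rejected.
    if (preg_match('/[\r\n\0]/', $from . $subject)) {
        return null;
    }
    if ($subject === '' || $message === '' || strlen($subject) > 150) {
        return null;
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return ['from' => $from, 'subject' => $subject, 'message' => $message];
}

$fields = validate_submission($_POST);
if ($fields === null) {
    http_response_code(400);
    exit('Please check the form and try again.');
}

// From is fixed to an address on the site's own domain; the visitor's
// validated address appears only in Reply-To.
$headers  = "From: webform@example.com\r\n";
$headers .= "Reply-To: " . $fields['from'] . "\r\n";

if (mail('owner@example.com', $fields['subject'], $fields['message'], $headers)) {
    echo 'Thank you for contacting us.';
} else {
    echo 'The email has failed.';
}
```

The JavaScript check on the form can stay as a convenience for visitors, but a request posted directly to process.php never runs it, so the PHP checks are the ones that count.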