cbrams9
27 Jul 2009, 05:01 AM
Hi All,
Someone has created a PHP mailto script for me and then told me that his PHP knowledge was not great, i.e. validation or form security.
Looking at the code below, is this safe enough for me to use on a live website? Does it stop flooding/spam etc., and is it safe to be entered into the MySQL database as it is?
<? ob_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>example - Contact us</title>
<style type="text/css">
<!--
.style1 {color: #AEB6E8}
body {
background-image: url(images/background.png);
background-repeat: no-repeat;
background-color: #666699;
}
a:link {
color: #AEB6E8;
text-decoration: none;
}
a:visited {
text-decoration: none;
color: #333366;
}
a:hover {
text-decoration: underline;
color: #666699;
}
a:active {
text-decoration: none;
color: #AEB6E8;
}
body,td,th {
font-family: Arial, Helvetica, sans-serif;
}
-->
</style></head>
<body>
<div align="center">
<table width="804" border="1" align="center" cellpadding="0" cellspacing="0" bordercolor="#000033" bgcolor="#000033">
<tr>
<td width="800"><table width="800" cellspacing="0" cellpadding="0">
<tr>
<td><img src="images/banner.png" width="800" height="100" /></td>
</tr>
</table>
<table width="800" cellpadding="0" cellspacing="0" bgcolor="#000033">
<tr>
<td><img src="images/linkbanner.png" width="800" height="25" /></td>
</tr>
</table>
<table width="801" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td width="799" height="147" align="center" valign="top"><blockquote>
<p><img src="images/contactusbanner.png" width="500" height="80" /><br />
<br />
<?
$con = mysql_connect("localhost","huus_formz","formz");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
function check_email_address($email) {
// First, we check that there's one @ symbol,
// and that the lengths are right.
if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) {
// Email invalid because wrong number of characters
// in one section or wrong number of @ symbols.
return false;
}
// Split it into sections to make life easier
$email_array = explode("@", $email);
$local_array = explode(".", $email_array[0]);
for ($i = 0; $i < sizeof($local_array); $i++) {
if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) {
return false;
}
}
// Check if domain is IP. If not,
// it should be valid domain name
if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) {
$domain_array = explode(".", $email_array[1]);
if (sizeof($domain_array) < 2) {
return false; // Not enough parts to domain
}
for ($i = 0; $i < sizeof($domain_array); $i++) {
if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
return false;
}
}
}
return true;
}
mysql_select_db("huus_formz", $con);
//Get Values
$name = $_POST['name'];
$email = $_POST['email'];
$about = $_POST['about'];
$types = $_POST['types'];
$messages = $_POST['message'];
$message = stripslashes($messages);
if (empty($message) && empty($email)){
print "No email address and no message was entered. <br>Please include an email and a message";
}
//if no message entered send print an error
elseif (empty($message)){
print "No message was entered.<br>Please include a message.<br>";
}
//if no email entered send print an error
elseif (empty($email)){
print "No email address was entered.<br>Please include your email. <br>";
}
//Check If Valid Email Address
elseif (!check_email_address($email)){
print "The Email Address You Entered Is Not A Valid Email .<br>Please Enter A Valid Email Address. <br>";
}
//if the form has both an email and a message
else {
if (!empty($name)) {
print "<b>Thank you $name.</b><br>";
}
// $types is the array of checked boxes; join it into a string before using it
// ($types itself would be rendered by PHP as the word "Array")
$ctypes = '';
$screen_ctypes = '';
for ($i=0;$i<count($types);$i++){
$ctypes= $ctypes . "\n$types[$i]";
$screen_ctypes= $screen_ctypes . "\n$types[$i]";
}
print "<p><b>The following message has been sent</b> <br /><br /> You Will Be Redirected To Contact Page Soon";
$body= 'Name:- ' . $name . '<br /><br /> Email:- ' . $email . '<br /><br /> How did you hear about us:- ' . $about . '<br /><br /> What is your question regarding:- ' . $ctypes . '<br /><br /> Message <br /><br />' . $message;
//mail the form contents
mail( "email address", "Contact Form", $body, "From: $email" );
$sql = "INSERT INTO Contact (name, email, about, types, message) VALUES ('$name','$email','$about','$ctypes','$message')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
header("refresh: 2; web address/contactus.php");
}
?>
<br /></td>
</tr>
</table>
<p> <br />
<br />
<br />
<br />
<br />
</p></td>
</tr>
</table>
<table width="800" cellpadding="0" cellspacing="0" bgcolor="#000033">
<tr>
<td><div align="center"><span class="style1"><a href="index.html">Home</a> | <a href="productsone.html">Products</a> | <a href="wheretofindus.html">Where to find us </a>| <a href="contactus.php">Contact us</a> | <a href="sitemap.html">Site map</a> <br />
Layout, design and revisions © 2009 , <a href="index.html">Text</a>.<br />
Designed and built by <a href="http://www.address.co.uk">C&C Web Designs</a>.</span></div></td>
</tr>
</table></td>
</tr>
</table>
</div>
</body>
</html>
Many thanks
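Added example, not the poster's script: the same contact form reworked the way a security review of the code above would ask for. The posted handler concatenates `$name`, `$email`, `$about`, `$types` and `$message` straight from `$_POST` into the `INSERT` statement (and `stripslashes()` strips whatever escaping the message had), builds the `From:` mail header from `$email` with nothing but the `ereg()` validator between a visitor and an extra header line (the validator never explicitly rejects CR or LF), prints `$name` back into the page unescaped, shows `mysql_error()` to the visitor, keeps the database password in the page source, and has no throttle or honeypot against flooding. `ereg()` and the `mysql_*` extension were also removed in PHP 7. The version below uses a PDO prepared statement so visitor text is bound as data, `filter_var()` plus an explicit CR/LF check on the address, a fixed `From:` on our own domain with the visitor in `Reply-To:`, `htmlspecialchars()` on everything echoed, a hidden honeypot field and a per-session rate limit. It assumes PHP 7.4 or later with PDO_MYSQL and mbstring, the `Contact(name, email, about, types, message)` table from the post, and placeholder values for the database credentials, the recipient address and the redirect target; the `website` honeypot input is likewise my assumption and has to be added to the HTML form.

```php
<?php
// Added example, not the original poster's script: the same contact form with the
// injection points closed. Assumes PHP 7.4+ with PDO_MYSQL and mbstring, and the same
// Contact(name, email, about, types, message) table as the post. DB credentials,
// the recipient address and the redirect target are placeholders.
declare(strict_types=1);
ob_start();
session_start();

// Reject any address that fails filter_var or carries characters that could start
// a new mail header (CR, LF, NUL).
function valid_sender(string $email): bool {
    if ($email === '' || strlen($email) > 254 || preg_match('/[\r\n\0]/', $email)) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Read the fields with length limits; 'types' is the checkbox array, joined with ', '
// (the original concatenated the array itself, which PHP renders as the string "Array").
function read_form(array $post): array {
    $field = function (string $key, int $max) use ($post): string {
        $v = isset($post[$key]) && is_string($post[$key]) ? trim($post[$key]) : '';
        return mb_substr($v, 0, $max);
    };
    $types = [];
    foreach ((array)($post['types'] ?? []) as $t) {
        if (is_string($t)) {
            $types[] = mb_substr(trim($t), 0, 64);
        }
    }
    return [
        'name'     => $field('name', 100),
        'email'    => $field('email', 254),
        'about'    => $field('about', 100),
        'types'    => implode(', ', $types),
        'message'  => $field('message', 4000),
        'honeypot' => $field('website', 255), // hidden input; real visitors leave it empty
    ];
}

// Per-session throttle against flooding: at most $limit submissions per $window seconds.
function allow_submission(array &$session, int $now, int $limit = 3, int $window = 600): bool {
    $recent = array_values(array_filter($session['contact_times'] ?? [], fn($t) => $t > $now - $window));
    $allowed = count($recent) < $limit;
    if ($allowed) { $recent[] = $now; }
    $session['contact_times'] = $recent;
    return $allowed;
}

// Prepared statement: the visitor's text is bound as data and never spliced into SQL.
function store_contact(PDO $db, array $f): void {
    $stmt = $db->prepare(
        'INSERT INTO Contact (name, email, about, types, message) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$f['name'], $f['email'], $f['about'], $f['types'], $f['message']]);
}

// HTML-escape anything that came from the visitor before echoing it (blocks reflected XSS).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$f = read_form($_POST);
$errors = [];
if ($f['honeypot'] !== '')                { $errors[] = 'Submission rejected.'; }
if ($f['message'] === '')                 { $errors[] = 'Please include a message.'; }
if (!valid_sender($f['email']))           { $errors[] = 'Please enter a valid email address.'; }
if (!allow_submission($_SESSION, time())) { $errors[] = 'Too many messages, please try again later.'; }

if ($errors) {
    foreach ($errors as $e) { echo h($e), '<br>'; }
    exit;
}

try {
    $db = new PDO('mysql:host=localhost;dbname=huus_formz;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    store_contact($db, $f);
} catch (PDOException $e) {
    error_log('contact form: ' . $e->getMessage()); // log the detail, never echo it to the visitor
    echo 'Sorry, your message could not be saved.';
    exit;
}

// Plain-text mail. From is fixed to our own domain; the visitor's address goes in Reply-To,
// and since valid_sender() rejected CR/LF there is nothing left to inject a Bcc: with.
$body = "Name: {$f['name']}\nEmail: {$f['email']}\nHow did you hear about us: {$f['about']}\n"
      . "Question regarding: {$f['types']}\n\n{$f['message']}\n";
$headers = "From: contact-form@example.com\r\nReply-To: {$f['email']}\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
mail('recipient@example.com', 'Contact Form', $body, $headers);

if ($f['name'] !== '') { echo '<b>Thank you ', h($f['name']), '.</b><br>'; }
echo '<p><b>The following message has been sent.</b><br>You will be redirected to the contact page shortly.';
header('Refresh: 2; url=/contactus.php');
```

The honeypot only works if the form carries a field a browser user never sees, e.g. `<input type="text" name="website" style="display:none" tabindex="-1" autocomplete="off">`; bots that fill every input trip it. Putting a fixed address of your own in `From:` rather than the visitor's also keeps the mail deliverable once the receiving server checks SPF/DMARC for your domain, which is a second reason, besides header injection, not to copy the `"From: $email"` pattern from the original. The session-based throttle is deliberately simple; for anything public-facing you would back it with a store keyed on client IP as well, since a bot that discards cookies gets a fresh session every request.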