  1. #1 Regular Coder (Join Date: May 2004, Posts: 144)

    mail() and php validation

    Hi,

    I have a simple form that sends email using mail(). There are only 4 fields:
    first name, last name, email address, message

    I plan on validating the email address, and on stripping tags in the message. But how much validation does anyone think the other fields need? I'm more concerned with spamming.

    thanks for any opinions,
    c.c.

  • #2 Regular Coder meth (Join Date: Jan 2003, Posts: 262)
    There are two types of spambots to check for: email and links. Email spambots will try to inject additional mail addresses to send to in the mail headers. Link spambots will try to submit the form with 10 to 20 links in the message.

    To combat email spam, do stristr() searches on the POST values for 'CC:', 'BCC:', 'Content-Transfer-Encoding:', 'Subject:', 'Content-Type' and 'MIME-Version'. If any of these strings are found, you have a spambot or a tester feeling out your form for exploitability. I'd advise doing a header('Location: http://spam.abuse.net/'); if any of these strings are found.

    To check for link spamming, do stristr() searches on the POST values for '=http:', '="http:', and '= http:'. How you proceed with search results is up to you. If the string is found 10 or more times, I consider this spam and send the user on their way to spam.abuse.net. For fewer than 10 hits, however, my preference is to just output a message to the user asking them to format the message with links as plain text, no HTML.
    Last edited by meth; 05-29-2007 at 11:36 PM. Reason: typo
    I do Web Design, Brisbane based.
    More time spent in PHP/MySQL Web Development.
    And Search Engine Optimisation takes up the rest of it.
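    An added example, not code from this thread, showing why the header names listed above matter: the moment a submitted field is concatenated into the additional_headers argument of mail(), a CR/LF in that field ends the current header line and whatever follows becomes a new header (or, after a blank line, a new body). The vulnerable builder below is paired with a hardened one that refuses line breaks and validates the address. Function names, field names and the two sample submissions are constructed for the example; nothing here calls mail(), so it runs offline.

```php
<?php
// Added example (not from the original thread). Shows why a raw e-mail
// header built from $_POST is injectable, and one hardened alternative.
// The function names below are hypothetical; nothing calls mail().

// VULNERABLE: the sender address goes straight into the header string.
// A value containing "\r\n" terminates the From: line, so the rest of the
// value is delivered to the MTA as additional headers (and, after an empty
// line, as a replacement body).
function build_headers_vulnerable(string $email, string $first, string $last): string
{
    return "From: $first $last <$email>\r\n"
         . "Reply-To: $email\r\n";
}

// HARDENED: refuse any single-line field that contains CR, LF or NUL,
// require a syntactically valid address, and quote the display name.
// Returns null when the submission must be rejected.
function build_headers_hardened(string $email, string $first, string $last): ?string
{
    foreach ([$email, $first, $last] as $field) {
        if (preg_match('/[\r\n\0]/', $field)) {
            return null;            // header injection attempt
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                // not a usable address
    }
    $name = trim(preg_replace('/\s+/', ' ', $first . ' ' . $last));
    // quoted display name so characters like "<" cannot alter the address
    $name = '"' . str_replace('"', '', $name) . '"';
    return "From: $name <$email>\r\n"
         . "Reply-To: $email\r\n";
}

// Constructed inputs: one legitimate submission and one injection payload
// that tries to add Bcc: recipients and its own message body.
$legit   = ['email' => 'alice@example.com', 'first' => 'Alice', 'last' => 'Smith'];
$payload = [
    'email' => "alice@example.com\r\nBcc: victim1@example.net, victim2@example.org\r\n\r\nBuy now!",
    'first' => 'Alice',
    'last'  => 'Smith',
];

foreach (['legit' => $legit, 'payload' => $payload] as $label => $p) {
    echo "== $label / vulnerable ==\n";
    echo build_headers_vulnerable($p['email'], $p['first'], $p['last']), "\n";
    echo "== $label / hardened ==\n";
    $h = build_headers_hardened($p['email'], $p['first'], $p['last']);
    echo $h === null ? "REJECTED\n" : $h, "\n";
}
```

    Run it and compare the two outputs for the payload: the vulnerable builder emits a separate `Bcc:` line followed by an empty line and "Buy now!", which is exactly what the spambot wants the MTA to see; the hardened builder returns null before any header is assembled. The line-break check is the important one: it catches the injection whether or not the attacker's text happens to contain one of the header names a keyword search looks for.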

  • #3 Regular Coder (Join Date: May 2004, Posts: 144)
    Thank you for your reply. I never ran into the need for this kind of validation before and always like to be secure with forms and input.

  • #4 Regular Coder (Join Date: May 2004, Posts: 144)
    I've fixed the code up some, but I now realize I can't use an array as the 2nd argument in
    PHP Code:
    function ValSpam(){
        $array = array('cc:', 'bcc:', 'content-transfer-encoding:', 'subject:', 'content-type:', 'mime-version:', '=http:', '="http:', '= http:');
        foreach ($_POST as $value){
            // stristr() expects a single string needle; passing $array here is the problem described below
            if (stristr($value, $array)){
                echo '<font color="red"><b>Sorry</b></font><p>';
            }
        }
    }
    I can do one argument at a time but not search through the array for it.
    Last edited by ClubCosmic; 05-30-2007 at 02:41 AM.

  • #5 Regular Coder meth (Join Date: Jan 2003, Posts: 262)
    Try something along these lines:

    PHP Code:
    if ( isset($_POST['Submit']) ) {

        // concatenate POST vars to $strHaystack
        $strHaystack = '';

        foreach ($_POST as $index => $value){
            $strHaystack .= $value;
        }

        // string needle array assignments
        $needles[] = "MIME-Version";
        $needles[] = 'Content-Type';
        $needles[] = 'Content-Transfer-Encoding';
        $needles[] = 'Subject:';
        $needles[] = 'CC:';
        $needles[] = 'BCC:';

        $spammer_detected = false;

        // one loop over the needles, each tested against the whole haystack
        foreach ($needles as $k => $v){
            if( stristr($strHaystack, $v) ){
                $spammer_detected = true;
                break;
            }
        }

        if ( $spammer_detected ) {
            //do as you will to spammer
        } else {
            //proceed with sending email
        }

    }
    //end form submitted
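    An added example, not code from the thread, that generalises the haystack/needle loop just above together with the link-count rule from post #2: it returns a verdict and a reason instead of a bare flag, distinguishes the 10-or-more "spam" case from the 1-to-9 "please resend as plain text" case, and checks single-line fields for a raw line break before looking for any header name, since a CR/LF in the email or name field is already enough to inject a header. The function name, the thresholds as constants and the five sample submissions are constructed for this example; in a real form `$_POST` would be passed in place of each sample.

```php
<?php
// Added example (not from the original thread). Generalised form of the
// needle/haystack check: returns a verdict plus the reason it fired.
// Names and sample data are constructed for the example.

const HEADER_NEEDLES = [
    'MIME-Version', 'Content-Type', 'Content-Transfer-Encoding',
    'Subject:', 'CC:', 'BCC:',
];
const LINK_NEEDLES = ['=http:', '="http:', '= http:'];
const LINK_SPAM_THRESHOLD = 10;     // 10 or more link attributes = spam

// $fields is the submitted form (normally $_POST); $message_field names the
// one free-text field that is allowed to contain line breaks.
function classify_submission(array $fields, string $message_field = 'message'): array
{
    // Single-line fields must never contain a line break: that alone is
    // enough to inject a header, whatever text follows it.
    foreach ($fields as $name => $value) {
        if ($name !== $message_field && preg_match('/[\r\n]/', (string) $value)) {
            return ['verdict' => 'spam', 'reason' => "line break in field '$name'"];
        }
    }

    // Concatenate every field into one haystack, as in the post above.
    $haystack = implode("\n", array_map('strval', $fields));

    // Header keywords anywhere (including the message body) mean a bot is
    // trying to smuggle in MIME headers or extra recipients.
    foreach (HEADER_NEEDLES as $needle) {
        if (stristr($haystack, $needle) !== false) {
            return ['verdict' => 'spam', 'reason' => "header needle '$needle'"];
        }
    }

    // Count HTML link attributes case-insensitively.
    $links = 0;
    foreach (LINK_NEEDLES as $needle) {
        $links += substr_count(strtolower($haystack), strtolower($needle));
    }
    if ($links >= LINK_SPAM_THRESHOLD) {
        return ['verdict' => 'spam', 'reason' => "$links link attributes"];
    }
    if ($links > 0) {
        return ['verdict' => 'retry', 'reason' => "$links link attributes; ask for plain text"];
    }
    return ['verdict' => 'ok', 'reason' => ''];
}

// Constructed sample submissions covering each branch.
$samples = [
    'clean'      => ['first' => 'Bob', 'last' => 'Jones', 'email' => 'bob@example.com',
                     'message' => 'Hi, I would like a quote for a small site.'],
    'crlf'       => ['first' => 'Bob', 'last' => 'Jones',
                     'email' => "bob@example.com\r\nBcc: a@example.net",
                     'message' => 'x'],
    'keyword'    => ['first' => 'Bob', 'last' => 'Jones', 'email' => 'bob@example.com',
                     'message' => "Content-Type: text/html\r\n\r\n<b>ad</b>"],
    'few_links'  => ['first' => 'Bob', 'last' => 'Jones', 'email' => 'bob@example.com',
                     'message' => 'See <a href="http://example.com/a">a</a>'],
    'many_links' => ['first' => 'Bob', 'last' => 'Jones', 'email' => 'bob@example.com',
                     'message' => str_repeat('<a href="http://example.com/x">x</a> ', 12)],
];

foreach ($samples as $label => $fields) {
    $r = classify_submission($fields);
    printf("%-10s %-6s %s\n", $label, $r['verdict'], $r['reason']);
}
```

    Expected verdicts: clean → ok; crlf → spam (line break in the email field, caught before any keyword scan); keyword → spam (Content-Type in the message); few_links → retry (one link attribute); many_links → spam (twelve). Note that `=http:` and `="http:` do not overlap, so a standard `href="http:` counts once.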

  • #6 Regular Coder (Join Date: May 2004, Posts: 144)
    ahhhh,

    Makes sense now: two foreach statements, one for the haystack and one for the needles. Thanks for your input.

    c.c.

