
    revise security for an old send e-mail order form

    Hi All,

    Below is part of a working PHP code for a send e-mail order form, and I would like to know if I can revise it to include some security of my own, as well as make a change due to a replace function that is not in use now after PHP 5.

    First, I understand that this..... eregi_replace("[\r|\n]*", "", $_POST ....... that is, the eregi_replace part, is no longer in use. My question is, can I simply replace it with the preg_replace wording only, to bring it up to date?

    The second question is related to the $msg = trim(stripslashes($msg)); line.
    I would like to include another trim and some str_replace calls along with the original trim, like this..... $msg = trim(stripslashes($msg)); $msg = trim(strip_tags($msg)); $msg = str_replace("(", "", $msg); $msg = str_replace(")", "", $msg); $msg = str_replace("<", "", $msg);

    Can I do that?


    Code:
    	}
    
    	$msg = trim(stripslashes($msg));
    	$badStrings = array("Content-Type:",
    	                     "MIME-Version:",
    	                     "Content-Transfer-Encoding:",
    	                     "bcc:",
    	                     "cc:");
    
    	foreach($badStrings as $v2){
    	    if(strpos(strtolower($_POST['destination_email']), strtolower($v2)) !== false){
    	        error("Website Form Hack Attempt on Destination Email: '$destination_email'");
    	        header("HTTP/1.0 403 Forbidden");
    	            exit;
    	    }
    	    if(strpos(strtolower($_POST['subject']), strtolower($v2)) !== false){
    	        error("Website Form Hack Attempt on Subject: '$subject'");
    	        header("HTTP/1.0 403 Forbidden");
    	            exit;
    	    }
    	    if(strpos(strtolower($_POST['Customer_Email']), strtolower($v2)) !== false){
    	        error("Website Form Hack Attempt on Email: '$email'");
    	        header("HTTP/1.0 403 Forbidden");
    	            exit;
    	    }
    	    if(strpos(strtolower($_POST['response_email']), strtolower($v2)) !== false){
    	        error("Website Form Hack Attempt on Response_email: '$response_email'");
    	        header("HTTP/1.0 403 Forbidden");
    	            exit;
    	    }
    	    if(strpos(strtolower($_POST['response_name']), strtolower($v2)) !== false){
    	        error("Website Form Hack Attempt on Response_name: '$response_name'");
    	        header("HTTP/1.0 403 Forbidden");
    	            exit;
    	    }
    	}
    
    	$destination_email = eregi_replace("[\r|\n]*", "", $_POST['destination_email']);
    	$email = eregi_replace("[\r|\n]*", "", $_POST['Customer_Email']);
    	$subject = eregi_replace("[\r|\n]*", "", $_POST['subject']);
    	$response_email = eregi_replace("[\r|\n]*", "", $_POST['response_email']);
    	$response_name = eregi_replace("[\r|\n]*", "", $_POST['response_name']);
    
    
    	mail("$destination_email","Manual Order via Postal Service Notification : $subject","$msg\n","FROM: $destination_email");
    
    	$autoresponse_file = eregi_replace("[\r|\n]*", "", $_POST['autoresponse_file']);
    	if($autoresponse_file && $email)
    	{

    The change would look like this......
    Code:
    	}
    
    	
    	$msg = trim(stripslashes($msg)); 
    	$msg = trim(strip_tags($msg)); 
    	$msg = str_replace("(", "", $msg); 
    	$msg = str_replace(")", "", $msg); 
    	$msg = str_replace("<", "", $msg);
    	$badStrings = array("Content-Type:",
    	                     "MIME-Version:",
    	                     "Content-Transfer-Encoding:",
    	                     "bcc:",
    	                     "cc:");
    
    	foreach($badStrings as $v2){
    	    if(strpos(strtolower($_POST['destination_email']), strtolower($v2)) !== false){
    	        error("Website Form Hack Attempt on Destination Email: '$destination_email'");
    	        header("HTTP/1.0 403 Forbidden");
    	            exit;
    	    }
    	    if(strpos(strtolower($_POST['subject']), strtolower($v2)) !== false){
    	        error("Website Form Hack Attempt on Subject: '$subject'");
    	        header("HTTP/1.0 403 Forbidden");
    	            exit;
    	    }
    	    if(strpos(strtolower($_POST['Customer_Email']), strtolower($v2)) !== false){
    	        error("Website Form Hack Attempt on Email: '$email'");
    	        header("HTTP/1.0 403 Forbidden");
    	            exit;
    	    }
    	    if(strpos(strtolower($_POST['response_email']), strtolower($v2)) !== false){
    	        error("Website Form Hack Attempt on Response_email: '$response_email'");
    	        header("HTTP/1.0 403 Forbidden");
    	            exit;
    	    }
    	    if(strpos(strtolower($_POST['response_name']), strtolower($v2)) !== false){
    	        error("Website Form Hack Attempt on Response_name: '$response_name'");
    	        header("HTTP/1.0 403 Forbidden");
    	            exit;
    	    }
    	}
    
    	// preg_replace needs delimiters around the pattern; a bare "[\r|\n]*" is not a valid PCRE call
    	$destination_email = preg_replace("/[\r\n]+/", "", $_POST['destination_email']);
    	$email = preg_replace("/[\r\n]+/", "", $_POST['Customer_Email']);
    	$subject = preg_replace("/[\r\n]+/", "", $_POST['subject']);
    	$response_email = preg_replace("/[\r\n]+/", "", $_POST['response_email']);
    	$response_name = preg_replace("/[\r\n]+/", "", $_POST['response_name']);
    
    
    	mail("$destination_email","Manual Order via Postal Service Notification : $subject","$msg\n","FROM: $destination_email");
    
    	$autoresponse_file = preg_replace("/[\r\n]+/", "", $_POST['autoresponse_file']);
    	if($autoresponse_file && $email)
    	{
    Martin.
    Last edited by SpidersWebHelp; 12-15-2013 at 09:32 PM.
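The following is an added example and is not the poster's code or anything from this thread. It shows the two things the post asks about in working PHP: the PCRE equivalent of the old eregi_replace CR/LF strip, and a header-injection check plus mail() call that keeps user input out of the places where it can do harm. The ORDER_RECIPIENT constant, the 'message' form field and the two sample $_POST arrays are assumptions made for the demo.

```php
<?php
// Added example, not the original poster's code. It shows (1) the PCRE form of
// the old eregi_replace CR/LF strip and (2) a hardened header-injection check
// and mail() call. ORDER_RECIPIENT, the 'message' field and the sample $_POST
// arrays below are assumptions made for this demo.
declare(strict_types=1);

const ORDER_RECIPIENT = 'orders@example.com';   // assumed fixed, server-side recipient

/** PCRE replacement for eregi_replace("[\r|\n]*", "", $v): strip every CR/LF. */
function strip_crlf(string $v): string
{
    // preg_replace needs delimiters. A bare "[\r|\n]*" is read as the pattern
    // \r|\n inside [...] delimiters followed by an unknown modifier '*', so
    // preg_replace warns and returns null, silently emptying the field.
    return preg_replace('/[\r\n]+/', '', $v);
}

/** Header names that must never appear inside a user-supplied header field. */
const BAD_HEADER_STRINGS = ['content-type:', 'mime-version:',
                            'content-transfer-encoding:', 'bcc:', 'cc:', 'to:'];

/** True if a raw header-bound value looks like a header-injection attempt. */
function looks_like_header_injection(string $raw): bool
{
    // Raw CR/LF is the injection primitive itself; %0a/%0d catches values that
    // a later decoding step might turn back into line breaks.
    if (preg_match('/[\r\n]|%0[ad]/i', $raw) === 1) {
        return true;
    }
    foreach (BAD_HEADER_STRINGS as $needle) {
        if (stripos($raw, $needle) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Validate the posted form. Returns [list of errors, cleaned fields].
 * Only fields that end up in mail headers are checked for injection; the body
 * is plain text and only needs trimming and tag stripping for readability.
 */
function validate_order(array $post): array
{
    $errors = [];
    foreach (['Customer_Email', 'subject', 'response_name'] as $field) {
        if (looks_like_header_injection((string)($post[$field] ?? ''))) {
            $errors[] = "header injection attempt in $field";
        }
    }
    $email   = strip_crlf(trim((string)($post['Customer_Email'] ?? '')));
    $subject = strip_crlf(trim((string)($post['subject'] ?? '')));
    $name    = strip_crlf(trim((string)($post['response_name'] ?? '')));
    $msg     = trim(strip_tags((string)($post['message'] ?? '')));

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Customer_Email is not a valid address';
    }
    if ($subject === '' || strlen($subject) > 200) {
        $errors[] = 'subject missing or too long';
    }
    return [$errors, compact('email', 'subject', 'name', 'msg')];
}

/** Build mail() headers with a fixed From: and the customer in Reply-To:. */
function build_headers(string $email, string $name): string
{
    $display = str_replace(['"', '\\'], '', $name);   // keep the quoted display name well-formed
    return 'From: ' . ORDER_RECIPIENT . "\r\n"
         . "Reply-To: \"$display\" <$email>\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

// Constructed sample inputs: a normal order and a Bcc: injection attempt.
$samples = [
    'normal' => ['Customer_Email' => 'jane@example.net', 'subject' => 'Order 42',
                 'response_name' => 'Jane', 'message' => 'Two widgets, please.'],
    'attack' => ['Customer_Email' => "jane@example.net\r\nBcc: victim@example.org",
                 'subject' => 'Order 42', 'response_name' => 'Jane', 'message' => 'spam'],
];

foreach ($samples as $label => $post) {
    [$errors, $clean] = validate_order($post);
    if ($errors) {
        echo "$label: rejected (" . implode('; ', $errors) . ")\n";
        continue;
    }
    $headers = build_headers($clean['email'], $clean['name']);
    // Uncomment to actually send; the recipient is ours, never taken from the form.
    // mail(ORDER_RECIPIENT, 'Manual Order via Postal Service Notification : ' . $clean['subject'], $clean['msg'] . "\n", $headers);
    echo "$label: would send to " . ORDER_RECIPIENT . " with headers:\n$headers\n";
}
```

Run it with `php order-form-demo.php`: the first sample is accepted and the second is rejected before any headers are built. Three points worth taking from it against the posted code. The proposed `preg_replace("[\r|\n]*", ...)` is not a drop-in for `eregi_replace`: PHP treats `[` and `]` as the delimiter pair and `*` as a modifier it does not know, so the call returns null rather than the cleaned string; `'/[\r\n]+/'` is the equivalent pattern. The extra `strip_tags` and `str_replace` calls on `$msg` only change the message body, which is not where header injection happens, and stripping `<` will also mangle legitimate text a customer types. Finally, the posted code passes `$_POST['destination_email']` straight into `mail()` as both the recipient and the FROM header, which lets anyone who can reach the form choose where the mail goes; a fixed server-side recipient with the customer in Reply-To removes that.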