php mail() flood control

03-22-2004, 07:40 PM
Guys/gals - I have an issue.

I have a php mail() form, where it's basically just name/email/phone/msg and I keep getting flooded with like 300 - 1000 something emails when somebody sends something.

I need to know what code to throw in there to eliminate this from happening... some sort of flood control per se.

thanks in advance.


03-22-2004, 08:07 PM
post the mail form script

03-22-2004, 08:11 PM
<?php
// read the submitted fields (all empty on the first page load)
$sender_name  = isset($_POST['sender_name'])  ? $_POST['sender_name']  : "";
$sender_email = isset($_POST['sender_email']) ? $_POST['sender_email'] : "";
$message      = isset($_POST['message'])      ? $_POST['message']      : "";
$op           = isset($_POST['op'])           ? $_POST['op']           : "";

// HTML-escaped copies, used wherever a value is echoed back into the page
$h_name  = htmlspecialchars($sender_name, ENT_QUOTES);
$h_email = htmlspecialchars($sender_email, ENT_QUOTES);
$h_msg   = htmlspecialchars($message, ENT_QUOTES);
$h_self  = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);

$form_block = "
<form method=\"POST\" action=\"$h_self\">
<p><strong>Your name:</strong><br />
<input type=\"text\" name=\"sender_name\" value=\"$h_name\" size=30></p>
<p><strong>Your E-Mail Address:</strong><br />
<input type=\"text\" name=\"sender_email\" value=\"$h_email\" size=30></p>
<p><strong>Message:</strong><br />
<textarea name=\"message\" cols=30 rows=5 wrap=virtual>$h_msg</textarea></p>
<input type=\"hidden\" name=\"op\" value=\"ds\">
<p><input type=\"submit\" name=\"submit\" value=\"Send This Form\"></p>
</form>";

$send = "";
$name_err = $email_err = $message_err = "";

if ($op != "ds") {
    // show form
    echo "$form_block";
} else if ($op == "ds") {
    // check value of sender_name
    if ($sender_name == "") {
        $name_err = "<div class=\"error\" align=\"center\">The Name field was left Blank</div><br />";
        $send = "no";
    }
    // check value of sender_email
    if ($sender_email == "") {
        $email_err = "<div class=\"error\" align=\"center\">The Email field was left Blank</div><br />";
        $send = "no";
    }
    // check value of message
    if ($message == "") {
        $message_err = "<div class=\"error\" align=\"center\">You did not enter a Message</div><br />";
        $send = "no";
    }
    if ($send != "no") {
        // it's ok to send, so construct the mail
        $msg = "E-MAIL SENT FROM WWW SITE\n"; // body text build
        $msg .= "Sender's name: $sender_name\n";
        $msg .= "Sender's E-Mail: $sender_email\n";
        $msg .= "Message: $message\n\n";

        $to = "sales@mydomain.com";
        $subject = "Contact Form";
        // strip CR/LF so the submitted address cannot add extra mail headers
        $from = str_replace(array("\r", "\n"), "", $sender_email);
        $mailheaders = "From: $from\n";
        $mailheaders .= "Reply-To: $from\n\n";
        // send the mail
        mail($to, $subject, $msg, $mailheaders);
        // display confirmation to user
        echo "<p>Thank you $h_name, your content has been sent!<br />
A member of our staff will be in contact with you as soon as possible.</p>";
    } else if ($send == "no") {
        // print error messages
        echo "$name_err";
        echo "$email_err";
        echo "$message_err";
        echo "$form_block";
    }
}

03-22-2004, 08:55 PM
doesn't look like there's anything wrong there

so either the server is doing weird ****
or you're being spammed
one way to sort the problem would be to log the IP address of the user ($_SERVER['REMOTE_ADDR']) and limit the number of times an IP can send email using your mailer and delete the logged IPs after an amount of time

03-22-2004, 09:18 PM
I don't see anything in your code that would cause that.

So it's probably a malicious user. Or an impatient user that keeps hitting reload or so.

To prevent: there have been numerous threads here about preventing people from submitting a form more than x times:
- require a login;
- use cookies.

I would recommend the cookie approach, and only set the persistent cookie when they create/activate their account.
When they request the form --> check if the cookie was set and register the datetime in the db. When they post the form --> register this in the db. Before processing the form, check when the previous mail was posted.

Also, set a session variable when the mail was sent. Store the time in there. At the top of your processing code, check if that session var is set and what the time was. If it is within the limit you choose (5 minutes or so?) then you don't process the form.

Also, include a dynamically generated image with a code that the user needs to copy. Like this one http://www.phpclasses.org/search.html?words=OCR+CAPTCHA+&go_search=1&x=6&y=6

There are ways around all these, but it will drastically cut down the number of posts.
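
The IP log with expiry suggested in the 08:55 PM reply and the session timestamp from the 09:18 PM reply, combined as an added example that is not part of the thread. The function names, the limits and the log directory are assumptions.

```php
<?php
// Added example, not code from the thread; limits and log directory are assumptions.
const FLOOD_LIMIT  = 3;     // mails allowed per IP inside one window (assumed)
const FLOOD_WINDOW = 3600;  // seconds after which logged hits are dropped (assumed)
const SESSION_GAP  = 300;   // the "5 minutes or so" between mails in one session

// Records a hit for $ip and returns true if it is still under the limit.
function ip_may_send(string $ip, string $dir, int $now): bool
{
    // hash the address so it is safe to use as a file name
    $file = $dir . '/' . hash('sha256', $ip) . '.log';
    $fh = fopen($file, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false; // fail closed when the log cannot be opened or locked
    }
    // keep only the timestamps that are still inside the window
    $hits = array_filter(
        array_map('intval', explode("\n", trim(stream_get_contents($fh)))),
        fn (int $t): bool => $t > $now - FLOOD_WINDOW
    );
    $allowed = count($hits) < FLOOD_LIMIT;
    if ($allowed) {
        $hits[] = $now;
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, implode("\n", $hits));
    fclose($fh); // closing the handle also releases the lock
    return $allowed;
}

// Returns true if this session has not sent a mail within SESSION_GAP seconds.
function session_may_send(array $session, int $now): bool
{
    return !isset($session['last_mail']) || $now - $session['last_mail'] >= SESSION_GAP;
}

// In the form handler, just before mail() is called:
session_start();
$now = time();
$dir = sys_get_temp_dir() . '/mailflood'; // assumed path; keep it outside the web root
is_dir($dir) || mkdir($dir, 0700, true);
if (session_may_send($_SESSION, $now)
    && ip_may_send($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', $dir, $now)) {
    $_SESSION['last_mail'] = $now;
    // mail($to, $subject, $msg, $mailheaders) goes here
} else {
    http_response_code(429);
    echo 'Too many messages, please try again later.';
}
```

The session check only holds for clients that keep their session cookie, so the per-IP log is the limit that still applies when the cookie is dropped. Behind a reverse proxy, `REMOTE_ADDR` is the proxy's address and every visitor would share one counter.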

03-23-2004, 12:12 AM
ok... might have to check in cpanel or whm forums or something...

I can't use a login form prior to this because this is a contact form on the site - so that would be pretty weird.

thanks again