A contact form where site visitors can fill in information and
have it mailed to you is a useful feature for any website. Using a
PHP script to accomplish this is a very popular method. When
using a PHP script to send mail it is important to ensure the
script is secure from spammers. This means that there must be routines
in place to check for certain things, such as HTTP links in the
form, before allowing the server to send a message. Without
a PHP routine which checks all three input boxes on your PHP
contact form for http, CR and LF characters, your PHP contact form
is open for abuse. A quick, simple fix for any PHP contact form is to
check the input boxes for the CR ('\r') and LF ('\n') characters and
for "http" text, and either strip them out or prevent the form from
being sent in the first place.
The instructions below outline how to add a PHP contact form that
already has spam prevention routines in place to your existing website.
1. Download a copy of the contactme_php.txt script to your desktop. The contactme_php.txt file contains all of the important
information on how and where your email is sent.
2. Using a text editor (eg. Notepad or Netfirms File Manager) edit the
file. Locate the following block of text and replace it with your email
address and mail subject accordingly:
/******** START OF CONFIG SECTION *******/
$sendto = "yourname@yourdomain.com, $email";
$subject = "Website Contact Enquiry";
// Select if you want to check form for standard spam text
$SpamCheck = "Y"; // Y or N
Fill in the $sendto field with your email address, the $subject field
with the subject of the email you will receive, and enter Y or N for
$SpamCheck depending on whether you want to enable spam checking or not
(HIGHLY RECOMMENDED). If you want the person filling out the contact
form to also receive a copy of the message, leave $email inside the
$sendto variable; bear in mind that this mails the visitor's own text to
whatever address they typed, so keep $SpamCheck enabled when you do.
If you only want yourself to receive a copy then remove $email.
3. Once the changes have been made you may save the changes (rename the file to contactme.php) and upload the file to your account.
4. In order to use this contact form on your site, simply add the following
line of code to the web site page you want to have the form display on:
<?php include "contactme.php"; ?>
The form will be displayed wherever you place that line of code. Please
ensure that the file contactme.php is located in the same folder where
you are attempting to include it from, or specify the full path to the
file using the format:
<?php include "http://yourdomain.com/contact/contactme.php"; ?>
Note that an include by URL only works when allow_url_include is enabled
and fetches the script's rendered output rather than its source, so a
filesystem path such as $_SERVER['DOCUMENT_ROOT'] . "/contact/contactme.php"
is the safer choice.
Some of this information, as well as the script itself was taken from
http://www.stevedawson.com/article0015.php .
contactme.php code below:
<table width="760" border="0" cellspacing="10" cellpadding="0" align="center">
<tr>
<td align="center">
<?php
if (isset($_POST["op"]) && ($_POST["op"] == "send")) {
// Read the three form fields first ($_POST replaces the long-removed $HTTP_POST_VARS)
// so that $email already holds the visitor's address when $sendto is built below
$name = isset($_POST['name']) ? $_POST['name'] : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';
$message = isset($_POST['message']) ? $_POST['message'] : '';
/******** START OF CONFIG SECTION *******/
$sendto = "youremail@address.com, $email";
$subject = "Website Contact Enquiry";
// Select if you want to check form for standard spam text
$SpamCheck = "Y"; // Y or N
$SpamReplaceText = "*content removed*";
// Error message printed if spam form attack found
$SpamErrorMessage = "<p align=\"center\"><font color=\"red\">Malicious code content detected."
. "</font><br><b>Your IP Number of <b>" . getenv("REMOTE_ADDR") . "</b> has been logged.</b></p>";
/******** END OF CONFIG SECTION *******/
if ($SpamCheck == "Y") {
// Check for website URLs in the form input boxes: blocking URLs from the form
// stops the spammers wasting time sending emails
if (preg_match("/http/i", $name)) {echo $SpamErrorMessage; exit();}
if (preg_match("/http/i", $email)) {echo $SpamErrorMessage; exit();}
if (preg_match("/http/i", $message)) {echo $SpamErrorMessage; exit();}
// Pattern match to strip out the invalid characters (CR and LF included); this prevents the mail injection spammer
$pattern = '/(;|\||`|>|<|&|\^|"|\'|\n|\r|\{|\}|\[|\]|\(|\))/i'; // build the pattern match string
$name = preg_replace($pattern, "", $name);
$email = preg_replace($pattern, "", $email);
$message = preg_replace($pattern, "", $message);
$sendto = preg_replace($pattern, "", $sendto); // $sendto carries the visitor's address as well
// Check for the injected headers from the spammer attempt
// This will replace the injection attempt text with the string you have set in the above config section
$find = array("/bcc:/i", "/Content-Type:/i", "/cc:/i", "/to:/i");
$email = preg_replace($find, $SpamReplaceText, $email);
$name = preg_replace($find, $SpamReplaceText, $name);
$message = preg_replace($find, $SpamReplaceText, $message);
$sendto = preg_replace($find, $SpamReplaceText, $sendto);
// Check to see if the fields contain any content we want to ban
if (stristr($name, $SpamReplaceText) !== FALSE) {echo $SpamErrorMessage; exit();}
if (stristr($email, $SpamReplaceText) !== FALSE) {echo $SpamErrorMessage; exit();}
if (stristr($message, $SpamReplaceText) !== FALSE) {echo $SpamErrorMessage; exit();}
// Do a check on the send email and subject text
if (stristr($sendto, $SpamReplaceText) !== FALSE) {echo $SpamErrorMessage; exit();}
if (stristr($subject, $SpamReplaceText) !== FALSE) {echo $SpamErrorMessage; exit();}
}
// Build the mail headers only now, after $email has been cleaned, so that a CR or LF
// in the address can no longer start an extra header line
$headers = "From: $email\n";
$headers .= "MIME-Version: 1.0\n"
. "Content-Transfer-Encoding: 7bit\n"
. "Content-type: text/html; charset=\"iso-8859-1\"\n\n";
// Build the email body text
$emailcontent = "
-----------------------------------------------------------------------------
WEBSITE CONTACT ENQUIRY
-----------------------------------------------------------------------------
Name: $name
Email: $email
Message: $message
_______________________________________
End of Email
";
// Check the email address entered matches the standard email address format
// (eregi() was removed in PHP 7, so preg_match with the /i modifier is used instead)
if (!preg_match("/^[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,6}$/i", $email)) {
echo "<p>It appears you entered an invalid email address</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($name)) {
echo "<p>Please go back and enter a Name</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($message)) {
echo "<p>Please go back and type a Message</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($email)) {
echo "<p>Please go back and enter an Email</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
// Sends out the email or will output the error message
elseif (mail($sendto, $subject, $emailcontent, $headers)) {
echo "<br><br><p><b>Thank You " . htmlspecialchars($name) . "</b></p><p>We will be in touch as soon as possible.</p>";
}
else {
echo "<p>Sorry, your message could not be sent. Please try again later.</p>";
}
}
else {
?>
<p align="center">Please complete all details of your enquiry<br>and we will get back to you shortly.</p>
<br>
<form method="post"><INPUT NAME="op" TYPE="hidden" VALUE="send">
<table>
<tr>
<td><p>Name:</p></td>
<td>
<input name="name" type="text" size="30" maxlength="150">
</td>
</tr>
<tr>
<td><p>E-mail:</p></td>
<td>
<input name="email" type="text" size="30" maxlength="150">
</td>
</tr>
<tr>
<td valign="top"><p>Message:</p></td>
<td><textarea name="message" cols="40" rows="6"></textarea></td>
</tr>
<tr><td></td> <td><input name="submit" type="submit" value="Send Message"></td></tr>
</table>
</form>
<?php } ?>
<p align="center"><font size="-2">Supplied by <a href="http://www.stevedawson.com">SteveDawson.com</a></font></p></td>
</tr>
</table>
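The checks described in the opening paragraph and implemented in the script above, written out as an added, self-contained example (not part of the original page or of the stevedawson.com script): one function that inspects every submitted field before any mail header is assembled, plus a header builder that uses CRLF line endings and filter_var() as a second check. The function names, the sample submissions and the use of the header-at-line-start pattern are assumptions of this example.

```php
<?php
// Added example, not the stevedawson.com script: the three checks the page describes
// (CR/LF, injected header names, "http") as one function run before any header is built.
function find_injection_attempt(array $fields): ?string
{
    $suspicious = [
        '/[\r\n]/',                             // a CR or LF would start a new header line
        '/^\s*(bcc|cc|to|content-type)\s*:/im', // a mail header name at the start of a line
        '/https?:\/\//i',                       // web links, blocked outright as the page recommends
    ];
    foreach ($fields as $label => $value) {
        if (!is_string($value)) {
            return $label;                      // e.g. name[]=x submitted as an array
        }
        foreach ($suspicious as $re) {
            if (preg_match($re, $value)) {
                return $label;                  // the first offending field
            }
        }
    }
    return null;                                // every field is clean
}

// Headers for an address that already passed find_injection_attempt(); filter_var() is a
// second, independent check, and CRLF is the line ending mail() expects between headers.
function build_headers(string $email): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    return "From: $email\r\n"
         . "MIME-Version: 1.0\r\n"
         . "Content-Type: text/plain; charset=utf-8\r\n";
}

// Constructed sample submissions: a normal enquiry and one carrying an injected Bcc: line
$clean  = ['name' => 'Jane Doe', 'email' => 'jane@example.com', 'message' => 'Hello'];
$attack = ['name' => 'Jane', 'email' => "jane@example.com\nBcc: other@example.net", 'message' => 'Hi'];
if (find_injection_attempt($clean) !== null)     { exit("self-check failed: clean form rejected\n"); }
if (find_injection_attempt($attack) !== 'email') { exit("self-check failed: injection missed\n"); }
echo "self-check passed\n", build_headers($clean['email']);
```

Because the reject decision is made on the raw fields and the headers are only built afterwards, there is no window in which an unchecked value reaches mail().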