Help me with my web form
sg552
June 17th, 2008, 06:47
Hello, this webform is from The Web Help .com. I modified it so visitors can input their name, email address, recipient email address, subject and message.
The problem is, when a visitor inputs email addresses like this in the recipient input box: fsdgs@gmail.com, fdgsa@gmail.com, dsafds@gmail.com or <dfss@yahoo.com>, <kljlkj@gmail.com>, the message will be sent to the 2 to 3 selected recipients, so if 10000 emails in the format above are input in the recipient input box, my host will suspend me for sure... spammers can use my webform for sending spam :(.
This is the code:
<?php
// -----------------------------------------
// The Web Help .com
// -----------------------------------------
// remember to replace you@email.com with your own email address lower in this code.
// load the variables from the address bar
$to = $_REQUEST["to"];
$subject = $_REQUEST["subject"];
$message = $_REQUEST["message"];
$sendname = $_REQUEST["sendname"];
$from = $_REQUEST["from"];
$verif_box = $_REQUEST["verif_box"];
// remove the backslashes that normally appear when entering " or '
$to = stripslashes($to);
$message = stripslashes($message);
$subject = stripslashes($subject);
$sendname = stripslashes($sendname);
$from = stripslashes($from);
// build the headers after the backslashes have been removed
$headers = 'From: ' . $sendname . ' <' . $from . ">\r\n" . 'Reply-To: ' . $from . "\r\n";
// check to see if verification code was correct
if(md5($verif_box).'a4xn' == $_COOKIE['tntcon']){
// if verification code was correct send the message and show this page
mail($to, $subject, $message, $headers);
// delete the cookie so it cannot be sent again by refreshing this page
setcookie('tntcon','');
} else {
// if verification code was incorrect then return to contact page and show error
header("Location:http://www.mydomain.com/?wrong_code=true");
exit;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>E-Mail Sent</title>
<style type="text/css">
<!--
body,td,th {
font-family: Arial, Helvetica, sans-serif;
font-size: 12px;
}
-->
</style></head>
<body>
Email sent. Thank you.<br />
<br />
Return to <a href="/">home page</a> ?
</body>
</html>
What I want to do now is only allow every visitor to input 1 email address in the recipient input box, that means only 1 email will be sent...
My webform also uses captcha. The captcha works great.
I hope anyone can help me with my web form. Thanks in advance. :)
JohnN
June 17th, 2008, 07:51
Hello, this webform is from The Web Help .com. I modified it so visitors can input their name, email address, recipient email address, subject and message.
The problem is, when a visitor inputs email addresses like this in the recipient input box: fsdgs@gmail.com, fdgsa@gmail.com, dsafds@gmail.com or <dfss@yahoo.com>, <kljlkj@gmail.com>, the message will be sent to the 2 to 3 selected recipients, so if 10000 emails in the format above are input in the recipient input box, my host will suspend me for sure... spammers can use my webform for sending spam :(.
This is the code:
<?php
// -----------------------------------------
// The Web Help .com
// -----------------------------------------
// remember to replace you@email.com with your own email address lower in this code.
// load the variables from the address bar
$to = $_REQUEST["to"];
// keep only the first comma-separated entry
$to = explode(",",$to);
$to = $to[0];
$subject = $_REQUEST["subject"];
$message = $_REQUEST["message"];
$sendname = $_REQUEST["sendname"];
$from = $_REQUEST["from"];
$verif_box = $_REQUEST["verif_box"];
// remove the backslashes that normally appear when entering " or '
$to = stripslashes($to);
$message = stripslashes($message);
$subject = stripslashes($subject);
$sendname = stripslashes($sendname);
$from = stripslashes($from);
// build the headers after the backslashes have been removed
$headers = 'From: ' . $sendname . ' <' . $from . ">\r\n" . 'Reply-To: ' . $from . "\r\n";
// check to see if verification code was correct
if(md5($verif_box).'a4xn' == $_COOKIE['tntcon']){
// if verification code was correct send the message and show this page
mail($to, $subject, $message, $headers);
// delete the cookie so it cannot be sent again by refreshing this page
setcookie('tntcon','');
} else {
// if verification code was incorrect then return to contact page and show error
header("Location:http://www.mydomain.com/?wrong_code=true");
exit;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>E-Mail Sent</title>
<style type="text/css">
<!--
body,td,th {
font-family: Arial, Helvetica, sans-serif;
font-size: 12px;
}
-->
</style></head>
<body>
Email sent. Thank you.<br />
<br />
Return to <a href="/">home page</a> ?
</body>
</html>
What I want to do now is only allow every visitor to input 1 email address in the recipient input box, that means only 1 email will be sent...
My webform also uses captcha. The captcha works great.
I hope anyone can help me with my web form. Thanks in advance. :)
Done. +rep away ;)
sg552
June 17th, 2008, 09:33
Done. +rep away ;)
Hello mate. Thanks for your help but the script still sends out the email if I use this format in the recipient input box:
<gda@gmail.com>, <tss@gmail.com>,
I tested it myself and still received the email in my inbox. :(
I want to stop any cc or bcc from being executed in the recipient input box.
I just copied the whole script above, pasted it in Notepad and uploaded it; it still does not work.
Please help me mate. Thanks in advance :)
BMR777
June 17th, 2008, 10:09
Also try,
<?php
// -----------------------------------------
// The Web Help .com
// -----------------------------------------
// remember to replace you@email.com with your own email address lower in this code.
// load the variables from the address bar
$to = $_REQUEST["to"];
// strip every character that is not a letter, digit, @ . _ or -
$to = preg_replace("/[^a-zA-Z0-9@._-]/", "", $to);
$to = explode(",",$to);
$to = $to[0];
$subject = $_REQUEST["subject"];
$message = $_REQUEST["message"];
$sendname = $_REQUEST["sendname"];
$from = $_REQUEST["from"];
$verif_box = $_REQUEST["verif_box"];
// remove the backslashes that normally appear when entering " or '
$to = stripslashes($to);
$message = stripslashes($message);
$subject = stripslashes($subject);
$sendname = stripslashes($sendname);
$from = stripslashes($from);
// build the headers after the backslashes have been removed
$headers = 'From: ' . $sendname . ' <' . $from . ">\r\n" . 'Reply-To: ' . $from . "\r\n";
// check to see if verification code was correct
if(md5($verif_box).'a4xn' == $_COOKIE['tntcon']){
// if verification code was correct send the message and show this page
mail($to, $subject, $message, $headers);
// delete the cookie so it cannot be sent again by refreshing this page
setcookie('tntcon','');
} else {
// if verification code was incorrect then return to contact page and show error
header("Location:http://www.mydomain.com/?wrong_code=true");
exit;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>E-Mail Sent</title>
<style type="text/css">
<!--
body,td,th {
font-family: Arial, Helvetica, sans-serif;
font-size: 12px;
}
-->
</style></head>
<body>
Email sent. Thank you.<br />
<br />
Return to <a href="/">home page</a> ?
</body>
</html>
Added line:
$to = preg_replace("/[^a-zA-Z0-9@._-]/", "", $to);
This strips out everything except for A-Z, a-z, 0-9, @ . _ and - from the to email address, so commas entered into the form should have no effect because they are stripped. Only safe email characters are allowed. Let me know if this works for you. :)
BMR777
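An added example, not part of BMR777's post or of the original script: the strip filter turns the input reported earlier in the thread, <gda@gmail.com>, <tss@gmail.com>, into the single string gda@gmail.comtss@gmail.com, and it leaves from and sendname untouched even though they are written straight into $headers. The code below validates and rejects instead of stripping; the function names and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: validate-and-reject instead of strip-and-send.
// Function names and sample inputs are hypothetical, not from the thread.

// Return the address if $raw is exactly one syntactically valid address, else null.
function single_recipient(string $raw): ?string
{
    $raw = trim($raw);
    // FILTER_VALIDATE_EMAIL rejects commas, angle brackets, spaces and line
    // breaks, so a list of addresses fails instead of collapsing into one string.
    $addr = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Values written into $headers (sender name, From, Reply-To) must not contain
// CR or LF, otherwise the value can start a new header line.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// The filter from the thread, kept for comparison.
function strip_filter(string $raw): string
{
    return preg_replace('/[^a-zA-Z0-9@._-]/', '', $raw);
}

// Constructed sample inputs for the recipient field.
$samples = [
    'friend@example.com',
    '<gda@gmail.com>, <tss@gmail.com>,',   // format reported in the thread
    'a@example.com, b@example.com',
];
foreach ($samples as $raw) {
    printf("%-36s strip: %-28s validate: %s\n",
        $raw, strip_filter($raw), single_recipient($raw) ?? 'REJECTED');
}

// Sender fields get the same checks before they reach mail().
$from = "visitor@example.com\r\nX-Extra: 1";   // constructed: embedded line break
$ok = header_safe($from) && single_recipient($from) !== null;
echo $ok ? "from accepted\n" : "from rejected\n";
```

Rejecting the request and showing an error is safer than sending to whatever survives the filter, because the visitor learns the address was not accepted and nothing is handed to mail() in a form the script did not check.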
sg552
June 17th, 2008, 11:23
Hi, I used your script and it actually works :fangel: The last line did execute:
Email sent. Thank you.<br />
but I don't get 2 emails in my 2 inboxes so I think it works. :)
Thank you very much, + rep added to both of you. Thank you :)
JohnN
June 17th, 2008, 11:37
BMR777 - REGEX isn't my strong point, but wouldn't that actually REPLACE all instances of those characters with a blank?
sg552
June 17th, 2008, 11:37
Hi JohnN, how do I add rep actually? :O Please reply, thanks...
BMR777
June 17th, 2008, 11:44
BMR777 - REGEX isn't my strong point, but wouldn't that actually REPLACE all instances of those characters with a blank?
No, it strips everything but those characters. I use that code on one of my scripts to protect against malicious entries into the database and it only allows the characters specified, everything else is turned to a blank. :)
BMR777
JohnN
June 17th, 2008, 11:48
No, it strips everything but those characters. I use that code on one of my scripts to protect against malicious entries into the database and it only allows the characters specified, everything else is turned to a blank. :)
BMR777
Alright, I'll take your word for it :p
sg552
June 18th, 2008, 10:12
Alright, I'll take your word for it :p
JohnN, I'm sorry, rep cannot be added. The forum says I have 20 reputation points? :confused4